Repaired my first malware infection without obvious clues as to the source
Posted: May 6, 2009 | Author: tech0x20 | Filed under: malware | Tags: rootkit, trojan horse, vundo
The last few times I’ve repaired a malware infestation, there have been some obvious clues to the infection source: loads of “free” games, a couple suspicious browser toolbars, p2p file sharing software with a hefty repository of downloaded content, visits to questionable sites, etc… This infection had none of the above.
It manifested itself (probably due to a partial clean-up attempt) as Windows errors:
explorer.exe – Bad Image
The application or DLL c:\windows\system32\dutujahi.dll is not a valid Windows image. Please check this against your installation diskette.
…tied to winlogon, explorer, lsass, etc. It appears that the PC was infected with the Vundo trojan (also known as Virtumonde). Of course, this infection hid itself from (or in?) Windows Explorer and was pretty good at replicating itself to evade capture.
The process took about 2 hours from start to finish, and along the way the Windows Recovery Console was installed. Oddly enough, I noticed that there was no anti-virus software installed at all, and the copy of SpySweeper on the PC had been allowed to expire.
I replaced SpySweeper with Windows Defender and installed AntiVir free edition. When I ran Windows Defender after the ComboFix cleanup, it was able to find a couple of the orphaned copies of the Vundo trojan DLLs in system32.
After the first couple of steps of running ComboFix, the system no longer persistently popped the “bad image” errors, and it appears to be running smoothly now.
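The "Bad Image" dialog above is raised when something still tries to load a DLL that no longer passes the loader's PE header checks, which is what a half-finished cleanup tends to leave behind in system32. The script below is an added example, not code from the post or from ComboFix, Windows Defender or AntiVir: it reproduces the first of those checks (a DOS header starting with "MZ", and e_lfanew at offset 0x3C pointing at a "PE\0\0" signature followed by a file header) and reports every *.dll under a directory that fails it. The directory, the file names and the file contents in `demo()` are constructed for the demonstration; `dutujahi.dll` is modelled here as a zero-filled file, which is an assumption about what was left on the disk, not something the post states.

```python
"""Flag DLLs that are not valid PE images (added example, not from the post).

Reproduces the loader's first sanity checks before a "Bad Image" error:
  - file starts with the DOS header magic "MZ"
  - e_lfanew (offset 0x3C) points inside the file at "PE\0\0" plus a file header
Sample files and their contents are constructed below for the demonstration.
"""
import struct
import tempfile
from pathlib import Path

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
DOS_HEADER_SIZE = 64      # sizeof(IMAGE_DOS_HEADER)
FILE_HEADER_SIZE = 20     # sizeof(IMAGE_FILE_HEADER)
E_LFANEW_OFFSET = 0x3C    # offset of e_lfanew in the DOS header


def check_pe_bytes(data: bytes) -> tuple[bool, str]:
    """Return (is_valid, reason) for the raw contents of a file."""
    if len(data) < DOS_HEADER_SIZE:
        return False, "shorter than a DOS header"
    if data[:2] != DOS_MAGIC:
        return False, "no MZ signature at offset 0"
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    end = e_lfanew + len(PE_SIGNATURE) + FILE_HEADER_SIZE
    if e_lfanew < DOS_HEADER_SIZE or end > len(data):
        return False, f"e_lfanew 0x{e_lfanew:x} points outside the file"
    if data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] != PE_SIGNATURE:
        return False, f"no PE signature at e_lfanew 0x{e_lfanew:x}"
    return True, "ok"


def check_pe_file(path) -> tuple[bool, str]:
    """Same check for a file on disk; unreadable files count as bad."""
    try:
        data = Path(path).read_bytes()
    except OSError as exc:
        return False, f"unreadable: {exc}"
    return check_pe_bytes(data)


def scan_for_bad_images(directory) -> dict[str, str]:
    """Map every *.dll under directory that fails the check to the reason."""
    bad = {}
    for path in sorted(Path(directory).rglob("*.dll")):
        ok, reason = check_pe_file(path)
        if not ok:
            bad[path.name] = reason
    return bad


def build_minimal_pe() -> bytes:
    """Smallest constructed byte string that passes check_pe_bytes.

    It has the right headers but no sections, so it is not loadable; it
    only stands in for a well-formed DLL in the demonstration below.
    """
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, DOS_HEADER_SIZE)
    # IMAGE_FILE_HEADER: Machine=i386, 0 sections, no timestamp, no symbols,
    # no optional header, Characteristics = EXECUTABLE_IMAGE | DLL (0x2002)
    file_header = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0, 0x2002)
    return bytes(dos) + PE_SIGNATURE + file_header


def demo() -> dict[str, str]:
    """Populate a temporary directory with constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "good.dll").write_bytes(build_minimal_pe())     # well-formed
        (root / "dutujahi.dll").write_bytes(b"\0" * 4096)       # wiped body (assumed)
        (root / "truncated.dll").write_bytes(build_minimal_pe()[:40])
        return scan_for_bad_images(root)


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

On a real machine you would point `scan_for_bad_images` at the actual system32 directory; any file it reports is exactly what produces the dialog if a registry entry or another module still references it. The check is necessary, not sufficient: it does not parse the optional header or the section table, and a malicious DLL is a perfectly valid PE image, so a clean result says nothing about whether the remaining files are trustworthy.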