
Shit Happens!

We are all vulnerable! Yesterday, it was my turn… infected by a trojan. Up until 04:00 AM fixing the problem!

The culprit was Vundo, a well-known (and quite old) trojan which slows down the system, displays pop-ups, etc. Nothing very malicious, but it was difficult to get rid of it! See the details here.

My laptop was fully secured: up-to-date OS and software patches, a running anti-virus with up-to-date signatures, anti-spyware. Anyway, I was infected. How? No idea yet; I have to analyze my home proxy logs.

What happened? The Symantec anti-virus reported and successfully deleted infected files in the Internet Explorer cache and in a restore point. Immediately, I scanned the whole system for viruses and malware. Nothing detected!? A scan with HijackThis reported several problems: two BHOs linked to a DLL named "c:\windows\system32\geBtSMgF.dll". The DLL was impossible to remove (locked by two processes: explorer.exe and winlogon.exe).

To get rid of the DLL, I booted my laptop with UBCD for Windows, a Windows live CD. I was able to access the NTFS file system and to remove the DLL. One reboot later, I cleaned the registry with HijackThis.

Later today, I still got alerts from the anti-virus: infected files were found in "c:\System Volume Information", where the files needed by the Windows System Restore feature are stored. To remove them, you need to disable System Restore. Finally, I used RestorWin to delete all restore points created or modified since the infection.
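An added example, not code from the original post: the following PowerShell script reproduces the HijackThis check that exposed the DLL above. It walks the Browser Helper Object registrations, resolves each CLSID to the DLL registered as its in-process server, checks whether that DLL carries a valid Authenticode signature, and lists the running processes that currently have it mapped (the reason "geBtSMgF.dll" could not be deleted from the live system). It assumes Windows PowerShell 5.1 run from an elevated prompt and the standard BHO and CLSID registry locations; the function names and the "FileMissing" label are this example's own.

```powershell
# Added example (not from the original post): audit IE Browser Helper Objects the way
# HijackThis reports them, resolve each CLSID to its DLL and show who has it loaded.
# Assumptions: Windows PowerShell 5.1, run as Administrator; standard BHO/CLSID registry
# paths; function names and the 'FileMissing' label are this example's own.

$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# Resolve a CLSID to the DLL registered as its in-process COM server.
function Get-BhoDllPath {
    param([Parameter(Mandatory)][string]$Clsid)
    $clsidRoots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
        'HKCU:\SOFTWARE\Classes\CLSID'   # per-user COM registration is a common hiding spot
    )
    foreach ($root in $clsidRoots) {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $path = (Get-ItemProperty -Path $key).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path.Trim('"')) }
        }
    }
    return $null
}

# Processes that currently have the DLL mapped (explorer.exe and winlogon.exe in the post).
function Get-ProcessesHoldingDll {
    param([Parameter(Mandatory)][string]$DllPath)
    $name = [System.IO.Path]::GetFileName($DllPath)
    Get-Process | Where-Object {
        try   { @($_.Modules | Where-Object { $_.ModuleName -ieq $name }).Count -gt 0 }
        catch { $false }   # protected or cross-bitness processes refuse module enumeration
    } | Select-Object -ExpandProperty ProcessName -Unique
}

# One row per registered BHO: CLSID, backing DLL, signature status, processes holding it.
function Get-BhoReport {
    foreach ($root in $BhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($entry in Get-ChildItem -Path $root) {
            $clsid = $entry.PSChildName
            $dll   = Get-BhoDllPath -Clsid $clsid
            $sig   = if ($dll -and (Test-Path -LiteralPath $dll)) {
                         (Get-AuthenticodeSignature -FilePath $dll).Status
                     } else { 'FileMissing' }
            $held  = if ($dll) { (Get-ProcessesHoldingDll -DllPath $dll) -join ', ' } else { '' }
            [PSCustomObject]@{
                CLSID     = $clsid
                DLL       = $dll
                Signature = $sig       # 'NotSigned' under %SystemRoot%\system32 deserves a look
                LoadedIn  = $held
            }
        }
    }
}

Get-BhoReport | Format-Table -AutoSize
```

A BHO whose DLL is unsigned, sits in system32 under a random-looking name and shows winlogon.exe in the LoadedIn column is exactly the case the post describes: the file cannot be deleted from the running system, so it has to be removed offline (the live CD step), and the BHO and CLSID keys must then be removed separately, otherwise the registry still points at the missing DLL.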

I read and re-read the trojan description, and I should not have been infected!? Is this a new variant? Or a new one based on the original? No idea; I'm crossing my fingers!
