
How do I kill a file that's "in use"

Discussion in 'Windows XP' started by JGB, 2007/09/20.

  1. 2007/09/20
    JGB (Well-Known Member, Thread Starter)

    I have the dreaded Vundo Trojan. Both AVast and Software Doctor spot it, and have killed it in the past, but now cannot remove 1 or more key files that are "in use".
    Safe mode does not work, nor does the Microsoft Live Search scanning tool.
    VundoFix.exe also is not able to kill it, but did before.
    They do locate and kill ancillary files, but Vundo recreates them with different names.

    The file I need to kill is c:\windows\system32\oponopom.dll although it can reappear later with a different name.
    There is also some file hidden in the C:\recycler folder, and it too is "in use".
    The files are loaded by Explorer.exe and Winlogon.exe. I don't know if they are infected, but they scan clean.

    However, I once saw a tool that allowed me to name and delete a file at next bootup, before the baddy can load.
    I cannot locate that tool now that I need it.

    Anybody know of that tool, or how to kill "in use" files?
    JGB, #1
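The "delete at next bootup" tool JGB remembers works by queueing the file in Windows' pending-rename list, which Session Manager processes early in the next boot. As an added example (not from this thread or any tool named in it), this PowerShell script does the same thing and then reads the queue back so you can confirm the deletion was actually registered. It assumes an elevated PowerShell 2.0 or later session on Windows; the target path is a constructed placeholder.

```powershell
# Added example, not from the thread: queue a locked file for deletion at the
# next boot via MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), then verify the queue.
# Assumes an elevated PowerShell session; the target path below is a placeholder.
$source = @"
using System;
using System.Runtime.InteropServices;
public static class NativeMove {
    public const int MOVEFILE_DELAY_UNTIL_REBOOT = 0x4;
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool MoveFileEx(string existing, string target, int flags);
}
"@
Add-Type -TypeDefinition $source

function Request-DeleteOnReboot {
    param([Parameter(Mandatory)][string]$Path)
    # A null destination plus DELAY_UNTIL_REBOOT means "delete", not "rename".
    # Nothing is touched now; the entry is written to PendingFileRenameOperations.
    $ok = [NativeMove]::MoveFileEx($Path, $null, [NativeMove]::MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for '$Path' (Win32 error $err)"
    }
}

function Get-PendingFileRenames {
    # Session Manager (smss.exe) processes this REG_MULTI_SZ early in boot.
    # Entries come in pairs: source, destination; an empty destination is a delete.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $raw) { return @() }
    $entries = @()
    for ($i = 0; $i -lt $raw.Count; $i += 2) {
        $src = $raw[$i] -replace '^\\\?\?\\', ''          # strip the \??\ NT prefix
        $dst = if ($i + 1 -lt $raw.Count) { $raw[$i + 1] } else { '' }
        if ($dst) { $dst = $dst -replace '^\\\?\?\\', '' } else { $dst = '<delete>' }
        $entries += [pscustomobject]@{ Source = $src; Target = $dst }
    }
    return $entries
}

# Constructed placeholder; substitute the path your scanner reported as "in use".
$target = 'C:\WINDOWS\system32\PLACEHOLDER-locked.dll'
Request-DeleteOnReboot -Path $target
Get-PendingFileRenames | Where-Object { $_.Source -ieq $target } | Format-Table -AutoSize
```

If the queued entry is missing when you read it back, the tool never registered the deletion (typically a permissions problem), which is worth knowing before you reboot and wait.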
  2. 2007/09/20
    Steve R Jones (SuperGeek, Staff)

  4. 2007/09/20
    JGB (Well-Known Member, Thread Starter)

    It was partially successful. Thank you.

    Can I temporarily suspend (by renaming) WINLOGON.EXE?

    It seems that the offending file is called by WINLOGON.EXE, which protects it, before the boot killer can load and get to it.
    The next call is from EXPLORER.EXE well down the boot process, and the boot killer should have deleted the file by then.
    JGB, #3
  5. 2007/09/20
    Miz (Inactive Alumni)

    This post will give you some things to do first.

    If, after all of that, the problem reappears (and there's a very good chance it will), read the fourth post in the thread I linked to above and post the resulting Hijack This log in the Removing Spyware and Viruses forum.
    Miz, #4
  6. 2007/10/02
    donniebnyc (Inactive)
  7. 2007/10/02
    TeMerc (Inactive Alumni)

    You should really post a log over in spyware & virus removal.

    A couple of newer variants won't remove without some 'brute force' tactics\tools.

    At the very least, VundoFix is needed. Trying to manually snag one file at a time is fruitless, so many of them are hidden from Windows. You're more likely to spend more time trying to catch the same files that morph than actually doing any good.

    Just my .02
  8. 2007/10/02
    WinCrazy (Inactive)
  9. 2007/10/03
    JGB (Well-Known Member, Thread Starter)

    I thought I posted my "fix" here, but that was probably in another tech BBS, so here is what I did....

    Where all other anti-virus, anti-spyware and boot file killers failed to kill Trojan.VirtuMonde, I found a simple way to kill it. This will also apply to any other Virus/Trojan that exploits the "File In Use" feature? of Windows.

    All A/V sites say this Trojan may well be impossible to kill manually and recommend a format as the final solution. Not on my PC, thanks.....

    All the other A/V's only reported the presence of this Trojan, and while they reported the culprit files names, they were only able to kill the ancillary files, but not the main .DLL file in C:\windows\system32\ which was protected from deletion by being called by WINLOGON.EXE very early in the boot process.

    This resulted in the message "File in use" at any attempt to delete or modify the file, thwarting all A/V programs or boot killers. Also, note that this Trojan changes the file name when it detects an intense A/V attack.

    But now I knew where and what file was the culprit.

    The key was to get to the file BEFORE WINLOGON loaded. Safe-mode will not work in this instance.

    I had a flash. Boot the system from floppy or CD. I booted with my original Windows XP CD and discovered "repair mode", which turns out to be a DOS-like tool.

    I did a DIR to the file and it was there.
    I did a DEL to the file, and it was GONE!!!!

    Exit and reboot, NO Trojan. And still not after a week, although it tried once to get on, but was stopped by AVast.

    I would also recommend the following process, before doing this,
    * Reboot normal but with the modem POWERED OFF. This seems to put the Trojan to sleep so you can work.
    * Do a scan with a good A/V on C:\Windows and the Internet cache directories to clean any ancillary files,
    * Then do a REGEDIT and delete or disable ALL references to the culprit file and any of the ancillaries. The A/V scan does not get them all.
    * Empty the recycle bin.
    * POWER OFF the PC, do NOT do a "shut down". Some malware do a restoration process during the shutdown cycle.
    * Then boot the Windows Install CD into repair mode and delete the file(s).
    * Exit and reboot normal.

    One other precaution. I now boot my PC with the modem POWERED OFF, then turn it on when Windows is fully up, but before you boot any web based s/w, i.e. your email.

    Keep this in your bag of tools in case someone gets an "in use" protected file that you can't otherwise get rid of.
    JGB, #8
  10. 2007/10/03
    TeMerc (Inactive Alumni)

    I don't know what av sites you visit, but I've never seen one where they recommend a reformat for Vundo.

    And as for all you went thru being an advisable way to remove Vundo, it's certainly a bit long in the tooth, although perhaps effective in your case.

    There are a couple of dedicated tools which can and do indeed remove just about all instances of Vundo automatically and in all likelihood do a better job at removing registry points that you could possibly find mostly because they have been tweaked by developers who analyze each and every variant to see exactly what changes are made to the system. And believe me, those variants can be quite tricky.

    And then turning off the modem at every reboot is just a tick paranoid. Unless you spend your days traversing the red light district and are constantly infected of course.
  11. 2007/10/03
    JGB (Well-Known Member, Thread Starter)

    No A/V site "recommended" a reformat. A few said it would be a last resort as Virtumonde is almost impossible to remove in some cases, like mine.

    As for my method being "long in the tooth", presumably old. Nowhere did I see a fix using Windows Repair Mode. All urge the use of 1 or more "best" tools. I tried at least 6 different tools (including VundoFix, Move-On-Boot), all highly recommended, none of which did the complete job. I still had Virtumonde resurrect itself next boot. And while they did remove a lot of files and registry entries, a few were left for me to delete. Most likely, I did not get them all, but they are silent now.

    And when I turn OFF the modem on boot, my boot time is about 55 seconds compared to over 2 minutes when ON, even with no virus present. I used Process Explorer to prove out the times. And while I was infected, Virtumonde was silent when the modem was off. It came alive within 10 seconds of my modem manually coming on-line. That is the main reason I now boot modem-off, not so much to disable any virus that may be present.

    The free AVast and Spyware Doctor work splendidly in combination, and do a far better job at scanning and "firewalling" than Norton or PC-Cillin ever did, with very little noticeable system slowing.

    You are the second expert to downplay my fix. You, and others as well, recommended the very same fixes that did not do the full job. My fix worked, and that's all that matters to me in the end. The trials and errors of killing this Trojan cost me over 4 full days of lost productivity. My fix, once I figured it out, took 10 minutes.
    JGB, #10
  12. 2007/10/03
    TeMerc (Inactive Alumni)

    I'm not downplaying your fix at all, I'm just saying there are better, more precise methods to fix the infection. I guess over the thousands of logs I have done I have relied on the tried and true methods which I have seen work on hundreds of thousands of users all over the world with far more than just Vundo.

    I've rarely ever seen a machine that just had Vundo on it, require a format. Vundo just isn't that damaging an infection in and of itself. As I sit here thinking, I know it's never happened to me. Occasionally a Vundo variant pops up with a tweak that may take a day or two to figure out, but they're never any sort of outbreak like Gromozon or Bube from a year or two ago.

    I have a fair idea how many of these infections work, waiting and always searching for a connection to call out for 'reinforcements'. I see the infections attack my router, looking for a network to spread. But Vundo is not usually the culprit here, but just along for the ride.

    I'd love to find out what else was on your machine as I'm very skeptical that there was the one file or even dozen, all only Vundo.

    And I'll stick by my opinion that turning off the router is not required for everyone, maybe you. Certainly not for most of the world.

    But I'm glad that you got your machine figured out.
  13. 2007/10/04
    JGB (Well-Known Member, Thread Starter)

    Just out of curiosity, are Vundo and Virtumonde the same beast?

    Because I had both at the same time. My scanners would call out different files under either name. The only thing I noticed was a similarity in the way they protected themselves, and the file naming conventions.

    VundoFix would do its job but was unable to remove the main .dll, and yet both Avast and SW.Dr. would then rescan and find Virtumonde files after VundoFix did its job.
    JGB, #12
  14. 2007/10/04
    TeMerc (Inactive Alumni)

    Yes, essentially they are the same thing, if there is any difference I've never read it specifically.

    The main problem with Vundo is getting the one rogue .dll that re-infects.

    VundoFix even has a secondary 'manual' file removal method because of this.

    There is no anti-spyware scanner on the Net able to remove this infection that I have seen, tho some may claim to remove it.
  15. 2007/10/04
    JGB (Well-Known Member, Thread Starter)

    Hence my "fix".

    Thanks,
    JGB, #14
  16. 2007/10/04
    TeMerc (Inactive Alumni)

    My reference to 'anti-spyware scanners' was one towards the likes of Ad-Aware, Spybot S&D, and all the other 'commercial' apps. VundoFix and other specialised tools like it, do not fall into that category in any way shape manner or form.