Getting rid of some nasty malware (xnev.exe and lsass.exe)


NOTE: Using CNET links so you feel safe downloading the software I have chosen. Many link back to the manufacturer page anyway, but you will see that CNET, a trusted source, is the starting point. This does not guarantee safety, but it sure increases your chances.

NOTE: This post deals with Vundo (aka Virtumonde) and the xnev.exe/lsass.exe virus (not sure of the actual name, nor do I care at this time; I will research the logs later and see if I have a name). The steps here are not guaranteed to get rid of all viruses and malware.

Yesterday, I got a nasty version of Vundo, aka Virtumonde, on my computer at work. I am not sure where it came from, as we are pretty heavily filtered, but I can state that our Trend Micro at work did not catch it. (Please note this should not be taken as a reason not to buy Trend Micro, as viruses and other malware are being developed all the time and NO product catches everything all the time.)

Rather than take the chance of not having a computer for a few days, I figured I would take a crack at the malware first and see if I could eradicate it. My first shot was with Spybot – Search and Destroy, which you can find on CNET’s download.com. The main reason for downloading this program was finding a deleted folder with that name, indicating the company had installed it at one time. Spybot – S&D has a neat tool that installs with it called TeaTimer, which allows you to stop the malware from making Registry changes. That is the theory, but the variant of Vundo I had was making changes so fast I could not guarantee I had killed all of its references prior to reboot.

I then shredded any files with what is now yesterday’s date in my system32 directory and at the root of my drive, etc. Not every file, but every file with a strange name. Looking back, killing every file might have worked. For this, I used Search and Destroy’s file shredder.

I did do some damage, and when I started shredding the files that were not running (using the file shredder in Spybot – Search and Destroy), the malware went into overdrive and started installing other malware. This is when xnev.exe and lsass.exe showed up at the root of the drive.

Here is how I killed xnev and lsass (or at least how I feel I killed them). The first thing was getting the computer off the network completely. Any network connection means the malware can call home for reinforcements.

I started with Search and Destroy, which missed them on reboot, although it killed other baddies on the machine. My next shot was with Malwarebyte’s Anti-Malware. It caught the malware and destroyed it, but it did not destroy the browser objects the malware installs, so the malware came back. I am sure that with some more seeking I could have found the root files that caused the problems. I then used Spyware Doctor (CNET download.com launch page). I did have to connect to the network to download the latest patches for the product, so I did it at the same time as Malwarebyte’s Anti-Malware (next step), so I only connected once.

If you go this route, you have two options:

  1. Pay for the product
  2. Manually delete the items it shows you

I chose the latter. This got rid of the browser plug-in that was making it hard to kill all this garbage. I then ran Malwarebyte’s Anti-Malware, which removed the xnev.exe and lsass.exe that were running from C:\. After reboot, I got into the registry and deleted the value for xnev.exe under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

The machine was now running normally again, but I was not satisfied that all the baddies were dead. Running Anti-Malware again with a full scan, I see 2 objects infected. They are in a System Restore point, so the next step is to turn off System Restore and kill off the remaining baddies. I will edit this once I have fully clean scans.

Here are the steps I would recommend, from my experience:

  1. Download Spybot – Search and Destroy, Malwarebyte’s Anti-Malware, and Spyware Doctor, and possibly some others. Having your tools ready before you get off the Internet is key.
  2. Install the programs and download the latest patches.
  3. Disconnect from the Internet completely (including wireless).
  4. Run all three programs.
  5. For Spyware Doctor, you will either have to purchase it or manually remove the entries it shows you, as far as possible.
  6. For the others, let them do their thing.
  7. Delete all temp files.
  8. Delete all Internet temp files.
  9. Turn off System Restore.
  10. Delete files created the day you were infected (this may not be easy), or files that have very strange names in your system32 directory. Take care here if you are a newbie at this, and use the products instead.
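As an added example (not from the original post), here is a PowerShell triage script that automates the checks behind steps 9 and 10 and the Run-key cleanup above: it lists Run-key autostart entries and flags ones launching from the drive root, reports any lsass.exe not running from System32 (the genuine one always does), and lists executables created recently in System32 or at the drive root. The two-day window and the paths are assumptions; it only reports and deletes nothing.

```powershell
# Added example, not code from the original post. Assumes a Windows host with
# PowerShell 3.0+; run elevated so process paths are readable. Read-only triage.
param([int]$DaysBack = 2)   # assumed window; adjust to the day you were infected

$cutoff = (Get-Date).AddDays(-$DaysBack)
$sys32  = Join-Path $env:SystemRoot 'System32'

# 1. Autostart values in the Run keys (where the post found the xnev.exe entry).
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata
        $cmd = [string]$p.Value
        # Extract the executable path: quoted form first, else the first token.
        if ($cmd -match '^"([^"]+)"') { $exe = $matches[1] } else { $exe = ($cmd -split '\s+')[0] }
        $flag = ''
        if ($exe -match '^[A-Za-z]:\\[^\\]+$') { $flag = '<-- launches from drive root' }
        "{0,-6} {1,-20} {2} {3}" -f $key.Split(':')[0], $p.Name, $cmd, $flag
    }
}

# 2. Any lsass.exe whose image is not the genuine one in System32.
Get-Process -Name lsass -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $_.Path    # null when not elevated; cannot be judged then
    if (-not $path) {
        "lsass.exe PID $($_.Id): path not readable, re-run elevated"
    } elseif ($path -notlike "$sys32\*") {
        "SUSPECT: lsass.exe PID $($_.Id) running from $path (genuine copy is in $sys32)"
    }
}

# 3. Executables created within the window in System32 or at the drive root (step 10).
$roots = @($sys32, "$env:SystemDrive\")
Get-ChildItem -Path $roots -Filter *.exe -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $cutoff } |
    Sort-Object CreationTime |
    Select-Object CreationTime, Length, FullName |
    Format-Table -AutoSize
```

Review the output by hand before deleting anything: legitimate updates can also create new executables in System32 on the same day, so a recent creation time alone is not proof of infection.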

You should do this as soon as you find malware on your computer, which you normally notice through slowdowns of the machine and possibly popups. If you start getting popups for strange places (porn sites, sites advertising anti-virus/malware products), you are probably infected. The quicker you find it, the better, as you can still see the files the malware installed.

Peace and Grace,
Greg
