marchant
Level 7

How to get rid of vundo.gen.ab

Hi, I am new to this, and I'm sure if I could search better I would find the answer, but I have done several full scans (I have turned off my system recovery while doing the full scan) and I still have vundo.gen.ab. My bigger problem is that for some reason I can't download the DAT or any updates from McAfee onto the computer that has the trojan; after I say that I agree and the new page tries to pop up, it says Internet Explorer cannot display the page. Help, any suggestions on how to solve this?

11/6 1:20 pm, Just want to say thanks to the three of you for so much help. I am at work right now so can't run the programs that have been suggested. I will tonight and let you know how it works. Again, thank you very much.

Message was edited by: marchant on 11/6/09 11:21 AM
exbrit
Level 21

Re: How to get rid of vundo.gen.ab

Try running the free versions of these two tools. Update them before running and let them remove anything they find. Reboot immediately if asked to.

http://www.superantispyware.com/superantispywarefreevspro.html

http://www.malwarebytes.org/mbam.php

If that fails then download Hijackthis and post its log on one of the following forums for expert help:

DOWNLOAD HIJACKTHIS

Do not post the log here, we can't help!

Post the logs at a specialist Forum:

AUMHA FORUM

BLEEPING COMPUTER FORUM

GEEKS TO GO FORUM

MAJOR GEEKS FORUM

MALWAREBYTES FORUM

MALWARE REMOVAL FORUM

SPYWAREHAMMER FORUM

SPYWARE INFO FORUM

WHAT THE TECH FORUM

Be sure to read all the sticky announcements/instructions at the top of each malware forum!

Rsteven1
Level 7

Re: How to get rid of vundo.gen.ab

Cleaning Vundo

Removing a Vundo infection is often difficult, due to the in-built protection mechanism employed by the Trojan.

Certain variants of the Vundo Trojan are especially difficult to remove. Current DAT and Engine functionality does not yet provide an automatic method to fully remove this threat if it is active in memory. However, a combination of manual and DAT/Engine removal methods does allow for successful removal of this threat.

Instructions

1. Download Process Explorer (procexp.exe) from Sysinternals

2. Reboot the infected machine

3. Launch the VirusScan On-Demand Scanner (ODS), or the command-line scanner, but don't initiate the scan yet

4. Run Process Explorer and suspend the Explorer.exe, Winlogon.exe, lsass.exe and rundll32.exe processes (right-click on these process names and choose Suspend)

5. Scan & clean with the current DAT files and engine (the Window launched in step 3 above) [there will be clean failures, that is expected]

6. Physically power the machine off and back on (a hard reset is required, as Windows will not shut down without Winlogon.exe running, and resuming that process would revert the changes made by the scanner).

These steps will remove all relevant registry entries and identified Vundo components.

If this proves to be unsuccessful, then we may need to seek out infected files on the system that are going undetected. Post back with your results of the above and, if we need to, I can show the way to find the files that are needed.

Ron

Message was edited by: Rsteven1 on 11/5/09 9:12 PM
exbrit
Level 21

Re: How to get rid of vundo.gen.ab

The person said they are new at this...

Rsteven1 wrote:

3. Launch the VirusScan On-Demand Scanner (ODS), or the command-line scanner, but don't initiate the scan yet

4. Run Process Explorer and suspend the Explorer.exe, Winlogon.exe, lsass.exe and rundll32.exe processes (right-click on these process names and choose Suspend)

5. Scan & clean with the current DAT files and engine (the Window launched in step 3 above) [there will be clean failures, that is expected]


so it might be a good idea to spell out how to do this. That's why I posted what I did. VirusScan will never get rid of Vundo in a month of Sundays. New variations appear almost daily, and the first tool I listed should clean it up easily; if not, the second one surely will.

Message was edited by: Ex_Brit on 11/6/09 4:58 AM
Rsteven1
Level 7

Re: How to get rid of vundo.gen.ab

VirusScan WILL get rid of Vundo as long as it's not a variant that we are not aware of. The process I describe should clean this with no problem. The user says they are having a hard time getting rid of Vundo, which seems to me that detection is occurring, just not getting cleaned all the way. This has to do with the way Vundo infects the memory. I don't know how much more spelled out I can get; it's as easy as 1, 2, 3.

We can always resort to MalwareBytes. All the application has is heuristics drivers for detection. If that's the case, let's enable Artemis with "high sensitivity" and VirusScan can do the same. The issue with MalwareBytes is that most detections are MD5 based and just a top-level detection and deletion, which has limited cleaning capabilities.

NOTE: I have gotten rid of known variants of Vundo using this process many times.

I have attached a document to help educate everyone on how Vundo infects systems and the best method of cleaning. This document was written by McAfee Labs (formerly AVERT).

WHO DAT 7-0

Thanks for the heads up Brit. Document now attached.

Ron

Message was edited by: Rsteven1 on 11/6/09 7:35 AM
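The post above contrasts exact-hash (MD5) detections with generic detections that survive the small changes new variants introduce. The following added example, written for this thread and not taken from any McAfee or Malwarebytes code, illustrates that difference on constructed byte strings (no real malware involved): a one-byte change defeats the MD5 signature but not the pattern-based generic one. The sample contents, the marker string and the signature names are all made up for illustration.

```python
import hashlib
import re

# Constructed sample "files" for illustration only; these are not real malware.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"A" * 32 + b"vundo-marker-XYZ" + b"B" * 32
# A "new variant": identical except for a single byte in the padding.
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"A" * 32, b"A" * 31 + b"C", 1)
CLEAN_FILE = b"MZ\x90\x00" + b"hello world" * 4

# Hash-based signature database: matches only the exact bytes of the known sample.
MD5_SIGNATURES = {hashlib.md5(KNOWN_SAMPLE).hexdigest(): "Vundo.known"}

# Generic signature: a byte pattern shared by the whole family (hypothetical marker).
GENERIC_PATTERNS = [(re.compile(rb"vundo-marker-[A-Z]{3}"), "Vundo.gen")]


def md5_detect(data: bytes):
    """Return the signature name if the file's MD5 is in the database, else None."""
    return MD5_SIGNATURES.get(hashlib.md5(data).hexdigest())


def generic_detect(data: bytes):
    """Return the generic signature name if any family pattern occurs, else None."""
    for pattern, name in GENERIC_PATTERNS:
        if pattern.search(data):
            return name
    return None


def scan(data: bytes) -> dict:
    """Run both detection methods and report what each one sees."""
    return {"md5": md5_detect(data), "generic": generic_detect(data)}


if __name__ == "__main__":
    for label, blob in (("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE), ("clean", CLEAN_FILE)):
        print(label, scan(blob))
```

Run as-is: the known sample is caught by both methods, the one-byte variant only by the generic pattern, and the clean file by neither. This is why a hash-only database needs an update for every new build, while a generic (".gen") detection such as the one named in this thread keeps working until the family's shared code changes.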
exbrit
Level 21

Re: How to get rid of vundo.gen.ab

Rsteven1 wrote:

VirusScan WILL get rid of Vundo as long as it's not a variant that we are not aware of. The process I describe should clean this with no problem. The user says they are having a hard time getting rid of Vundo, which seems to me that detection is occurring, just not getting cleaned all the way. This has to do with the way Vundo infects the memory. I don't know how much more spelled out I can get; it's as easy as 1, 2, 3.

We can always resort to MalwareBytes. All the application has is heuristics drivers for detection. If that's the case, let's enable Artemis with "high sensitivity" and VirusScan can do the same. The issue with MalwareBytes is that most detections are MD5 based and just a top-level detection and deletion, which has limited cleaning capabilities.

NOTE: I have gotten rid of known variants of Vundo using this process many times.

I have attached a document to help educate everyone on how Vundo infects systems and the best method of cleaning. This document was written by McAfee Labs (formerly AVERT).

WHO DAT 7-0

Ron

OK Ron, if you say so, but I would need a lot of proof to convince me.

Message was edited by: Ex_Brit on 11/6/09 10:25 AM
marchant
Level 7

Re: How to get rid of vundo.gen.ab

Hi Brit, unfortunately I could not download any of the three things you suggested (Malwarebytes, SuperAntiSpyware or HijackThis). HijackThis did what the DAT downloads did, which was just come up with the Explorer message that the page cannot be shown; the other two had error messages: SuperAntiSpyware said it was not a valid Win32 application and didn't seem to let me download, and Malwarebytes seemed to let me download, then sort of disappeared, and when I try to run it I get two different popups about "bad images". I will move on to the next post and see how that works.

exbrit
Level 21

Re: How to get rid of vundo.gen.ab

Oh dear, that doesn't sound good. The next thing to try, if you have access to another machine that can burn a CD, is a boot CD that one of our experts has made, which should work in cases like this:

http://community.mcafee.com/thread/6923

marchant
Level 7

Re: How to get rid of vundo.gen.ab

Thanks Peter, can I download this program to the infected computer, or should I burn it off a different one (I can do that)? Also, I tried the Process Explorer solution, but I kept freezing when I tried to get the virus scan to run after I suspended the processes; also, I couldn't find rundllew.exe.

Lorna

exbrit
Level 21

Re: How to get rid of vundo.gen.ab

Use a separate machine for that.
