19 Replies. Latest reply on Nov 7, 2009 11:20 AM by secured2k

    How to get rid of vundo.gen.ab

      Hi, I am new to this, and I'm sure if I could search better I would find the answer, but I have done several full scans. I have turned off my system recovery while doing the full scan, but I still have vundo.gen.ab. My bigger problem is that for some reason I can't download the DAT or any updates from McAfee onto the computer that has the trojan; after I say that I agree and the new page tries to pop up, it says Internet Explorer cannot display the page. Help, any suggestions on how to solve this?

      11/6 1:20 pm, Just want to say thanks to the three of you for so much help. I am at work right now so can't run the programs that have been suggested. I will tonight and let you know how it works. Again, thank you very much....

      Message was edited by: marchant on 11/6/09 11:21 AM
        • 1. Re: How to get rid of vundo.gen.ab
          Peter M

          Try running the free versions of these two tools. Update them before running and let them remove anything they find. Reboot immediately if asked to.

          http://www.superantispyware.com/superantispywarefreevspro.html

          http://www.malwarebytes.org/mbam.php

          If that fails then download HijackThis and post its log on one of the following forums for expert help:

          DOWNLOAD HIJACKTHIS

          Do not post the log here, we can't help!

          Post the logs at a specialist forum:

          AUMHA FORUM
          BLEEPING COMPUTER FORUM
          GEEKS TO GO FORUM
          MAJOR GEEKS FORUM
          MALWAREBYTES FORUM
          MALWARE REMOVAL FORUM
          SPYWAREHAMMER FORUM
          SPYWARE INFO FORUM
          WHAT THE TECH FORUM

          Be sure to read all the sticky announcements/instructions at the top of each malware forum!

          • 2. Re: How to get rid of vundo.gen.ab

            Cleaning Vundo

            Removing a Vundo infection is often difficult, due to the in-built protection mechanism employed by the Trojan.

            Certain variants of the Vundo Trojan are especially difficult to remove. Current DAT and Engine functionality does not yet provide an automatic method to fully remove this threat if it is active in memory. However, a combination of manual and DAT/Engine removal methods does allow for successful removal of this threat.

            Instructions

            1. Download Process Explorer (procexp.exe) from Sysinternals
            2. Reboot the infected machine
            3. Launch the VirusScan On-Demand Scanner (ODS), or the command-line scanner, but don't initiate the scan yet
            4. Run Process Explorer and suspend the Explorer.exe, Winlogon.exe, lsass.exe and rundll32.exe processes (right-click on these process names and choose Suspend)
            5. Scan & clean with the current DAT files and engine (the window launched in step 3 above) [there will be clean failures; that is expected]
            6. Physically power the machine off and back on (a hard reset is required, as Windows will not shut down without Winlogon.exe running, and resuming that process will revert the changes made by the scanner).

            These steps will remove all relevant registry entries and identified Vundo components.

            If this proves to be unsuccessful then we may need to seek out infected files on the system that are going undetected. Post back with your results of the above and if we need to I can show the way to find the files that are needed.

            Ron

            Message was edited by: Rsteven1 on 11/5/09 9:12 PM
            • 3. Re: How to get rid of vundo.gen.ab
              Peter M

              The person said they are new at this..

              Rsteven1 wrote:

              3. Launch the VirusScan On-Demand Scanner (ODS), or the command-line scanner, but don't initiate the scan yet
              4. Run Process Explorer and suspend the Explorer.exe, Winlogon.exe, lsass.exe and rundll32.exe processes (right-click on these process names and choose Suspend)
              5. Scan & clean with the current DAT files and engine (the window launched in step 3 above) [there will be clean failures; that is expected]

              so it might be a good idea to spell out how to do this. That's why I posted what I did. VirusScan will never get rid of Vundo in a month of Sundays. New variations appear almost daily, and the 1st tool I listed should clean it up easily; if not, the second one surely will.

              Message was edited by: Ex_Brit on 11/6/09 4:58 AM
              • 4. Re: How to get rid of vundo.gen.ab

                VirusScan WILL get rid of Vundo as long as it's not a variant that we are not aware of. The process I describe should clean this with no problem. The user says they are having a hard time getting rid of Vundo, which seems to me that detection is occurring, it's just not getting cleaned all the way. This has to do with the way Vundo infects the memory. I don't know how much more spelled out I can get; it's as easy as 1, 2, 3.

                We can always resort to MalwareBytes. All the application has is heuristics drivers for detection. If that's the case let's enable Artemis with "high sensitivity" and VirusScan can do the same. The issue with MalwareBytes is that most detections are MD5 based and just a top level detection and deletion, which has limited cleaning capabilities.

                NOTE: I have gotten rid of known variants of Vundo using this process many times.

                I have attached a document to help educate everyone on how Vundo infects systems and the best method of cleaning. This document was written by McAfee Labs (formerly AVERT).

                WHO DAT 7-0

                Thanks for the heads up Brit. Document now attached.

                Ron

                Message was edited by: Rsteven1 on 11/6/09 7:35 AM
                • 5. Re: How to get rid of vundo.gen.ab
                  Peter M

                  Rsteven1 wrote:

                       VirusScan WILL get rid of Vundo as long as it's not a variant that we are not aware of. The process I describe should clean this with no problem. The user says they are having a hard time getting rid of Vundo, which seems to me that detection is occurring, it's just not getting cleaned all the way. This has to do with the way Vundo infects the memory. I don't know how much more spelled out I can get; it's as easy as 1, 2, 3.

                       We can always resort to MalwareBytes. All the application has is heuristics drivers for detection. If that's the case let's enable Artemis with "high sensitivity" and VirusScan can do the same. The issue with MalwareBytes is that most detections are MD5 based and just a top level detection and deletion, which has limited cleaning capabilities.

                       NOTE: I have gotten rid of known variants of Vundo using this process many times.

                       I have attached a document to help educate everyone on how Vundo infects systems and the best method of cleaning. This document was written by McAfee Labs (formerly AVERT).

                       WHO DAT 7-0

                       Ron

                  OK Ron, if you say so, but I would need a lot of proof to convince me.

                  Message was edited by: Ex_Brit on 11/6/09 10:25 AM
                  • 6. Re: How to get rid of vundo.gen.ab

                    Hello,

                    Years ago I created a tool (that should not be used anymore) called VirtumundoBeGone that automated pausing/killing the system processes and removing the registry entries and files associated with this virus. The virus has evolved to a point where the infections load in explorer.exe, lsass.exe, and rundll32.exe in addition to the original winlogon.exe and iexplore.exe processes. These are all legitimate Windows programs that are injected with the virus code in attempts to replicate and protect itself. Unless these processes are all stopped/paused/killed, the virus scanner will not be able to completely remove the infection.

                    While McAfee has done a good job to detect Vundo, the malware uses methods of encryption to prevent detection. I would suggest, in addition to using a McAfee scanner, to also check your computer with MalwareBytes (www.malwarebytes.org/mbam.php). It uses a combination of methods and heuristics to give it a better detection rate for Vundo. Another benefit of this program is the ability to recognize the registry entries and remove them. This will prevent the virus from starting up and protecting itself the next time the system is started, even if the bad files cannot be detected by the scanners. Since it uses a kernel mode boot driver to stop bad drivers, make registry changes, and delete files on its own, it does not require the processes to be stopped or paused for repair.
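                    The reply above and Ron's steps in reply 2 both turn on the same point: the infection lives as code loaded into legitimate Windows processes, so those hosts have to be inspected (and suspended) before a scan can clean anything. The following PowerShell snippet is an added read-only triage example, not a tool from this thread, from McAfee or from the VirtumundoBeGone author: it lists the DLLs loaded into the five processes named above and flags any module that sits outside the Windows directory or lacks a valid Authenticode signature. It assumes an elevated session and a PowerShell version that provides Get-AuthenticodeSignature and [pscustomobject]; the process list is the thread's, not a complete list of possible hosts.

```powershell
# Added triage example, not code from the thread. Read-only: it reports and
# changes nothing. Process names are the ones the replies above say Vundo
# injects into; run from an elevated prompt so lsass/winlogon are readable.
$targets = 'explorer', 'winlogon', 'lsass', 'rundll32', 'iexplore'
$winDir  = [System.Environment]::GetFolderPath('Windows')

function Get-SuspectModules {
    param([string[]]$ProcessNames = $targets)
    foreach ($name in $ProcessNames) {
        foreach ($proc in Get-Process -Name $name -ErrorAction SilentlyContinue) {
            # Reading .Modules of a protected process throws when not elevated;
            # treat that as "nothing readable" rather than aborting the sweep.
            $modules = try { @($proc.Modules) } catch { @() }
            foreach ($m in $modules) {
                $path = $m.FileName
                if (-not $path) { continue }
                $inWindows = $path.StartsWith($winDir, [System.StringComparison]::OrdinalIgnoreCase)
                $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
                $signed = ($null -ne $sig) -and ($sig.Status -eq 'Valid')
                # Report anything out of the Windows tree or without a valid signature.
                if (-not $inWindows -or -not $signed) {
                    [pscustomobject]@{
                        Process   = '{0} ({1})' -f $proc.ProcessName, $proc.Id
                        Module    = $path
                        InWindows = $inWindows
                        Signed    = $signed
                        Status    = if ($sig) { $sig.Status } else { 'Unknown' }
                    }
                }
            }
        }
    }
}

$findings = @(Get-SuspectModules)
if ($findings.Count -gt 0) {
    $findings | Sort-Object Process, Module | Format-Table -AutoSize
} else {
    'No out-of-tree or unsigned modules found in the monitored processes.'
}
```

                    On older systems many OS files are catalog-signed rather than embedded-signed and will show Status NotSigned, so InWindows = False is the stronger signal; a hit there is exactly the host process Ron's steps say to suspend before scanning.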

                    • 7. Re: How to get rid of vundo.gen.ab

                      Also, MalwareBytes may repair other problems that may be causing blocked web sites like McAfee. If you would like a quick scan of your computer using a self-contained McAfee scanner, please try the following tool I created. When it is done, it will show a log file that you can post to see if McAfee picked up and cleaned anything.

                      QuickScan

                      • 8. Re: How to get rid of vundo.gen.ab

                        Hi Brit, unfortunately I could not download any of the three things you suggested (malware, spy or highjacker). Highjacker did what the DAT downloads did, which was just come up with the Explorer message that the page can not be shown; the other two had error messages: SUPERAntiSpyware was not a valid Win32 application, didn't seem to let me download, and Malware seemed to let me download then sort of disappeared, and when I try to run it I get two different popups about "bad images". I will move on to the next post and see how that works.

                        • 9. Re: How to get rid of vundo.gen.ab
                          Peter M

                          Oh dear, that doesn't sound good. Next try would be, if you have access to another machine that can burn a CD, one of our experts had made a BootCD which should work in cases like this:

                          http://community.mcafee.com/thread/6923