9 Replies Latest reply: Apr 1, 2009 4:35 AM by Ex_Brit

    Warning to McAfee and subscribed users

      Hi, I would like to first state that I'm very dissatisfied with my McAfee Security Center and McAfee's apparent inability to STOP a virus or to identify the packet of sub-viruses that this virus planted on my computer. Let's start with the day I had to roll my computer back to a previous restore point. Then, when I had to re-install McAfee, I got this odd message from McAfee that I had to remove my Spybot Search & Destroy (never had to do this before) so that McAfee could install. I did so and installed. I figured maybe McAfee was now good enough to brazenly state "we can do better, get rid of this", so I never reloaded Spybot S&D. In hindsight, I guess maybe I shouldn't have put that much faith in it, and neither should you. Here's what happened Sunday.
      My daughter was downloading music for her iPod from Apple when she saw McAfee mention that wpv551232895578.cpx wanted internet access; she denied it. McAfee mentioned that wpv721232670442.cpx wanted internet access; she denied it. A virus warning popped up: virus file Vundo!grb in a file etcidpqk.tmp in C:\Windows\System32. She didn't tell me about it; she figured all was OK.
      My wife later says "Why is my account trying to contact the internet? And what is this security balloon?" I come upstairs and up pops Internet Explorer trying to search for snbsearch.com. Windows Update SAYS it is not turned on and I turn it on. 2 minutes later it is "disabled"... I check, it is enabled as it should be, but it refuses to re-enable from the screen where it says to click there to enable it. I try to get to Control Panel; it takes a really long time to get in. I reboot the PC. Explorer.exe is having a hard time shutting down... it tries twice with two of those "file is busy" messages, then it says it can't message and Windows closes all on its own. Boot OK. Up pops something trying to connect to the internet all on its own. I connect to get the latest McAfee update; up pops a web site about once every 5 minutes... it seems to run a pattern, but not always. If you search for something, it too may hunt for your request; when it does bring up sites they are "real" sites and not the old "I can't find it".
      Close out of the internet and run a full scan; it finds what was the tmp file, now as an ini, and something stuck in the now Windows automated system backup. I manually search and find wpv551232895578.cpx sitting in C:\Windows\System32 and manually delete it. Kill the viruses, run another scan; again the backup got another. I look up Vundo!grb and it says to be sure to stop the system backup. I look in here and the one and ONLY backup is 3 minutes after infection. Kill the backup, scan full again, clean. Use the Quick Clean that looks for registry orphans etc... kind of like the Windows version of this where it can delete the items in the recycle bin etc. Download Spybot Search & Destroy and find what you see below. I kill these and immunize files.

      Smitfraud-C.: [SBI $99619F8C] Settings (Registry key, nothing done)

      Smitfraud-C.: [SBI $99619F8C] Settings (Registry key, nothing done)
      HKEY_USERS\S-1-5-21-1969495163-134034212-909423319-1006\Software\Microsoft\inst key

      Smitfraud-C.: [SBI $99619F8C] Settings (Registry key, nothing done)
      HKEY_USERS\S-1-5-21-1969495163-134034212-909423319-1007\Software\Microsoft\inst key

      Virtumonde: [SBI $8F2A4A7E] Class ID (Registry key, nothing done)

      Virtumonde.generic: [SBI $1BB1339D] Browser helper object (Registry key, nothing done)
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

      Virtumonde.generic: [SBI $2F10E03B] Settings (Registry value, nothing done)
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

      Virtumonde: [SBI $109A62D0] Executable (File, nothing done)

      Virtumonde: [SBI $4D2BC948] Settings (Registry key, nothing done)

      Virtumonde: [SBI $779C9C0D] Settings (Registry key, nothing done)

      Virtumonde: [SBI $FD08B4B7] Configuration file (File, nothing done)

      Virtumonde: [SBI $2A2DCEAC] Configuration file (File, nothing done)

      Virtumonde.prx: [SBI $3F5CA9DA] Autorun settings (1cf0e3be) (Registry value, nothing done)

      Virtumonde.prx: [SBI $3F5CA9DA] Program file (File, nothing done)

      Virtumonde.sci: [SBI $D87CA6BD] Class ID (Registry value, nothing done)
      HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\= ...C:\WINDOWS\system32\byXPFXoM.dll...

      --- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

      Reboot. Only slightly better. Do another full McAfee scan, nothing. Spybot S&D scan again, finds half as much but still finding some of the same stuff. I look on the internet under Wikipedia about Virtumonde and it says it is part of the Vundo!grb family... and to get rid of it I should try one of 3 programs. I get MalwareBytes... This does twice as well as Spybot S&D: it finds 24 things wrong and I fix them, with some of them being killed on the next reboot. All fixed after 12 hours and 4 hours of missed sleep.

      My beef is, why do I pay McAfee to protect me when it couldn't even kill the full virus upon entry (the etcidpqk.ini after the kill of the etcidpqk.tmp) and couldn't even identify the other 24 items found on my PC? The definition of Vundo! on the web should be redefined as "also a potential packet of malware including family member Virtumonde; please use xxxx to find and search for other malware components we can't find" instead of leaving me hanging with:
      "Characteristics -
      These files by themselves are not executable, and therefore cannot exhibit malicious behavior without other components of the malware. The presence of these files may indicate that a variation of the Vundo malware has been executed on the host in which the detection occurred.

      Symptoms -
      Presence of various files associated with Vundo malware.


      Use current engine and DAT files for detection and removal.

      Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher)."
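
      As an added example (not part of the original post, and not McAfee's or Spybot's own tooling), the following PowerShell script walks the three persistence locations that the Spybot log above lists, the Browser Helper Objects key, the ShellExecuteHooks key, and each CLSID's InprocServer32 mapping, and reports which DLL every registered entry actually loads. It assumes an elevated PowerShell session on the affected machine. The only hard-coded value is the CLSID taken from the log; the wpv<digits>.cpx filename pattern at the end is an assumption generalised from the two filenames in the post.

```powershell
# Added example, not from the original post: enumerate the Internet Explorer /
# shell persistence points that the Spybot log above shows Vundo using, and
# resolve each registered CLSID to the DLL it loads. Run in an elevated
# PowerShell session on the affected machine. The CLSID in $knownBad is the one
# from the log; everything else is read from the local registry.

$bhoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$hookKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$knownBad = @('{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}')   # from the Spybot log in the post

# Map a CLSID to its in-process server DLL, checking the machine hive first and
# then the user hive (a per-user registration shadows the machine-wide one).
function Resolve-Clsid {
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $clsidKey = Join-Path $root $Clsid
        $inproc   = Join-Path $clsidKey 'InprocServer32'
        if (Test-Path $inproc) {
            return [pscustomobject]@{
                Clsid = $Clsid
                Hive  = $root
                Name  = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
                Dll   = (Get-ItemProperty -Path $inproc).'(default)'
            }
        }
    }
    # Registered as a BHO/hook but no server key: an orphan left after a partial clean.
    [pscustomobject]@{ Clsid = $Clsid; Hive = $null; Name = $null; Dll = $null }
}

# BHOs are subkeys named by CLSID.
function Get-Bho {
    if (Test-Path $bhoKey) {
        Get-ChildItem -Path $bhoKey | ForEach-Object { Resolve-Clsid $_.PSChildName }
    }
}

# ShellExecuteHooks are *values* named by CLSID (the data is usually empty).
function Get-ShellExecuteHook {
    if (Test-Path $hookKey) {
        (Get-ItemProperty -Path $hookKey).PSObject.Properties |
            Where-Object { $_.Name -like '{*}' } |
            ForEach-Object { Resolve-Clsid $_.Name }
    }
}

# Heuristic for the pattern in the post: a CLSID already known from the log, an
# orphaned or dangling registration, or an entry with no friendly name whose DLL
# sits directly in System32 without a valid Authenticode signature. Legitimate
# but unsigned add-ons will also trip this; it is a triage list, not a verdict.
function Test-Suspicious {
    param($Entry)
    if ($knownBad -contains $Entry.Clsid) { return $true }
    if (-not $Entry.Dll)                 { return $true }   # orphaned registration
    if (-not (Test-Path $Entry.Dll))     { return $true }   # points at a missing file
    $inSystem32 = $Entry.Dll -like "$env:SystemRoot\system32\*.dll"
    $signed     = (Get-AuthenticodeSignature -FilePath $Entry.Dll).Status -eq 'Valid'
    return ($inSystem32 -and -not $signed -and -not $Entry.Name)
}

$entries = @(Get-Bho) + @(Get-ShellExecuteHook)
$entries |
    Select-Object Clsid, Name, Dll, @{ Name = 'Suspicious'; Expression = { Test-Suspicious $_ } } |
    Format-Table -AutoSize

# The post also found wpv<digits>.cpx and etcidpqk.tmp/.ini dropped in System32.
# The filename regex below generalises from those two names and is an assumption;
# the 7-day window simply surfaces anything recently written with those extensions.
Get-ChildItem -Path "$env:SystemRoot\system32\*" -Include '*.cpx', '*.tmp', '*.ini' |
    Where-Object { -not $_.PSIsContainer } |
    Where-Object { $_.Name -match '^wpv\d+\.cpx$' -or $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    Select-Object Name, Length, LastWriteTime
```

      The point of resolving the CLSID rather than just deleting the BHO or hook value is that Vundo re-creates those registrations from its DLL on the next boot, so the DLL path under InprocServer32 is the thing that actually needs to go. A ShellExecuteHook DLL is loaded into every process that calls ShellExecute, explorer.exe included, which is also why such a DLL is usually "in use" when you try to delete it while the shell is running; a safe-mode or offline deletion, or one of the specialist tools the later replies recommend, is the practical way round that.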
        • 1. the customer service answer
          Not that anyone has read my post, but if you're interested, here's your typical "scripted for dummies" reply from customer service...
          Thank you for contacting McAfee Customer Service.

          I understand that McAfee is unable to detect the threats which are detected by other security software.

          xxx, when you browse certain websites which have malicious content, McAfee always alerts you with a popup stating a warning. These are warnings that programs or unwanted software may be downloaded to your computer; if you happen to ignore them or bypass them by accepting, chances are that spyware might infect your computer. To ensure that you remain protected, you should refrain from visiting malicious websites, or when you receive any alerts please verify the message before accepting. Also, I would suggest that you use McAfee SiteAdvisor (free) to protect you from malicious websites and to prevent this type of incident in future.

          Your service request for this incident is 249xxxxxxx.

          You may receive an email survey regarding the level of service I have provided. We would appreciate if you can take the time to accomplish this survey and provide valuable feedback that will help us provide the best possible customer service.

          I hope I have addressed and satisfied all of your concerns. If you require further assistance, please reply to this email including the previous correspondence.

          For all of your Customer Service and Technical Support needs, please visit https://service.mcafee.com


          xxxxx x x,
          McAfee CS-Tier 1

          Safe online? Avoid dangerous web sites using McAfee SiteAdvisor™ — a FREE download from http://www.siteadvisor.com?cid=27092. Don’t search or surf without it!

          Be aware I couldn't go into detail because it's customer service and not technical support, and the web page only allows so much room for explanation. But I did mention to see this post for more detail. In reply, I then posed the question: if McAfee was doing its job and FINDING spyware/malware, I wouldn't have gotten the virus that gave me the packet of malware that they couldn't detect in the first place or the last place... and also, what is so malicious about visiting Apple to download music (how this got started or triggered, and how the order and timing of things PROVES this fact)? I will poke Apple about this also... but I'm sure the basic answer from them will be that it's my job to have a proper virus protection program on my PC and they are not responsible for what I download from them, and then to read the blah, blah, blah policy......
          • 2. oh, did I forget to mention
            Oh, did I forget to mention, I have Security Center 9... with Virus and Firewall parts active until 9/2009... do you all feel this is enough, or do I need MORE protection?
            • 3. RE: oh, did I forget to mention
              lol, same exact scenario except the iPod...

              It's like they sell the product, then tell you it's your fault for going online...

              I know mine was working and I didn't bypass the security warning, and some McAfee hoser sent me that same email too...

              Wonder how many times that gets copy/pasted per day????
              • 4. RE: oh, did I forget to mention

                Also, keep handy this link to Kaspersky's Online Scanner:

                It has found stuff that McAfee missed.
                • 5. RE: oh, did I forget to mention
                  Read any reliable malware forum out there and they will tell you that there is no such thing as the perfect protection software. What Kaspersky or Norton finds one day that McAfee misses, the next day McAfee will find something that they miss.

                  Vundo/Virtumonde etc. is an extremely prolific malware, new versions of which appear daily, sometimes several times a day and is an extremely tough one to crack.

                  Whilst it is essential to have one (and only one, or they will clash) software firewall and anti-virus application installed, we also advise people to add at least one good anti-spyware application to their protection repertoire. See THIS page for more information. A hardware firewall such as those found in routers is also a good idea, as it won't interfere with the software one.

                  The best way to stay infection-free is to avoid risky websites, be extra careful what you download, avoid file-sharing and take extra care when opening any attachments that people send you.

                  If you don't believe me then read some of the malware forums. Here's a selection of just a few of the many out there.

                  AUMHA FORUM

                  GEEKS TO GO FORUM

                  MAJOR GEEKS FORUM

                  MALWAREBYTES FORUM

                  MALWARE REMOVAL FORUM

                  SPYWAREHAMMER FORUM

                  SPYWARE INFO FORUM

                  WHAT THE TECH FORUM

                  Lastly, when posting about an infection post in "Virus Discussions & Removal Assistance" where you will get help much more quickly than in the general forums and always include full details of your operating system, service pack and the version numbers of your installed McAfee software.

                  From the link I posted earlier you could probably benefit from the free version of this tool: http://www.superantispyware.com/superantispywarefreevspro.html

                  Moving this thread from Security Center 9 2009 to Virus Discussions & Removal Assistance.
                  • 6. Vundo
                    Okay, from a quick web search it appears we have 'contracted' VUNDO (plus other Trojans) today, 31 March 2009. I have McAfee Security Centre, updated. My question is this: given the problems I have read from other users in these forums about McAfee not picking up VUNDO (some dated in Feb), how is it that my system could be infected by that same malware NOW?

                    I'm also having the update/not fully protected/confirm subscription problem mentioned elsewhere, and have just about had enough of McAfee.

                    Can someone from McAfee please explain why my system is infected with Vundo. Haven't got a clue how I can fix it but will try other programs as advised in these pages.

                    • 7. RE: Vundo
                      It's already clearly explained above. Vundo is extremely prolific and anti-virus applications, no matter which brand, can't defend against it fully.

                      Try the SuperAntiSpyware link I posted just before your post, and if that doesn't help then download HijackThis and post its log on one of those forums, in the same post.

                      DOWNLOAD HIJACKTHIS

                      Do not post the log here, we can't help!

                      Post the logs at a specialist Forum:

                      AUMHA FORUM

                      BLEEPING COMPUTER FORUM

                      GEEKS TO GO FORUM

                      MAJOR GEEKS FORUM

                      MALWAREBYTES FORUM

                      MALWARE REMOVAL FORUM

                      SPYWAREHAMMER FORUM

                      SPYWARE INFO FORUM

                      WHAT THE TECH FORUM

                      Be sure to read all the sticky announcements/instructions at the top of each malware forum!
                      • 8. RE: Vundo

                        As a (once) respected and large AV purveyor, the VERY LEAST that McAfee should have done is put out an email warning about this Trojan, for the very reasons you have given above (prolific, complex, currently not all variants can be fixed by McAfee or other AV apps). Such an alert would have given me the opportunity to shut down my daughter's access to music download sites, for example.

                        The fact that McAfee hasn't bothered says a lot about the company's current attitude to customers. We don't expect miracles, but a level of concern and consideration should come with the reputation (and fees). It's one thing to have glossy brochures, quite another to maintain a basic level of communication with customers. In the case of Vundo I would say that McAfee has dropped the ball.

                        It's still not too late to warn customers about Vundo....
                        • 9. RE: Vundo
                          If that were the policy you would be receiving at least 150 emails a day from McAfee alone.

                          NO anti-virus vendor would even think of spamming its customers in such a manner with unsolicited emails.

                          Sorry, that isn't a good suggestion.

                          You can, however, sign up for a McAfee Threat Center newsletter here: http://www.mcafee.com/us/threat_center/securityadvisory/signup.aspx
                          (Main Threat Center page here: http://www.mcafee.com/us/threat_center/default.asp )

                          Keep your Windows, associated add-ons (Java and suchlike) and anti-virus up to date, surf wisely, be extremely careful what files you download and who you let into your machine, take care when opening emails, particularly from an unknown source, and keep some up-to-date anti-spyware handy as listed HERE.

                          Vundo has been on McAfee's books since 2004 as listed HERE, but as I stated earlier, so many new variants of it appear daily that NO anti-virus can keep up with it. That's where those specialised tools come in.

                          Now, as this was someone else's thread originally, I'm locking it out of courtesy to them.