This discussion is locked
4957 Views 9 Replies Latest reply: Apr 1, 2009 4:35 AM by Ex_Brit RSS
Newcomer 4 posts since
Jan 29, 2009

Jan 29, 2009 8:57 PM

Warning to McAfee and subscribed users

Hi, I would like to first state that I'm very dissatisfied with my McAfee Security center and the apparent lack of the ability for McAfee NOT to be able to STOP a virus nor be able to identify the apparent packet of sub-viruses that this virus planted on my computer. Let's start with the day I had to roll my computer back to a previous restore point. Then when having to re-install McAfee I get this oddity message from McAfee that I have to remove my Spybot Search & Destroy (never had to do this before) so that McAfee can install. I do so and install. I figure maybe McAfee is now good enough to brazenly state "we can do better, get rid of this", so I never reload the Spybot S & D. In hindsight now, I guess maybe I shouldn't have put that much faith in it and neither should you. Here's what happened Sunday.
My daughter was downloading music for her ipod from Apple and she sees McAfee mentioning that wpv551232895578.cpx wants internet access, she denies it. McAfee mentioning that wpv721232670442.cpx wants internet access, she denies it. Virus warning pops up Virus file Vundo!grb in a file etcidpqk.tmp in C:\Windows\System32. She doesn't tell me about it she figures all is ok.
My wife later says "Why is my account trying to contact the internet? And what is this security balloon?" I come upstairs and up pops Internet Explorer trying to search for snbsearch.com. Windows update SAYS it is not turned on and I turn it on. 2 minutes later it is "disabled"...I check, it is enabled as it should be but refusing to re-enable from the screen where it says to click there to enable them. Try to get to Control Panel, takes a real long time to get in. I reboot the PC. Explorer.exe is having a hard time shutting down...tries twice with two of those "file is busy" messages, then it says it can't message and windows closes all on its own. Boot ok. Up pops trying to connect to the internet all on its own. I connect to get the latest McAfee update, up pops a web site about once every 5 minutes...seems to run a pattern, but not always. If you search for something, it too may hunt for your request, when it does bring up sites they are "real" sites and not the old "I can't find it".
Close out on internet and full scan, find the what was tmp file as an ini and something stuck in the now Windows automated system backup. Manually search and find wpv551232895578.cpx sitting in the C:\Windows\System32 and manually delete it. Kill the viruses, run another scan, again the backup got another. Look up the Vundo!grb and says to be sure to stop the system back up. I look in here and the one and ONLY backup is 3 minutes after infection. Kill back up, scan full again, clean. Use the Quick clean that looks for registry orphans etc...kind of like the Windows version of this where it can delete the items in recycle bin etc. Download SpyBot Search & Destroy and find what you see below. I kill these and immunize files.

Smitfraud-C.: [SBI $99619F8C] Settings (Registry key, nothing done)
HKEY_USERS\PE_C_CRISTA\Software\Microsoft\instkey

Smitfraud-C.: [SBI $99619F8C] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1969495163-134034212-909423319-1006\Software\Microsoft\instkey

Smitfraud-C.: [SBI $99619F8C] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1969495163-134034212-909423319-1007\Software\Microsoft\instkey

Virtumonde: [SBI $8F2A4A7E] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $1BB1339D] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $2F10E03B] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde: [SBI $109A62D0] Executable (File, nothing done)
C:\WINDOWS\SYSTEM32\~.exe

Virtumonde: [SBI $4D2BC948] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim

Virtumonde: [SBI $779C9C0D] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP

Virtumonde: [SBI $FD08B4B7] Configuration file (File, nothing done)
C:\WINDOWS\SYSTEM32\xHjkknpo.ini2

Virtumonde: [SBI $2A2DCEAC] Configuration file (File, nothing done)
C:\WINDOWS\SYSTEM32\xHjkknpo.ini

Virtumonde.prx: [SBI $3F5CA9DA] Autorun settings (1cf0e3be) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1cf0e3be

Virtumonde.prx: [SBI $3F5CA9DA] Program file (File, nothing done)
C:\WINDOWS\system32\kqpdicte.dll

Virtumonde.sci: [SBI $D87CA6BD] Class ID (Registry value, nothing done)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\= ...C:\WINDOWS\system32\byXPFXoM.dll...


--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

Reboot. Only slightly better. Do another Full McAfee scan, nothing. Spybot S & D scan again, finds 1/2 less but still finding some of the same stuff. Look on the internet under Wikipedia about Virtumonde and it says it is part of the vundo!grb family...and to get rid of it I should try one of 3 programs to get rid of it. I get the MalwareBytes...This does twice as good as the Spybot S & D, it finds 24 things wrong and I fix them with some of them being killed on the next reboot. All fixed after 12 hours and 4 hours missed sleep.

My beef is, why do I pay McAfee to protect me when it couldn't even kill the full virus upon entry (the etcidpqk.ini after the kill of the etcidpqk.tmp) and not even identify the other 24 items found on my PC? The definition of the Vundo! on the web should be redefined as "also potential packet of malware including family member Virtumonde please use xxxx to find and search for other malware components we can't find" instead of saying and leaving me hanging with:
"Characteristics -
These files by themselves are not executable, and therefore cannot exhibit malicious behavior without other components of the malware. The presence of these files may indicate that a variation of the Vundo malware has been executed on the host in which the detection occurred.

Symptoms -
Presence of various files associated with Vundo malware.

Variants
N/A

Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher)."
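
Added example, not part of the original post and not Spybot S&D code: a small Python parser for the report format shown in the post above, which picks out the registry entries that reload code automatically and groups them by CLSID. The header pattern is inferred from the entries in the post; the function names and mechanism labels are this example's own.

```python
import re

# Four entries from the report in the post above, embedded so this runs offline.
SAMPLE = r"""Virtumonde.generic: [SBI $1BB1339D] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $2F10E03B] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.prx: [SBI $3F5CA9DA] Autorun settings (1cf0e3be) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1cf0e3be

Virtumonde: [SBI $FD08B4B7] Configuration file (File, nothing done)
C:\WINDOWS\SYSTEM32\xHjkknpo.ini2
"""
HEADER = re.compile(r"^(?P<family>[^:]+): \[SBI \$(?P<sbi>[0-9A-F]+)\] (?P<kind>.+) "
                    r"\((?P<type>Registry key|Registry value|File), (?P<action>[^)]+)\)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
AUTOLOAD = {  # registry locations that load code without user action
    "\\currentversion\\run\\": "Run key",
    "\\explorer\\browser helper objects\\": "Browser Helper Object",
    "\\explorer\\shellexecutehooks\\": "ShellExecuteHook",
}

def parse_report(text):
    """Pair each header line with the location line that follows it."""
    findings, current = [], None
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            current = m.groupdict()
        elif line and current:
            findings.append({**current, "location": line})
            current = None
    return findings

def autoload_points(findings):
    """(mechanism, location) pairs for registry entries that reload code."""
    return [(label, f["location"]) for f in findings if f["type"] != "File"
            for needle, label in AUTOLOAD.items() if needle in f["location"].lower()]

def group_by_clsid(findings):
    """Map each CLSID to the autoload mechanisms that reference it."""
    groups = {}
    for label, loc in autoload_points(findings):
        for clsid in CLSID.findall(loc):
            groups.setdefault(clsid.upper(), []).append(label)
    return groups

print(group_by_clsid(parse_report(SAMPLE)))
```

Entries that share a CLSID belong to one COM registration, so they are cleaned together with the DLL named under that CLSID's InprocServer32 value.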
  • Newcomer 4 posts since
    Feb 2, 2009
    3. Feb 2, 2009 9:56 PM (in response to tgerz)
    RE: oh, did I forget to mention
    lol same exact scenario except the ipod...

    its like they sell the product then tell you its your fault for going online...

    i know mine was working and i didnt bypass the security warning and some mcafee hoser sent me that same email too...

    wonder how many times that gets copy/pasted per day????
  • bres3000 Newcomer 13 posts since
    Jun 27, 2007
    4. Feb 2, 2009 11:12 PM (in response to tgerz)
    RE: oh, did I forget to mention



    Also, keep handy this link to Kaspersky's Online Scanner:

    http://usa.kaspersky.com/products_services/free-virus-scanner.php


    It has found stuff that McAfee missed.
  • Ex_Brit Volunteer Moderator 59,592 posts since
    May 6, 2004
    5. Feb 3, 2009 4:57 AM (in response to bres3000)
    RE: oh, did I forget to mention
    Read any reliable malware forum out there and they will tell you that there is no such thing as the perfect protection software. What Kaspersky or Norton finds one day that McAfee misses, the next day McAfee will find something that they miss.

    Vundo/Virtumonde etc. is an extremely prolific malware, new versions of which appear daily, sometimes several times a day and is an extremely tough one to crack.

    Whilst it is essential to have at one (& only one or they will clash) software firewall and anti-virus application installed, we also advise people to add at least one good anti-spyware application to their protection repertoire. See THIS page for more information. A hardware firewall such as those found in routers is also a good idea as it won't interfere with the software one.

    The best way to stay infection-free is to avoid risky websites, be extra careful what you download, avoid file-sharing and take extra care when opening any attachments that people send you.

    If you don't believe me then read some of the malware forums. Here's a selection of but just a few of the many out there.

    AUMHA FORUM

    BLEEPING COMPUTER FORUM

    GEEKS TO GO FORUM

    MAJOR GEEKS FORUM

    MALWAREBYTES FORUM

    MALWARE REMOVAL FORUM

    SPYWAREHAMMER FORUM

    SPYWARE INFO FORUM

    WHAT THE TECH FORUM

    Lastly, when posting about an infection post in "Virus Discussions & Removal Assistance" where you will get help much more quickly than in the general forums and always include full details of your operating system, service pack and the version numbers of your installed McAfee software.

    From the link I posted earlier you could probably benefit from the free version of this tool: http://www.superantispyware.com/superantispywarefreevspro.html

    Moving this thread from Security Center 9 2009 to Virus Discussions & Removal Assistance.

    https://community.mcafee.com/servlet/JiveServlet/downloadImage/2-143933-5189/78-49/Peter.gif
    Toronto • Canada
    Volunteer Moderator
    I can't help you privately - please post in the Forums
    Use Advanced Forum Search To Find Answers
    Beta Test McAfee Products For PC & MAC
    How To Fix File Associations in Windows
    XP & Office 2003 End-Of-Life - 08 April, 2014
    Anti-Spyware/Malware & Hijacker Tools
  • Newcomer 3 posts since
    Mar 31, 2009
    6. Mar 31, 2009 6:43 AM (in response to Ex_Brit)
    Vundo
    Okay, from quick web search it appears we have 'contracted' VUNDO (plus other Trojans) today 31 March 2009. Have McAfee Security Centre, updated. My question is this. Given the problems I have read from other users in these forums about McAfee not picking up VUNDO (some dated in Feb), how is it that my system could be infected by that same malware NOW?

    I'm also having the update/not fully protected/confirm subscription problem mentioned elsewhere, and have just about had enough of McAfee.

    Can someone from McAfee please explain why my system is infected with Vundo. Haven't got a clue how I can fix it but will try other programs as advised in these pages.

    :mad::mad::mad:
  • Ex_Brit Volunteer Moderator 59,592 posts since
    May 6, 2004
    7. Mar 31, 2009 7:25 AM (in response to jons52)
    RE: Vundo
    It's already clearly explained above. Vundo is extremely prolific and anti-virus applications, no matter which brand, can't defend against it fully.

    Try the SuperAntispyware link I posted just before your post and if that doesn't help then download Hijackthis and post its log on one of those forums in the same post.

    DOWNLOAD HIJACKTHIS

    Do not post the log here, we can't help!

    Post the logs at a specialist Forum:

    AUMHA FORUM

    BLEEPING COMPUTER FORUM

    GEEKS TO GO FORUM

    MAJOR GEEKS FORUM

    MALWAREBYTES FORUM

    MALWARE REMOVAL FORUM

    SPYWAREHAMMER FORUM

    SPYWARE INFO FORUM

    WHAT THE TECH FORUM

    Be sure to read all the sticky announcements/instructions at the top of each malware forum!

  • Newcomer 3 posts since
    Mar 31, 2009
    8. Apr 1, 2009 1:26 AM (in response to Ex_Brit)
    RE: Vundo


    As a (once) respected and large AV purveyor the VERY LEAST that McAfee should have done is put out an email warning about this trojan, for the very reasons you have given above (prolific, complex, currently not all variants can be fixed by McAfee or other AV apps). Such an alert would have given me the opportunity to shut down my daughter's access to music download sites for example.

    The fact that McAfee hasn't bothered says a lot about the company's current attitude to customers. We don't expect miracles, but a level of concern and consideration should come with the reputation (and fees). It's one thing to have glossy brochures,
    http://mcafee.com/us/local_content/brochures/mcafee_brochure.pdf
    quite another to maintain a basic level of communication with customers. In the case of Vundo I would say that McAfee has dropped the ball.

    It's still not too late to warn customers about Vundo....
  • Ex_Brit Volunteer Moderator 59,592 posts since
    May 6, 2004
    9. Apr 1, 2009 4:35 AM (in response to jons52)
    RE: Vundo
    If that were the policy you would be receiving at least 150 emails a day from McAfee alone.

    NO anti-virus vendor would even think of spamming its customers in such a manner with unsolicited emails.

    Sorry, that isn't a good suggestion.

    You can, however, sign up for a McAfee Threat Center newsletter here: http://www.mcafee.com/us/threat_center/securityadvisory/signup.aspx
    (Main Threat Center page here: http://www.mcafee.com/us/threat_center/default.asp )

    Keep your Windows, associated add-ons (Java and suchlike) & anti-virus up to date, surf wisely, be extremely careful what files you download and who you let into your machine, take care when opening emails, particularly from an unknown source and keep some up to date anti-spyware handy as listed HERE.

    Vundo has been on McAfee's books since 2004 as listed HERE, but as I stated earlier, so many new variants of it appear daily that NO anti-virus can keep up with it. That's where those specialised tools come in.


    Now, as this was someone else's thread originally, I'm locking it out of courtesy to them.
