7 Replies Latest reply on Apr 15, 2009 12:09 PM by secured2k

    Vundo variant

      I was having virus problems about a week ago and decided just to install a clean version of Windows and start over. I did so, immediately installing McAfee with it. WinXP, IE 7, all current updates for it and for McAfee. Well, in only 3 days I ended up hitting some web sites where McAfee said it blocked something like 'vundo.gbr'. But it didn't actually block it. I've had experience with this virus before and I'm very angry McAfee couldn't actually deal with it.

      We started getting random weird web pages popping up on us, so I knew it had gotten through. I ran a full scan but McAfee didn't see anything wrong.

      I found it in my Tools -> Manage Add-ons list as a registry key name pointed to a .dll. Every time I tried to disable it, it would immediately re-enable itself. It was referring to a .dll I didn't recognize in my system32 directory. I rebooted from CD to DOS and deleted it. I rebooted and it was still acting up - I looked in regedit and found 3 DLLs set to run at startup, so I wrote them down, rebooted off CD once more, and deleted the .dlls and a strange-looking .exe I found too. I then booted into safe mode DOS, ran regedit and deleted everything that looked like that registry key as well, with extreme prejudice. After another reboot it now allows me to remove the IE add-on and remove the registry startup run commands - so it looks like it's gone for now, which is amazing because the last time I had it I couldn't get rid of it.

      I wish McAfee or some other product I knew of was good enough to keep me from getting it through normal web surfing! (I did not download and run anything!)
        • 1. RE: Vundo variant
          Jubo
          Without specific details it's hard to say what is wrong or what has happened with the computer. Hopefully all is well now. For a 2nd opinion you can always try an online scan (linked here) and see what they say.
          Any suspicious looking files can be submitted to sites like VirusTotal, Jotti or MS Malware Protection Center
          • 2. Vundo!grb
            I have the same Trojan on one of my PCs and running McAfee scans does nothing for me. Occasionally it tells me it blocked and removed it, but as you stated this is really not true. I was reading a Vundo article on Wiki and it suggested that you use PC Tools Spy Doctor for removal. I downloaded a free copy and ran a scan. It found many incidents of the Trojan but of course would not let me remove it unless I purchased a registered copy of their software. It costs $50 to download. I am thinking of asking McAfee for my money back for "Total Protection" and then purchasing Spy Doctor and seeing if it really works.
            • 3. RE: Vundo!grb
              Peter M
              There isn't an anti-virus on the market that can catch everything, especially Vundo, whose makers issue new variants thereof on a daily basis.

              There are, however, many anti-spyware tools which are specialised and can remove Vundo, and are FREE.

              SuperAntiSpyware and MalwareBytes, to name just two; both are listed on our forum here: http://community.mcafee.com/showthread.php?t=136913

              You wasted your money buying Spy Doctor. It isn't even recommended. Hope they have a money-back guarantee (PC Tools usually do I believe).
              • 4. Vundo!grb
                Thanks for the link....I will try that. BTW....I didn't purchase Spy Dr, only was going to consider it since it sounded as if it would remove the Trojan.


                Thanks again....ES
                • 5. RE: Vundo!grb
                  We are getting hit with Vundo variants. It's nice and easy for an average home user to use the free spyware tools, but in an environment with 7,200 machines it's a pain in the butt when 20 of them end up getting Vundo in one day. 20 out of 7,200 doesn't seem bad, but when you have say 10 desktop personnel working on reimaging or repairing 20 infected machines, other helpdesk calls start to build up.

                  I am getting a LOT of questions from Managers about why this is happening. They come to me as I run the EPO server, looking for help or trying to understand why an up to date machine would get infected by something like this. I understand a new variant comes out and blah blah blah, but it does seem like McAfee could step up efforts to fight this menace to society.
                  • 6. RE: Vundo!grb
                    Peter M



                    You'd be well advised to post this in the Corporate area.
                    • 7. RE: Vundo!grb
                      secured2k


                      You are probably getting this virus from an exploit in a 3rd party plugin like older versions of Flash, Acrobat, and/or Java. Also, the end user must take action (visiting questionable/exploited web sites) for infection.

                      As the ePO admin, you may want to implement a policy to filter traffic or use VSE's application rules to block the registry entries for IE add-ons, Winlogon, Userinit, AppInit_DLLs, and kernel driver installation.

                      This could break the installation of some new programs but most will not add or change those entries. You may want to try setting VSE to only report so you can test to see what would be affected.

                      By blocking those entries, you can stop almost all unknown kernel and user-mode rootkits/malware from installing. Of course, if you ever needed to do a software install, you could turn the rules off and continue normally.
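The three technical threads above converge on the same handful of registry locations: the original poster cleaned a Browser Helper Object and several Run-key DLLs by hand, reply 1 suggests hashing suspicious files for VirusTotal or Jotti, and reply 7 proposes blocking writes to the IE add-on, Winlogon, Userinit and AppInit_DLLs entries. The script below is an added example written for this page; it is not code from the thread, from McAfee VSE or from ePO. It enumerates exactly those locations, resolves each entry to the file it loads, and flags files that are missing, recently created, or unsigned inside system32, printing a SHA-1 so the file can be looked up online without uploading it. It assumes Windows PowerShell 2.0 or later on an elevated prompt and only reads the 32-bit key paths; on 64-bit Windows the Wow6432Node copies need the same treatment. Run it after a manual cleanup to confirm nothing re-registered, or before enabling block rules to see which legitimate products live in those keys.

```powershell
# Added example, not from the thread: audit the autostart locations that
# Vundo-style BHO hijackers abuse and report what each entry loads.
# Assumes Windows PowerShell 2.0+, run elevated; 32-bit key paths only.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$WindowsKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'   # holds AppInit_DLLs
$BhoKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$MetaProps   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function New-Entry([string]$Source, [string]$Name, [string]$Value) {
    New-Object PSObject -Property @{ Source = $Source; Name = $Name; Value = $Value }
}

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                if ($MetaProps -notcontains $p.Name) { New-Entry $key $p.Name $p.Value }
            }
        }
    }
    # Userinit/Shell and AppInit_DLLs are single values that malware appends itself to.
    foreach ($n in 'Userinit', 'Shell') {
        $v = (Get-ItemProperty -Path $WinlogonKey -Name $n -ErrorAction SilentlyContinue).$n
        New-Entry $WinlogonKey $n $v
    }
    $v = (Get-ItemProperty -Path $WindowsKey -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
    New-Entry $WindowsKey 'AppInit_DLLs' $v
    # Each BHO subkey is a CLSID; the DLL it loads is that CLSID's InprocServer32 default value.
    if (Test-Path $BhoKey) {
        foreach ($sub in Get-ChildItem -Path $BhoKey) {
            $clsid  = $sub.PSChildName
            $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            $dll    = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            New-Entry $BhoKey $clsid $dll
        }
    }
}

function Get-ReferencedFile([string]$Value) {
    # First path in values like '"C:\Program Files\x.exe" /q',
    # 'C:\WINDOWS\system32\userinit.exe,' or a bare 'Explorer.exe'.
    if (-not $Value -or $Value.Trim() -eq '') { return $null }
    $first = $Value.Trim()
    if ($first.StartsWith('"')) {
        $end = $first.IndexOf('"', 1)
        if ($end -gt 1) { $first = $first.Substring(1, $end - 1) } else { $first = $first.TrimStart('"') }
    } else {
        $first = (($first -split ',')[0] -split ' ')[0]   # unquoted paths with spaces are truncated here
    }
    $first = [Environment]::ExpandEnvironmentVariables($first)
    if ($first -notmatch '\\') {                          # bare name: resolve the way the loader would
        foreach ($dir in $env:windir, "$env:windir\system32") {
            $candidate = Join-Path $dir $first
            if (Test-Path -LiteralPath $candidate) { return $candidate }
        }
    }
    return $first
}

function Test-AutostartEntry($Entry, [int]$RecentDays = 14) {
    $file = Get-ReferencedFile $Entry.Value
    $flags = @(); $hash = ''
    if ($file) {
        if (-not (Test-Path -LiteralPath $file)) {
            $flags += 'file not found'
        } else {
            $item = Get-Item -LiteralPath $file
            if ($item.CreationTime -gt (Get-Date).AddDays(-$RecentDays)) { $flags += "created within $RecentDays days" }
            # Catalog-signed OS files can report NotSigned on older Windows, so
            # 'unsigned in system32' is a triage hint, not a verdict.
            $sig = Get-AuthenticodeSignature -FilePath $file
            if ($sig.Status -ne 'Valid') {
                $flags += "signature: $($sig.Status)"
                if ($file -match '\\system32\\') { $flags += 'unsigned in system32' }
            }
            # SHA-1 for an online lookup (VirusTotal, Jotti); PS 2.0 has no Get-FileHash.
            $sha1 = [System.Security.Cryptography.SHA1]::Create()
            $fs = [System.IO.File]::OpenRead($file)
            try { $hash = ([BitConverter]::ToString($sha1.ComputeHash($fs))) -replace '-', '' }
            finally { $fs.Close() }
        }
    }
    New-Object PSObject -Property @{
        Source = $Entry.Source; Name = $Entry.Name; File = $file; SHA1 = $hash; Flags = ($flags -join '; ')
    }
}

Get-AutostartEntries | ForEach-Object { Test-AutostartEntry $_ } |
    Select-Object Source, Name, File, SHA1, Flags | Format-Table -AutoSize -Wrap
```

Read the Flags column with the same scepticism reply 3 applies to scanners: a freshly created, unsigned DLL registered as a BHO is the pattern the original poster found, but the script only surfaces candidates, and the 14-day window and the signature check are both tunable assumptions. For the ePO case, the list of Source/File pairs that are legitimate on a clean build is the allow-list to encode before switching the access protection rules from report to block.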