RE: Vundo/VirtuMonde removal tool
Topic: Computer Security 12:08 pm EST, Jan 15, 2008

Welp, I've done a LOT of research on this. Stripping the hook out of LSASS really does the trick more than anything, but I have updated my Vundo fix page as well. The only thing about your last reply on this is that Safe Mode does not work. The file is still considered a "Windows Safe File" and will still get used by LSASS even in Safe Mode. BleepingComputer's fix is not necessarily the right way to go. I have used the most recent version of their fix and this trojan still lay dormant. This prompted me to write my Vundo fix page, because Bleeping's wasn't working for me and I really wanted to find out how this thing ticked.

But anyway, Wendy's laptop got hit with it a few days ago, and the only caveat, which I have since updated my page with, is that you MUST boot to a BartPE or ERD Commander (Ultimate Boot Disc) to delete the .DLL or .EXE, then in Notepad create the same filename as a text file and make it Read Only. Also, it borked her startup items, loading "googletalk .exe" (notice the space before the .exe), so I had to create a new account and copy her stuff over. Best fix I've seen for Vundo yet. Do me a favor and, on the computer you fixed, check that Lsa reg entry and see if anything is there.

One of the problems I had with Bleeping's fix was that the damn thing lay dormant, and you'd think you had gotten rid of it only to find out later you were wrong (happened to me a few times).

There are actually several ways Vundo gets on your computer: Java and QuickTime. Firefox does use the same Java as IE and by default will allow Vundo to get in. Check to make sure Java is updated to Update 3. That will fix it.

Crap Cleaner is an excellent tool for removing registry entries that are invalid or nonexistent. Perhaps you should read my fix on Vundo a little better, as I think you just skimmed through it.. :) Crap Cleaner does not get rid of viruses, nor did I claim it does. Crap Cleaner is an excellent tool and should be on everyone's Windows PC, next to the antivirus of their choosing.

Bear in mind that the only things Wendy does on her laptop are check email, Craigslist and MySpace. Nothing else, and it was a fresh reload of the OS as well. I checked her Java version before cleanup and it was Java build 1.6.0_02.

Here are some links in reference:

Link 1
Link 2
Link 3

As much as I want to blame Microsoft for this, it's not an IE exploit that Vundo gets in through. Not a Firefox exploit either. Simply put, it's either Java or QuickTime that hasn't been updated. Very simple really.. :)

Also, about the RegEdit denied workaround in there: I think you are taking my page out of context, and I really think you skimmed it. The question was posed to me by a reader who wanted to get into RegEdit. The link noted is a workaround by Microsoft to allow the user to get into RegEdit. Of course you and I both know we can boot up to Ultimate Boot CD or whatever and work around this issue, but sometimes we're dealing with people that don't know too much about computers or have never seen a C64 boot screen.. :)

And my method on that page has been double-checked, triple-checked. I use this method for every Vundo removal I run into. I have since removed the Unlocker, because it's not needed, but it's still a very good tool. Over the last 2 weeks I have simplified my methods, and Wendy's laptop just solidified it. As I stated before, I used Bleeping's programs and while they worked (or so I thought), it came back. My method is a sure-fire, multiply tested way to get rid of Vundo. Next time you run into it again, try my method.
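The three checks the post describes (look at the Lsa registry entry LSASS loads from, find startup items with a mangled name like "googletalk .exe", and leave a read-only placeholder where the deleted file was) can be scripted. The block below is an added example for this thread, not code from the poster's fix page or from BleepingComputer, and it assumes that "that Lsa reg entry" means the REG_MULTI_SZ value "Notification Packages" under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, that "scecli" and "rassfm" are the only packages expected there on a clean box, and that the placeholder path you pass in is one you identified yourself (the name in the usage line is hypothetical). Run it from an elevated PowerShell session after the offline deletion step, not from the boot disc.

```powershell
# Added example, not from the original post. Assumptions (see lead-in):
# - the "Lsa reg entry" is HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
# - "scecli" and "rassfm" are the only legitimate entries on this box
# - any placeholder file name you pass in is one you found yourself

$LsaKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$KnownPackages = @('scecli', 'rassfm')   # assumed known-good list; adjust per system

function Get-LsaNotificationPackages {
    # Names of the DLLs lsass.exe loads as password-notification packages at boot.
    (Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages'
}

function Get-UnexpectedLsaPackages {
    # Anything not on the known-good list deserves a look: a DLL listed here is
    # loaded by lsass.exe on every boot, Safe Mode included.
    Get-LsaNotificationPackages | Where-Object { $KnownPackages -notcontains $_ }
}

function Remove-UnexpectedLsaPackages {
    # Rewrites the value with only the known-good entries, keeping the REG_MULTI_SZ type.
    $clean = @(Get-LsaNotificationPackages | Where-Object { $KnownPackages -contains $_ })
    Set-ItemProperty -Path $LsaKey -Name 'Notification Packages' -Value $clean -Type MultiString
}

function Get-SuspiciousRunEntries {
    # Flags Run-key values whose command has whitespace before the extension,
    # like the "googletalk .exe" entry described above.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a registry value
            if ("$($prop.Value)" -match '\s+\.(exe|dll)\b') {
                New-Object PSObject -Property @{
                    Key     = $key
                    Name    = $prop.Name
                    Command = $prop.Value
                }
            }
        }
    }
}

function New-ReadOnlyPlaceholder {
    # After the real file has been deleted from BartPE/ERD Commander, drop an
    # empty read-only file of the same name so a dropper cannot simply recreate it.
    param([Parameter(Mandatory = $true)][string]$Path)
    if (Test-Path $Path) {
        throw "$Path still exists; delete it from the offline boot disc first."
    }
    New-Item -ItemType File -Path $Path | Out-Null
    (Get-Item $Path).IsReadOnly = $true
}

# Usage. The placeholder path is a hypothetical name, not a real Vundo file name.
Get-UnexpectedLsaPackages
Get-SuspiciousRunEntries | Format-Table -AutoSize
# Remove-UnexpectedLsaPackages
# New-ReadOnlyPlaceholder -Path 'C:\Windows\System32\example.dll'
```

The removal and placeholder calls are commented out on purpose: review what the two Get- functions report first, since a legitimately installed password filter would also show up as "unexpected" if it is missing from the known-good list. Note that the read-only attribute only stops a casual overwrite; an attacker running as SYSTEM can clear it, so the placeholder is a tripwire (if it changes, the infection is back), not a guarantee.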
