SAS Saves The Day!
SoCalReviews
June 1st, 2008, 10:19 AM
A friend's computer seemed to be infected with some really bad malware. The main infection appeared to be a new Vundo variant rootkit. It apparently infected his system last week from a web based email file that he mistakenly opened. His system was running CA AV (w/ definitions updated but it is a several year old version of the program), CA Pestpatrol, Spybot S&D v1.4x, Spywareblaster 3.5.x, AVG Antispyware (current free version), Windows Defender, ZA free v6.1.x.
CA AV and Pestpatrol detected the main Vundo infection but had not blocked its installation. Spybot S&D detected many of the infections and appeared to remove them and partially cripple some of them but the main infection still seemed active after a system reboot. During this time ZA free was continuously detecting and blocking from accessing the "Trusted Zone" the numerous "tmp...exe named" virus executable files that the virus was continuously generating. From safe mode I ran online virus and anti-spyware scans including ESET AV (online version only) and the main infection was detected and a reboot was required. Although the virus was seriously crippled the Vundo variant still seemed partially active.
I downloaded SAS (SuperAntiSpyware) free version on a different (non-infected) computer and was able to install it from a CD-R in normal Windows mode. After installing the latest updates I ran the scan and SAS free effectively detected and apparently removed all of the remaining Vundo variants as well as several other Trojans, Adware, malware, tracking cookies, etc. (157 total items removed). I noticed that most of the removed threats had just recently been added to the SAS detection databases from 5/21 to 5/30. All these malware items were found by SAS even after I had run at least six different other programs and online scans in Windows safe mode. Finally after another reboot the system appeared to be running normally. There were a few startup entries with an invalid path that had to be disabled (using msconfig and then by editing the registry entries). I disabled the Windows system restore to help eliminate the chance of re-infection from backed up files. I ran several more various online scans and no more traces of the infections were found.
I wanted to give a big thumbs up to SAS and its high level of effectiveness at removing these threats. After this experience my friend purchased the SAS Pro subscription. SAS displayed one of the most impressive performances in recent memory that I have seen by an anti-virus, anti-spyware, or anti-malware application! Thanks to the SAS team for the prompt updates and continued development of this excellent security software! :thumb:
Saraceno
June 1st, 2008, 10:39 AM
That's good news.
SAS pro won't affect system performance either. It barely uses any ram, about 500K. :thumb:
ErikAlbert
June 1st, 2008, 10:58 AM
Yes, I've read this before that scanners fail to remove vundo completely and detecting vundo isn't the same as removing vundo. Somewhere at Wilders is a post where 5 scanners didn't remove vundo either, because it's a very nasty one. In such cases you better use SAS right away. :)
djohn
June 1st, 2008, 11:02 AM
@SoCal, great job on your end as well and SAS. :thumb:
SoCalReviews
June 1st, 2008, 11:34 AM
{QUOTE-> @SoCal, great job on your end as well and SAS. :thumb: <-QUOTE}
Thanks djohn! In the past I have seldom started my own threads about these things but this time I wanted to give some major credit to SAS since most other security applications were not able to completely remove this threat. SAS simply attacked the source of the problems and provided the knock out punch. I have been running SAS Pro along with numerous other security applications on my own system and have heard about how well it works but my system has been running clean for years. This time I was finally able to see how effective SAS can be at attacking current threats like these Vundo variants.
I noticed from your signature that you are a fan of Avira (AntiVir). I have seen good results from AntiVir AV Personal free when I have installed it on other friends' computers. I might recommend to my friend that he use the newer AntiVir AV Personal free version instead of the older version of CA AV that he has on his system.
djohn
June 1st, 2008, 12:35 PM
Yes, I do like Avira for its lightness and scan speed more so than the protection aspect, but that's a good thing too. Since I am not the nervous type, I sometimes run without any antivirus by means of Sandboxie and/or Returnil. I truly believe an antivirus program is not needed with other means of protection in place. PS: my signature changes by the minute, I guess I get bored quickly. ;D
SoCalReviews
June 1st, 2008, 12:39 PM
{QUOTE-> Yes, I've read this before that scanners fail to remove vundo completely and detecting vundo isn't the same as removing vundo. Somewhere at Wilders is a post where 5 scanners didn't remove vundo either, because it's a very nasty one. In such cases you better use SAS right away. :) <-QUOTE}
I can say that "nasty" is an understatement to describe this particular Vundo variant. I got a good sense it was really bad after several hours of running different online scanners and after every reboot it reared its ugly head over and over again. Another issue I saw was that it seemed to be blocking the AVs and the common anti-spyware applications such as Spybot S&D from functioning properly. Strangely it seemed to even be affecting Windows while in safe mode... It's difficult to understand how that was happening but it was. Therefore when SAS effectively ran, detected and removed all the remaining parts of this virus/malware it was very impressive. You are right that I could have saved a lot of time by running SAS right away.
ErikAlbert
June 1st, 2008, 12:43 PM
@Socalreviews,
The removal was successful, but that is not really the issue.
Your friend has to ask himself how Vundo succeeded in installing itself permanently on his computer until you found it. :)
SUPERAntiSpy
June 1st, 2008, 01:12 PM
Thank you all for the support and I am glad SAS was able to cure the infected system!
Peter2150
June 1st, 2008, 01:25 PM
Several off topic posts removed. This is strictly about SAS period.
Pete
djohn
June 1st, 2008, 05:07 PM
I do not use spyware programs on a regular basis, but when I do run a scan, SAS is my first choice. Very good product, free or paid. In my opinion this is one product that deserves our support as well.
SoCalReviews
June 1st, 2008, 07:08 PM
{QUOTE-> @Socalreviews,
The removal was successful, but that is not really the issue.
Your friend has to ask himself how Vundo succeeded in installing itself permanently on his computer until you found it. :) <-QUOTE}
I asked him that exact same question as well. His description was that he was opening an attached email file that another friend had sent him. Of course most users in this forum know that just because an email attachment is from a known sender it does not mean that it can't be malicious. Unfortunately some people need to experience having their system infected before they decide to believe this. He uses web based email usually with FF but for whatever reason he happened to be using IE to read web based email at the time. From what I have learned about Vundo variants they seem to require some active user decision making to fully install. I also don't quite understand how the full Vundo variant infection happened without some very poor decision making along the way.
HURST
June 1st, 2008, 07:25 PM
Most probably he made a decision along the way and he just doesn't remember... some people are happy-clickers and don't even read what they are accepting.
SoCalReviews
June 1st, 2008, 07:56 PM
{QUOTE-> Thank you all for the support and I am glad SAS was able to cure the infected system! <-QUOTE}
Thank you again Nick for your effort and the work that all the other developers have put into SAS. I had read many posts in the past about the success stories regarding the effectiveness of SAS against some of the most malicious malware. After directly witnessing SAS take out this rootkit when so many other security applications couldn't I have now become a true believer! :)
ErikAlbert
June 1st, 2008, 08:20 PM
{QUOTE-> I asked him that exact same question as well. His description was that he was opening an attached email file that another friend had sent him. <-QUOTE}
Let's hope your friend learned from this adventure, otherwise it won't be the last time he asks for help. :)
Bubba
June 1st, 2008, 09:23 PM
@ member John Lock,
For better assistance and to remain on topic, your post and numerous exchanges have been moved to a thread of their own.
continued here---> I hope someone can help me sort out my Vundo (http://www.wilderssecurity.com/showthread.php?t=211176)
Bubba
SoCalReviews
June 2nd, 2008, 12:34 AM
{QUOTE-> Let's hope your friend learned from this adventure, otherwise it won't be the last time he asks for help. :) <-QUOTE}
This wasn't the first time he asked for help with an infected system and I know it won't be the last. More than six years ago after he installed a high speed cable connection his Windows XP system got hit with some serious "wrath from the internet". He wasn't even using a router or a software firewall at the time...just PC-Cillin with an expired subscription and outdated definitions. His computer had become a zombie virus server. After that and later incidents requiring a full XP re-installation I was able to convince him to at least use a router and run some subscription based security software as well as a ZA firewall. I considered his computer's set of security applications progress. ::)
Like many people he sometimes has an affinity to surf the "dark side" of the web. The best I can do is convince him to purchase subscriptions for the best AV, anti-spyware, anti-malware that I can recommend. His system only had a few minor malware problems in the past few years up until this Vundo infection happened. He has been using an older CA AV and PestPatrol because it has lifetime updates and it came free with his system. SAS Pro is a good start after this latest incident. I just added ThreatFire to his system as well. Maybe I can convince him to go with a top rated AV while this Vundo adventure is still on his mind. :(
I normally charge for computer support like this but once in a while I try to help friends and family. If any more of these incidents happen I might refer him to support at the local computer and electronics store instead. 8)
EliteKiller
June 2nd, 2008, 09:10 AM
{QUOTE-> This wasn't the first time he asked for help with an infected system and I know it won't be the last. More than six years ago after he installed a high speed cable connection his Windows XP system got hit with some serious "wrath from the internet". He wasn't even using a router or a software firewall at the time...just PC-Cillin with an expired subscription and outdated definitions. His computer had become a zombie virus server. After that and later incidents requiring a full XP re-installation I was able to convince him to at least use a router and run some subscription based security software as well as a ZA firewall. I considered his computer's set of security applications progress. ::)
Like many people he sometimes has an affinity to surf the "dark side" of the web. The best I can do is convince him to purchase subscriptions for the best AV, anti-spyware, anti-malware that I can recommend. His system only had a few minor malware problems in the past few years up until this Vundo infection happened. He has been using an older CA AV and PestPatrol because it has lifetime updates and it came free with his system. SAS Pro is a good start after this latest incident. I just added ThreatFire to his system as well. Maybe I can convince him to go with a top rated AV while this Vundo adventure is still on his mind. :(
I normally charge for computer support like this but once in a while I try to help friends and family. If any more of these incidents happen I might refer him to support at the local computer and electronics store instead. 8) <-QUOTE}
Stick him on a limited account with a disallowed by default SRP (http://www.google.com/url?sa=t&ct=res&cd=1&url=http%3A%2F%2Fwww.mechbgon.com%2Fsrp%2F&ei=_fBDSP9lo4qIAfTh9J4D&usg=AFQjCNHA5bJWNkMWayMe5TTIZPmgmbnxhw&sig2=LAr7HR1B8n7HNPCRd2GHgQ). ;D
gobbledog
June 2nd, 2008, 01:50 PM
I have used SAS for about 2 1/2 years and have nothing but praise for this outstanding team. They are a credit to the industry. Thanks so much Nick!
2 pro keys.
ErikAlbert
June 2nd, 2008, 07:51 PM
{QUOTE-> If any more of these incidents happen I might refer him to support at the local computer and electronics store instead. 8) <-QUOTE}
Do that. Helping people is beautiful, but some users need constant help because they refuse to learn something. They need to learn it the hard way, even when it costs money. Make him a member of Wilders too, he needs it. ;D