Welp, I've done a LOT of research on this. Stripping the hook out of LSASS really does the trick more than anything, but I have updated my Vundo fix page as well. Only thing about your last reply on this is that Safe Mode does not work. The file is still considered a "Windows Safe File" and will still get used by LSASS even in safe mode. BleepingComputer's fix is not necessarily the right way to go. I have used the most recent version of their fix and this trojan still laid dormant. This prompted me to write my Vundo fix page because Bleeping's wasn't working for me and plus I really wanted to find out how this ticked. but anyways, Wendy's laptop got hit with it a few days ago and the only caveat, which I have hence updated my page with, is that you MUST boot to a BartPE or ERD Commander (Ultimate Boot Disc) to delete the .DLL or .EXE and then in notepad, create the same filename as a text file and then make them Read Only. Also, it borked with her startup items like loading "googletalk .exe" (notice the space before the .exe) so I had to recreate a new account and copy her stuff over. Best fix i've seen for Vundo yet. Do me a favor and on the computer you fixed, check that Lsa reg entry and see if anything is there. That was one of the problems I had with Bleeping's fix was that the damn thing laid dormant and you'd think you got rid of it only to find out later you were wrong. (happened to me a few times) There was actually several ways Vundo gets on your computer. Java and Quicktime. Firefox does use the same java as IE and by default will allow Vundo to get in. Check to make sure Java is updated to Update 3. That will fix it. Crap Cleaner is an Excellent tool for removing registry entries that are invalid or non-existant. Perhaps you should read my fix on Vundo a little better as I think you just skimmed through it.. :) Crap Cleaner does not get rid of viruses nor did I claim it to. Crap Cleaner is an excellent tool and should be on everyone's Windows PC, next to the Anti Virus of their choosing. Bear in mind that the only thing that Wendy does on her laptop is check email, Craigslist and MySpace. Nothing else and it was a fresh reload of the OS as well. I checked her Java version before cleanup and it was Java build 1.6.0_02. Here are some links in reference: Link 1 Link 2 Link 3 As much as I want to blame Microsoft for this, it's not an IE Exploit that Vundo gets in. Not a Firefox exploit as well. Simply it's either Java or Quicktime that hasn't been updated. Very simple really.. :) Also, about the RegEdit denied workaround in there. I think you are taking my page out of context and I really think you skimmed it. The question was posed to me by a reader and was wanting to get into Regedit. The link noted is a workaround by microsoft to allow the user to get into RegEdit. Of course you and I both know we can boot up to Ultimate Boot CD or whatever and work around this issue, but sometimes we're dealing with people that don't know too much about computers or have never seen a C64 boot screen.. :) And my method on that page has been double checked, triple-checked. I use this method for every Vundo removal I run into. I have hence removed the Unlocker, because it's not needed, but it's still a very good tool. I have over the last 2 weeks simplified my methods and with wendy's Laptop just solidified it. As I stated before, I used Bleeping's programs and while they worked (or so I thought), it came back. My method is a sure-fire, multiple tested way to get rid of Vundo. next time you run into it again, try my method. |