VERY IMPORTANT-SECURITY HOLE

A client of mine recently got a Trojan.Vundo_** virus... 7 different types of it.

MS OneCare Live was run and found it, cleaned it and did registry cleaning etc...

In IE 7 under Internet Options, Privacy tab, the cookie settings are set to Low... no matter where I change this setting... from IE or the Control Panel, it will reset itself back to Low, obviously making yourself very vulnerable.

There is an Add-On in IE = hrnvhigg.dll that resets itself if I disable it. In my msconfig startup there is a command = qxsenoqk.dll that returns no matter how often I disable it.

Norton, MS, nor any of the search engines have any info about these files, so I am assuming no one is aware of these issues.

I am about ready to try to manually remove these in safe mode and see if they reappear and resolve the Low cookie setting issue.

** ALSO, this virus blocked Windows Update and Norton from updating, and a pop-up kept coming up and cleaning virus etc with MS and Vista all over it... IT IS FAKE! MS... you have a great lawsuit here!!!! Copyright has definitely been violated.

I will update if procedure above resolves.

Any input would be appreciated if anyone is aware of this. I cannot apply SP3 because it has altered something that won't allow the update page to appear.

Re: VERY IMPORTANT-SECURITY HOLE

Let's take your concerns one at a time:

1- No setting for cookies 'obviously makes yourself very vulnerable'. Cookies are nothing more than text files.

2- Most competent security software will try to prevent changes from being made to browser configurations, or at least warn you, since that's something malware tries to do. To allow changes to your browser settings you usually need to go into your security software and find the correct setting.

3- On the other hand, the computer in question is obviously still infected. An infection will try to stop you from taking steps to combat it. It's no simple task to remove infection(s). You're better off in the hands of a professional malware fighter.

About that "security hole":

"Ultimately, the only protection against phishing, forged Web pages, downloading malware, and other threats is the technology located between the user's ears."

Mitch Wagner, Information Week
November 21, 2007

---
Leonard Grey
Errare humanum est

Re: VERY IMPORTANT-SECURITY HOLE

Well, I have to disagree...

1) We all know that any file can read and have script to run script and reference other files. Allowing 3rd party cookies from every site is not wise!

2) We all know that the creators of these viruses are "always" 1 step ahead of virus protection software. A virus must exist before a definition can be created to protect us against it. MS OneCare missed these reg entries... so that tells all of us that neither MS nor Norton are protecting us from these.

3) I did a manual removal of the reg entries I spoke of below as well as manual removal of the add-on. It worked!! So, your reference to "any competent security software" is inaccurate. The "hrnvhigg.dll" is time activated. I would disable it, and watch, and in 5 secs it would enable itself. So, if the competent software acknowledged that a setting was made and it automatically changed itself... shouldn't the software acknowledge that change and make a request that it is alright??

Anyway, point being... the files referenced below are critical. And MS, Norton and any other security software should acknowledge those and prevent them from being written.

Also, the virus was packaged in a .mp3 file... for FYI purposes.

TT

PS: after the manual cleaning, even with the file deleted, the add-on was still enabled but I was able to disable permanently. Also, the delete option on the Add-On screen... was NOT available.

Re: VERY IMPORTANT-SECURITY HOLE

Well, I have to disagree...

1) We all know that any file can contain script to reference other script to reference other files.

2) Your reference to any competent security software should acknowledge changes is inaccurate. We all know that a virus, malware etc... must first exist in order for these softwares to protect us against them. These creators of this crap are always 1 step ahead of the security software. The hrn file referenced below was time activated. Meaning once I disabled it, in 5 secs it would re-enable itself. Shouldn't a competent software acknowledge this change is taking place?? It didn't!

3) The manual cleaning worked. Which means MS OneCare and Norton do not acknowledge these yet. Even with the file deleted, the add-on was still enabled after reboot, but with it removed I was able to permanently disable it.

Point is... the files below are critical and need to be acknowledged by all security software, which they are NOT!

Thanks and all beware... this was packaged in a mp3 file.

TT

RE: VERY IMPORTANT-SECURITY HOLE

Sorry for multiple posts... when I submitted... it did not show on forum... :)

TT

RE: VERY IMPORTANT-SECURITY HOLE

One last thing... after ensuring system is totally clean of the files referenced... Imagine that... all MS updates & Norton updates now work. No fake MS pop-ups either... So obviously, these files were blocking the system from receiving updates. If that is not a security hole... I would like to know what is!!!

Good luck to all...

TT

Re: VERY IMPORTANT-SECURITY HOLE

Don't start celebrating. I can /assure/ you that no anti-virus or anti-spyware application can completely clean the machine (which was most likely infected by Vundo, ZLOB, and an SDBot variant, all of which are protected by a rootkit).

PS: The "security hole" was and continues to be your client's unsafe browsing habits, not Vista or the security applications!

Run a /thorough/ check for hijackware, including posting your hijackthis log to an appropriate forum...or format & reinstall Windows.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_R...:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/...moving_Malware

When all else fails, HijackThis v2.0.2 (http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use. It will help you to both identify and remove any hijackware/spyware with assistance from an expert.

**Post your log to http://forums.spybot.info/forumdisplay.php?f=22, http://castlecops.com/forum67.html, http://forums.subratam.org/index.php?showforum=7, http://aumha.net/viewforum.php?f=30, or other appropriate forums for review by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this isn't your cup of tea - take the machine to a local, reputable and independent (i.e., not BigBoxStoreUSA) computer repair shop.

--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/
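
The behaviour reported in this thread (an IE add-on and a startup entry that come back after being disabled) can be confirmed by comparing autostart snapshots taken before cleanup, right after it, and a little later. The following is an added example, not part of any post: the HijackThis-style log lines, paths and CLSIDs are constructed, and only the two DLL file names come from the thread.

```python
import re

# HijackThis-style autostart lines: O2 = Browser Helper Object (IE add-on),
# O4 = startup item from a Run key (what msconfig's Startup tab lists).
ENTRY = re.compile(r'^(O2|O4) - (.+)$')
DLL_PATH = re.compile(r'[A-Za-z]:\\[^"*?<>|]+?\.dll', re.IGNORECASE)

def parse(log):
    """Map (section, lower-cased DLL path) -> original log line."""
    entries = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        dll = DLL_PATH.search(m.group(2)) if m else None
        if dll:
            entries[(m.group(1), dll.group(0).lower())] = line
    return entries

def classify(before, after_cleanup, later):
    """Split entries removed during cleanup into those that returned and those that stayed gone."""
    b, c, l = parse(before), parse(after_cleanup), parse(later)
    removed = [k for k in b if k not in c]
    return {
        "regenerated": sorted(k for k in removed if k in l),
        "stayed_removed": sorted(k for k in removed if k not in l),
    }

# Constructed snapshots (assumed paths and placeholder CLSIDs, not real scan output).
BEFORE = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\hrnvhigg.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Example\helper.dll
O2 - BHO: Old Toolbar - {00000000-0000-0000-0000-000000000003} - C:\Program Files\OldToolbar\bar.dll
O4 - HKLM\..\Run: [qxsenoqk] Rundll32.exe "C:\WINDOWS\system32\qxsenoqk.dll",a
"""
AFTER_CLEANUP = r"""
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Example\helper.dll
"""
LATER = AFTER_CLEANUP + r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\hrnvhigg.dll
O4 - HKLM\..\Run: [qxsenoqk] Rundll32.exe "C:\WINDOWS\system32\qxsenoqk.dll",a
"""

if __name__ == "__main__":
    result = classify(BEFORE, AFTER_CLEANUP, LATER)
    for section, path in result["regenerated"]:
        print("re-registered after removal:", section, path)
```

An entry in the "regenerated" list means something still running on the machine is rewriting it, so registry cleanup alone will not hold until that component is found and stopped.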