| Windows Vista Discuss the different versions of Windows Vista, Fuji, or Vienna |
Trojan.Vundo kills activation?

Ok, somehow..and don't ask me how...Vundo managed to slip into what I thought was a secure system..sure, Defender detected it...but it missed the 4 other DLLs the process made and let them through...now I'm sitting here unable to detect it with scanners.

I'm determined to kill it, but as of now it's screwed with my Windows activation. I rebooted and got Error 0xC004D301 - The security processor reported that the trusted data store was tampered.

Assuming I get this cleaned...how much of a PITA is it going to be to get my Vista back to validated, or at this point am I totally screwed and it won't be able to be reactivated?

Re: Trojan.Vundo kills activation?

Never mind... Vista didn't let the infection of Vundo spread too deep...just 4 registry entries and some DLL files in a temp directory. Activation asked for product key...and reactivated.

"Jay Moore" <dewdude******.com> wrote in message news:0EF5F82E-53BA-4D95-AD91-F2C99F2C6B55@microsoft.com...
> Ok, somehow..and don't ask me how...Vundo managed to slip into what I thought was a secure system..sure, Defender detected it...but it missed the 4 other DLLs the process made and let them through...now I'm sitting here unable to detect it with scanners.
>
> I'm determined to kill it, but as of now it's screwed with my Windows activation. I rebooted and got Error 0xC004D301 - The security processor reported that the trusted data store was tampered.
>
> Assuming I get this cleaned...how much of a PITA is it going to be to get my Vista back to validated, or at this point am I totally screwed and it won't be able to be reactivated?

Re: Trojan.Vundo kills activation?

On Sun, 29 Jun 2008 02:17:18 -0400, Jay Moore wrote:
> Ok, somehow..and don't ask me how...Vundo managed to slip into what I thought was a secure system..sure, Defender detected it...but it missed the 4 other DLLs the process made and let them through...now I'm sitting here unable to detect it with scanners.
>
> I'm determined to kill it, but as of now it's screwed with my Windows activation. I rebooted and got Error 0xC004D301 - The security processor reported that the trusted data store was tampered.
>
> Assuming I get this cleaned...how much of a PITA is it going to be to get my Vista back to validated, or at this point am I totally screwed and it won't be able to be reactivated?

How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo.
http://www.bleepingcomputer.com/forums/topic18610.html

Re: Trojan.Vundo kills activation?

"Jay Moore" <dewdude******.com> wrote in message news:0EF5F82E-53BA-4D95-AD91-F2C99F2C6B55@microsoft.com...
> Ok, somehow..and don't ask me how...Vundo managed to slip into what I thought was a secure system..sure, Defender detected it...but it missed the 4 other DLLs the process made and let them through...now I'm sitting here unable to detect it with scanners.

http://www.physorg.com/news98802904.html

If you're not practicing safehex, then anything is possible. If the software doesn't know about the other parts period, such as a signature to detect them, as an example, then how is it supposed to detect anything, like DLL(s)?

What happened to the anti-virus software, if one was installed? Why didn't it catch anything? No solution is a stops all and ends all solution. And if you think it's a stops all and ends all solution, then you have a false sense of security. If the O/S can be fooled, then anything that runs with the O/S can be fooled too.

http://www.claymania.com/safe-hex.html

> I'm determined to kill it, but as of now it's screwed with my Windows activation. I rebooted and got Error 0xC004D301 - The security processor reported that the trusted data store was tampered.

Things have been tampered with, then what else has been tampered with or running that is undetected?

http://technet.microsoft.com/en-us/l.../cc512587.aspx

<http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html>

http://technet.microsoft.com/en-us/s...s/default.aspx

Currports (free) runs on Vista and Active Ports doesn't.

Re: Trojan.Vundo kills activation?

"Kayman" <kaymanDeleteThis@operamail.com> wrote in message news:eLGJRmb2IHA.3884@TK2MSFTNGP05.phx.gbl...
> On Sun, 29 Jun 2008 02:17:18 -0400, Jay Moore wrote:
>
> How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo.
> http://www.bleepingcomputer.com/forums/topic18610.html

Traditional methods DID NOT work. This is my second tango with this virus dude.

Re: Trojan.Vundo kills activation?

"Jay Moore" <dewdude******.com> wrote in message news:0EF5F82E-53BA-4D95-AD91-F2C99F2C6B55@microsoft.com...
> Ok, somehow..and don't ask me how...Vundo managed to slip into what I thought was a secure system..sure, Defender detected it...but it missed the 4 other DLLs the process made and let them through...now I'm sitting here unable to detect it with scanners.
>
> I'm determined to kill it, but as of now it's screwed with my Windows activation. I rebooted and got Error 0xC004D301 - The security processor reported that the trusted data store was tampered.
>
> Assuming I get this cleaned...how much of a PITA is it going to be to get my Vista back to validated, or at this point am I totally screwed and it won't be able to be reactivated?

Yeah, this is one sumbitch to deal with.

After YEARS of not having any problems, it slipped in on me via an older JAVA runtime with known vulnerabilities.

Keep JAVA up to date.

Re: Trojan.Vundo kills activation?

> What happened to the anti-virus software, if one was installed? Why didn't it catch anything? No solution is a stops all and ends all solution. And if you think it's a stops all and ends all solution, then you have a false sense of security. If the O/S can be fooled, then anything that runs with the O/S can be fooled too.

MS Defender did in fact pick up the original source DLL..but the virus is tricky and it actually can detect things like this....so it disguises itself. I've only found two or three AV programs that can pick up Vundo. Norton, McAfee, CA, Krapsersky....they will not. Spybot knows what it is, but can't fix it.

Re: Trojan.Vundo kills activation?

You know, I found it apparently wasn't that hard to deal with. This is my first go around with an infection on Vista....but my second dealing with it. VundoFix, which worked last time, didn't find it...and I've posted to their message board with a detailed description of what happened...awaiting a possible response.

It appears to *me*, and this is my somewhat uneducated guess, the process tries to execute and Windows Explorer would crash...sometimes it'd be a DEP issue, sometimes it would just crash. I never saw the actual popups. I believe it wasn't able to spread too far because of this...there were some registry entries and files..never left the temp folder...I forcibly removed the files in safe mode and got all kinds of errors about couldn't find 'em....I did miss one, and after finding out where it was in HijackThis..got rid of it and its registry entries.

I haven't had any problems since then...so I was able to get rid of it using more traditional methods without it continuing to self-replicate....no Explorer crashes....everything's running fine.

"V Green" <vanceg@nowhere.net> wrote in message news:eYNKmQf2IHA.4492@TK2MSFTNGP02.phx.gbl...
> "Jay Moore" <dewdude******.com> wrote in message news:0EF5F82E-53BA-4D95-AD91-F2C99F2C6B55@microsoft.com...
>> Ok, somehow..and don't ask me how...Vundo managed to slip into what I thought was a secure system..sure, Defender detected it...but it missed the 4 other DLLs the process made and let them through...now I'm sitting here unable to detect it with scanners.
>>
>> I'm determined to kill it, but as of now it's screwed with my Windows activation. I rebooted and got Error 0xC004D301 - The security processor reported that the trusted data store was tampered.
>>
>> Assuming I get this cleaned...how much of a PITA is it going to be to get my Vista back to validated, or at this point am I totally screwed and it won't be able to be reactivated?
>
> Yeah, this is one sumbitch to deal with.
>
> After YEARS of not having any problems, it slipped in on me via an older JAVA runtime with known vulnerabilities.
>
> Keep JAVA up to date.