Trojan.Vundo kills activation?

Jay Moore

Ok, somehow..and don't ask me how...Vundo managed to slip into what I
thought was a secure system..sure, Defender detected it...but it missed the
4 other DLLs the process made and let them through...now I'm sitting here
unable to detect it with scanners.

I'm determined to kill it, but as of now it's screwed with my Windows
activation. I rebooted and got Error 0xC004D301 - The security processor
reported that the trusted data store was tampered.

Assuming I get this cleaned...how much of a PITA is it going to be to get my
Vista back to validated, or at this point am I totally screwed and it won't
be able to be reactivated?
 
Never mind...

Vista didn't let the Vundo infection spread too deep...just 4 registry
entries and some DLL files in a temp directory. Activation asked for the product
key...and reactivated.
 
Jay Moore said:
Ok, somehow..and don't ask me how...Vundo managed to slip into what I
thought was a secure system..sure, Defender detected it...but it missed the
4 other DLLs the process made and let them through...now I'm sitting here
unable to detect it with scanners.

I'm determined to kill it, but as of now it's screwed with my Windows
activation. I rebooted and got Error 0xC004D301 - The security processor
reported that the trusted data store was tampered.

Assuming I get this cleaned...how much of a PITA is it going to be to get my
Vista back to validated, or at this point am I totally screwed and it won't
be able to be reactivated?

How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo.
http://www.bleepingcomputer.com/forums/topic18610.html
 
Jay Moore said:
Ok, somehow..and don't ask me how...Vundo managed to slip into what I
thought was a secure system..sure, Defender detected it...but it missed
the 4 other DLLs the process made and let them through...now I'm sitting
here unable to detect it with scanners.

http://www.physorg.com/news98802904.html

If you're not practicing safe hex, then anything is possible. If the software
doesn't know about the other parts, period, such as a signature to detect
them, as an example, then how is it supposed to detect anything, like DLL(s)?

What happened to the anti-virus software, if one was installed? Why didn't
it catch anything? No solution is a stops all and ends all solution. And if
you think it's a stops all and ends all solution, then you have a false
sense of security. If the O/S can be fooled, then anything that runs with
the O/S can be fooled too.

http://www.claymania.com/safe-hex.html
I'm determined to kill it, but as of now it's screwed with my Windows
activation. I rebooted and got Error 0xC004D301 - The security processor
reported that the trusted data store was tampered.

Things have been tampered with, then what else has been tampered with or
running that is undetected?

http://technet.microsoft.com/en-us/library/cc512587.aspx
<http://www.windowsecurity.com/artic...d_Rootkit_Tools_in_a_Windows_Environment.html>
http://technet.microsoft.com/en-us/sysinternals/default.aspx

Currports (free) runs on Vista and Active Ports doesn't.
 
What happened to the anti-virus software, if one was installed? Why didn't
it catch anything? No solution is a stops all and ends all solution. And
if you think it's a stops all and ends all solution, then you have a false
sense of security. If the O/S can be fooled, then anything that runs with
the O/S can be fooled too.


MS Defender did in fact pick up the original source DLL..but the virus is
tricky and it actually can detect things like this....so it disguises
itself.

I've only found two or three AV programs that can pick up vundo. Norton,
McAfee, CA, Krapsersky....they will not. Spybot knows what it is, but can't
fix it.
 
Jay Moore said:
Ok, somehow..and don't ask me how...Vundo managed to slip into what I
thought was a secure system..sure, Defender detected it...but it missed the
4 other DLLs the process made and let them through...now I'm sitting here
unable to detect it with scanners.

I'm determined to kill it, but as of now it's screwed with my Windows
activation. I rebooted and got Error 0xC004D301 - The security processor
reported that the trusted data store was tampered.

Assuming I get this cleaned...how much of a PITA is it going to be to get my
Vista back to validated, or at this point am I totally screwed and it won't
be able to be reactivated?

Yeah, this is one sumbitch to deal with.

After YEARS of not having any problems, it slipped in on me via an older
JAVA runtime with known vulnerabilities.

Keep JAVA up to date.
 
You know, I found it apparently wasn't that hard to deal with. This is my
first go-around with an infection on Vista....but my second dealing with it.

VundoFix, which worked last time, didn't find it...and I've posted to their
message board with a detailed description of what happened...awaiting a
possible response.

It appears to *me*, and this is my somewhat uneducated guess, the process
tries to execute and Windows Explorer would crash...sometimes it'd be a DEP
issue, sometimes it would just crash. I never saw the actual popups.

I believe it wasn't able to spread too far because of this...there were some
registry entries and files..never left the temp folder...I forcibly removed
the files in safe mode and got all kinds of errors about couldn't find
'em....I did miss one, and after finding out where it was in HijackThis..got
rid of it and its registry entries.

I haven't had any problems since then...so I was able to get rid of it using
more traditional methods without it continuing to self-replicate....no
Explorer crashes....everything's running fine.
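The poster's manual check (DLLs dropped in a temp folder, the registry entries that load them, and Explorer crashing when they load) turned into a repeatable triage step, as an added example that is not from the thread or from any of the tools it links. The list of autostart keys and the choice of temp directories are assumptions; the script only reports and removes nothing.

```powershell
# Added triage script; it is not from the thread or from any tool it links.
# It only reports, nothing is deleted. Run from an elevated PowerShell prompt.

# Autostart registry locations to inspect (assumed list, extend as needed).
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
)
# Metadata properties Get-ItemProperty adds to every result; not registry values.
$PsMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
# Temp directories that no legitimate autostart entry should point into.
$TempDirs = @($env:TEMP, $env:TMP, "$env:SystemRoot\Temp") |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLower() + '\' } |
    Select-Object -Unique
# Autostart values whose data references a file under a temp directory.
function Get-TempAutostarts {
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($PsMeta -contains $prop.Name) { continue }
            $data = [Environment]::ExpandEnvironmentVariables([string]$prop.Value).ToLower()
            foreach ($dir in $TempDirs) {
                if ($data.Contains($dir)) {
                    New-Object PSObject -Property @{ Key = $key; ValueName = $prop.Name; Data = $data }
                }
            }
        }
    }
}
# DLLs that explorer.exe currently has loaded from a temp directory.
function Get-TempModulesInExplorer {
    foreach ($proc in (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
        try { $modules = $proc.Modules } catch { continue }   # 32/64-bit mismatch or access denied
        foreach ($m in $modules) {
            foreach ($dir in $TempDirs) {
                if ($m.FileName.ToLower().StartsWith($dir)) {
                    New-Object PSObject -Property @{ ProcessId = $proc.Id; Module = $m.FileName }
                }
            }
        }
    }
}
Get-TempAutostarts | Format-Table -AutoSize
Get-TempModulesInExplorer | Format-Table -AutoSize
```

Anything it lists is a lead to verify by hand (file hash, signer, creation time), not proof of infection, and the matching registry value and file are what the poster ended up removing in safe mode.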
 