Vundo Anti-Spyware not fully detected?

Recommended Posts

Guest

Hi All,

Must say, excellent work on the product; it seems to work quite well and detected a few things that others like Spybot, Ewido etc. did not pick up.

I was trying to post this under the Anti-Spyware section but I don't have the forum permissions.

I have been trying to get rid of Vundo and even used the free VundoFix utility, which detected a few DLLs that SuperAntiSpyware did not; however, it had less success than SuperAntiSpyware in the actual removal process.

It was unable to remove a few DLLs:

hgdeb.dll

vtuttqo.dll

VundoFix ended up crashing lsass, as the DLLs are hooked into winlogon and explorer, and thus the machine restarted and VundoFix executed at first login. Unfortunately it was still unable to catch it fast enough, as it hooks into the login/logoff via the winlogon Notify key and it was also running in explorer...

So after that unsuccessful attempt I figured I would try SuperAntiSpyware and, as mentioned, it found a few additional entries which others did not find. It did detect Vundo, but only parts of it. For example, it has removed the "vtuttqo.dll" injection but not the "hgdeb.dll", which I can still see in the registry. I do believe from looking around that it's related to Vundo, so hopefully this can be added to the next definition update?

For now I guess I'll have to manually remove the entries; any help on whether or not this is actually related to Vundo would be appreciated. Thank you, and keep up the great work.

Guest

Hmm on closer inspection the file did get picked up but the registry entries related to it were left in place.

Unfortunately they were deleted by another admin before I could write all the locations down; however, one was in the winlogon Notify key.

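The orphaned winlogon Notify entries mentioned in the two posts above (DLL file removed, registry reference left behind) are easy to audit. The following PowerShell script is an added example and not code from this thread or from SuperAntiSpyware: it enumerates every Notify package, resolves the DLLName it points at, and flags entries whose DLL is missing, lives outside System32, or is not validly signed. It assumes the classic Winlogon Notify location (Windows XP/2003); on later Windows versions the key is normally empty, so an empty report there is expected.

```powershell
# Added example: audit Winlogon Notify packages for leftover or suspicious entries.
# Read-only: nothing is deleted, the script only reports.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$system32  = Join-Path $env:SystemRoot 'System32'

function Get-WinlogonNotifyReport {
    if (-not (Test-Path $notifyKey)) {
        Write-Output "No Winlogon Notify key present on this system."
        return
    }
    Get-ChildItem -Path $notifyKey | ForEach-Object {
        $props    = Get-ItemProperty -Path $_.PSPath
        $dllName  = $props.DLLName
        $resolved = $null
        if ([string]::IsNullOrEmpty($dllName)) {
            $status = 'NO DLLName VALUE'
        } else {
            # A bare file name is loaded relative to System32; absolute paths are kept as-is.
            if ([System.IO.Path]::IsPathRooted($dllName)) {
                $resolved = $dllName
            } else {
                $resolved = Join-Path $system32 $dllName
            }
            $resolved = [Environment]::ExpandEnvironmentVariables($resolved)
            if (-not (Test-Path -LiteralPath $resolved)) {
                # The case from the thread: file already removed, registry entry still present.
                $status = 'DLL MISSING (orphaned entry)'
            } elseif ($resolved -notlike "$system32\*") {
                $status = 'DLL OUTSIDE System32'
            } elseif ((Get-AuthenticodeSignature -FilePath $resolved).Status -ne 'Valid') {
                # Legitimate Notify packages shipped by Microsoft carry a valid signature.
                $status = 'DLL NOT VALIDLY SIGNED'
            } else {
                $status = 'present, signed'
            }
        }
        [PSCustomObject]@{
            Package  = $_.PSChildName
            DLLName  = $dllName
            Resolved = $resolved
            Status   = $status
        }
    }
}

Get-WinlogonNotifyReport | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; anything flagged as missing, outside System32, or unsigned is worth a closer look before you remove the registry entry by hand.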
Guest

It did not detect "ueaufhfs.dll", which was also part of Vundo; however, I did not want it to spread, as it was a pain in the ass to get rid of, so I deleted it fast before getting a sample together to send.


Does the lsass crash you're describing give you that 'Windows is Shutting Down in (insert timer here) seconds' warning?

If so, you can stop that shutdown process by typing 'shutdown -a' (no quote marks) in the Start | Run line.

I've found that I usually have to let the processes actually run (load) before the spyware scanners can pick off all the files and registry bits. Since an lsass crash forces a reboot, Vundo and many other trojan variants can be tough to kill completely. 'shutdown -a' will let you continue the fight without having that reboot forced on you.

I'm not sure if it's relevant, but I hope that helps!

-Lee

http://www.pillowpc.com

Spyware Warrior and SuperAntiSpyware Affiliate
