Windows Defender detection of Vundo trojan

ColBla

Apologies if this is the wrong board for this - if so, happy to re-post in a
more appropriate place, just tell me where !

Windows Defender keeps reporting an infection with Vundo.gen!E. The advice
on the MS site says remove it using an AV program. I use McAfee, but when I
run a scan it can't find it - checking the update status of McAfee, I have
the right updates that should detect this version of Vundo. So I can't
actually follow the "how to remove" advice. So is Defender giving a false
positive, or should I be really worried because I seem to have an infection
that McAfee can't find ? Any advice on how to proceed gratefully received.

Not sure whether this is relevant or not, but since getting the first Vundo
detections, in the same account that apparently hosts Vundo, the user gets a
message on logon to the effect that the system can't find a file
opnkjghf.dll. Could this be related to the Vundo problem ?

System:
XPSP2
IE7
Windows Live Mail
Windows auto-update checked ON
AV & Firewall: McAfee, latest engines & updates installed.

Thanks in advance
 
Maurice N ~ MVP

It would not surprise me in the least that "opnkjghf.dll" is a trace of malware.

Use Windows' Disk Cleanup to delete all temporary files.

Download & save Malwarebytes Anti-Malware from
http://www.besttechie.net/tools/mbam-setup.exe or
http://malwarebytes.gt500.org/mbam.jsp
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform FULL Scan, then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in a new reply as soon as it has finished.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

MBAM is an excellent first-line program to use and keep.

Checking for/Help with Malware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

** Help at malware removal forums: Read the topmost directions at the forum and Post your logs as required by the forum to one (and only one) of the following
http://aumha.net/viewforum.php?f=30,
http://www.bleepingcomputer.com/forums/forum22.html,
http://forum.malwareremoval.com/viewforum.php?f=11
http://forums.spywareinfo.com/index.php?showforum=18
http://www.spywarewarrior.com/viewforum.php?f=5&sid=24750ebcb0d878746c0ca7ab9210f7ae,
http://forums.subratam.org/index.php?showforum=7,
http://forums.spybot.info/forumdisplay.php?f=22
or other appropriate forums for expert analysis, not here.**

Make very sure you read and follow the very topmost instructions at the forum you have selected.
Do NOT post your logs here.

--
Maurice Naggar
MS-MVP
-----

"ColBla" <ColBla@discussions.microsoft.com> wrote in message news:6DDC8686-815A-4194-BEA4-52E8D2398F67@microsoft.com...
> Apologies if this is the wrong board for this - if so, happy to re-post in a
> more appropriate place, just tell me where !
>
> Windows Defender keeps reporting an infection with Vundo.gen!E. The advice
> on the MS site says remove it using an AV program. I use McAfee, but when I
> run a scan it can't find it - checking the update status of McAfee, I have
> the right updates that should detect this version of Vundo. So I can't
> actually follow the "how to remove" advice. So is Defender giving a false
> positive, or should I be really worried because I seem to have an infection
> that McAfee can't find ? Any advice on how to proceed gratefully received.
>
> Not sure whether this is relevant or not, but since getting the first Vundo
> detections, in the same account that apparently hosts Vundo, the user gets a
> message on logon to the effect that the system can't find a file
> opnkjghf.dll. Could this be related to the Vundo problem ?
>
> System:
> XPSP2
> IE7
> Windows Live Mail
> Windows auto-update checked ON
> AV & Firewall: McAfee, latest engines & updates installed.
>
> Thanks in advance
 
Milo

Be advised that in Vundo.Gen!E, "Gen" corresponds to a generic detection. It is based
on a heuristic pattern wherein a fingerprint code of Vundo is visible and was seen
on such a file; that is why it is being tagged as part of the Vundo family.

"ColBla" <ColBla@discussions.microsoft.com> wrote in message
news:6DDC8686-815A-4194-BEA4-52E8D2398F67@microsoft.com...
> Apologies if this is the wrong board for this - if so, happy to re-post in
> a
> more appropriate place, just tell me where !
>
> Windows Defender keeps reporting an infection with Vundo.gen!E. The advice
> on the MS site says remove it using an AV program. I use McAfee, but when
> I
> run a scan it can't find it - checking the update status of McAfee, I have
> the right updates that should detect this version of Vundo. So I can't
> actually follow the "how to remove" advice. So is Defender giving a false
> positive, or should I be really worried because I seem to have an
> infection
> that McAfee can't find ? Any advice on how to proceed gratefully received.
>
> Not sure whether this is relevant or not, but since getting the first
> Vundo
> detections, in the same account that apparently hosts Vundo, the user gets
> a
> message on logon to the effect that the system can't find a file
> opnkjghf.dll. Could this be related to the Vundo problem ?
>
> System:
> XPSP2
> IE7
> Windows Live Mail
> Windows auto-update checked ON
> AV & Firewall: McAfee, latest engines & updates installed.
>
> Thanks in advance
 
PA Bear [MS MVP]

Microsoft has established separate newsgroups for Windows Defender support
and comments. This is not one of them.

See
http://www.microsoft.com/athome/security/spyware/software/newsgroups/default.mspx

TIP: Access these newsgroups using your default newsreader, not your
browser. See instructions on above page.

==========================

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjunction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://aumha.net/viewforum.php?f=30,
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html, or other appropriate forums for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/


ColBla wrote:
> Apologies if this is the wrong board for this - if so, happy to re-post in
> a
> more appropriate place, just tell me where !
>
> Windows Defender keeps reporting an infection with Vundo.gen!E. The advice
> on the MS site says remove it using an AV program. I use McAfee, but when
> I
> run a scan it can't find it - checking the update status of McAfee, I have
> the right updates that should detect this version of Vundo. So I can't
> actually follow the "how to remove" advice. So is Defender giving a false
> positive, or should I be really worried because I seem to have an
> infection
> that McAfee can't find ? Any advice on how to proceed gratefully received.
>
> Not sure whether this is relevant or not, but since getting the first
> Vundo
> detections, in the same account that apparently hosts Vundo, the user gets
> a
> message on logon to the effect that the system can't find a file
> opnkjghf.dll. Could this be related to the Vundo problem ?
>
> System:
> XPSP2
> IE7
> Windows Live Mail
> Windows auto-update checked ON
> AV & Firewall: McAfee, latest engines & updates installed.
>
> Thanks in advance
 
ColBla

Maurice

VMT for the steer about MBAM. Downloaded and have now run it 3 times:
1. Had to abort 1st scan part way through because I ran out of time. However
it found one file infected with Vundo and dealt with it.
2. 2nd scan ran all the way through and found a further infected file, again
successfully dealt with it.
3. Further scan did not find anything.
Have also run Defender without finding anything.

So I might think that the successful scans by MBAM and Defender ought to
mean the machine is now clean. But, in one of the four user accounts on the
machine - the same one in which the Vundo detections were - the user still
gets a DLL message on log-on; something seems to be looking for
"opnkjghf.dll", and not finding it.

So:
Any views on whether the machine is now clean ?
If so, how can I prevent the spurious DLL error appearing ?
If not, please advise whether it's worth transferring this discussion to one
of the specialist sites & I'll carry on there.
Also, any ideas of how I can prevent re-infection - McAfee is obviously as
much use as the proverbial chocolate fireguard ?

Thanks.



"Maurice N ~ MVP" wrote:

> It would not surprise me in the least that "opnkjghf.dll" is a trace of malware.
>
> Use Windows' Disk Cleanup to delete all temporary files.
>
> Download & save Malwarebytes Anti-Malware from
> http://www.besttechie.net/tools/mbam-setup.exe or
> http://malwarebytes.gt500.org/mbam.jsp
> Double Click mbam-setup.exe to install the application.
> Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
> If an update is found, it will download and install the latest version.
> Once the program has loaded, select Perform FULL Scan, then click Scan.
> The scan may take some time to finish, so please be patient.
> When the scan is complete, click OK, then Show Results to view the results.
> Make sure that everything is checked, and click Remove Selected.
> When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
> The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
> Copy & Paste the entire report in a new reply as soon as it has finished.
> Extra Note:
> If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
> Click OK to either and let MBAM proceed with the disinfection process.
> If asked to restart the computer, please do so immediately.
>
> MBAM is an excellent first-line program to use and keep.
>
> Checking for/Help with Malware
> http://aumha.org/a/parasite.htm
> http://aumha.org/a/quickfix.htm
> http://aumha.net/viewtopic.php?t=5878
> http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
> http://mvps.org/winhelp2002/unwanted.htm
> http://inetexplorer.mvps.org/data/prevention.htm
> http://inetexplorer.mvps.org/tshoot.html
> http://www.mvps.org/sramesh2k/Malware_Defence.htm
> http://defendingyourmachine.blogspot.com/
> http://www.elephantboycomputers.com/page2.html#Removing_Malware
>
> ** Help at malware removal forums: Read the topmost directions at the forum and Post your logs as required by the forum to one (and only one) of the following
> http://aumha.net/viewforum.php?f=30,
> http://www.bleepingcomputer.com/forums/forum22.html,
> http://forum.malwareremoval.com/viewforum.php?f=11
> http://forums.spywareinfo.com/index.php?showforum=18
> http://www.spywarewarrior.com/viewforum.php?f=5&sid=24750ebcb0d878746c0ca7ab9210f7ae,
> http://forums.subratam.org/index.php?showforum=7,
> http://forums.spybot.info/forumdisplay.php?f=22
> or other appropriate forums for expert analysis, not here.**
>
> Make very sure you read and follow the very topmost instructions at the forum you have selected.
> Do NOT post your logs here.
>
> --
> Maurice Naggar
> MS-MVP
> -----
>
> "ColBla" <ColBla@discussions.microsoft.com> wrote in message news:6DDC8686-815A-4194-BEA4-52E8D2398F67@microsoft.com...
> > Apologies if this is the wrong board for this - if so, happy to re-post in a
> > more appropriate place, just tell me where !
> >
> > Windows Defender keeps reporting an infection with Vundo.gen!E. The advice
> > on the MS site says remove it using an AV program. I use McAfee, but when I
> > run a scan it can't find it - checking the update status of McAfee, I have
> > the right updates that should detect this version of Vundo. So I can't
> > actually follow the "how to remove" advice. So is Defender giving a false
> > positive, or should I be really worried because I seem to have an infection
> > that McAfee can't find ? Any advice on how to proceed gratefully received.
> >
> > Not sure whether this is relevant or not, but since getting the first Vundo
> > detections, in the same account that apparently hosts Vundo, the user gets a
> > message on logon to the effect that the system can't find a file
> > opnkjghf.dll. Could this be related to the Vundo problem ?
> >
> > System:
> > XPSP2
> > IE7
> > Windows Live Mail
> > Windows auto-update checked ON
> > AV & Firewall: McAfee, latest engines & updates installed.
> >
> > Thanks in advance

>
 
ColBla

PA Bear

Many thanks for your interest & advice - at present though this looks like
it's a "Vundo removal issue" rather than a problem with Defender and I'm
getting useful advice from Maurice N on that. However, if it turns into a
need for support with Defender then I'll certainly open a thread over there
&/or use one of the more specialised forums.


"PA Bear [MS MVP]" wrote:

> Microsoft has established separate newsgroups for Windows Defender support
> and comments. This is not one of them.
>
> See
> http://www.microsoft.com/athome/security/spyware/software/newsgroups/default.mspx
>
> TIP: Access these newsgroups using your default newsreader, not your
> browser. See instructions on above page.
>
> ==========================
>
> Unexplained computer behavior may be caused by deceptive software
> http://support.microsoft.com/kb/827315
>
> Run a /thorough/ check for hijackware, including posting your hijackthis log
> to an appropriate forum.
>
> Checking for/Help with Hijackware
> http://aumha.org/a/parasite.htm
> http://aumha.org/a/quickfix.htm
> http://aumha.net/viewtopic.php?t=5878
> http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
> http://mvps.org/winhelp2002/unwanted.htm
> http://inetexplorer.mvps.org/data/prevention.htm
> http://inetexplorer.mvps.org/tshoot.html
> http://www.mvps.org/sramesh2k/Malware_Defence.htm
> http://defendingyourmachine2.blogspot.com/
> http://www.elephantboycomputers.com/page2.html#Removing_Malware
>
> When all else fails, HijackThis v2.0.2
> (http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
> conjunction with some other utilities). HijackThis will NOT fix anything on
> its own, but it will help you to both identify and remove any
> hijackware/spyware with assistance from an expert. **Post your log to
> http://aumha.net/viewforum.php?f=30,
> http://forums.spybot.info/forumdisplay.php?f=22,
> http://castlecops.com/forum67.html, or other appropriate forums for review
> by an expert in such matters, not here.**
>
> If the procedures look too complex - and there is no shame in admitting this
> isn't your cup of tea - take the machine to a local, reputable and
> independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
> --
> ~Robear Dyer (PA Bear)
> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> AumHa VSOP & Admin http://aumha.net
> DTS-L http://dts-l.net/
>
>
> ColBla wrote:
> > Apologies if this is the wrong board for this - if so, happy to re-post in
> > a
> > more appropriate place, just tell me where !
> >
> > Windows Defender keeps reporting an infection with Vundo.gen!E. The advice
> > on the MS site says remove it using an AV program. I use McAfee, but when
> > I
> > run a scan it can't find it - checking the update status of McAfee, I have
> > the right updates that should detect this version of Vundo. So I can't
> > actually follow the "how to remove" advice. So is Defender giving a false
> > positive, or should I be really worried because I seem to have an
> > infection
> > that McAfee can't find ? Any advice on how to proceed gratefully received.
> >
> > Not sure whether this is relevant or not, but since getting the first
> > Vundo
> > detections, in the same account that apparently hosts Vundo, the user gets
> > a
> > message on logon to the effect that the system can't find a file
> > opnkjghf.dll. Could this be related to the Vundo problem ?
> >
> > System:
> > XPSP2
> > IE7
> > Windows Live Mail
> > Windows auto-update checked ON
> > AV & Firewall: McAfee, latest engines & updates installed.
> >
> > Thanks in advance

>
>
 
Maurice N ~ MVP

Hello,

With Vundo infections, one has to usually run a battery of special removal
apps to remove all of it. MBAM is just one tool and I in no way meant to
convey that it would remove all infections. MBAM does do a good job of
knocking out the most common current infectors but again, it is not the
single universal answer.

I urge you to select one of the forums I mentioned and follow that forum's
requirements for posting (they each have a "Read first" or "topmost" sticky of
instructions).
Joining the forum is free.

Also, keep in mind, your particular case may call for customized removal via
tools or scripts. So, do not hesitate, but do this pronto, and meantime do
not surf the internet. This pc cannot be considered clean.

Prevention of re-infection will also be covered at the forums. Basically a
layered approach of apps, and user awareness.
--
Maurice N
MS-MVP
--
"ColBla" <ColBla@discussions.microsoft.com> wrote in message
news:D49F84B4-31A3-4992-99F2-E96C11EFB150@microsoft.com...
> Maurice
>
> VMT for the steer about MBAM. Downloaded and have now run it 3 times:
> 1. Had to abort 1st scan part way through because I ran out of time.
> However
> it found one file infected with Vundo and dealt with it.
> 2. 2nd scan ran all the way through and found a further infected file,
> again
> successfully dealt with it.
> 3. Further scan did not find anything.
> Have also run Defender without finding anything.
>
> So I might think that the successful scans by MBAM and Defender ought to
> mean the machine is now clean. But, in one of the four user accounts on
> the
> machine - the same one in which the Vundo detections were - the user still
> gets a DLL message on log-on; something seems to be looking for
> "opnkjghf.dll", and not finding it.
>
> So:
> Any views on whether the machine is now clean ?
> If so, how can I prevent the spurious DLL error appearing ?
> If not, please advise whether it's worth transferring this discussion to
> one
> of the specialist sites & I'll carry on there.
> Also, any ideas of how I can prevent re-infection - McAfee is obviously as
> much use as the proverbial chocolate fireguard ?
>
> Thanks.
>
>
>
> "Maurice N ~ MVP" wrote:
>
>> It would not surprise me in the least that "opnkjghf.dll" is a trace of
>> malware.
>>
>> Use Windows' Disk Cleanup to delete all temporary files.
>>
>> Download & save Malwarebytes Anti-Malware from
>> http://www.besttechie.net/tools/mbam-setup.exe or
>> http://malwarebytes.gt500.org/mbam.jsp
>> Double Click mbam-setup.exe to install the application.
>> Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware
>> and Launch Malwarebytes Anti-Malware, then click Finish.
>> If an update is found, it will download and install the latest version.
>> Once the program has loaded, select Perform FULL Scan, then click Scan.
>> The scan may take some time to finish, so please be patient.
>> When the scan is complete, click OK, then Show Results to view the
>> results.
>> Make sure that everything is checked, and click Remove Selected.
>> When disinfection is completed, a log will open in Notepad and you may be
>> prompted to Restart. (See Extra Note)
>> The log is automatically saved by MBAM and can be viewed by clicking the
>> Logs tab in MBAM.
>> Copy & Paste the entire report in a new reply as soon as it has finished.
>> Extra Note:
>> If MBAM encounters a file that is difficult to remove, you will be
>> presented with 1 of 2 prompts.
>> Click OK to either and let MBAM proceed with the disinfection process.
>> If asked to restart the computer, please do so immediately.
>>
>> MBAM is an excellent first-line program to use and keep.
>>
>> Checking for/Help with Malware
>> http://aumha.org/a/parasite.htm
>> http://aumha.org/a/quickfix.htm
>> http://aumha.net/viewtopic.php?t=5878
>> http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
>> http://mvps.org/winhelp2002/unwanted.htm
>> http://inetexplorer.mvps.org/data/prevention.htm
>> http://inetexplorer.mvps.org/tshoot.html
>> http://www.mvps.org/sramesh2k/Malware_Defence.htm
>> http://defendingyourmachine.blogspot.com/
>> http://www.elephantboycomputers.com/page2.html#Removing_Malware
>>
>> ** Help at malware removal forums: Read the topmost directions at the
>> forum and Post your logs as required by the forum to one (and only one)
>> of the following
>> http://aumha.net/viewforum.php?f=30,
>> http://www.bleepingcomputer.com/forums/forum22.html,
>> http://forum.malwareremoval.com/viewforum.php?f=11
>> http://forums.spywareinfo.com/index.php?showforum=18
>>
>> http://www.spywarewarrior.com/viewforum.php?f=5&sid=24750ebcb0d878746c0ca7ab9210f7ae,
>> http://forums.subratam.org/index.php?showforum=7,
>> http://forums.spybot.info/forumdisplay.php?f=22
>> or other appropriate forums for expert analysis, not here.**
>>
>> Make very sure you read and follow the very topmost instructions at the
>> forum you have selected.
>> Do NOT post your logs here.
>>
>> --
>> Maurice Naggar
>> MS-MVP
>> -----
 
Blackavar

Blackavar had written this in response to
http://www.secure-gear.com/microsof...r-detection-of-Vundo-trojan-article24813-.htm:


-------------------------------------
ColBla wrote:

> Apologies if this is the wrong board for this - if so, happy to re-post
> in a
> more appropriate place, just tell me where !


> Windows Defender keeps reporting an infection with Vundo.gen!E. The
> advice
> on the MS site says remove it using an AV program. I use McAfee, but
> when I
> run a scan it can't find it - checking the update status of McAfee, I
> have
> the right updates that should detect this version of Vundo. So I can't
> actually follow the "how to remove" advice. So is Defender
> giving a false
> positive, or should I be really worried because I seem to have an
> infection
> that McAfee can't find ? Any advice on how to proceed gratefully
> received.


> Not sure whether this is relevant or not, but since getting the first
> Vundo
> detections, in the same account that apparently hosts Vundo, the user
> gets a
> message on logon to the effect that the system can't find a file
> opnkjghf.dll. Could this be related to the Vundo problem ?


> System:
> XPSP2
> IE7
> Windows Live Mail
> Windows auto-update checked ON
> AV & Firewall: McAfee, latest engines & updates installed.


> Thanks in advance



Vundo is good at hiding. If you want to ensure that you do not have an
infection:
1. Run msconfig.msc
2. Under the Startup tab, remove the checkmarks next to each program.
Note: Vundo usually uses rundll32 to run itself at startup.
3. Apply changes and reboot.
4. Download and install Windows Defender from Microsoft.
5. Download the definition file from MS:
http://www.microsoft.com/security/portal/ADL.aspx
Note: Windows Update can be used to retrieve the latest definition, but
Vundo disables Windows Update.
6. Perform a full scan; if Vundo is located you will have the option to
quarantine or remove it.
7. Once finished you may now re-enable startup programs and restart the
machine.

Note: Until Vundo is killed or unable to run, it will continue to protect
itself by creating xml files in your system32 dir and renaming them to
random file names ending with the extension .dll. PKini seems to be
another related file.




##-----------------------------------------------##
Delivered via http://www.secure-gear.com
The Internet Knowledge Base for the security industry
no-spam access to your favorite newsgroup -
microsoft.public.security - 24681 messages and counting!
##-----------------------------------------------##
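The logon message ColBla keeps seeing ("can't find opnkjghf.dll") is what an autostart entry produces when it still launches a DLL that the scanners have since removed, and Blackavar's note above is that Vundo starts itself through rundll32 from random-named DLLs in system32. The script below is an added example, not code from any poster in this thread: it parses a `reg export` of the Run keys, picks out the entries that go through rundll32, and flags those whose DLL no longer exists (deleting that value is what stops the error) or whose eight-letter name looks generated. The .reg text, the list of "existing" files and the C:\WINDOWS\system32 path are constructed assumptions so that it runs offline; on the real machine you would export the keys with `reg export` and leave the `exists` argument at its `os.path.exists` default. (The startup tool in step 1 above is msconfig.exe; there is no .msc.)

```python
"""
Triage helper for a "can't find <random>.dll" logon error: parse a .reg
export of the autostart keys, pick out entries that launch a DLL through
rundll32, and flag the ones whose DLL is gone (an orphaned loader left
behind after the DLL was removed) or whose name looks machine-generated.

Added example, not code from any post in this thread. The .reg text and the
file list are constructed; on a real machine feed it `reg export` output and
leave `exists` at its default.
"""
import os
import re
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional, Tuple

# Constructed .reg fragment (assumed layout of `reg export` on XP). The
# opnkjghf entry mirrors what a cleaned-up Vundo DLL leaves in the Run key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="\"C:\\Program Files\\McAfee\\Common Framework\\udaterui.exe\" /StartedFromRunKey"
"opnkjghf"="rundll32.exe \"C:\\WINDOWS\\system32\\opnkjghf.dll\",a"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Control"="rundll32.exe shell32.dll,Control_RunDLL"
'''

# Constructed stand-in for the file system so the example runs offline.
SIMULATED_FILES = {
    r"c:\windows\system32\ctfmon.exe",
    r"c:\windows\system32\shell32.dll",
    r"c:\program files\mcafee\common framework\udaterui.exe",
}
SYSTEM32 = r"C:\WINDOWS\system32"  # assumed install path

KEY_RE = re.compile(r'^\[(.+)\]\s*$')
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"\s*$')
# rundll32[.exe] followed by either a quoted path or a bare token up to the comma
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))', re.IGNORECASE)


def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash escapes the next character."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, value_data) for every string value in a .reg export."""
    key: Optional[str] = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
            yield key, name, _unescape(m.group(2))


def looks_random(basename: str) -> bool:
    """Crude heuristic for generated names: 8 lowercase letters, at most one vowel."""
    stem = basename.rsplit(".", 1)[0]
    return (len(stem) == 8 and stem.isalpha() and stem.islower()
            and sum(c in "aeiou" for c in stem) <= 1)


@dataclass
class Finding:
    key: str
    name: str
    command: str
    dll: str
    orphaned: bool   # DLL missing: this entry is what raises the logon error
    odd_name: bool   # name matches the random-name heuristic


def triage(reg_text: str, exists: Callable[[str], bool] = os.path.exists) -> List[Finding]:
    """Return one Finding per rundll32 autostart entry in the export."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        m = RUNDLL_RE.search(data)
        if not m:
            continue
        dll = m.group(1) or m.group(2)
        # A bare DLL name is found via the loader search path; system32 is
        # where Vundo drops its files, so we assume it here.
        if os.path.dirname(dll.replace("\\", "/")) == "":
            dll = SYSTEM32 + "\\" + dll
        base = os.path.basename(dll.replace("\\", "/"))
        findings.append(Finding(key, name, data, dll,
                                orphaned=not exists(dll),
                                odd_name=looks_random(base)))
    return findings


def sim_exists(path: str) -> bool:
    """Existence check against the constructed file list."""
    return path.lower() in SIMULATED_FILES


if __name__ == "__main__":
    for f in triage(SAMPLE_REG, sim_exists):
        tags = [t for t, on in (("ORPHANED", f.orphaned), ("RANDOM-NAME", f.odd_name)) if on]
        print(f"{f.key}\\{f.name}: {f.dll} {' '.join(tags)}".rstrip())
```

The parser accepts any key in the export, but only rundll32 command lines are classified, so this catches the Run-key loader behind the logon error and nothing loaded by other mechanisms; a full autostart review still needs the HijackThis or forum process the MVPs describe. The name heuristic is deliberately crude and is only a prompt to look closer; the orphan check is the definite signal.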
 