
Any real way to stop Vundo?


dragonash
03-26-2009, 09:01 AM
It seems to be unstoppable. You don't even have to click on anything.

It happened to me 3 times last month and it has hit a few people at work.
I have tried a few removal programs, but none seem to work, and obviously our antivirus doesn't detect it (new type, maybe?). The end result is a reimage of the machine.

Is XP more susceptible than Vista? What about Vista 64?

Is removal impossible?

Ninjahedge
03-26-2009, 09:35 AM
I THINK I was able to remove it from my server...

I used Malwarebytes, Ad-Aware (to block the ads), an AntiVir scan (also blocks access), and Spybot S&D.

But there are also a few online tools, and I think a program called onefix? (Batch file and some small scanners, etc.)

It is a PITA, I was getting it from Nova.......

5150
03-26-2009, 02:49 PM
Is removal impossible?
No, just time consuming. A lot of reading, trial and error on what program can detect/delete the Vundo variant (if it can at all), manually deleting files, finding the "watcher" file (you think you fixed it but it just returns on a reboot), etc.

Google "sysinternals vundo" and start reading.:D

How to avoid: I imagine sometimes you can't. But your browsing/downloading habits are usually the number one cause.
So surf smart and secure: make sure updates are done (Windows, IE, Java, etc.).
http://www.techspot.com/vb/topic119024.html

shifty
03-27-2009, 10:37 AM
I have no problems with preventing it and removing it on systems that find it. Maybe it's just my surfing habits, but SuperAntiSpyware combined with AntiVir seems to stop all of it. AntiVir is amazing; it actually checks the HTML pages you visit, and if any code execution stuff resembling Vundo is on it, it will quarantine the page BEFORE you get hit.

If you're (still) either dumb, lazy, or not-in-the-know enough to QUIT using AVG, THEN STOP NOW, and go get Antivir.

Meanwhile, without direct access, chances are I couldn't clean it off your system, BUT most of its files are hidden in the System32 folder (and are executed at startup via the Winlogon\Notify section of the registry), so if you understand file permissions, you can just go into System32, sort the folder by 'accessed/modified' date with the most recent date at top, and start hitting Google on the DLL and other file names. If it comes back with no hits, remove all permissions from the file and continue the process for all the others.

After you're done with those, you'll want to crack open your registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ and highlight each key under this section; look for bogus, random-named DLLs (and again, Google for them first before deleting!) because this is where they will load. To save some effort, these are normal system notifiers:

crypt32chain
cryptnet
cscdll
dimsntfy
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
WgaLogon
wlballoon

After you completed those steps, reboot, log back in, delete all those files you changed permissions on, then double-check Winlogon\Notify for return visitors.

SAS or AntiVir should pick up straggler files.
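The audit shifty walks through above (unknown entries under Winlogon\Notify, then recently modified binaries in System32) can be turned into a report so the Google-each-name step starts from a short list. The script below is an added example, not code from the thread or from any of the tools mentioned. It is report-only: it changes no permissions and deletes nothing. It assumes an elevated Windows PowerShell prompt on the infected machine and nothing beyond the built-in cmdlets; the list of known notifiers is the one from the post. Winlogon notification packages were removed in Vista, so on Vista and later the key is normally absent or empty.

```powershell
# Added example (not from the original post). Report-only audit of the
# XP-era Winlogon\Notify key and of recently modified System32 binaries.

# Normal notifiers, as listed in the post above.
$knownNotifiers = @(
    'crypt32chain','cryptnet','cscdll','dimsntfy','ScCertProp','Schedule',
    'sclgntfy','SensLogn','termsrv','WgaLogon','wlballoon'
)
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$system32  = Join-Path $env:SystemRoot 'System32'

function Get-UnknownNotifiers {
    # Every subkey not on the known list, with the DLL it points at.
    if (-not (Test-Path $notifyKey)) { return }
    Get-ChildItem $notifyKey | ForEach-Object {
        $name = $_.PSChildName
        if ($knownNotifiers -contains $name) { return }
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        # A bare file name is loaded from System32, the same way Winlogon resolves it.
        $path = $dll
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { $path = Join-Path $system32 $dll }
        $status = 'missing'
        if ($path -and (Test-Path $path)) { $status = (Get-AuthenticodeSignature $path).Status }
        New-Object PSObject -Property @{ Subkey = $name; DLLName = $dll; Path = $path; Signature = $status }
    }
}

function Get-RecentSystem32Binaries {
    # DLL/EXE/SYS files in System32 modified in the last $Days days, newest first
    # (the "sort by modified date" step from the post). -Force includes hidden files.
    param([int]$Days = 7)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem $system32 -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            @('.dll','.exe','.sys') -contains $_.Extension.ToLower() -and
            $_.LastWriteTime -gt $cutoff
        } |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, LastWriteTime, Length,
            @{ n = 'Signature'; e = { (Get-AuthenticodeSignature $_.FullName).Status } }
}

"Winlogon\Notify subkeys not on the known list:"
Get-UnknownNotifiers | Format-Table Subkey, DLLName, Path, Signature -AutoSize
"System32 binaries modified in the last 7 days (look up any unfamiliar name before touching it):"
Get-RecentSystem32Binaries | Format-Table -AutoSize
```

The Signature column is only a hint: on XP many legitimate Microsoft files are catalog-signed rather than embedded-signed and show up as NotSigned here, so a name that is unfamiliar still has to be looked up before its permissions are stripped, exactly as the post says.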

poppinfresh
03-27-2009, 11:02 AM
I've never heard of AntiVir before; I've been using AVG or Avast on systems I work on.

Guess it comes with strong recommendations from you, shifty? :) The reviews I've read have been positive, minus obtrusive advertisements after update downloads, and no automatic response to threats it finds. What do you think?

5150
03-27-2009, 12:54 PM
You can "remove avira pop-up", just Google it.
And the splash screen too, I believe. Why you'd want to do that, you got me.

shifty
03-27-2009, 02:13 PM
I've never heard of AntiVir before; I've been using AVG or Avast on systems I work on.

Guess it comes with strong recommendations from you, shifty? :)

Very strong. I liked it so much I bought 100 licenses for our North American offices and installed it network-wide. I rarely ever switch from software titles like that.

www.free-av.com

Like 5150 said, you can get rid of the pop-ups on the free version, just remove execute permissions from the avnotify.exe program.

shifty
03-27-2009, 02:14 PM
PS - I loved AVG till they released v8.0. It's been bloatware ever since, just like Norton and McAfee and the others (but AVG still detects more than those two, sad, eh?)

dragonash
03-27-2009, 02:20 PM
No, sad is that my company uses McAfee and I am seeing more Vundo issues.

My company won't be changing to AntiVir anytime soon either.

shifty
03-27-2009, 05:38 PM
McAfee is ****ware. I would install AntiVir on it at the same time. But that's just me.

5150
03-27-2009, 10:25 PM
****ware=?
bloat
scum
spam

Woops, too many letters on BLOAT-
Give me a clue!?

shifty
03-28-2009, 11:50 AM
it's the "bad" version of 'poop'

Ninjahedge
03-30-2009, 09:27 AM
He is just talking about crapware.

Slayer
03-30-2009, 12:30 PM
He is just talking about crapware.

Very stinky kind of ****ware! :p

I love Antivir. I actually had it pop up warnings on some news sites I was linked to. The NY Post was one of the sites and even imdb popped up a warning.

dragonash
03-30-2009, 12:57 PM
McAfee is ****ware. I would install AntiVir on it at the same time. But that's just me.

In a company of over 10k people... I don't have a say in that, lol.

Ninjahedge
03-31-2009, 09:18 AM
In a company of less than 200 I do not have a say in that.. :(

I just had to rename a set of files to get rid of a print monitor on my system (yes, they are counting printouts and BILLING them!).

I am running basically Outlook, one analysis proggie (not running, just open), Explorer and IE, and I am at 1.4 G of memory being used!

I shut down PCM (I will see what that does), but they run McAfee here, and a bunch of other crap (like an internet phone from ShoreTel... not bad really). Everything is a resource hog!

dragonash
03-31-2009, 10:18 AM
you have free printing now! ;p

Ninjahedge
03-31-2009, 01:10 PM
Free?

Nah.

They just aren't nickel and diming my clients.

shifty
05-12-2009, 03:33 PM
Here's a fun one I caught on one of our PCs today which redirected DNS for sites like Google, and had other impacts: http://www.myantispyware.com/2009/04/22/how-to-remove-gxvxcservsys-trojan-redirect-virus/

gxvxcserv.sys (aka 'gxvxc')

Replicates and spreads by USB devices. Totally hides itself using hidden files and hidden registry keys; literally, the .sys driver file was hidden from the GUI totally. Even with "show all files" selected, we still couldn't see them.

The instructions at that site were a lifesaver to getting rid of that thing.

Ninjahedge
05-12-2009, 03:53 PM
How did it hide itself?

What command code was necessary to make that happen? Was it really listed somehow, but buried? (attached to something else?)

Being able to hide from an Admin GUI is a bit scary....

shifty
05-12-2009, 08:44 PM
No, it was hidden from the Windows GUI. The keys were there, but there is absolutely NO WAY to show them until you can manage to kill the process from running, but you can't even see or get to the .sys file; it's hidden too, so you're pretty much ****ed.

Ninjahedge
05-13-2009, 08:49 AM
So how would you see it?

Would it be possible to remote on a machine and do it? Or a command line (command)? Boot disk?

Dr. Death
05-13-2009, 04:45 PM
You would have to boot from another disk, either a CD or another system where the infected drive was not the system drive. Then, if you knew what you were looking for, I would imagine that it would show up.

shifty
05-13-2009, 09:40 PM
RootkitRevealer showed me.

And Malwarebytes actually did a good job of getting rid of some of it.

I believe booting into ERD and mounting the registry of the infected machine would allow unobstructed access to the hidden keys after finding them with RootkitRevealer.
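Dr. Death's and shifty's point is that a rootkit which hides its driver file and service key can only filter what the running, infected kernel reports; once the disk is examined from another boot environment (an ERD/WinPE-style CD, or the drive attached to a clean system), nothing of the infected OS is executing and the hive can be read as it really is. The script below is an added example of that offline check, not code from the thread, from RootkitRevealer or from ERD. It loads the infected installation's SYSTEM hive with reg.exe, walks the control set that installation would boot with, and lists every kernel-mode driver service, flagging those whose image file is missing from the disk or lives outside the normal drivers folder. Assumptions, labelled in the code: the infected volume is mounted as D: with Windows at D:\Windows, and the boot environment provides reg.exe and the Windows PowerShell registry provider.

```powershell
# Added example (not from the thread). Enumerate kernel drivers from an OFFLINE
# SYSTEM hive so that a rootkit in the non-booted installation cannot hide them.
# Assumption: the infected volume is mounted as D:, Windows lives in D:\Windows.
param([string]$OfflineRoot = 'D:\Windows')

$hivePath = Join-Path $OfflineRoot 'System32\config\SYSTEM'
$mount    = 'OfflineSystem'     # temporary key name under HKLM for the loaded hive

function Get-OfflineDrivers {
    & reg.exe load "HKLM\$mount" $hivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hivePath" }
    try {
        # Select\Current names the control set the offline OS boots with.
        $current  = (Get-ItemProperty "HKLM:\$mount\Select").Current
        $services = "HKLM:\$mount\ControlSet{0:D3}\Services" -f $current

        Get-ChildItem $services | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            # Type 1 = kernel driver, 2 = file system driver; skip user-mode services.
            if ($p.Type -ne 1 -and $p.Type -ne 2) { return }

            # A driver with no ImagePath is loaded from system32\drivers\<name>.sys.
            $img = $p.ImagePath
            if (-not $img) { $img = "system32\drivers\$($_.PSChildName).sys" }

            # Map \SystemRoot\..., \??\C:\Windows\... and C:\Windows\... onto the offline volume.
            $rel = $img -replace '^\\SystemRoot\\', '' `
                        -replace '^\\\?\?\\[A-Z]:\\Windows\\', '' `
                        -replace '^[A-Z]:\\Windows\\', ''
            $full   = Join-Path $OfflineRoot $rel
            $exists = Test-Path $full
            $sig    = 'n/a'
            if ($exists) { $sig = (Get-AuthenticodeSignature $full).Status }

            # Flag the two things shifty's gxvxc case showed: a driver whose file you
            # cannot find on disk, or one registered from an unusual location.
            $odd = (-not $exists) -or ($rel -notlike 'system32\drivers\*')

            New-Object PSObject -Property @{
                Service    = $_.PSChildName
                Start      = $p.Start      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                ImagePath  = $img
                Exists     = $exists
                Signature  = $sig
                Suspicious = $odd
            }
        }
    } finally {
        & reg.exe unload "HKLM\$mount" | Out-Null
    }
}

Get-OfflineDrivers |
    Where-Object { $_.Suspicious } |
    Sort-Object Start |
    Format-Table Service, Start, ImagePath, Exists, Signature -AutoSize
```

Compare the service names this prints against what RootkitRevealer reported from the live boot: a service that is present in the offline hive but was absent from the running system's registry view is the discrepancy the rootkit was manufacturing. As with the System32 check earlier in the thread, the Signature column is only a hint on XP-era installs, where many legitimate drivers are catalog-signed and show as NotSigned; the missing-file and odd-path flags are the reliable ones.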