- Hijack Logs To Tom Coyote
- Posted by John Gregory on June 13th, 2006
My McAfee version 9+ took a hit from a surprise flash from WinAntiVirus PRO
2006 this weekend. I've been frantically trying to resolve it. I ran
Ad-Aware and Spybot, found the ... thing... and Spybot (I think) cleaned it.
I got advice on an MS forum from an MVP to run VundoFix from
http://www.atribe.org. I did and found nothing.
The problem I'm having is that the Security Center and VirusScan screens of
McAfee are blank. It appears the virus software is running but the controls
are hidden.
The lead guy on the McAfee forum suggested all the things I did but when I
reported I was still left with blank screens, he suggested I run Tom
Coyote's HiJackThis program and post the log on one of 4 forums. I guess I
will... if I have to; I must get this fixed quickly.
My question here, aside from learning if anyone here has some sage advice
that will help (we'll call that "Q1"), is this:
(Q2) Will that log carry my private keys to numerous websites and software;
passwords and account numbers?
(Q3) If they are at risk, aside from not posting the log, how can I protect
the private info?
- Posted by Sebastian Gottschalk on June 13th, 2006
John Gregory wrote:
What "thing"?
Relying on malware removal is stupid. If it was a real, verifiable
threat, then you should flatten and rebuild ASAP.
Most likely it is because McAfee stuff is totally fucked up with ActiveX
and MSHTML-nonsense so even disabling ActiveX in IE's security zone
"Internet" breaks it totally.
Geez, you could have already reinstalled your system. For sure if it is
for real, you won't fix it.
Anyway, why don't you give a try to automated evaluation at
http://www.hijackthis.de?
Very unlikely.
Reading the log yourself?
- Posted by John Gregory on June 13th, 2006
Thanks for the reply, Sebastian. The "thing" is whatever "WinAntiVirus PRO
2006" is. The guy at McAfee said: "I looked it up and it regarded as spyware
in most circles."
the time to do it right. I'm hoping I may not have to flatten and rebuild
because that's going to be a bit of a job for me. Years ago, I began putting
all my user files and critical program files that setup the various programs
I use into one folder set separate from "My Documents". The plan was to
automate backup of that entire file set. I bought a new machine two years
ago but never got educated on using the R/W drive. My data is all set to
go... but I haven't gone anywhere. So if I've got to reformat, I've got to
copy that critical folder set first. I know... don't even say it. What an
idiot I've been.
As for reading those logs... I don't have that level of knowledge. It has to
be done by those people on the forums.
Any suggestions you can give (and I'll take the chiding. I deserve it.)
would be appreciated.
"Sebastian Gottschalk" <seppi@seppig.de> wrote in message
news:4f7melF1h0kp3U1@news.dfncis.de...
- Posted by Sebastian Gottschalk on June 13th, 2006
John Gregory wrote:
If your system was compromised, then flattening and rebuilding is the
only reasonable way to regain a trusted and reliable system. And exactly
because it's so time-consuming, you should consider some things:
- When utilizing the Least Privilege principle correctly, you only need to
flatten the user's account.
- Avoiding the malware in the first place saves you from such circumstances.
- Backups are great!
"My Documents" is a confusing and useless redirect within the file system.
Hm... xcopy $src $dst /m /d /e /c /i /f /h /z ? What a hard plan. :-)
Point is that you cannot trust compromised data. So the programs need to
be downloaded or copied again, whereas the non-executable user data
should be carefully analyzed for sanity. For your favorite pr0n JPEG
collection or your savegames this might not make any difference, but is
relevant for f.e. a spreadsheet with money accounting data - one
addition '0' in your tax declaration could become a serious problem.
Hijackthis gives a pretty clear description of what these log entries are
telling. Usually the rest is actually an interpretation based on what
you know about your system (software installation base, configuration).
F.e. I'm fully aware that my HOSTS file has been relocated and is not
writable as a restricted user :-)
Fix your quoting. :-)
- Posted by David H. Lipman on June 13th, 2006
From: "John Gregory" <jaygreg90@hotmail.com>
| My McAfee version 9+ took a hit from a surprise flash from WinAntiVirus PRO
| 2006 this weekend. I've been frantically trying to resolve it. I ran
| Ad-Aware and Spybot, found the ... thing... and Spybot (I think) cleaned it.
| I got advice on an MS forum from an MVP to run VundoFix from
| http://www.atribe.org. I did and found nothing.
|
< snip >
Pop-Ups for WinAntiVirus PRO, WinAntiSpyware PRO, and the AMAENA.COM web site are sure signs
of the Vundo Trojan or Virtumonde adware. This type of malware has been found to exploit
vulnerable versions of Sun Java.
Realize that this is NOT the best place for discussions like this. There are anti
virus/anti malware News Groups specifically for this type of discussion.
microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus
alt.privacy.spyware
Two phase answer...
Perform Part 1 then perform Part 2
If the first two parts don't work, perform the alternate utility.
It is suggested that you execute each tool in Normal Mode then in Safe Mode.
If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE/JSE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
This is most likely why you got infected with malware.
Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE/JSE Version 5.0 Update 7
be installed ASAP.
Simple check, look under...
C:\Program Files\Java
The only folder under that folder should be the latest version...
C:\Program Files\Java\jre1.5.0_07
http://www.java.com/en/download/manual.jsp
Part 1
------------
Download Adware-Virtumundo Removal Tool --
http://secured2k.home.comcast.net/to...undoBeGone.exe
Information on the Adware-Virtumundo Removal Tool:
http://forums.mcafeehelp.com/viewtopic.php?t=57049
Part 2
------------
Download WinFixerFix.exe from the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe
Execute; WinFixerFix.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.
Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }
A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your browser
but your PC will automatically be shutdown. It is suggested that you move the report out of
c:\mcafee before performing another scan.
It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.
ALTERNATE:
--------------
Download Atribune's VUNDOFIX.EXE
http://www.atribune.org/ccount/click.php?id=4
Save VUNDOFIX.EXE to "C:\" ( C:\VUNDOFIX.EXE ) and execute it from there.
Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.
* * * Please report back your results * * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
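The "simple check" above (only the current JRE folder should be left under C:\Program Files\Java) can be scripted. This is an added example, not code from the thread or from any of the tools it links; the folder-name patterns (j2re1.4.2_03 for pre-Java-5 runtimes, jre1.5.0_07 from Java 5 on) and the sample listing are assumptions made for the example.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Minimum acceptable runtime named in the post: JRE 5.0 Update 7 (folder jre1.5.0_07).
MIN_JRE = (1, 5, 0, 7)

# Folder-name pattern (assumed): Sun used "j2re1.4.2_03" / "j2sdk1.4.2" before
# Java 5 and "jre1.5.0_07" / "jdk1.5.0_07" from Java 5 on; the "_NN" update
# suffix is optional.
_JAVA_DIR = re.compile(
    r"^(?P<kind>j2re|j2sdk|jre|jdk)(?P<major>\d+)\.(?P<minor>\d+)\.(?P<micro>\d+)"
    r"(?:_(?P<update>\d+))?$",
    re.IGNORECASE,
)


def parse_java_dir(name: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn a Java install folder name into a comparable version tuple, or None."""
    m = _JAVA_DIR.match(name)
    if not m:
        return None
    return (int(m["major"]), int(m["minor"]), int(m["micro"]), int(m["update"] or 0))


def audit_java_dirs(names: List[str], minimum=MIN_JRE) -> Dict[str, List[str]]:
    """Sort folder names into 'current', 'outdated' and 'unrecognised' buckets."""
    result: Dict[str, List[str]] = {"current": [], "outdated": [], "unrecognised": []}
    for name in sorted(names):
        version = parse_java_dir(name)
        if version is None:
            result["unrecognised"].append(name)
        elif version < minimum:          # tuple comparison: 1.4.2_03 < 1.5.0_07
            result["outdated"].append(name)
        else:
            result["current"].append(name)
    return result


def audit_program_files(path: str = r"C:\Program Files\Java") -> Dict[str, List[str]]:
    """Run the audit against the real install folder (empty buckets if it is absent)."""
    names = os.listdir(path) if os.path.isdir(path) else []
    return audit_java_dirs(names)


# Constructed sample listing, not a real machine: the 1.4.2 runtime the poster
# reported, a 5.0 Update 6 runtime, the current 5.0 Update 7 and a stray file.
SAMPLE_LISTING = ["j2re1.4.2_03", "jre1.5.0_06", "jre1.5.0_07", "README.txt"]

if __name__ == "__main__":
    for bucket, folders in audit_java_dirs(SAMPLE_LISTING).items():
        print(f"{bucket:>12}: {', '.join(folders) or '-'}")
```

Anything in the "outdated" bucket is a runtime that the installer of a newer JRE left behind and that Add/Remove Programs still has to be used on, which is exactly the condition the post warns about.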
- Posted by John Gregory on June 14th, 2006
David, that's the most detailed, thorough report I've gotten in all the
forums. I appreciate this. I was just getting set to run that HijackThis log
and post it in one of those guru forums like TomCoyote. Would that be
preferable to doing all this here? Your information certainly won't go to
waste. I now have an idea of what to expect. And I learned earlier today
from someone else that Java was a possible open door through which I was
hit. My version is 2re1.4.2. Should I remove all Java files through Control
Panel/Add or Remove first then download and install? Or go to the Java site
and let the automatic download occur then remove the old?
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:a_Gjg.13278$Bj6.1265@trnddc08...
- Posted by David H. Lipman on June 14th, 2006
From: "John Gregory" <jaygreg90@hotmail.com>
| David, that's the most detailed, thorough report I've gotten in all the
| forums. I appreciate this. I was just getting set to run that HijackThis log
| and post it in one of those guru forums like TomCoyote. Would that be
| preferable to doing all this here? Your information certainly won't go to
| waste. I now have an idea of what to expect. And I learned earlier today
| from someone else that Java was a possible open door through which I was
| hit. My version is 2re1.4.2. Should I remove all Java files through Control
| Panel/Add or Remove first then download and install? Or go to the Java site
| and let the automatic download occur then remove the old?
|
Your version of Sun Java is certainly a vulnerable version. No doubt about that. There is
a very good chance that is how you got infected.
Go to the control panel applet "Add/Remove Programs" and remove any/all Sun Java versions
then download and install version 5 update 7 which is the latest version.
As for HJT, it details Browser Helper Objects (BHOs) and it makes identifying them easy,
and the Vundo Trojan/Virtumonde Adware use BHOs.
Now there is always the chance you have a new version that the utilities I posted are not
aware of. This family of malware morphs regularly.
Go through the steps I provided; if they don't work then we'll go from there :-)
After you run; VirtumundoBeGone.exe you could post the VBG LOG file
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
- Posted by John Gregory on June 14th, 2006
There were 3 Java entries. Two were definitely Java programs for browsers
but I'm not sure I know what the last one is; I haven't removed it. It's
called "Java Web Start", is 2.06 MB, and was last used 4-5-04 (but I'm not
sure how accurate that little tool is 'cause Quicken was last used 6-11-06
but the log says 4-22-05.)
Delete Java Web Start before I download the latest version of Java?
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:jcKjg.26192$X02.23549@trnddc02...
- Posted by John Gregory on June 14th, 2006
I think I just answered my own question: "Using Java Web Start technology,
standalone Java software applications can be deployed with a single click
over the network. Java Web Start ensures the most current version of the
application will be deployed, as well as the correct version of the Java
Runtime Environment (JRE). "
That came from the Java site. Right about now - according to that
description - you've got to be asking yourself..."If that's supposed to
ensure the most current version, how did this guy get zapped?" Ignorance! That's
how! I remember seeing a notice to update and I ignored it... because I
thought it's principally for gamers and I don't want those pop-ups while I'm
reading all those news services. I now understand. I'll keep Java Web Start
and install the latest version of Java now.
"John Gregory" <jaygreg90@hotmail.com> wrote in message
news:iRMjg.58959$mh.16485@tornado.ohiordc.rr.com...
- Posted by David H. Lipman on June 14th, 2006
From: "John Gregory" <jaygreg90@hotmail.com>
| There were 3 Java entries. Two were definitely Java programs for browsers
| but I'm not sure I know what the last one is; I haven't removed it. It's
| called "Java Web Start", is 2.06 MB, and was last used 4-5-04 (but I'm not
| sure how accurate that little tool is 'cause Quicken was last used 6-11-06
| but the log says 4-22-05.)
|
| Delete Java Web Start before I download the latest version of Java?
|
Yes.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm