Defender finds but doesn't clear


Guest

I have run the latest version of Defender as well as the most current
McAfee VirusScan Enterprise 7.1.

They both detect a virus but don't seem to be able to get rid of it.

The following is the cut and paste of the detection report from Defender:

***********************************************
regkey:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{827DC836-DD9F-4A68-A602-5812EB50A834}

regkey:
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\ddccy

bho:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{827DC836-DD9F-4A68-A602-5812EB50A834}

regkey:
HKLM\Software\Classes\MSEvents.MSEvents.1

clsid:
HKLM\SOFTWARE\CLASSES\CLSID\{827DC836-DD9F-4A68-A602-5812EB50A834}

regkey:
HKLM\SOFTWARE\Classes\MSEvents.MSEvents

regkey:
HKLM\SOFTWARE\CLASSES\CLSID\{827DC836-DD9F-4A68-A602-5812EB50A834}

file:
C:\WINDOWS\system32\ddccy.dll

*********************************************

Any ideas on how to get rid of the item?

Thanks in advance for your help.
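As an added example (not part of this thread and not any poster's instructions), the read-only PowerShell script below inventories the two persistence points the Defender report above lists, Browser Helper Objects and Winlogon Notify packages, and reports which DLL each one loads, whether that file exists, and its Authenticode signature status. That is the information a responder wants before attempting cleanup, because both locations load their DLL into long-lived processes (Internet Explorer/Explorer for BHOs, winlogon.exe for Notify packages), which is exactly why an on-disk delete fails while Windows is running normally. The only page-specific values are the CLSID and the name `ddccy` quoted in the report; the registry paths are the standard ones. The script assumes an elevated PowerShell prompt. Winlogon Notify packages exist on Windows XP/2003 only; on later Windows versions that section simply finds nothing.

```powershell
# Added example: read-only inventory of BHO and Winlogon Notify registrations.
# It flags the indicators quoted in the Defender report; it deletes nothing.

# Indicators copied from the Defender report in the thread.
$KnownBadClsid = '{827DC836-DD9F-4A68-A602-5812EB50A834}'
$KnownBadName  = 'ddccy'

function Get-DllStatus {
    # Describe the DLL a registration points at: missing, or signature status
    # plus last-modified date (an unsigned, recently written DLL in system32
    # next to a flagged key is what to look at first).
    param([string]$Path)
    if (-not $Path) { return 'no path recorded' }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $expanded)) { return 'file missing' }
    $sig = Get-AuthenticodeSignature -FilePath $expanded
    $mtime = (Get-Item -LiteralPath $expanded).LastWriteTime
    return ('{0}, modified {1:yyyy-MM-dd}' -f $sig.Status, $mtime)
}

function Get-PersistenceInventory {
    # 1. Browser Helper Objects: each subkey name is a CLSID; the DLL is the
    #    default value of HKCR\CLSID\<clsid>\InprocServer32.
    $bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoRoot) {
        Get-ChildItem $bhoRoot | ForEach-Object {
            $clsid  = $_.PSChildName
            $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                Type    = 'BHO'
                Key     = $clsid
                Dll     = $dll
                Status  = Get-DllStatus $dll
                Flagged = ($clsid -ieq $KnownBadClsid)
            }
        }
    }

    # 2. Winlogon Notify packages (XP/2003): each subkey has a DLLName value
    #    loaded by winlogon.exe at logon. A bare file name is resolved from
    #    system32 here (assumption for display; the loader uses the search path).
    $notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notifyRoot) {
        Get-ChildItem $notifyRoot | ForEach-Object {
            $name = $_.PSChildName
            $dll  = (Get-ItemProperty -Path $_.PSPath).DLLName
            if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
                $dll = Join-Path $env:SystemRoot "system32\$dll"
            }
            [pscustomobject]@{
                Type    = 'WinlogonNotify'
                Key     = $name
                Dll     = $dll
                Status  = Get-DllStatus $dll
                Flagged = ($name -ieq $KnownBadName)
            }
        }
    }
}

# Flagged entries first, then everything else for a full picture.
Get-PersistenceInventory | Sort-Object Flagged -Descending | Format-Table -AutoSize
```

Legitimate BHOs (Acrobat, Java, antivirus toolbars) and legitimate Notify packages (Microsoft's own) will appear too, which is the point: the output is a baseline to compare against, and the `Status` column, not the mere presence of an entry, is what separates a vendor-signed helper from an unsigned DLL dropped in system32.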
 

Bill Sanderson MVP

What error message do you get from Defender?
Can you remove the BHO via the tools in Internet Explorer?

First suggestion would be to restart Windows in safe mode and see whether
either the antivirus or Windows Defender can do better.
 

Guest

Jayman you probably have the mcafee security center like I do with my comcast
service...If u have the mcafee security center, they try to get you away from
microsoft security center and that just chaps me...I choose to use ZA in lieu
of mcafee firewall.. MS security center recognizes 3rd party virus programs,
firewalls etc...whereas mcafee does not....I had the same problem, I just
make sure that my virus protection is enabled and functioning and deleted the
mcafee params to point the mcafee security....hope this helps.
 

Guest

The problem here is removal of the vundo trojan, not some conflict between
the McAfee Security Center and the Windows Security Center. It is quite
normal for a 3rd party security suite to temporarily take over some functions
of the Windows security center, but the Windows security center still monitors
whether those 3rd party applications are enabled. Vundo can evade normally
functioning security programs and is often manually installed. The most
common installation methods involve system or security exploitation, and
unsuspecting users manually executing unknown programs. Distribution channels
include email, malicious or hacked web pages, Internet Relay Chat (IRC),
peer-to-peer networks, etc. Sometimes one of the DLLs is loaded within the
legitimate EXPLORER.EXE process, which may lead to misleading alerts from any
software firewall when the remote connections are initiated. The
Explorer.exe, Winlogon.exe, and rundll32.exe processes sometimes have to be
suspended to complete removal. The automatic vundo fix tools make this easier
for the ordinary user. There is also evidence that Vundo is exploiting older
versions of Java to gain entry, even after the newest Java has been
installed.
http://vil.nai.com/vil/content/v_127690.htm
http://www.bleepingcomputer.com/for...janVundoB-Search42com-MSevents-tx18610-0.html
 

Bill Sanderson MVP

So--I haven't been through the fix process--do they get you to the latest
Java version, and ensure that the older vulnerable versions are removed, or
is that additional advice that needs to be posted?

--
 

Guest

The Java info is additional and needs to be posted. CastleCops and others are
stressing it. But it is still controversial because Sun is not addressing it
and folks are afraid that old applications will not work without the old
versions of Java. I trashed my old ones. But it looks like there's no real
consensus on that.
 

Bill Sanderson MVP

Excellent--but the user also needs to go through add and remove programs and
remove all the old versions--the naming structure has changed over time, so
they are not all together.

--
 

Guest

This may not be up to date, but it is a place to start:
Bugtraq ID: 13958
Class: Unknown
CVE: CAN-2005-1974

Remote: Yes
Local: No
Published: Jun 14 2005 12:00AM
Updated: Feb 13 2006 10:18PM
Credit: Adam Gowdiak reported this issue to the vendor.
Vulnerable: Sun Java 2 Standard Edition SDK 1.5.0_01
Sun Java 2 Standard Edition SDK 1.5
Sun Java 2 Standard Edition SDK 1.4.2_07
Sun Java 2 Standard Edition SDK 1.4.2_06
Sun Java 2 Standard Edition SDK 1.4.2_05
Sun Java 2 Standard Edition SDK 1.4.2_04
Sun Java 2 Standard Edition SDK 1.4.2_03
Sun Java 2 Standard Edition SDK 1.4.2_02
Sun Java 2 Standard Edition SDK 1.4.2_01
Sun Java 2 Standard Edition SDK 1.4.2
Sun Java 2 Runtime Environment 1.5_01
Sun Java 2 Runtime Environment 1.5
Sun Java 2 Runtime Environment 1.4.2_07
Sun Java 2 Runtime Environment 1.4.2_06
Sun Java 2 Runtime Environment 1.4.2_05
Sun Java 2 Runtime Environment 1.4.2_04
Sun Java 2 Runtime Environment 1.4.2_03
+ Oracle Oracle10g Application Server 10.1.0.2
+ Oracle Oracle10g Enterprise Edition 10.1.0.2
+ Oracle Oracle10g Personal Edition 10.1.0.2
+ Oracle Oracle10g Standard Edition 10.1.0.2
Sun Java 2 Runtime Environment 1.4.2_02
Sun Java 2 Runtime Environment 1.4.2_01
Sun Java 2 Runtime Environment 1.4.2
Slackware Linux 10.1
Slackware Linux 10.0
Slackware Linux 9.1
Slackware Linux 9.0
Slackware Linux 8.1
Slackware Linux -current
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Professional 8.2
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Enterprise Server for S/390 9.0
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
Novell Linux Desktop 9
HP OpenView VantagePoint for Solaris 6.0
HP OpenView VantagePoint for HP-UX 6.0
HP OpenView Operations for UNIX 8.0
HP OpenView Operations for UNIX 7.0
HP OpenView Operations for Solaris 8.0
HP OpenView Operations for Solaris 7.0
HP HP-UX 11.11
HP HP-UX 11.0
HP HP-UX B.11.23
HP HP-UX B.11.22
HP HP-UX B.11.11
HP HP-UX B.11.00
Gentoo Linux
Conectiva Linux 10.0
Blackdown Java 2 Standard Edition SDK 1.4.2-01
Blackdown Java 2 Standard Edition SDK 1.4.2
Blackdown Java 2 Standard Edition SDK 1.4.1
Blackdown Java 2 Runtime Environment 1.4.2-01
Blackdown Java 2 Runtime Environment 1.4.2
Blackdown Java 2 Runtime Environment 1.4.1

Not Vulnerable: Sun Java 2 Standard Edition SDK 1.5.0_02
Sun Java 2 Standard Edition SDK 1.4.2_08
Sun Java 2 Runtime Environment 1.5_02
Sun Java 2 Runtime Environment 1.4.2_08
Blackdown Java 2 Standard Edition SDK 1.4.2-02
Blackdown Java 2 Runtime Environment 1.4.2-02


http://www.securityfocus.com/bid/13958
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101749-1
A vulnerability in the Java Runtime Environment may allow an untrusted applet
to elevate its privileges. For example, an applet may grant itself
permissions to read and write local files or execute local applications that
are accessible to the user running the untrusted applet.
Note: It is recommended that affected versions be removed from your system.
For more information, please see the installation notes on the respective
java.sun.com download pages.

http://java.sun.com/j2se/1.5.0/download.jsp
http://java.sun.com/j2se/1.4.2/download.html
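Bill's earlier point (old Java versions are scattered under changing names in Add/Remove Programs) and the advisory's "Not Vulnerable" list above fit together in one check. The PowerShell script below is an added example, not from this thread or from Sun: it lists every Sun-style Java runtime and SDK registered under HKLM\SOFTWARE\JavaSoft (and its Wow6432Node mirror on 64-bit Windows), parses the `1.x.y_uu` version names so they compare numerically, and marks each one against the fixed versions quoted in the Bugtraq 13958 entry (1.5.0_02 and 1.4.2_08). It also lists the Add/Remove Programs entries whose display name looks like Java, so the user knows which entries to uninstall. Everything is read-only. The thresholds are only those from the quoted 2005/2006 advisory; any later fix has to be added to the table.

```powershell
# Added example: audit installed Java versions against the fixed versions
# quoted in the thread's Bugtraq 13958 entry. Read-only; it uninstalls nothing.

# "Not Vulnerable" versions from the quoted advisory, keyed by release family.
# Later advisories would raise these thresholds (assumption: extend the table).
$FixedByFamily = @{
    '1.5.0' = '1.5.0_02'
    '1.4.2' = '1.4.2_08'
}

function ConvertTo-JavaVersion {
    # "1.4.2_08" -> [version]1.4.2.8, "1.5.0" -> 1.5.0.0; the update number
    # becomes the fourth field so [version] comparison orders updates correctly.
    # Returns $null for names that are not version strings.
    param([string]$Text)
    if ($Text -match '^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$') {
        $update = if ($Matches[4]) { [int]$Matches[4] } else { 0 }
        return New-Object System.Version([int]$Matches[1], [int]$Matches[2], [int]$Matches[3], $update)
    }
    return $null
}

function Test-JavaVersionFixed {
    # $true  : at or above the quoted fix for its family
    # $false : below the quoted fix
    # $null  : family not covered by the quoted advisory (review by hand)
    param([string]$Installed)
    $v = ConvertTo-JavaVersion $Installed
    if (-not $v) { return $null }
    $family = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build
    if (-not $FixedByFamily.ContainsKey($family)) { return $null }
    return ($v -ge (ConvertTo-JavaVersion $FixedByFamily[$family]))
}

function Get-InstalledJava {
    # Sun's installer creates one subkey per installed version, named like
    # "1.4.2_08"; the family keys ("1.4") are skipped by the regex filter.
    $roots = 'HKLM:\SOFTWARE\JavaSoft', 'HKLM:\SOFTWARE\Wow6432Node\JavaSoft'
    foreach ($root in $roots) {
        foreach ($kind in 'Java Runtime Environment', 'Java Development Kit') {
            $path = Join-Path $root $kind
            if (-not (Test-Path $path)) { continue }
            Get-ChildItem $path |
                Where-Object { $_.PSChildName -match '^\d+\.\d+\.\d+(_\d+)?$' } |
                ForEach-Object {
                    $fixed = Test-JavaVersionFixed $_.PSChildName
                    $verdict = if ($fixed -eq $true) { 'at or above quoted fix' }
                               elseif ($fixed -eq $false) { 'BELOW quoted fix' }
                               else { 'family not in quoted advisory; review manually' }
                    [pscustomobject]@{
                        Kind     = $kind
                        Version  = $_.PSChildName
                        JavaHome = (Get-ItemProperty -Path $_.PSPath).JavaHome
                        Verdict  = $verdict
                    }
                }
        }
    }
}

function Get-JavaUninstallEntries {
    # What Add/Remove Programs shows. The display names changed across
    # releases, so match loosely rather than on one fixed product name.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        Get-ChildItem $k | ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
            Where-Object { $_.DisplayName -match 'Java|J2SE|J2RE' } |
            Select-Object DisplayName, DisplayVersion, UninstallString
    }
}

Get-InstalledJava          | Format-Table -AutoSize
Get-JavaUninstallEntries   | Format-Table -AutoSize
```

The two tables answer different questions: the first says which runtimes are actually registered and whether each meets the quoted fix level, the second says what they are called in Add/Remove Programs, which is where the user does the removal. A version that shows up in the first table but has no uninstall entry was installed some other way (a bundled copy inside another application, for example) and will not go away through Add/Remove Programs.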
 

Bill Sanderson MVP

Yeah--it's that very last sentence that is the "source" for the advice to
remove the old versions--it's in all the vuln articles they publish--hasn't
changed. The likelihood of the average windows user reading that sentence,
let alone figuring out how to act on the advice effectively, seems
infinitesimal.

--
 

Bill Sanderson MVP

I think that it's likely that what I cleaned on Friday evening was Vundo--I
recall seeing Winfixer as a filename involved. Blacklight did all the heavy
work--I didn't use any of the specialized tools.

I'll get back there tomorrow, and maybe I'll try the specialized tools to
see what's left--at least the Symantec tool for sure. I didn't touch the
registry, so there's likely still evidence there.

Yeah--I'm sure that one of the first things I did on that system after
attempting cleaning (months ago) was to update the Java version. I'm
reasonably sure that it was on a known vulnerable one--i.e. I can't claim
proof that something happened via having older versions still installed. As
I recall the date on the hidden subdirectory was November 26, 2005, so this
was a pretty old infection. Robear Dyer and others had said that it was
Vundo from my symptom descriptions, but I wanted to leave it alone and see
when and if standard commercial stuff would deal with it. It had up to date
Symantec installed--but not the latest--probably antivirus 2002 or so--no
spyware coverage I suspect.
--
 

Guest

I have been seeing Vundo infections with fake warnings about Blackworm all
over the AOL message boards. I have tried to help several posters. I don't
think all of them visit bad web sites. One was a 53 year old grandmother with
no computer knowledge. The AOL Safety and Security Center with McAfee and
ASP (Pest Patrol) does not seem to protect these folks. It is supposed to
update automatically, but I am finding that it has failed or maybe been
disabled. The other active infection there is the banking trojan placing a
fake AOL account information screen (phishing) on folks' computers. McAfee is
supposed to protect from it, but seems to be failing. We have been using
HijackThis to disable it. Ewido has been unknown there, but is becoming more
popular with the folks who post on the message boards. I know very few who are
using Defender. Many are still holding on to MSAS. They are afraid of the
reported troubles with Defender because they have been "burned" by the AOL
SSC and its promise of comprehensive protection. The most reported problem
with the SSC is update failure and looping update alerts.
 

plun

Hi Old Rebel and Bill

As you probably noticed with the Messenger Plus debate, the bad guys
have a new warning for Beagle now as a complement for Blacklight at
Amaena.com. I have sent that URL to (e-mail address removed).

And this fake warning is so easy to put up within a webpage or mail.

I have not tested it but it's absolutely necessary that WD makes a RTP
block with both WinAntiVirus and WinAntiSpyware from Amaena.

regards
plun
 
