windows defender



I have windows defender installed on my Vista system which has found the
Vundo.gen!H on my system. When it tries to remove if fails with Code
The system has the most recent updates and the latest definintions.

What really annoys me is Microsoft fails to tell me WHERE this file is so I
can go into safe mode and delete it. Typically the usuall reason why
defender cannot delete a Virus is because it is in use. Now real usefull
information would be WHAT is using it. Then I can kill that program first
thus allowing me to delete the virus.

Does anyone have any suggestions?

Bill Sanderson

I would suggest restarting in safe mode, and seeing if Defender can do the
removal in that mode.


Thanks for your response Joan, none of my other antivirus programs see this
Vundo.gen!H, So defender may be making a mistake, but can I take the risk?

If only defender told me where the file was I could then take some action.

Thanks again fr your suggestion.


Excellent suggestion Bill. Booted in safe mode re-ran scan on defender.
Same thing finds the Vundo.gen!H but generates a new code trying to remove
0x805001001 One or more actions could not be completed succesfully.

So no help in that direction

Obviously no hacker is going to use the name Vundo.gen!H (I did a scan
search just incase) Defender has found what it thinks is the vundo virus
signature in a file, if only Defender actually gave the name of the file I
would be a 1000% better off. It must know the files name but Microsoft in
its wisdom does NOT tell us what the files name is. Very Frustrating. Is
it a real Vundo Virus or is it just case of mistaken signature identification.
Thanks again for your suggestion Bill


Dave M


Did you check to see if you could spot that location in the System Event
log by filtering on Windows Defender events around the time that the
detection occurred? If Defender detects malware in locations that it
cannot clean due to adjacent breakage, you will get these types of errors.
Locations such as archive files, system restore areas, and mail data stores
are always prime suspects.... along with others. Make sure hidden (all*)
records/events are viewable in the Event Viewer.

Bill Sanderson

Dave M has given the right advice, I think--look in the log records (search
for the time of the original detection, or filter--not sure what name is
used, but it will be in the filter list--I think for the System event log.)


Hello Engel
Thanks for your suggestion, unfortunately due to Defender's inability to
remove Vundo.gen!H or tell me where the file was I now have a full blown
VUNDO virus on my system with advertisments poping up at the rate of 50 a day.

I will look at the information you provided but it is now to late as the
system is totally infected with VUNDO.

I blame Microsoft, not that I have the virus, but the fact that Microsoft
KNEW the virus was there but failed to tell me the NAME of the FILE or where
the file was.

Thanks again Engel - at this stage I have a far more urgent matter of the
removal of Vundo. I do have some experience in this and are very aware that
the latest variations of VUNDO (which now number over 5,000 variations) and
can get around virtually every method of removal. My advice to anyone else
that happened to get one of thses new variants would be to erase their disk,
run a full pattern test on the drive and re-install the OS and every
application again. It will be quicker.

If anyone tells you they have a Vundo removal program (for the latest
variants) and its definition updates are more than 12 hours old then it's out
of date.

Thanks again Engel

Bill Sanderson

Feel free to call Microsoft and get their help removing this:

In the U.S. and Canada, call 1-866-pcsafety.

Elsewhere, call the nearest local number for paid support, and ask for the
free support for virus and security patch issues.

I'd recommend calling them.


Thanks for the suggestion Bill but I have more knowledge about the current
variants of Vundo than the whole of Microsoft.

Most of my knowledge I learnt from Brian **** one of the the worlds experts
in computers both hardware and software. (This is a guy that managed the
installation of 7,000 desktops between midday Friday and 9:00am Monday a
total of 69 hours) He has more experience and capabilities than a 1,000 of
Microsoft's best.

I'll use Brian's techniques to remove the full blown Vundo.

Although I am still very annoyed that defender found the Vundo.gen!H but
would NOT tell me where it was or delete it.


Bill Sanderson

I'm startled that with that level of knowledge you managed to get infected.

Did you ever look in the systen logs to get the details of the
detection---that's where that information would be.


Good suggestion Bill but I'm afraid the hackers had already thought of that
one. The system event log shows nothing.

Durring bootup I start task manager but I also on one occasion of someone
elses system infected with the new Vundo I started the event viewer to see
what errors were occuring. In that case there were 3 timeout errors
regarding PC Tools Security Service timing out.
Event viewer is the primary log of the system, the only way that it can be
cleared is because the user clears ALL events.

Well the Vundo hackers have found a method to delete individual evidence,
because 2 minute later the entries had disapeared.

On one system, I found one of the new Vundo variants had implanted itself
in the restore point of the drive D: System Volume Information. So when a
restore was made the Vundo would begin to infect the whole system.

In my case it would not make any difference as I turn off the save and
restore points on all my system, prefering to use independant backup systems.

My mistake was not beleiving Defender has seen Vundo.gen!H, i.e. many
antivirus programs mistakenly beleive that have seen a Virus signature where
none exist. Had I beleived Defender I could have restored my total C: drive
in 8 minutes.

So even with 40 years experience I can still make mistakes.


I'm sorry Stu I don't understand your comment.

I have 5 systems, one is infected (my fault for not beleiving Defender) I
also had 9 systems from friends who had also been infected, 4 of which was
with one of the new variants and want me to help. The other 5 were the old
Vundo and were easily fixed within 10-15 minutes.

I still continue my research on the Internet on my other systems, so as I
said the Vundo infected system will have to wait as it is NOT a primary
system more of a test bed for Vista Ultimate. The other systems are totally
scanned 4 times a day and C: drive backed up at least every 2 days.


Bill Sanderson

So--clearly you need help getting this cleaned up. The best avenues I can
recommend are to either call Microsoft--I believe I've mentioned before in
this thread that they will help with this situation at no charge--and via a
toll-free call in the U.S. or Canada--or by using a third-party forum, such
as those hosted by, say castlecops.

Do you need more information about where to get competent help to get this
cleaned up?


Oh Ye Of Litle Faith
There are around 15 people in the world that have more knowledge than I
regarding the new breed of Vundo variants. I know them all, Microsoft, and
the group usual experts are certainly NOT amongst them. They can get rid on
the old Vundo but will have very serious problems with the new varaiants.

Anyway my system is now 100% clean, it took me 4 hours and most of that time
was searching for specific types of files. Like .txt files that do NOT
contain text but exe data. Or .jpg files that are not images etc. The
hackers change the name prior to use. Files of a specific size, for some
reason the hackers make some of the files exactly the same size which makes
them easy to find. You cannot take the file dates as an indicator the
hackers create false Created, Modified and Accessed dates.

In the middle of this a friend brought in his system telling me that
Defender has identified Vundo.gen!H on his system. Their own IT people cound
not fix the problem and as the system was only accessable by people that were
acceptable under the official secrets act. It limited who could investigate
the problem.

It turned out Defender was seeing Vundo where there was none. If fact
Microsoft were requesting certain files be sent to Mcroisoft for further
investigation. The files in question came under the official secrets act.
i.e Defender though the files had Vundo

Just how easy it it to pick up this new variant. In europe a public service
department had 3 staff that spent their days researching medical information.
One got infected which eventually spread through over 2,000 systems. I was
never involved, Brian **** tracked the problem back to a medical facility
that had got infected, it inadvertedly passed it on. The whole public
service is now using Brian ****'s security system.

As I am semi retired I don't do fixes commercially but will assist with
friends systems. I will give the occasional advice but will never divulge all
my techniques.

Bill Sanderson

I'm glad you were willing to share.

So--presumably in the case covered by the official secrets act, folks were
able to see what was detected, and determine that it was a false positive.


The information I have shared is a miniscule amount regarding the new
variants of Vundo. In thousands of instances people get infected with the old
Vundo which is easy to remove. Of the new variants you may, if you are very
lucky and pray lot, you may never see one. But once it gets into a network
computer it can spread very quickly as the European public service department
found. 2000 systems over the space of 4 days. (the country is not disclosed
to prevent embarasment)

The false positive could have been Microsoft saw the signature in one of the
files or
concern regarding a specific file it found. The file was an .exe Keycode
Generator, this is used to encrypt documents being sent to other offices. So
every document has a different keycode to decrypt.

Thanks Bill for all your suggestions, but maybe you and other members have a
little more understanding of the new variants of Vundo.


Bill Sanderson

What I've known about Vundo, in general, is that when I find it, I need to
research before messing with it--I don't see enough of it to know the right
thing to do--so indeed you've helped some there.

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question