Some malware prevents me from accessing antivirus sites

Definitely sounds like a spyware infection; did you update MBAM before you ran it?

Since the access was blocked, I couldn’t update my AVs.

Sorry, I was thinking about SASP. Though I don’t really remember, I suppose I probably updated Malwarebytes.

If you have access to another computer, you can download the latest database here onto a flash drive, then copy it into the Malwarebytes directory in your Program Files directory.

Forget about it. Vundo came back. :frowning:
I’m not sure why it didn’t after the first reboot, but did after the second.
Asking again: is there any potential risk associated with temporarily disabling the System Restore?

Sorry for the hijack, but I don’t want to open a thread just for this…

Would it have been a virus at her workplace that caused my friend’s email account to send out her last message once a minute, every minute, for about 18 hours?! It was very, very annoying to have to delete 1000+ emails, especially since Thunderbird refused to learn to recognize it as junk! I’m assuming her workplace IT people took care of it (it ended at about 8:30 am), but I’m wondering what could have caused it. Does anyone know?

It will delete all of your existing restore points, so system restore will have nothing to go back to until you create a new one. Other than that, it will not affect the operation of Windows.

The system restores are invariably infected as well.
Q#1 are you scanning in safe mode?

Q#2 SDfix yet?

Mostly it’s Vundo variants lately, but I have seen that. The poor guy’s screen was filling with little notifications from Norton that it was scanning outbound emails for viruses.

Sonofabitch… sonofabitch… I don’t f**king believe it… drachillix—please fax a full frontal shot and a full profile shot at your earliest convenience. And go pick up a six-pack of your favorite microbrew and bill me for it. *Sonofabitch…*

No. As a matter of fact, when dealing with this kind of code, that’s often something you have to do to get rid of it. I’d call it a standard procedure when dealing with some kind of malicious code.

(I’m not a certified Deal With Malicious Code expert, but I’ve been a systems administrator for nearly ten years and gone through a few battles myself; I’m only talking from my own experience.)

OK. I’m still confused.

I ran SuperAntiSpyware again, and it didn’t find anything this time. I looked up the quarantined items from the last run (where a Vundo had appeared again) and noticed it was in a system restore file. I deleted the item and ran cleanmgr, which should have deleted all the restore points apart from the last one (I assume created very recently, for instance this morning when I started my computer). Could I assume that Vundo had been completely removed at this point, or am I mistaken?

I’m going to note that I’m reluctant to just disable system restore because yesterday, after removing infected items, I was unable to reboot (black screen) except in safe mode, where I had to disable the system services to be able to reboot in normal mode. It did not happen again, but I’m afraid of disabling the system restore, and being then completely unable to reboot. Note that I don’t really understand what I’m speaking about and what I did.

Now, the confusing part: I just ran Ad-Aware. During the scan, I got an AVG alert screen about a detected threat. The process involved was Ad-Aware, and the infected file was a system restore file with some version of Vundo in it. I ignored the warning, not being sure of what it meant and what AVG would do.

So, what did this warning mean? That Ad-Aware checked a file in system restore and because of that, AVG looked too into the file and noticed that it was infected? That AVG believed it had found something funny in Ad-Aware itself? Something else? :confused:

And if the first explanation is the correct one (when I use Ad-Aware, AVG looks into the files Ad-Aware is currently checking), why is Vundo still in the system restore files after I deleted the infected files and ran cleanmgr?

In my experience some files (malicious) are only deletable if system restore is disabled, as in:

  1. Delete file.
  2. Reboot.
  3. File’s back.

A) Disable System Restore.
B) Delete file.
C) Reboot.
D) File is indeed deleted.
E) Enable System Restore.

But I’m unable to give you the technical background to this.

Also, if you scan your computer with antivirus/antispyware software 1 while antivirus/antispyware 2 is active, you often get false positives. As a matter of fact, many scanning programs ask you to turn any others off before beginning.

And while I am at it, something else: Spybot, AVG, etc… find a number of tracking cookies in

C\Documents and settings\Owner\Application\Data\Mozilla\Firefox\profiles\abcdefgh.default
And they keep reappearing. Spybot (or Ad-Aware, can’t remember now) removed them some hours ago, and AVG finds them again now.
So, what is this Mozilla\Firefox\profiles folder, and should I feel concerned about tracking cookies that keep reappearing there?
Thanks in advance.

Ad-Aware can isolate certain infections and store them in another folder and render the bug inactive.

If you then run another scanner, it will recognise the stored bug and report it.
It’s possible that you ran some other malware remover which has isolated the bug in a file, and Ad-Aware has found it and reported it.

The reason for storing suspicious files in such a backup is that if your system doesn’t run properly following a scan, there is a chance something important was put into this file - a false positive - so you have the option then to restore it.

It’s a good practice following a scan to check everything works as it should before deleting scan file backups.

If vundo is as I think a variant of or adjunct to virtumonde, I’ve had this same problem. It is a persistent SOB.

I researched and researched, and it gets complicated. You might try Googling vundo or virtumonde – I found a number of BBs where smart and helpful people would try to diagnose and tell you how to fix your problems. The only drawback was you had to start with reading the contents of your registry, post it to the BB, then they would recommend suggestions for editing the registry. That was a bit above what I had the time (or ability) to do, so – given that it happened at work – I just punted and had IT wipe my HDD and re-image (I don’t really have too many personal files on the HDD, and those I just backed up on a thumb drive). If as I suspect you are doing this at home, that’s obviously not such an easy option.

You should also check TrendMicro’s free online HouseCall service, as well as the free Windows Live security scan. I won’t guarantee they’ll cure your problems, but they did find things that AdAware and SpyBot missed out on.

Is it time for a complete re-install of the OS? If you can get clean copies of your personal files off of the drive, I’d just do a full format and re-install.

That is indeed the home-based version of my having IT re-image my HDD. Unfortunately it’s time consuming and let’s hope she still has all the original CDs and validation codes for her apps.

That’s what I used to do with my former computer. But only because a computer-savvy friend had installed something that would install Windows from a partition of my hard drive and had taught my computer to boot from this partition.

But now, I’ve absolutely no clue about how to reinstall Windows, so I’d rather avoid that.
Moral of the story: always stay in touch with computer-savvy friends.

Tracking cookies are of no serious security concern. I usually disable the cookie scan when running these programs, because cookies are harmless.