I started to put this in the sticky thread on malware, but it said there to start a new one, so here goes.
In January I detailed a problem I had, possibly with malware. What happened was that, occasionally (but not always) my browser would send me someplace I hadn’t pointed to. So, following the recommendations in the referenced thread, plus a list of recommendations compiled by an IT person I used to work with, I proceeded to attempt to clean up the malware.
When I got to the “start in Safe Mode” part, I couldn’t do it. And then I couldn’t start it any other way.
I abandoned that computer and went back to my old one, leaving the messed-up computer in the capable hands of somebody who could fix it without pay, in his own sweet time. Which is now.
So, he managed to pull up the very last Hijack This notepad (or whatever it is) that I ran; he ran some other diagnostic program and determined that I had something called the Vundo trojan horse and–this is the important part–this malware has been known to shut down a computer IF YOU TRY TO START IN SAFE MODE AFTER RUNNING HIJACK THIS (or immediately after running certain other malware search/fix programs).
Boy, this is nasty. A virus that understands the steps you will take to get rid of it, and shuts down the computer while you are doing so.
Anyway, he had never heard of this before (he doesn’t do IT professionally anymore, although he does try to keep up) and nobody here had mentioned it, so I thought I would.
(Mods–if you think this is appropriate to go into the malware thread that’s stickied, feel free to move it.)
You must remember that Vundo isn’t a single virus. There are many variations of it. Some are far worse than others. For instance, some can be cleaned by a simple renaming of Malwarebytes’ Anti-Malware, and some versions of it will simply delete Malwarebytes once you rename it back to the executable.
The virus is often in emails and browser add-ons.
In some of the worst forms, once you run Hijack This, if you attempt to boot into safe mode you will get a TRUE blue screen of death (BSOD). Vundo often replaces your screen saver with a FAKE BSOD. If you run Hijack This and get a BSOD, you have to reinstall Windows or restore the deleted safe mode registry. (Warning: back up your registry periodically.)
The virus exploits Java, so make sure your Java is turned off except when you need it specifically, and make sure the Java version is current.
Just as an add-on: this virus is not Java-specific. By that I mean simply turning off Java isn’t going to keep you 100% safe; there are other ways to get it and retain it. It exploits Java but isn’t necessarily Java-specific, depending on the variant of the virus.
Vundo is probably THE ubermalware now, and the only one I’ve not been able to defeat without a complete nuke.
That said, going to safe mode is merely a recommended solution. There’s always the next step of using a recovery disk. Someone even covered it here. You’ll have to look it up, though. I’m a bit busy.
The problem is that some versions of Vundo create rootkits. Once you have one of them, all bets are off.
I’ve had success by booting to a BartPE or WindowsPE disk (the operating system fits onto a CD, so you’re running things from that CD and the rootkit isn’t running). Then you can search the directory (usually Windows32) and rename the rootkit files (quick tip: their date stamp is about the time you got the virus. You rename just in case you accidentally picked the wrong files; you can name them back to what they were). Once the rootkits are dealt with, other cleaning procedures will work.
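The date-stamp triage and reversible renaming described in the post above, as an added example that is not part of the original thread: it lists files modified within a window around an assumed infection time, renames the hits with a suffix, and writes a manifest so every rename can be undone. The directory, file names and timestamps are constructed for the demo (a temp directory stands in for the Windows system directory); nothing here identifies real Vundo files.

```python
import os
import json
import tempfile
from datetime import datetime, timedelta

MANIFEST = "rename_manifest.json"


def find_files_near(directory, infection_time, window_hours=6):
    """Return file names whose modification time lies within +/- window_hours of infection_time."""
    lo = infection_time - timedelta(hours=window_hours)
    hi = infection_time + timedelta(hours=window_hours)
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and name != MANIFEST:
            mtime = datetime.fromtimestamp(os.path.getmtime(path))
            if lo <= mtime <= hi:
                hits.append(name)
    return hits


def quarantine_rename(directory, names, suffix=".quarantined"):
    """Rename each file by appending a suffix and record old->new names so the step is reversible."""
    manifest = {}
    for name in names:
        src = os.path.join(directory, name)
        os.rename(src, src + suffix)
        manifest[name + suffix] = name
    with open(os.path.join(directory, MANIFEST), "w") as f:
        json.dump(manifest, f)
    return manifest


def undo_rename(directory):
    """Restore every name recorded in the manifest (the 'you can name them back' step)."""
    manifest_path = os.path.join(directory, MANIFEST)
    with open(manifest_path) as f:
        manifest = json.load(f)
    for renamed, original in manifest.items():
        os.rename(os.path.join(directory, renamed), os.path.join(directory, original))
    os.remove(manifest_path)
    return sorted(manifest.values())


def build_demo_dir():
    """Constructed sample: four empty files with fabricated mtimes around a made-up infection time."""
    d = tempfile.mkdtemp()
    infection = datetime(2009, 3, 14, 21, 0)
    samples = {"kernel32.dll": infection - timedelta(days=400),   # old system file, not a hit
               "user32.dll": infection - timedelta(days=200),     # old system file, not a hit
               "abcdxyz.dll": infection + timedelta(minutes=20),  # constructed suspect, a hit
               "qwerty12.dll": infection - timedelta(hours=1)}    # constructed suspect, a hit
    for name, when in samples.items():
        path = os.path.join(d, name)
        open(path, "w").close()
        os.utime(path, (when.timestamp(), when.timestamp()))
    return d, infection


def current_names(directory):
    return sorted(os.listdir(directory))
```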
I’ve only had one virus in all my career. But it was a big enough pain in the ass that I now have Norton Ghost and an external hard drive. I back up 3 days a week, and if I ever have to, I can restore and only lose a day or two.
Ooogh… Vundo is an awful one… and has been for quite some time. I remember fighting with some Vundo variant a couple of years ago. Needed to manually edit registry entries and the whole 9 yards. I almost had less trouble when my box got hijacked for ransomware.
I believe it’s actually a wallpaper. I don’t know if the mouse is disabled or not. By the time it got that sophisticated, I was reading about it on my Linux box. Mine had just gotten to the point where it blocked Internet sites where you could look up how to fix it. The writers have been anticipating how people go about getting rid of it for a while.