Hello, everyone! I'm new to posting, but I guess you could say I've lurked a bit in the past. I'd like to talk a little bit with the MBAM community about Vundo. As you're all probably aware, vundo has been a thorn in our sides for a few years now. It started out calling itself xp antivirus 2006, then 2007, etc and so fourth, but now it goes by more names than I care to count. It's had so many variants over the last few years that it makes my head spin, and not a single major AV company stops it. I've seen norton cripple it, but without professional help it just comes back. It laughs at AVG, mcaffee, panda, etc. Avast seems to be able to clean it, but not enough that it doesnt come back within a few days. MBAM, along side some regedit know-how can remove it, as long as you nuke the temp files by hand as well... but I'm tired of it! This latest version brings in TDSS with it as well, which muckles onto the master boot record and manifests as a google redirect. More of an annoyance than anything, but always manages to bring back Vundo. Now its a recovery console+mbr fix, mbam, regedit, filesystem combo to clear this up. TDSSkiller does a good job removing tdss from the drivers in windows, but not the boot record. Combofix, as a last resort, also does a good job clearing up the virus- but can also completey fubar the machine. What I'm here for, however, is information on how other sysadmins, it consultants, and anyone else in the professional community deals with being pro-active on vundo. I've got 20 some odd small businesses that rely on my support, and over the years almost everyone has gotten some form of this virus at least once- other people seem to acquire a new version almost monthly. what I don't want to do is start having to set read-only permissions on portions of the registry- it's asking for trouble. All of my users run as local administrators since small businesses tend to have power users on all of their PC's. (or at least they think they're power users!) Another option I'm considering (And it breaks my heart) is teaching everybody how to use deep freeze. Not cool! Last week, cleaning up a typical vundo/tdss infection one of the users, who had been trying to clean it up themselves, had printed up a document from this forum in which one user claimed something along the lines of "If you had the licensed MBAM installed, this infection never would have gotten this far"- That caught my eye. Does the licensed MBAM actually prevent vundo/tdss infections? If it does, I'd LOVE to know how it does it. if it does it by monitoring for new registry changes that happen to point to a file in the users temp area, then it's certainly a start. Any information on this is certainly appreciated.
