Wednesday, May 28, 2008


Lavasoft Ad-Aware 2008 Updates today > Product Sucks!
Avira Updates today -> Product Sucks!
Normand Updates today -> Product Sucks!
BitDefender Updates today > Product Sucks!
Avast Updates today -> Found some files (incomplete, no remove)
Kaspersky Updates today -> Found nothing
NOD32 Updates today -> Found nothing

Above Antivirus Products are good in False Positive detection 30% but really Viruses detection %??? Sorry but there helps a 5 or 10 years License nothing if it doesn't protect or should it protect from using KeyGens? caused of missing unpacking features to scann exe and dll, ocx packed, protected archives thru, before showing to the user a False positive as a active real Virus but ("new" = relative old), 2 weeks maybe 1 year old viruses can not be found.
It's 2008 some Antivirus Programs still can not unpack and scan protected files done with exe/dll/... packer/protector.

Non of the above scanner do a full scan inside commercial exe and binaries packer such as Armadillo etc... because these packers are used in commercial software to protector from unpacking! The tollerance from AV firms seems to be high to skip deeper scanns inside Orleans Thermida, ASpack and co. anti hack, anti unpack packer/protectors as to see again and again, here a lot viruses inside Armadillo files.

By Freeware Packer such as Xcomp by JoKo, some AV's shown packed files as Virus - a clear false positive - signature, the imagebase have been done once with a packed infected file compressed using this packer and added to the positive virus database! All files will be shown as false positive if they are packed with XComp and do not contain any virus if the AV can not unpack it and just skip it with a note Virus found. Some may do this by all possible non commercial or not on open source based compressor/packer and cleans up the harddisk without any reassion. Lazy AV Firms does not make unpacking modules propperly to scan inside all exe, dll compressed files!!! > Customer Feedback only help to add a new founded possible Virus! I just know certain email scan modules I will never activate and any preseted auto submition. Maybe the whole software inventary list include ip identification ends by "some companie"s and I do not know what else they do with it. The storrage devices are my privacy not for any analytics marketting etc...
Setup makers like inno, nsis, 7zip based sfx, all kind of zip, rar, ace and co archives can be scanned but clean a file out from a archive or let it unpacked by scanning that the user get the option to rar, zip whatever pack it by self and pick only the infected file out before quarantaene, deleting the whole archive as the only option?

Windows Defender > found nothing

Microsoft Live OnCare > found Trojan:Win32/Vundo.gen!I

Distribution: Torrent sites / Tracker
Files: AntiVirus, AntiSpyware Cracks and downloads via Torrent and Filesharehoster
Looks like every second torrent from there is infected:
Posible this is the same virus pack here as the user report in the comment, also on Fileshare hostern the same.

Bitdefender new cracks/KeyGens
Kaspersky black to whitelist patch/crack
Nod32 Patches

Ad-Aware Pro/Plus crack and Setup file:
1. aaw2008plus.exe, 16.70 MB (seen in sizes from 16 to 20 MB). 2. CRACK.MKDEV.TEAM/lavalicense.dll, 425.33 KB...
with it's created Temp\IXP000.TMP\0000000002.exe
0000000001.exe 0000000002.exe
by running aaw2008plus.exe installer!

DVDFab 5.x + Crack .rar Vundo Generic

many more, just download and upload scan to
on torrent sites and Filesharehostern

Example: Entry Winlogon.exe via a infected dll call file efccCtrs.dll
PEiD..: Armadillo v1.xx - v2.xx
File 2: ssqPFvUn.dll
File 3: wvUoNGvW.dll
creates random dll files in windir/system32 in file sizes of: 33920 bytes

another one with PeCompact:

Active since more than 2 weeks, all AV products early warn systems failed. MS LiveOnCare as the only found Vundo and all possible variations all time long.

Kill dll by attached running processes (inside the process view), Unneded process just stop, terminate them! Shut down GUI, go dos command. You can now delete access the infected files! If nothing help, need to reboot with any boot cd, browse to the file and remove it. Check content of system restore folder,...

Latest Live OnCare:
Discussion Forum:

related links:
Process Explorer
Microsoft Windows Live OneCareSafety scanner
TrendMicro™ HijackThis™ Version 2.0.2

If you are on a Workstation Home PC, can reboot, Live OnCare cleans it 100%. It's free to download, 224 Days updates include with live account, later ~30 Euro/Year 3 or 5 PC's
Together with Spybot-S it's fixed by reboot! Clean rests in registry manually (there no targets anymore where they point to).
Some rest cleanings can be done with CCleaner v2.07.588 - Portable or Slim (all two builds are without toolbar) from:
for example:
ActiveX/COM Issue InProcServer32\C:\WINXP\system32\efccCtrs.dll HKCR\CLSID\{96134ABB-AD7C-4135-A927-329B735D524F}

By a system reboot the start up time will be longer as before. Run HijackThis and remove the last startup file entry:

Thats it, you are done!
Im very angry, its the 5th time I used another Antivirus and the protection failed, can't clean but not to bad it have at least give an alert of a few files. After I seen a running batch process dosbox, wallpaper background replaced with a fake message, screensaver installed looks like many more something like any player with the install pack I did run and lots of new files in win system dir. Sure I don't wait any longer if it's to feel that something was happen and beginn to stop running processes asap include open with process explorer and search all running dll's to terminate them. Small tools like Hijack this was not more execute, desktop background changed. The system dir I know very well. What end up there and have nothing lost in - no new dll's, exe or others than the OS and "known" files or its a bad program installer if it place files in a subfolder of \windows main dir. The temp folder should be the last moment by an installer when AV blocks it before it move out.
One more time its the day to trash an AV product cause it did not protect. I do not more belief what the other AV scanners shown more on possible founded viruses as MS Live On Care already does. It can be all false positive. I know that some scanners just dont want support to unpack and scan exe packers like Xcomp and FSG, MEW, Dwin UPack, PETITE and many more (Norman, Bitdefender, Ikarus, Rising....). The unpacking engine must work by an av. About this Im sure MS did a great job. Besides that if its a real Trojan it must be to see on the in/outgoing connection log to the net. Ikarus have a nice Lexicon of all packer what it can not unpack and list as virus. all files what have been packed with it begin by position 2099. to 2103. and continue by 2173. to 2187.: Yoda and Themida included.

For thouse who likes ads all around, vundo can make a never ending show.

Shit tooks me near one hour until its finally complete removed. To be sure wipe, clean free space + sys restore. Checking all files again in Windows subfolders if they are not modificated, File info, versions, manufacture names, (file properties) that there is really nothing left. (screensaver files include dll, ocx, exe, sys...). Run baseline analyser things like that to get an overview. Avast AV have a great list of all files in that folders by Vendor name, Version etc.. so you see what is what or gabage in use or not.
I knew that vundo in all possible kinds with exe/dll packers *PE packed, ASPack, Thermida,... sometimes done with binder in a cab renamed as one exe, 2 exe inside one. the real program start with the virus exe,... Since a while it spread but never seen in installer packs so I did not upload to check 7..14 and more mb in one exe by virustotal before executing it and I wasn't have MS live on care installed on this pc.


Anonymous said...

Interesting read my friend. You should at least submit this virus infected file to NOD/Kaspersky so they can update there databases or something so it can be detected after. I know that you mention that these AV firms don't allow deep scans in order to protect the rights of retail commercial products which also use same methods of protection against unpacking etc. but I dunno... just a suggestion. Again I liked the read :) Thanks for the news and I personally myself use ESET Smart Security even with .tors I've never seen this virus before nor have been infected by it. Might want to stay away from public tor sites ;)

Also, I wonder if Vundofix.exe can fix this perhaps? I know I had vundo virus long ago and it saved me.

IlLusioN said...

Virustotal normally give out infected files to AntiVirus companies.

IlLusioN said...

Try this:
Go to windows\system32 folder
list newer files by smallest size first.
write unknown files names in

process explorer

search (Find handle or dll)
Check if they attached in running processes ( mostly winlogon.exe , explorer.exe , iexplorer.exe ). The files are in use and can not delete if windows run.

IlLusioN said...

I have unrecoverble delete these files from Quarantiane/system restore. Can not submite them. it was much more files. the half of them the AV have found. the Vundo wasn't found by the AV. It will be not found in NOD > see analyses all sites files results on with Win32/Vundo.gen! Need to make custom search on the domain

I suggest to use process explorer as replacment to task man. see detail in all running instances. It's not possible that there run something hidden. The right tool diag shows all.

Anonymous said...

it was the fulll pack of virii I think as i suddenly found here:

ctfmonb blue screen infection

the screensaver and background but ctmonb and some more ctfmon(anyletter).exe
Avast killed already.
Make bootdisk remove files from dos with ntfs driver must work.
It might be that in this torrents the real program is embedded to the virus packs but runs together

Anonymous said...

Seems to be a new kind of Vundo "I" remove instruction for vundo a,b,c,d,e,f,g,h does not work. I'm afraid to unpack it from Themida and Armadilled. Looks like some fake signatures added and the Packer used the older version for the dll's. Freez system32 folder for changes and new added files.

Anonymous said...

Alrighty, after posting this on Kaspersky forums it seems it can detect it with the proper safe settings. Having your settings in Interactive mode and using the application filter should pick up any undetected and 0day Vundo variants out there. Hope that helps folks :)

Anonymous said...

Thanks a lot.
add to detection

Windows Defender updates june find it now too

IlLusioN said...

Ho to join Kaspersky or NOD Betatester in German, English (imperfect) or Russian Language???

It is possible to improve them products by scanning inside zip password protected archives such as done with autorun studio (used by ALL-In-One makers and some other install maker which use zip passwords) can read by all Versions unpack extract password from file, most autorun studio use always the same zip pass.

Please comment here to site author, internal will not published as comment!!!

IlLusioN said...

I try online scan with
But I get this errors:
OnlineScann Error Screenshot

Anonymous said...

try now:
Definition Update for Windows Defender - KB915597 (Definition
Install this update to revise the definition files used to detect spyware and other potentially unwanted software.

Post a Comment