Suspicious.Vundo

Hi

 

In the submission history of Norton 360 I noticed something being submitted called "Suspicious.Vundo". Norton is calling it a sample submission and the file location is c:\windows\ehome\ehtray.exe. This isn't showing up in quarantine or anywhere else and I have never heard of this version of Vundo before. Is this a mistake or am I infected with this threat? I have run Malwarebytes and nothing was found. Any information would be helpful.

 

tm100

So how do I get rid of this infection? I have run Malwarebytes and nothing was found and the computer seems to be behaving normally. What should I do?

I would wait until tomorrow afternoon, then do a Full System Scan.

 

Message Edited by Floating_Red on 01-24-2009 09:50 PM

Hi

 

Looks like an FP 

 

"c:\windows\ehome\ehtray.exe" The file belongs to Windows Media Centre. http://www.bleepingcomputer.com/startups/ehtray.exe-1525.html

 

 

You could place the file in the exclusions list so that Norton no longer detects this file.

 

Quads  

Hi Guys

 

Late last night, I had an HP desktop machine to look at, and the detection arose on that machine too.

 

In this case the program had been installed on the computer ever since the guy had purchased it, 2 years ago, so I placed it in the "exclusions" list.

 

 Quads

Hi Quads, do you have any thoughts as to why Norton is reading this as a .Vundo recently? It seems to scare many users =[.


Joey wrote:
Hi Quads, do you have any thoughts as to why Norton is reading this as a .Vundo recently? It seems to scare many users =[.
 
Hi
There would have been a definition update for Norton products that has the "Suspicious.Vundo" signature included or updated. After that, Norton via Auto-Protect or scans detects the program/file.
It just happens that in this case it looks as though it's caused an F.P. (false positive).
Maybe an employee can explain or answer better.
 
Quads 

 

Are you able to reproduce the file and send it to Symantec for testing?

Malware Submission 

I think on the other thread about this, it states it has been submitted.

 

I actually don't have the program on my PC.  

 

Quads 

Hi

 

I submitted the file to Symantec and received the tracking number. I think the file is a genuine Windows file, located at c:\windows\ehome\ehtray.exe and belonging to the Media Center as pointed out by Quads, but it's strange why Norton detects it as a Vundo infection.

 

tm100

Does it still say it is Vundo?

It will probably be solved after the Security Response team has looked at it.

I had this happen to me twice last night. Norton had this in my history as “sample submission: suspicious.vundo” and the status was as of last night that it was processing. I don’t know if this is a trojan or not. I was able to talk to three different Norton support service people who didn’t help me at all. I wasn’t able to download the live update until one of the tech support people had me do this online and restart my computer. The tech people weren’t able to tell me if I had a trojan or not but wanted to charge me $100 to check my computer for one. After I downloaded the live update, I kept checking the Norton history and I didn’t get that suspicious.vundo message again. If this is indeed a trojan, how come I didn’t get a trojan/virus alert message? If I didn’t check the history, I would have never known about this. Should I be worried that this is a trojan? My computer was working fine before and after the live download. How do I run Malwarebytes if I only have Norton installed on my computer? I was on the computer for three hours last night and all of the techs kept switching me from tech to tech, with one telling me that they didn’t think that I had a trojan/virus without checking my computer, based on the information that I gave them. I hope someone in here can help. Thanks!

Hi tm100,

 

There is a possibility of a false positive, not sure. The file "c:\windows\ehome\ehtray.exe" belongs to Windows Media Centre. Refer to the information in the link below:

http://www.bleepingcomputer.com/startups/ehtray.exe-1525.html

 

You could place the file "ehtray.exe" in the exclusions list (Autoprotect & Scan) so that Norton no longer detects this file. Norton suspects that particular file as a Trojan.Vundo due to its signature and that is why it is marked as "Suspicious.Vundo". Since it is just a suspicion, the Norton program will submit a sample of that file to the Symantec Security Response automatically for further analysis and react upon the feedback from Symantec Security Response accordingly. If the submitted file is found to be a threat during analysis, you will be informed by Symantec Security Response on how to proceed further. If the submitted file is found to be clean, then the related entry will be removed from the History automatically.

 

Yogesh
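
An added example, not part of the original thread or any Norton tooling: before putting a flagged file such as the one discussed here into an exclusions list, the file itself can be checked for a valid Microsoft signature, since a matching name and path alone do not prove it is the genuine Windows Media Center binary. The function name `Get-FlaggedFileEvidence` is hypothetical, and the script assumes PowerShell 4.0 or later (for `Get-FileHash`).

```powershell
# Added example: gather evidence about a flagged file before excluding it.
# The default path is the one reported in this thread.
function Get-FlaggedFileEvidence {
    param(
        [string]$Path = 'C:\Windows\ehome\ehtray.exe'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $item = Get-Item -LiteralPath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

    # On PowerShell older than 5.1, catalog-signed Windows files can be
    # reported as NotSigned; treat NotSigned there as inconclusive.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    [pscustomobject]@{
        Path              = $item.FullName
        # The hash identifies this exact file in a submission or lookup.
        SHA256            = $hash.Hash
        SignatureStatus   = $sig.Status
        Signer            = $signer
        # Version-info strings are written by whoever built the file,
        # so they are supporting detail only, not proof of origin.
        CompanyName       = $item.VersionInfo.CompanyName
        OriginalFilename  = $item.VersionInfo.OriginalFilename
        FileVersion       = $item.VersionInfo.FileVersion
        # A valid signature from a Microsoft signer is the strong signal.
        SignedByMicrosoft = ($sig.Status -eq 'Valid' -and
                             $signer -match 'O=Microsoft Corporation')
    }
}

Get-FlaggedFileEvidence | Format-List
```

If `SignatureStatus` is `HashMismatch` or the signer is not Microsoft, the file should stay out of the exclusions list until the vendor's analysis of the submitted sample comes back.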