I received an email last week from a person who had picked up a particularly nasty vundo infection. I vnc'd into his machine and pulled some samples and found that they weren't hooking winlogon.exe like the usual vundo we see, instead they were hooked into lsass.exe.

I managed to get it ripped out of the users machine and get him back on his merry way.

Since then I have had time to test out this new variant and figure out how it was loading and have now added removal of it to Vundofix.

 
While I was testing I noticed that when I tried to reboot I was receiving errors about SuperMWindow not shutting down. I did a scan on the vundo dll and found that this was in fact caused by vundo. After searching Google I came to the conclusion that quite a few people were seeing SuperMWindow but no one knew what it was or how to remove it. Vundofix now takes care of this.

Vundofix and instructions on how to use it are available from http://vundofix.atribune.org

Good Luck and Safe Surfing, Atri