The Vundo fake-avscanner belongs to one of the most active malware families of recent years and now uses another trick to block removal. The removal of standard variants is difficult, because they may hijack various DLL-files to load these into memory afterwards. Another trick is to add itself to a registry-key that makes the DLL-file is renamed at every reboot. When the av-scanner wants to delete the file at reboot, it has already been renamed to escape that action in order to remain on the OS.
The newest variant that MS found recently spreads itself to coupled disks. Either it places itself in the rootdirectory of that disk, or creates a random directory name and places its DLL-file there. So it is advised to go off the Internet before scanning. The Vundo process in memory can download the file anew, even if the malware has been cleansed succesfully prior to that.
Vundo downloads a number of files from various sites. To block these sites through a FW is a good option:
The IP-addresses and/or domains to be blocked are:
85.12.43.102
pancolp.com
exficale.com
More info on the malware mentioned here:
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3AWin32%2FVundo.A
polonus