I Think It's Vundo.


Vundo really blurs the line between virus and malware.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} deleted successfully.

Frikkin' Vundo trojan (Quote #1, Sat Apr 11, 2009 11:59 pm): So

C:\found.000 folder moved successfully.

I wave, but they don't slow down. -- Steven Wilson

Forge: Re: Frikkin' Vundo trojan

Now that was a major bitch to remove... MBAM picked up a rootkit on one of the student PCs a while back.

File delete failed.

Place a check against each of the following:

O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Aaron\AppData\Local\Temp\ssqQkLDv.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Aaron\AppData\Local\Temp\iIbayyVn.dll,c

Click on Fix Checked when finished and exit HijackThis. Restart the computer normally. If still having

Due to the fact it attaches itself to system processes and can add registry keys to the auto-start, this special bugger can execute itself every time Windows is rebooted.

We have to have Java on the school PCs for some of the online classroom software we use, and some of my students are strident rejectors of any and every update

We have observed the following variants displaying this behavior: Trojan:Win32/Vundo.AF, Trojan:Win32/Vundo.AX, Trojan:Win32/Vundo.BI, Trojan:Win32/Vundo.CK, Trojan:Win32/Vundo.FZ, TrojanDownloader:Win32/Vundo.J.

We have seen the variants sending the following information: Information about Outlook Express accounts

Win32/Vundo might modify the following registry entry to load the newly created DLL whenever you start your PC or Internet Explorer: In subkey: HKLM\SOFTWARE\Classes\CLSID\ Sets value: "InprocServer32" With data: "

by Grif Thomas, Forum moderator / February 26, 2008 11:45 PM PST, in reply to: VUNDO problem: Has any program identified it specifically as Vundo?

It gets in like malware, but it's DEEP, and it doesn't do much itself, just acts as a beachhead for lots of other unwelcome visitors. Nasty nasty badness!

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9819CC0E-9669-4D01-9CD7-2C66DA43AC6C}\ not found.
Registry key HKEY_USERS\S-1-5-21-3725485567-1614611778-3893331521-1006\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ not found.
[Files/Folders - Created Within 90 days]
C:\found.000\dir0000.chk folder moved successfully.

and sometimes my antivirus can not detect them.

I get PCs in regularly for cleaning/reimage where Windows Update has been forcibly disabled and they are still on IE6 and XP SP2, even as recently as last week. FFS, XP SP3

You either like them or hate them. Gerbils unite!

We have observed the following exploits detected alongside Win32/Vundo infections: CVE-2008-5353, CVE-2009-3867, CVE-2009-3869, CVE-2010-0094, CVE-2010-0188, CVE-2010-0840, CVE-2010-0842, CVE-2010-1297, CVE-2010-4452, CVE-2011-1823, CVE-2011-3521, CVE-2011-3544, CVE-2012-0056, CVE-2012-0507, CVE-2012-1723, CVE-2012-4621, CVE-2012-4681, CVE-2012-5076, CVE-2013-0422, CVE-2013-0431, CVE-2013-1493.

When finished, it will produce a report for you.

What did they think was going to happen??

Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version fix logfile created on 05012008_220503
Files moved on Reboot...

Modifies browser behavior: Variants of the family, such as Trojan:Win32/Vundo.K, might redirect certain URLs to others of their own choosing, including search engines such as

Just use as many posts as you need, that's fine.

#7 NekoStar (Topic Starter)

Do not install any other programs until this is fixed.

Double click on ComboFix.exe & follow the prompts.

As you can tell, this is definitely a more serious type of trojan and should not be taken lightly.

This guy had done a google search for something to do with AutoCAD; just below the result he wanted was a site offering AutoCAD keygens...

scan completed successfully
hidden files: 0

First, I'd like to cover what exactly a Trojan Virtumonde is or can look like for some of our viewers who might not be so familiar with it.

I think it's Vundo infected. Started by NekoStar, Jan 15 2010 11:24 AM. This topic is locked; 10 replies to this topic.

#1 NekoStar

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Kernel and Hardware Abstraction Layer deleted successfully.


Files Infected:
C:\WINDOWS\sfrvctf.dll (Trojan.Hiloti) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.

Click the Ok button and Notepad will open with a log of actions taken during the fix.

Thanks for the response!

C:\WINDOWS\$NtUninstallMTF1011$\zrpt.xml (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.

File delete failed.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92780B25-18CC-41C8-B9BE-3C9C571A8263}\ not found.

How do I get rid of it??

Network and removable drives: The worm variants of Win32/Vundo, such as Worm:Win32/Vundo.A, are known to spread through network and removable drives by creating the following copies of themselves on removable drives: :\\\.dll

After downloading the tool, disconnect from the internet and disable all antivirus protection.

Such autorun.inf files contain instructions for the operating system so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.

Re: Frikkin' Vundo trojan (Quote #14, Sun Apr 12, 2009 1:29 pm): The forbidden Firefox extension (disabled here and on certain other sites, yes) with certain filters installed is probably helpful for prevention, likewise to an extent Spybot S&D and SpywareBlaster immunizations. My wife

O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (
O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKLM\..\Toolbar: (Softonic-Eng7 Toolbar) -

Please don't send help requests via PM, unless I am already helping you.