
Trojan Vundo, Nothing Removes It

I have a trojan on my laptop with Windows XP.

It is detected as a Vundo.

The pathname is C:\WINDOWS\system32\__c0042745.dat

So far, the trojan hasn't really affected the laptop. A few times I've opened Explorer and it has automatically shut down, but otherwise it hasn't been noticeable beyond the detection message that frequently pops up.

I downloaded the Process Explorer from Sysinternals and followed the directions McAfee provided but that didn't work.

I turned off system restore and put the computer into safe mode but that didn't work.

I downloaded two trojan vundo scanners on two different websites (couldn't tell you which ones) and neither even detected the trojan.

I heard the VundoFix V7.0 was good from Major Geeks, but it is currently unavailable b/c of defects.

Have no idea what else to do. Any suggestions would be greatly appreciated.
4 Replies

RE: Trojan Vundo, Nothing Removes It



Try this

Download Malwarebytes' Anti-Malware from http://www.besttechie.net/tools/mbam-setup.exe or http://www.majorgeeks.com/Malwarebyt...are_d5756.html

Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Grif
Level 10
Message 3 of 5

RE: Trojan Vundo, Nothing Removes It

And just in case you need it, VundoFix can be found at the link below:

http://vundofix.atribune.org/

Hope this helps.

Grif

RE: Trojan Vundo, Nothing Removes It

I downloaded the Anti-Malware from Malwarebytes and it found 6 viruses. It deleted the three I was unaware of and on reboot it deleted the one I was talking about. Thanks for all of the help!

And here was the report it gave.

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 2

11/3/2008 3:10:53 PM
mbam-log-2008-11-03 (15-10-53).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 96556
Time elapsed: 35 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\__c0042745.dat (Trojan.Zlob) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0042745 (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f8f1620.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f8f818c.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f90670a.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\__c0042745.dat (Trojan.Vundo) -> Delete on reboot.
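
For anyone reviewing a report in this layout, the following is an added example, not part of the original post and not Malwarebytes' own tooling. It parses the text log, checks that each summary count matches the items actually listed, and returns the targets whose removal is deferred to reboot, which are the ones to confirm with a follow-up scan. The function names are hypothetical and the sample log is constructed with placeholder names.

```python
import re

# Constructed sample in the layout of the report above (names are placeholders).
SAMPLE_LOG = r"""Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 2
Files Infected: 1

Memory Modules Infected:
C:\WINDOWS\system32\example.dat (Trojan.Zlob) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\example1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\example2.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\example.dat (Trojan.Vundo) -> Delete on reboot.
"""

SUMMARY = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM = re.compile(r"^(?P<target>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (declared counts, items per section) from an MBAM text log."""
    counts, items, current = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := SUMMARY.match(line):
            counts[m["section"]] = int(m["count"])
        elif m := HEADER.match(line):
            current = m["section"]
            items[current] = []
        elif current and (m := ITEM.match(line)):
            items[current].append((m["target"], m["name"], m["action"]))
    return counts, items

def review(text):
    """Flag count mismatches and items whose removal is deferred to reboot."""
    counts, items = parse_mbam_log(text)
    mismatched = sorted(s for s, n in counts.items() if len(items.get(s, [])) != n)
    pending = sorted({t for rows in items.values() for t, _, a in rows
                      if a.lower() == "delete on reboot"})
    return mismatched, pending
```
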
melboy
Level 7
Message 5 of 5

RE: Trojan Vundo, Nothing Removes It

I noticed that the database number for MBAM is 1306. It is currently 1361.
Are you able to update it? If not, are you running it from a standard account (i.e., non-administrator)?
If you are able to update it, run another quick scan.
