Vundo,Can't Remove, Help!!!

I just registered to post on the boards and I need some help to remove vundo from my pc.

I've been reading some of the other threads about this virus and followed some of the advice that was posted previously.

Had tried Stinger, didn't help. Most recent report was clear.

Tried MBAM, found 4 infections. Report shown below.
--------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.36
Database version: 2106
Windows 5.1.2600 Service Pack 3

5/11/2009 2:25:08 AM
mbam-log-2009-05-11 (02-24-57).txt

Scan type: Quick Scan
Objects scanned: 91085
Time elapsed: 35 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7510a64e-6741-46ad-a3f1-e7e4c3af8517} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khnoqkvx (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{7510a64e-6741-46ad-a3f1-e7e4c3af8517} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\jlefmrb.dll (Trojan.Vundo.H) -> No action taken.
------------------------------------------------------------------------------------
Also tried ESET scanner. Only showed 1 issue
-------------------------------------------------------------------------------------------
C:\AOL Instant Messenger\AIM.exe Win32/Adware.WBug.A application deleted - quarantined

-------------------------------------------------------------------------------------------
My original McScan showed 4 items in quarantine, but after deleting items and rebooting, a restart scan runs showing that I still have Vundo.

This all started a week ago Friday (5/1), when Spyware Protect 2009 self-installed on my pc.

The pop-ups from that program stopped coming up a day later after I ran stinger the first time.

I read in another thread that it might be a rootkit and a suggestion was made to another poster to try RootRepeal v1.2.3. Would that help?

Any help would be very much appreciated.

Thanks.

P.S.: I'm running WIN XP Home/SP3.
secured2k
Level 11
Message 2 of 33

RE: Vundo,Can't Remove, Help!!!

Yes, running RootRepeal would be one of the last 2 things to try to detect anything additional that might be hiding.

However, your log shows you ran MalwareBytes without choosing a repair option. Some users miss this added step as you have to click View Results and then click Remove Selected at the bottom of the MalwareBytes results page.
secured2k
Level 11
Message 3 of 33

RE: Vundo,Can't Remove, Help!!!

Since some antivirus programs do not detect the Vundo variant you have, it would be helpful if you could send the file to VirusTotal and McAfee.

File: C:\WINDOWS\system32\jlefmrb.dll

VirusTotal: http://www.virustotal.com
McAfee Submission: http://vil.nai.com/vil/submit-sample.aspx

RE: Vundo,Can't Remove, Help!!!

After I would download RootRepeal, is there anything special that I need to do before running the scan?

Thanks.
secured2k
Level 11
Message 5 of 33

RE: Vundo,Can't Remove, Help!!!

Nothing special to do except run the tool, go to the Report tab, click Scan and select all items listed.

This tool will not work in 64-bit Windows.

RE: Vundo,Can't Remove, Help!!!

I will do this later today and report back with the results.

In the meantime, thanks.

RE: Vundo,Can't Remove, Help!!!

Hi, I haven't run RootRepeal yet. I wanted to send the infected file that you mentioned to McAfee for review first.

Per their instructions, they say to run msconfig and look in the Startup tab for the file.

But when I went into there, I can't locate the file.

Do I need to do something else to locate that file?

Thx.
secured2k
Level 11
Message 8 of 33

RE: Vundo,Can't Remove, Help!!!

The virus sets some basic flags that cause it to be hidden from Explorer. Change the option to show hidden files by following the instructions below.

To see hidden files:

1. On the Tools menu in Windows Explorer, click Folder Options.

2. Click the View tab.

3. Under Hidden files and folders, click Show hidden files and folders.

Note To access Windows Explorer, click Start, point to All Programs, and then click Windows Explorer.
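For anyone who wants to see what the two persistence locations in the MBAM log above (a Browser Helper Object CLSID and a Winlogon\Notify subkey) actually point at, without depending on Explorer's hidden-file setting, here is an added read-only PowerShell check. It is not code from this thread or from McAfee; the registry paths come from the log, the function names and output layout are my own.

```powershell
# Added example: enumerate BHO and Winlogon\Notify registrations, resolve each
# to its DLL and show file attributes so a Hidden/System DLL is still listed.
# Read-only: nothing is removed or changed.

function Get-BhoEntries {
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid = $_.PSChildName
        # The CLSID registration under HKCR holds the DLL path in InprocServer32.
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $inproc) { (Get-ItemProperty $inproc).'(default)' } else { $null }
        [pscustomobject]@{ Source = 'BHO'; Key = $clsid; Dll = $dll }
    }
}

function Get-WinlogonNotifyEntries {
    $notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $notifyKey)) { return }
    Get-ChildItem $notifyKey | ForEach-Object {
        # Each Notify subkey names the DLL Winlogon loads in its DLLName value.
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        [pscustomobject]@{ Source = 'WinlogonNotify'; Key = $_.PSChildName; Dll = $dll }
    }
}

function Resolve-DllInfo {
    param([string]$Dll)
    if (-not $Dll) { return 'no DLL path' }
    # A bare file name (as Winlogon\Notify uses) resolves relative to System32.
    $path = if ([IO.Path]::IsPathRooted($Dll)) { $Dll } else { Join-Path $env:SystemRoot "system32\$Dll" }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if (-not (Test-Path -LiteralPath $path)) { return "$path (file missing)" }
    # -Force makes Get-Item return files that carry the Hidden or System attribute.
    $item = Get-Item -LiteralPath $path -Force
    "$path [$($item.Attributes)] $($item.Length) bytes"
}

$entries = @(Get-BhoEntries) + @(Get-WinlogonNotifyEntries)
foreach ($e in $entries) {
    '{0,-15} {1,-45} {2}' -f $e.Source, $e.Key, (Resolve-DllInfo $e.Dll)
}
```

Any entry whose DLL sits in System32 with the Hidden attribute and an unfamiliar random-looking name, like the jlefmrb.dll in the log, is the one to submit for analysis.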

RE: Vundo,Can't Remove, Help!!!

I just did go into win explorer and selected the hidden folders option.

Do I next go back into msconfig and repeat the process, or go into the folders list in Explorer to find the file?

RE: Vundo,Can't Remove, Help!!!

The best method is to just send the file to VirusTotal. Find the file after clicking on "Send File" at the bottom.

For McAfee, locate the file in McAfee and ZIP the file with the password "infected" and send it to Virus_Research@avert.com