
Vundo,Can't Remove, Help!!!

I just registered to post on the boards and I need some help to remove vundo from my pc.

I've been reading some of the other threads about this virus and followed some of the advice that was posted previously.

Had tried Stinger, didn't help. Most recent report was clear.

Tried MBAM, found 4 infections. Report shown below.
--------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.36
Database version: 2106
Windows 5.1.2600 Service Pack 3

5/11/2009 2:25:08 AM
mbam-log-2009-05-11 (02-24-57).txt

Scan type: Quick Scan
Objects scanned: 91085
Time elapsed: 35 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7510a64e-6741-46ad-a3f1-e7e4c3af8517} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khnoqkvx (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{7510a64e-6741-46ad-a3f1-e7e4c3af8517} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\jlefmrb.dll (Trojan.Vundo.H) -> No action taken.
------------------------------------------------------------------------------------
Also tried ESET scanner. Only showed 1 issue
-------------------------------------------------------------------------------------------
C:\AOL Instant Messenger\AIM.exe Win32/Adware.WBug.A application deleted - quarantined

-------------------------------------------------------------------------------------------
My original McScan showed 4 items in quarantine, but after deleting the items and rebooting, a restart scan runs showing that I still have Vundo.

This all started a week ago Friday (5/1), when Spyware Protect 2009 self-installed on my pc.

The pop-ups from that program stopped coming up a day later after I ran stinger the first time.

I read in another thread that it might be a rootkit and a suggestion was made to another poster to try RootRepeal v1.2.3. Would that help?

Any help would be very much appreciated.

Thanks.

P.S.: I'm running WIN XP Home/SP3.
32 Replies

Level 11
Message 2 of 33

RE: Vundo,Can't Remove, Help!!!

Yes, running RootRepeal would be one of the last 2 things to try to detect anything additional that might be hiding.

However, your log shows you ran MalwareBytes without choosing a repair option. Some users miss this added step as you have to click View Results and then click Remove Selected at the bottom of the MalwareBytes results page.
Level 11
Message 3 of 33

RE: Vundo,Can't Remove, Help!!!

Since some AntiVirus programs do not detect the Vundo variant you have it would be helpful if you could send the file to VirusTotal and McAfee.

File: C:\WINDOWS\system32\jlefmrb.dll

VirusTotal: http://www.virustotal.com
McAfee Submission: http://vil.nai.com/vil/submit-sample.aspx

RE: Vundo,Can't Remove, Help!!!

After I would download RootRepeal, is there anything special that I need to do before running the scan?

Thanks.
Level 11
Message 5 of 33

RE: Vundo,Can't Remove, Help!!!

Nothing special to do except run the tool, go to the Report tab, click Scan and select all items listed.

This tool will not work in 64-bit Windows.

RE: Vundo,Can't Remove, Help!!!

I will do this later today and report back with the results.

In the meantime, thanks.

RE: Vundo,Can't Remove, Help!!!

Hi, I haven't run RootRepeal yet. I wanted to send the infected file that you mentioned to McAfee for review first.

Per their instructions, they say to run msconfig and look in the Startup tab for the file.

But when I went into there, I can't locate the file.

Do I need to do something else to locate that file?

Thx.
Level 11
Message 8 of 33

RE: Vundo,Can't Remove, Help!!!

The virus sets some basic file attributes that cause it to be hidden from Explorer. Change the option to show hidden files by following the instructions below.

To see hidden files:

1. On the Tools menu in Windows Explorer, click Folder Options.

2. Click the View tab.

3. Under Hidden files and folders, click Show hidden files and folders.

Note: To access Windows Explorer, click Start, point to All Programs, and then click Windows Explorer.
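An added check, not from this thread or from McAfee, that automates the hunt the reply above describes: it walks the two persistence locations named in the MBAM log (Browser Helper Objects and Winlogon\Notify), resolves each entry to its DLL, and reports whether the file exists and carries the Hidden or System attribute. The registry paths are the standard Windows ones; the output column names are this example's own.

```powershell
# Added example (not from the thread): list BHO and Winlogon\Notify entries and the
# attributes of the DLL each one loads. Run from an elevated PowerShell prompt.

function Get-DllAttributes {
    param([string]$Path)
    if (-not $Path) { return 'no path' }
    # Expand %SystemRoot%-style references and strip surrounding quotes
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not (Test-Path -LiteralPath $expanded)) { return 'MISSING' }
    # -Force is required, or Get-Item will not return a Hidden/System file at all
    return (Get-Item -LiteralPath $expanded -Force).Attributes.ToString()
}

$findings = @()

# 1. Browser Helper Objects: each subkey is a CLSID; the DLL is the default value of
#    HKCR\CLSID\{guid}\InProcServer32 (the same two keys the MBAM log flagged)
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoRoot) {
    Get-ChildItem $bhoRoot | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
        $dll    = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
        $findings += [pscustomobject]@{ Source = 'BHO'; Name = $clsid; Dll = $dll;
                                        Attributes = (Get-DllAttributes $dll) }
    }
}

# 2. Winlogon Notify packages: each subkey carries a DLLName value; a bare file name
#    is resolved from system32, which is where the log's jlefmrb.dll was found
$notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyRoot) {
    Get-ChildItem $notifyRoot | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DLLName
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "system32\$dll"
        }
        $findings += [pscustomobject]@{ Source = 'WinlogonNotify'; Name = $_.PSChildName;
                                        Dll = $dll; Attributes = (Get-DllAttributes $dll) }
    }
}

$findings | Format-Table -AutoSize
```

Entries whose Attributes column contains Hidden or System, or whose name looks random like the ones in the log, are the files worth zipping and submitting to VirusTotal and McAfee as the earlier replies suggest.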

RE: Vundo,Can't Remove, Help!!!

I just did go into Windows Explorer and selected the hidden folders option.

Do I next go back into msconfig and repeat the process, or go into the folders list in Explorer to find the file?

RE: Vundo,Can't Remove, Help!!!

The best method is to just send the file to VirusTotal. Find the file after clicking on "Send File" at the bottom.

For McAfee, locate the file in McAfee and ZIP the file with the password "infected" and send it to Virus_Research@avert.com
