
Vundo.H Variant

4 replies to this topic

#1 tricky17
  • Members
  • 3 posts

Posted 14 January 2009 - 08:19 PM

Hello,
My computer is infected with the Vundo H trojan. I've tried removing it with updated versions of Malwarebytes and Superantispyware. I've also tried to remove infected registry files under the name of MS Juan. However, after reboot, they reinstall themselves and the computer performance and adware issues re-appear. On subsequent scans, the same infected files appear in Malwarebytes and Superantispyware. Your help is appreciated.
Thanks.

#2 buddy215
  • Moderator
  • 13,116 posts
  • Gender:Male
  • Location:West Tennessee

Posted 14 January 2009 - 09:45 PM

Super Antispyware updated about 90 minutes ago.
For best results using SAS, update in regular mode then boot into safe mode to run the scan.

MBAM's latest update is 1654. Check your log to see if that is what you scanned with. Be sure to reboot after scanning with MBAM to remove the malware it finds.

As you may know, Vundo is constantly changing to hide from the security programs. It may take a day or two for them to update to your particular variant.

You should run a scan with Secunia online scanner to find missing security updates for all of your programs. Vundo is known to exploit older versions of Sun Java so after updating Java go to Add/Remove Programs and remove ALL older versions of Java. http://secunia.com/vulnerability_scanning/online/

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 tricky17
  • Topic Starter

  • Members
  • 3 posts

Posted 15 January 2009 - 01:50 PM

Thanks for the reply. I have updated all programs using the Secunia scanner. I updated both Malwarebytes and SuperAntiSpyware to the most recent versions.

I rebooted the computer to safe mode and ran ATF Cleaner to remove temporary files. While in safe mode I ran SuperAntiSpyware on the entire drive. This is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/15/2009 at 01:28 PM

Application Version : 4.24.1004

Core Rules Database Version : 3710
Trace Rules Database Version: 1685

Scan type : Quick Scan
Total Scan Time : 00:57:23

Memory items scanned : 169
Memory threats detected : 0
Registry items scanned : 438
Registry threats detected : 7
File items scanned : 50390
File threats detected : 0

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Uid

Trojan.Fake-Alert/Trace
HKU\S-1-5-21-1993962763-1844237615-725345543-1003\SOFTWARE\Microsoft\fias4013


I removed the infected files and rebooted back into safe mode and am running malwarebytes now... which has already found more infected files...
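The scan log above lends itself to a small parser, so that the same check can be repeated after the reboot that the first post says undoes the cleanup. The following Python is an added example, not code from tricky17, BleepingComputer or SUPERAntiSpyware: it embeds the detection and summary lines from the log as a constructed sample, parses them into detection groups and registry locations, cross-checks the "threats detected" counters against the itemised entries, and lists the distinct keys to re-verify after the next reboot. It assumes that a `#` in a SAS registry entry separates the key from a value name (as in `MS Track System#Uid`); the hive list and the helper names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the summary and detection lines of the SUPERAntiSpyware
# log quoted in the post above (header lines omitted).
SAMPLE_LOG = r"""
Memory items scanned : 169
Memory threats detected : 0
Registry items scanned : 438
Registry threats detected : 7
File items scanned : 50390
File threats detected : 0

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Uid

Trojan.Fake-Alert/Trace
HKU\S-1-5-21-1993962763-1844237615-725345543-1003\SOFTWARE\Microsoft\fias4013
"""

# Registry hive prefixes (example's own list); any other line containing a
# backslash is treated as a file path.
HIVES = ("HKLM", "HKCU", "HKU", "HKCR", "HKCC")
COUNT_RE = re.compile(r"^(Memory|Registry|File) (items scanned|threats detected)\s*:\s*(\d+)$")


@dataclass
class Detection:
    name: str                         # detection group, e.g. "Adware.Vundo Variant/Rel"
    location: str                     # registry key (value name stripped) or file path
    kind: str                         # "registry" or "file"
    value_name: Optional[str] = None  # assumption: SAS writes a value name after '#'


@dataclass
class ScanReport:
    counts: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)


def split_location(line: str) -> Tuple[str, str, Optional[str]]:
    """Return (kind, key_or_path, value_name) for one location line."""
    hive = line.split("\\", 1)[0]
    if hive in HIVES:
        key, sep, value = line.partition("#")
        return "registry", key, (value if sep else None)
    return "file", line, None


def parse_sas_log(text: str) -> ScanReport:
    """Parse the summary counters and the itemised detections that follow them."""
    report = ScanReport()
    group = None  # detection name that subsequent location lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:  # e.g. "Registry threats detected : 7" -> counts["registry_threats_detected"]
            key = f"{m.group(1).lower()}_{m.group(2).replace(' ', '_')}"
            report.counts[key] = int(m.group(3))
        elif "\\" in line:  # a registry key or file path under the current group
            if group is None:
                raise ValueError(f"location line before any detection group: {line}")
            kind, loc, value = split_location(line)
            report.detections.append(Detection(group, loc, kind, value))
        else:  # a bare line starts a new detection group
            group = line
    return report


def consistency_issues(report: ScanReport) -> List[str]:
    """Flag mismatches between the summary counters and the entries actually listed."""
    listed = {"registry": 0, "file": 0}
    for d in report.detections:
        listed[d.kind] += 1
    issues = []
    for kind, n in listed.items():
        expected = report.counts.get(f"{kind}_threats_detected")
        if expected is not None and expected != n:
            issues.append(f"{kind}: summary reports {expected}, log lists {n}")
    return issues


def keys_to_recheck(report: ScanReport) -> List[str]:
    """Distinct registry keys to verify are still absent after the next reboot."""
    return sorted({d.location for d in report.detections if d.kind == "registry"})


if __name__ == "__main__":
    rep = parse_sas_log(SAMPLE_LOG)
    for d in rep.detections:
        extra = f"  [value: {d.value_name}]" if d.value_name else ""
        print(f"{d.name:26} {d.kind:8} {d.location}{extra}")
    print("consistency:", consistency_issues(rep) or "summary matches listed entries")
    print("re-check after reboot:", *keys_to_recheck(rep), sep="\n  ")
```

Running it on the sample confirms the seven registry entries match the "Registry threats detected : 7" counter and yields six distinct keys (the `MS Track System` key appears once as a key and once via its `Uid` value); those six are what to look for again after rebooting, since the thread's whole problem is entries that reappear.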

#4 tricky17
  • Topic Starter

  • Members
  • 3 posts

Posted 15 January 2009 - 04:21 PM

It appears I have removed Vundo. After rebooting in safe mode, I ran Malwarebytes. It reported a number of files and needed to reboot to remove a couple. I rebooted into Normal mode and the files are gone. I've double checked my registry files and scanned with both SuperAntiSpyware and Malwarebytes with no problems. Thanks for the help.

#5 buddy215
  • Moderator
  • 13,116 posts
  • Gender:Male
  • Location:West Tennessee

Posted 15 January 2009 - 04:43 PM

That is good to hear.
It would be a good idea for the next few days to run a scan with SAS after updating.

Read post #4 and #6 in the links below to learn how to avoid the malware in the future.
http://www.bleepingcomputer.com/forums/ind...t&p=1087873
http://www.bleepingcomputer.com/forums/ind...t&p=1087945

Some of your restore points are infected and need to be deleted. The way to do that is to delete all restore points and set a new one. If needed, see info in link below.
http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/