Vundo Trojan


I'm a new Malwarebytes user. Last night I discovered that my PC was infected with the Vundo Trojan. I think Windows Defender had actually tried to stop it, but unfortunately I didn't immediately recognize the screen as being from Windows Defender and hesitated to click as directed. The screen had a large Windows colored logo in the upper left corner and a large "2009" in the upper right; it looked different than anything I'd seen before, and I hesitated. In retrospect I think it may have been authentic (from Windows Defender), but if so, I didn't recognize it, didn't click, and may have lost my chance to stop the infection right then.

I started getting numerous fake security popups, so I started running scans to find out if the PC is infected. Avast runs resident, but it doesn't find anything. Spybot and Lavasoft AdAware don't either.

I had used Malwarebytes once in the past, so I tried it. The initial run found numerous problems, but also had numerous errors. It kept bringing up grey box popups saying to notify Malwarebytes of the error codes (could it have been running in developer mode?). There were exactly the same 2 two-digit codes on every popup, but of course I thought I'd remember them and didn't write them down. I know for certain that one of them was 09, but unfortunately I'm not certain about the other one (possibly 02).

After that initial run finished I viewed the log and took the recommended actions, including rebooting. However, the problems have not completely gone away. I did a full scan, and numerous quick scans since. Malwarebytes says it will delete certain entries upon reboot, but once I reboot they are back again. Also, once I reboot something keeps turning "Automatic Updates" to "Off" in Control Panel Security.

I downloaded an update from Malwarebytes this afternoon, and have run a couple of quick scans since then, but the entries still don't go away. I've only done the one full scan (last night - it took approximately 2 hours).

Can anyone tell me if this appears to be something the developers are already working on? Again, I'm a new user, and would greatly appreciate any help!

Thanks!

Already had Spybot installed, so checked for updates. No updates found. Switched to Advanced Mode and looked at Resident TeaTimer setting - was not checked, so did not make any change or reboot. Ran Spybot scan. Found 2 infections. Removed all items and immunized.

Had just downloaded a fresh copy of Malwarebytes' Anti-Malware yesterday, but downloaded it again by clicking on the Malwarebytes link in the above response. That sent me to Download.com to do the download (same place I got the fresh copy from yesterday). Did the install, making sure the checkmarks were there as directed. Did a Quick Scan, Show Results, Removed Selected. The resulting log is below:

Malwarebytes' Anti-Malware 1.31

Database version: 1472

Windows 5.1.2600 Service Pack 3

12/7/2008 6:31:50 PM

mbam-log-2008-12-07 (18-31-50).txt

Scan type: Quick Scan

Objects scanned: 57405

Time elapsed: 5 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\rayaluku.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f34ad56d-c085-47d8-ad27-e77ee7217599} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{f34ad56d-c085-47d8-ad27-e77ee7217599} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jazedowajo (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\rayaluku.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\rayaluku.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\rayaluku.dll -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\rayaluku.dll (Trojan.Vundo) -> Delete on reboot.

Will now work on running the scan from PandaActive.

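The scan log above is more informative than its summary counts suggest: the same DLL is referenced from three registry data items, two of which (AppInit_DLLs and the LSA Notification Packages value) are load points that Windows processes at boot, which is why the scanner can only schedule the file for deletion at reboot. As an added example (not code from the thread and not a Malwarebytes tool), the script below parses lines in the format of that log, labels each finding with the Windows load point it corresponds to, and reports, for every file marked "Delete on reboot", the load points that reference it. The sample log excerpt embedded in the script is constructed from the lines posted above; the load-point labels are documented Windows behaviour, not something the log states.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and relate each
"Delete on reboot" file to the registry load points that reference it.
Added example for this thread; not Malwarebytes code."""
import ntpath
import re
from collections import defaultdict

# Constructed sample: an excerpt in the same format as the MBAM 1.31 log
# posted in the thread (not the complete log file).
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\rayaluku.dll (Trojan.Vundo) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f34ad56d-c085-47d8-ad27-e77ee7217599} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f34ad56d-c085-47d8-ad27-e77ee7217599} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jazedowajo (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\rayaluku.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\rayaluku.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\rayaluku.dll -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\rayaluku.dll (Trojan.Vundo) -> Delete on reboot.
"""

# One finding per line: "<target> (<threat>) -> [Data: <data> -> ]<action>."
ITEM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<threat>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$"
)

# Registry paths and the Windows load point each one represents. Matched
# case-insensitively as substrings of the lower-cased key path.
PERSISTENCE_LOCATIONS = {
    "\\appinit_dlls": "AppInit_DLLs",                      # loaded into every process that loads user32.dll
    "\\lsa\\notification packages": "LSA Notification Packages",  # loaded by lsass.exe at boot
    "\\currentversion\\run\\": "Run key",                  # launched at user logon
    "\\browser helper objects\\": "Browser Helper Object", # loaded into Internet Explorer
    "hkey_classes_root\\clsid\\": "COM class registration", # CLSID backing the BHO
}


def persistence_mechanism(target):
    """Return the load point a registry target corresponds to, or None."""
    lowered = target.lower()
    for needle, name in PERSISTENCE_LOCATIONS.items():
        if needle in lowered:
            return name
    return None


def parse_mbam_log(text):
    """Return a list of findings, each a dict with the section it was listed
    under, the target, threat name, optional data value, action and mechanism."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):       # blank or "(No malicious items detected)"
            continue
        if line.endswith(":") and " -> " not in line:
            section = line[:-1]                     # e.g. "Registry Keys Infected"
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        findings.append({
            "section": section,
            "target": m.group("target"),
            "threat": m.group("threat"),
            "data": m.group("data"),
            "action": m.group("action"),
            "mechanism": persistence_mechanism(m.group("target")),
        })
    return findings


def reboot_locked_dlls(findings):
    """Map each file the scanner could only schedule for deletion at reboot to
    the sorted list of load points whose data value names that file."""
    locked = {
        ntpath.basename(f["target"]).lower()
        for f in findings if f["action"].lower() == "delete on reboot"
    }
    refs = defaultdict(set)
    for f in findings:
        if f["data"] and f["mechanism"]:
            name = ntpath.basename(f["data"]).lower()   # handles both full and relative paths
            if name in locked:
                refs[name].add(f["mechanism"])
    return {name: sorted(points) for name, points in refs.items()}


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    for f in parsed:
        print(f"{f['section']:<30} {f['mechanism'] or '-':<26} {f['target']}")
    for dll, points in reboot_locked_dlls(parsed).items():
        print(f"\n{dll} is referenced from: {', '.join(points)}")
```

Run against a saved log (`mbam-log-*.txt`) by reading the file into `parse_mbam_log` instead of `SAMPLE_LOG`. The useful output is the last line: a DLL that is both "Delete on reboot" and listed under AppInit_DLLs and Notification Packages is loaded by lsass.exe and by every GUI process before any on-demand scanner runs, which is consistent with the earlier report that entries return after a restart, and is why the usual advice in these threads is an offline or early-boot removal rather than repeated quick scans.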
Just downloaded Panda using the link in the above message. Installed, then tried to run a full scan. The scan failed with an error:

"ActiveScan 2.0 Update: Update error", "Sorry, updating is incomplete due to an error. Please try again."

I've tried multiple times, but keep getting the same error.

I'll try the other product (ESET Online) shortly.
