kptcomp

Trojan.Vundo.H FP


I have been doing a scan on a customer's machine and MBAM keeps reporting a Trojan.Vundo.H infection, claims the infection is removed and upon an immediate rescan the same reg entries are back. Did a bit of research (regmon.exe) and determined that as soon as MBAM (or any registry/startup editor) removed the "infected" keys the spoolsv.exe process simply re-added them.

I have downloaded and run two separate Vundo removal tools and neither of them report any infected registry keys/files.

Finally I ran the MS SFC to ensure that none of the system files (spoolsv.exe) had been corrupted.

Any help would be appreciated.

Cheers!

Eric

mbam_log_2008_12_29__17_11_08_.txt
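
The check described in the post above (finding which process restores the keys right after a removal), as an added example that is not part of the original post: it scans a registry-monitor log for keys deleted by one process and recreated by another within a short window. The tab-separated column layout, the request names and the key path are assumptions and constructed placeholders, not values from Regmon's documentation or the attached log.

```python
from collections import namedtuple

# Request names assumed from a Regmon-style export; adjust to the real log.
DELETE_OPS = {"DeleteKey", "DeleteValueKey"}
WRITE_OPS = {"CreateKey", "SetValue"}

# Constructed sample rows: seq, seconds, process:pid, request, path, result.
KEY = r"HKLM\SOFTWARE\EXAMPLE\{PLACEHOLDER-GUID}"  # placeholder, not from the log
ROWS = [
    ("1", "0.10", "mbam.exe:1820", "DeleteKey", KEY, "SUCCESS"),
    ("2", "0.12", "explorer.exe:1500", "QueryValue", r"HKLM\SOFTWARE\Other", "SUCCESS"),
    ("3", "0.31", "spoolsv.exe:1104", "CreateKey", KEY, "SUCCESS"),
    ("4", "0.32", "spoolsv.exe:1104", "SetValue", KEY + r"\Data", "SUCCESS"),
    ("5", "9.80", "mbam.exe:1820", "DeleteKey", KEY, "SUCCESS"),
    ("6", "9.95", "spoolsv.exe:1104", "CreateKey", KEY, "SUCCESS"),
    ("7", "12.00", "regedit.exe:300", "DeleteKey", r"HKLM\SOFTWARE\Gone", "SUCCESS"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in ROWS)

Event = namedtuple("Event", "time proc op path ok")

def parse(log):
    """Yield events from tab-separated lines, skipping headers and junk."""
    for line in log.splitlines():
        cols = line.split("\t")
        try:
            yield Event(float(cols[1]), cols[2].split(":")[0].lower(),
                        cols[3], cols[4].lower(), cols[5] == "SUCCESS")
        except (IndexError, ValueError):
            continue

def find_readders(log, window=1.0):
    """Return (path, deleter, re-adder, delay) for keys restored after deletion."""
    pending, hits = {}, []
    for e in parse(log):
        if not e.ok:
            continue
        if e.op in DELETE_OPS:
            pending[e.path] = (e.time, e.proc)  # remember who removed it and when
            continue
        if e.op not in WRITE_OPS:
            continue
        for path, (t, deleter) in list(pending.items()):
            under = e.path == path or e.path.startswith(path + "\\")
            if under and e.proc != deleter and e.time - t <= window:
                hits.append((path, deleter, e.proc, round(e.time - t, 2)))
                del pending[path]  # report each restore once per deletion
    return hits
```

On the constructed sample, `find_readders(SAMPLE_LOG)` reports two restores of the placeholder key, both removed by `mbam.exe` and recreated by `spoolsv.exe` within a fraction of a second.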


Looking at that log I have to agree. I did a quick Google check and both the file name and GUID don't have the loads of info all legit components have.

I see no way that this could be a FP.

I had the same problem with Trojan.Vundo.H, I used Malwarebytes 1.31, it said it removed the registry keys, however, after removal and an immediate rescan the same two registry entries reappeared. I used HijackThis to remove the same keys and they just reappeared immediately. I was lucky, I restored my system to an earlier date and after reboot the infections didn't appear again.

Usually doing a system restore doesn't get rid of the infections, however, this time it worked.

Seems that nothing will remove Trojan.Vundo.H. There is also a registry entry that runs a file that supports the other registry entry. It's bazoveza.dll, Malwarebytes 1.31 will delete the file, however, deleting the registry entry is fruitless, because it comes back just like the other entries.

I hope someone finds a way to get rid of the registry entries without them coming back.

Hi terryt and welcome to Malwarebytes'. I'm glad you were able to kill it off. There are quite a few so far struggling with this one. Should you see any further signs that you might still be infected after the restore then please follow the instructions here:

http://www.malwarebytes.org/forums/index.php?showtopic=2936

and post your logs in a new topic here:

http://www.malwarebytes.org/forums/index.php?showforum=7

Please be sure not to install any software or use any removal/scanning tools except those that you are instructed to by the expert who will be assisting you as doing so can make their job much more difficult.

I hope I was helpful. Good luck and safe surfing.

I didn't kill it off, it would still be on my system if I didn't do a system restore to before I had the infection. Nothing I tried killed the registry entries, they would immediately reappear in the registry.

I didn't try Spybot or Panda, maybe if I get it again I will try other programs.
