
Yet Another Trojan.vundo

Vundo inserts registry entries to suppress Windows warnings about the disabling of the firewall, antivirus, and the Automatic Updates service; it disables the Automatic Updates service and quickly re-disables it if it is manually re-enabled. Vundo may cause many websites to be inaccessible. Close all programmes, leaving only HijackThis running. Do not make any changes to default settings, and when the program has finished installing, make sure you leave "Launch Malwarebytes Anti-Malware" checked.

Writeup By: Henry Bell and Eric Chien. Trojan.Vundo may also be downloaded by other malware.

GEOGRAPHICAL DISTRIBUTION: Symantec has observed the following geographic distribution of this threat. It stores all keystrokes in the file %Windir%\Temp\CD1A40.txt, which it creates itself.

These methods are random names, random autorun locations, random CLSIDs, and rootkits to hide these locations from removal tools.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder.1

Older variants bear the following characteristics: they decrypt and drop a DLL file to the victim machine.

If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. MBAM will now delete all of the files and registry keys and add them to the program's quarantine.

Do not use it yet. Next, we need to disable SpySweeper. To do this, please download RKill to your desktop from the following link.

Aliases:
Microsoft - Trojan:Win32/Vundo.gen!AV
Symantec - Trojan.Vundo!gen9
Kaspersky - Trojan.Win32.Monder.nzxr

Characteristics: "Vundo" is the detection for a Trojan. An example of this type of misleading advertisement would be pop-ups alerting users that they are infected with a Blackworm virus.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}\InprocServer32\: "path to the trojan DLL file"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}

Creates a Winlogon key with a random filename.

My instructions to delete it follow:
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe RISKWARE!

Your new log is clean.

Once your computer has rebooted and you are logged in, please continue with the rest of the steps. If you get a message that RKill is an infection, do not be concerned. Mods, please let me know if I cross the line as to what I am supposed to post here.

Follow the instructions in step five of this guide, and reply here with your log. Most of what HijackThis lists will be harmless or even essential; DO NOT delete or

Here is the MBAM log... even though the infections have been quarantined and deleted, the same values always come back.

If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Check Local Disc C. This message is just a fake warning given by Trojan.Vundo and Virtumonde when it terminates programs that may potentially remove it. "The program could not find the malware and other potentially unwanted software on this computer." Almost all varieties of Vundo feature some sort of pop-up advertising as well as rooting themselves to make them difficult to delete.

#4 edrock13 (Topic Starter, Members, 4 posts) Posted 21 April 2009 - 12:26 PM: It seems that I am the only one


I'm dealing with a pretty stubborn Vundo variant.

Registry changes: Vundo maintains most of the original characteristics; a few of the registry changes are mentioned below. Malwarebytes' Anti-Malware's executable may be deleted as soon as it is installed (depending on your infection).

Installs adware that is sometimes pornographic.

Place a checkmark or tick against the following:
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O20

O4 - Startup: PowerReg Scheduler.exe (this is not required at startup, but it is a valid program)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (this is a

Gathers unknown information. Please ensure your data is backed up before proceeding. Here is my new log. Your computer will reboot and check to see if the file is gone.