
Author Topic: Virus on Vista 64 bit -Vundo  (Read 4674 times)


brett701

    Topic Starter


    Rookie

    Virus on Vista 64 bit -Vundo
    « on: March 06, 2009, 10:38:50 PM »
    I have the Vundo virus and my Windows Defender keeps finding it and deleting it, I assume. However, it keeps coming back. The name is slightly changing, I believe. It will go from Vundo.gen!R to vundo.gen!N.

    I've downloaded some software to remove this, however I have Vista 64 bit OS and it doesn't seem to be working with 64 bit OS.


    Any help is greatly appreciated.

    brett701


      Re: Virus on Vista 64 bit -Vundo
      « Reply #1 on: March 08, 2009, 05:15:59 AM »
      Help please. I've read that you can never actually fix Vundo and you have to reformat.

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: Virus on Vista 64 bit -Vundo
      « Reply #2 on: March 08, 2009, 09:05:56 PM »

      brett701


        Re: Virus on Vista 64 bit -Vundo
        « Reply #3 on: March 10, 2009, 11:49:04 AM »
        Here are the notes for SUPERAntiSpyware. I've completed the quick scan, which took over an hour. I misread the directions about doing the full scan and looked ahead. I will continue to post and redo the full scan. Currently Malwarebytes is scanning and I will redo the SUPERAntiSpyware full scan afterwards.

        SUPERAntiSpyware Scan Log
        http://www.superantispyware.com

        Generated 03/09/2009 at 04:24 AM

        Application Version : 4.25.1014

        Core Rules Database Version : 3788
        Trace Rules Database Version: 1745

        Scan type       : Quick Scan
        Total Scan Time : 01:24:55

        Memory items scanned      : 1004
        Memory threats detected   : 0
        Registry items scanned    : 507
        Registry threats detected : 10
        File items scanned        : 27995
        File threats detected     : 3

        Adware.Vundo Variant
           HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{85DD4E0D-2B01-4D4D-9E66-3A165AB6EDA4}
           HKCR\CLSID\{85DD4E0D-2B01-4D4D-9E66-3A165AB6EDA4}
           HKCR\CLSID\{85DD4E0D-2B01-4D4D-9E66-3A165AB6EDA4}\InprocServer32
           HKCR\CLSID\{85DD4E0D-2B01-4D4D-9E66-3A165AB6EDA4}\InprocServer32#ThreadingModel
           C:\WINDOWS\SYSWOW64\FCCBYQPI.DLL
           HKCR\CLSID\{85DD4E0D-2B01-4D4D-9E66-3A165AB6EDA4}

        Adware.Tracking Cookie
           C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
           C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt

        Adware.Vundo Variant/Rel
           HKLM\Software\Microsoft\Windows\CurrentVersion\Run#MSServer [ rundll32.exe C:\Windows\system32\fccbYqPi.dll,#1 ]
           HKLM\SOFTWARE\Microsoft\RemoveRP

        Rogue.Component/Trace
           HKLM\Software\Microsoft\02BA766D
           HKLM\Software\Microsoft\02BA766D#02ba766d
           HKLM\Software\Microsoft\02BA766D#Version


        brett701


          Re: Virus on Vista 64 bit -Vundo
          « Reply #4 on: March 10, 2009, 11:51:04 AM »
          This is 1st antimalware log.

          Malwarebytes' Anti-Malware 1.34
          Database version: 1831
          Windows 6.0.6001 Service Pack 1

          3/10/2009 12:47:41 PM
          mbam-log-2009-03-10 (12-47-16).txt

          Scan type: Quick Scan
          Objects scanned: 68896
          Time elapsed: 3 minute(s), 57 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 0
          Registry Keys Infected: 0
          Registry Values Infected: 0
          Registry Data Items Infected: 2
          Folders Infected: 0
          Files Infected: 0

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          (No malicious items detected)

          Registry Values Infected:
          (No malicious items detected)

          Registry Data Items Infected:
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

          Folders Infected:
          (No malicious items detected)

          Files Infected:
          (No malicious items detected)


          brett701


            Re: Virus on Vista 64 bit -Vundo
            « Reply #5 on: March 10, 2009, 11:51:39 AM »
            2nd antimalware log.


            Malwarebytes' Anti-Malware 1.34
            Database version: 1831
            Windows 6.0.6001 Service Pack 1

            3/10/2009 12:47:48 PM
            mbam-log-2009-03-10 (12-47-44).txt

            Scan type: Quick Scan
            Objects scanned: 68896
            Time elapsed: 3 minute(s), 57 second(s)

            Memory Processes Infected: 0
            Memory Modules Infected: 0
            Registry Keys Infected: 0
            Registry Values Infected: 0
            Registry Data Items Infected: 2
            Folders Infected: 0
            Files Infected: 0

            Memory Processes Infected:
            (No malicious items detected)

            Memory Modules Infected:
            (No malicious items detected)

            Registry Keys Infected:
            (No malicious items detected)

            Registry Values Infected:
            (No malicious items detected)

            Registry Data Items Infected:
            HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

            Folders Infected:
            (No malicious items detected)

            Files Infected:
            (No malicious items detected)



            brett701


              Re: Virus on Vista 64 bit -Vundo
              « Reply #6 on: March 10, 2009, 12:04:53 PM »
              HJT log

              [attachment deleted by admin]

              evilfantasy

              Re: Virus on Vista 64 bit -Vundo
              « Reply #7 on: March 10, 2009, 12:35:02 PM »
              Why is "No action taken." in the MBAM logs?

              brett701


                Re: Virus on Vista 64 bit -Vundo
                « Reply #8 on: March 10, 2009, 01:08:02 PM »
                I'm not sure. I don't think I skipped a step of it. I will redo it once this SUPERAntiSpyware completes its full scan. It has been going for over an hour and has like 111 gigs to scan total.

                brett701


                  Re: Virus on Vista 64 bit -Vundo
                  « Reply #9 on: March 10, 2009, 01:49:25 PM »
                  Here is my SUPERAntiSpyware full scan.


                  SUPERAntiSpyware Scan Log
                  http://www.superantispyware.com

                  Generated 03/10/2009 at 02:43 PM

                  Application Version : 4.25.1014

                  Core Rules Database Version : 3790
                  Trace Rules Database Version: 1746

                  Scan type       : Complete Scan
                  Total Scan Time : 01:35:04

                  Memory items scanned      : 865
                  Memory threats detected   : 0
                  Registry items scanned    : 8002
                  Registry threats detected : 0
                  File items scanned        : 188039
                  File threats detected     : 8

                  Adware.Tracking Cookie
                     C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\owner@advertising[1].txt
                     C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
                     C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
                     C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\owner@atdmt[1].txt
                     C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
                     C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\owner@atwola[2].txt
                     C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\owner@doubleclick[1].txt
                     C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt


                  brett701


                    Re: Virus on Vista 64 bit -Vundo
                    « Reply #10 on: March 10, 2009, 02:07:04 PM »
                    So the no action part I'm a bit confused by. So I just went and removed the logs and then I rescanned and it ended up finding nothing. This is what it found with the antimalware software.



                    Malwarebytes' Anti-Malware 1.34
                    Database version: 1831
                    Windows 6.0.6001 Service Pack 1

                    3/10/2009 3:03:20 PM
                    mbam-log-2009-03-10 (15-03-20).txt

                    Scan type: Quick Scan
                    Objects scanned: 67930
                    Time elapsed: 2 minute(s), 26 second(s)

                    Memory Processes Infected: 0
                    Memory Modules Infected: 0
                    Registry Keys Infected: 0
                    Registry Values Infected: 0
                    Registry Data Items Infected: 0
                    Folders Infected: 0
                    Files Infected: 0

                    Memory Processes Infected:
                    (No malicious items detected)

                    Memory Modules Infected:
                    (No malicious items detected)

                    Registry Keys Infected:
                    (No malicious items detected)

                    Registry Values Infected:
                    (No malicious items detected)

                    Registry Data Items Infected:
                    (No malicious items detected)

                    Folders Infected:
                    (No malicious items detected)

                    Files Infected:
                    (No malicious items detected)


                    brett701


                      Re: Virus on Vista 64 bit -Vundo
                      « Reply #11 on: March 10, 2009, 02:12:20 PM »
                      In addition to all of the logs, the things I think might be suspicious:

                      - Active update pops up non-stop and is annoying. I think it might be AOL.
                      - I get an error that says "Big-O Software.url" that this shortcut refers to has been changed or moved, so this shortcut will no longer work properly. Do you want to delete this shortcut? I think this has something to do with the Bluetooth.
                      - I also get a csc.exe error when I shut down my computer. I've gotten that for a while.
                      « Last Edit: March 11, 2009, 07:51:59 AM by brett701 »

                      evilfantasy

                      Re: Virus on Vista 64 bit -Vundo
                      « Reply #12 on: March 10, 2009, 05:26:41 PM »
                      Quote
                      I think this has something to do with the Bluetooth

                      Have you checked add/remove programs to uninstall anything you don't use?

                      brett701


                        Re: Virus on Vista 64 bit -Vundo
                        « Reply #13 on: March 11, 2009, 08:09:20 AM »
                        I've looked, but there is so much on the cpu it's hard to know what I use and do not use.

                        I will state potentially suspicious items below. They are most likely nothing.


                        Cam unzip 4.42
                        Click to Disc and Click to Disc Editor (Sony Corp)
                        Microsoft Silverlight (Microsoft Corp), I think it's some sort of "new" Flash by Microsoft
                        ORCA (Microsoft)
                        MSXML 4.0 SP2, parser and SDK (Microsoft Corp)

                        evilfantasy

                        Re: Virus on Vista 64 bit -Vundo
                        « Reply #14 on: March 11, 2009, 04:35:25 PM »
                        Big-O Software is related to this http://www.softpedia.com/get/System/File-Management/hkSFV.shtml

                        Do you know what that is?