Trojan.Vundo

NotreDame

Hi

I have been running my pc with Avast free version and then malwarebytes anti spyware.

Malwarebytes is showing I have a trojan - Trojan.vundo.

I have tried to delete this using malwarebytes but when pc is restarted and I run malwarebytes again it is still there. Did a full scan with avast and that said computer had no infections. Also there are loads of "PUP.Mywebsearch" showing on malwarebytes scan. Any ideas how to get rid of this trojan please?



imho

This should get rid of it .
http://www.majorgeeks.com/Symantec_Trojan.Vundo_Removal_Tool_d4430.html

nickcc

You can also try running the scan in safe mode, this has worked for me in the past.

FLAPJACK

Hi Nickcc.

I have the same problem....how do you go about running a scan in safe mode?

Cheers!

nickcc

Start your pc in safe mode by pressing F8 when you switch on then when safe mode comes up just select your virus scanner and let it run.

waddler_8

Vundo hasn't been around for a while, & the Symantec removal tool probably hasn't been updated for a while too.

What's being detected as vundo by mbam? Post the mbam log here.
Is it a SearchScopes registry entry (a CLSID)? If it is. it's likely attributed to MyWebSearch in any case.

Mbam is at it's best in normal mode.

http://helpdesk.malwarebytes.org/entries/21892442-Should-I-scan-with-Malwarebytes-Anti-Malware-in-Safe-Mode-

DUTR

NotreDame wrote: »

Hi

I have been running my pc with Avast free version and then malwarebytes anti spyware.

Malwarebytes is showing I have a trojan - Trojan.vundo.

I have tried to delete this using malwarebytes but when pc is restarted and I run malwarebytes again it is still there. Did a full scan with avast and that said computer had no infections. Also there are loads of "PUP.Mywebsearch" showing on malwarebytes scan. Any ideas how to get rid of this trojan please?



My AV popped up this afternoon saying it had detected and quarantined a virus, I have used AVG and Avast in the past, but for the £7 /year I prefer the protection that mcafee has been offering over the years of trouble free computing.

waddler_8

You're unlikely to get any more protection from Mcafee than AVG or Avast or any other, no matter how much you pay, as your post seems to suggest.

If detections are made by your AV, you need to look at how the malware is getting on the system, rather than thinking another AV is going to give you better protection.

Close the attack vectors and the AV should have nothing to do.

NotreDame

This is a copy of the malwarebytes just run a few minutes ago. I click to delete, it does, but when I run scan again it's still there?


03/03/2013 19:24:14
mbam-log-2013-03-03 (19-24-14).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 243691
Time elapsed: 7 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 12
HKCR\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\FocusInteractive (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Fun Web Products (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\MyWebSearch (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Delete on reboot.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 7
C:\Program Files\FunWebProducts (PUP.MyWebSearch) -> No action taken.
C:\Program Files\FunWebProducts\ScreenSaver (PUP.MyWebSearch) -> No action taken.
C:\Program Files\FunWebProducts\ScreenSaver\Images (PUP.MyWebSearch) -> No action taken.
C:\Program Files\MyWebSearch (PUP.MyWebSearch) -> No action taken.
C:\Program Files\MyWebSearch\bar (PUP.MyWebSearch) -> No action taken.
C:\Program Files\MyWebSearch\bar\History (PUP.MyWebSearch) -> No action taken.
C:\Program Files\MyWebSearch\bar\Settings (PUP.MyWebSearch) -> No action taken.

Files Detected: 2
C:\Program Files\u4res.dll (PUP.MyWebSearch) -> No action taken.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (PUP.MyWebSearch) -> No action taken.

(end)

NotreDame

It's also sending out emails from my email address? Should I change my password or if there is something on my system would it just pick that up anyway?

waddler_8

As I said, it is a searchscopes entry (Trojan.Vundo). It is MyWebSearch

http://www.threatexpert.com/report.aspx?md5=96ddc950142272d13c450e0e4c9449a2

No action taken

You need to ensure all the boxes are checked for deletion, or go into the settings and change the action for PUP's.

Select the Settings tab > Scanner Settings tab
For Action for Potentially Unwanted Programs (PUP), choose Show in results list and check for removal

It's also sending out emails from my email address?

It's unlikely to be related to the mbam detections.

Should I change my password

Yes.