BlueEyedFox

Vundo keeps coming back, Help me delete it please

I can't delete Vundo. I tried, and when I scanned again it was back. Please help me out. The only difference is that my NOD 32 kept detecting urqOFWMD.dll and kept quarantining it, and after the SUPERAntivirus cleaned it the counter stopped going up.

NOD 32 Quarantine Box (numbers kept going up): nodscandt5.jpg

Now, the first log is the log for my first scan. After this I removed them and did a reboot.

-------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 05/05/2008 at 11:18 PM

Application Version : 4.1.1032

Core Rules Database Version : 3453

Trace Rules Database Version: 1445

Scan type : Complete Scan

Total Scan Time : 00:10:06

Memory items scanned : 361

Memory threats detected : 2

Registry items scanned : 3329

Registry threats detected : 12

File items scanned : 6698

File threats detected : 37

Trojan.Vundo-Variant/F

C:\WINDOWS\SYSTEM32\URQOFWMD.DLL

C:\WINDOWS\SYSTEM32\URQOFWMD.DLL

Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\urqOFWMD

Adware.Vundo Variant/Resident

C:\WINDOWS\SYSTEM32\WVUNMCBA.DLL

C:\WINDOWS\SYSTEM32\WVUNMCBA.DLL

Adware.Vundo Variant

HKLM\Software\Classes\CLSID\{C14E6230-757D-4246-81CE-B34E2940C722}

HKCR\CLSID\{C14E6230-757D-4246-81CE-B34E2940C722}

HKCR\CLSID\{C14E6230-757D-4246-81CE-B34E2940C722}\InprocServer32

HKCR\CLSID\{C14E6230-757D-4246-81CE-B34E2940C722}\InprocServer32#ThreadingModel

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C14E6230-757D-4246-81CE-B34E2940C722}

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{C14E6230-757D-4246-81CE-B34E2940C722}

HKCR\CLSID\{C14E6230-757D-4246-81CE-B34E2940C722}

Adware.Vundo-Variant

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64D32272-2033-45F3-8061-7FD612BC8B6B}

HKCR\CLSID\{64D32272-2033-45F3-8061-7FD612BC8B6B}

HKCR\CLSID\{64D32272-2033-45F3-8061-7FD612BC8B6B}\InprocServer32

HKCR\CLSID\{64D32272-2033-45F3-8061-7FD612BC8B6B}\InprocServer32#ThreadingModel

-------------------------------------------------------------------------------------

Now this is my log the second time around after the reboot

-------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 05/05/2008 at 11:25 PM

Application Version : 4.1.1032

Core Rules Database Version : 3453

Trace Rules Database Version: 1445

Scan type : Quick Scan

Total Scan Time : 00:03:46

Memory items scanned : 351

Memory threats detected : 1

Registry items scanned : 296

Registry threats detected : 4

File items scanned : 3078

File threats detected : 2

Adware.Vundo Variant/Resident

C:\WINDOWS\SYSTEM32\WVUNMCBA.DLL

C:\WINDOWS\SYSTEM32\WVUNMCBA.DLL

Adware.Vundo-Variant

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24179403-B80E-4139-B656-1894792BEB52}

HKCR\CLSID\{24179403-B80E-4139-B656-1894792BEB52}

HKCR\CLSID\{24179403-B80E-4139-B656-1894792BEB52}\InprocServer32

HKCR\CLSID\{24179403-B80E-4139-B656-1894792BEB52}\InprocServer32#ThreadingModel

-------------------------------------------------------------------------------------

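An added example, not part of the original post and not SUPERAntiSpyware's own tooling: a Python script that compares the detection lines of the two scan logs above to show what the clean-and-reboot cleared, what survived and what is new. The log excerpts are trimmed from the post; the mechanism labels and function names are this example's own.

```python
import re

# Detection lines trimmed from the two SUPERAntiSpyware logs in the post above
# (first scan, then the scan after cleaning and rebooting).
SCAN_1 = r"""
Trojan.Vundo-Variant/F
C:\WINDOWS\SYSTEM32\URQOFWMD.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\urqOFWMD
Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\WVUNMCBA.DLL
Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C14E6230-757D-4246-81CE-B34E2940C722}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{C14E6230-757D-4246-81CE-B34E2940C722}
Adware.Vundo-Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64D32272-2033-45F3-8061-7FD612BC8B6B}
"""
SCAN_2 = r"""
Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\WVUNMCBA.DLL
Adware.Vundo-Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24179403-B80E-4139-B656-1894792BEB52}
"""

# Autostart/load points seen in these logs; the labels are this example's own.
MECHANISMS = [
    ("winlogon-notify", re.compile(r"\\WinLogon\\Notify\\", re.I)),
    ("browser-helper-object", re.compile(r"\\Browser Helper Objects\\", re.I)),
    ("shell-execute-hook", re.compile(r"\\ShellExecuteHooks#", re.I)),
    ("dll-on-disk", re.compile(r"^[A-Z]:\\.+\.dll$", re.I)),
]

def parse(log):
    """Return {(mechanism, item)}; threat-name lines match nothing and are skipped."""
    found = set()
    for line in (raw.strip() for raw in log.splitlines()):
        for name, rx in MECHANISMS:
            if rx.search(line):
                found.add((name, line.upper()))  # Windows paths and keys are case-insensitive
                break
    return found

def compare(before, after):
    """Split detections into cleared, survived and new across a clean-and-reboot."""
    a, b = parse(before), parse(after)
    return {"cleared": a - b, "survived": a & b, "new": b - a}

if __name__ == "__main__":
    for status, items in compare(SCAN_1, SCAN_2).items():
        for mech, item in sorted(items):
            print(f"{status:9} {mech:22} {item}")
```

On these two logs the only item that survives is WVUNMCBA.DLL, and the Browser Helper Object returns under a CLSID that was absent from the first scan.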

Using SAS I detected this Vundo/rel junk for the first time.

I tried it this way: Vundo is blocked but you can't delete it, and on the next startup and SAS scan, SAS finds it again... and again... and again.

With a combination of SAS, Avira, Take Control and Unlocker I deleted the blocked junk.

In Program Files I found a folder named "Common Files". Open it... there you can find a folder "Wise Installation Wizard". There I found 2 installers. I copied the names of those installers and checked on Google.. the result was "vundo" junk.. I deleted them..

Next... using Avira I found 2 DLLs blocked by Avira: "fkuuvlax.dll" and "dlqoniq.dll".

You cannot delete them manually because you need to be system administrator (you are, I know)... BUT :idea: (there is always a but) first I used the "Take Control" software to take control over these 2 DLLs and renamed them to "fkuuvlax.dll.old" and "dlqoniq.dll.old".

Unlock using Unlocker. Unlocker told me that I had already unlocked them... and click delete on next startup.. voilà.

After 2 days of fighting with this vundo sh.. I finally won :D

Sorry for my bad English.


Please submit a ticket here if you are still infected - we can run a diagnostic as described above:

https://www.superantispyware.com/support.html

Share this post


Link to post
Share on other sites

Just want to say that this program and danijel31's post helped me get rid of the virus. Because of the steps involved it's hard to know which step did it or if all of them together were the answer.

I had tried just SAS but even though it gave me the most accurate results, removal was temporary or partial. I really think the manual removal or shredding of certain files did it for me.

I also used Hijack This and SAS together in safe mode and shredded 2 System32 files (that were reported) manually after renaming them.

Thanks again SAS and forum helpers.


No problem - we are always here to help - FYI - if you had submitted the support request and let us run the diagnostic (takes just a few mins) we would have updated our definitions to remove the remaining part of the infection - keep that in mind in the future :)
