BlueEyedFox Posted May 6, 2008

I can't delete Vundo. I tried, and I scanned again and it was back. Please help me out.

The only difference is my NOD 32 kept detecting urqOFWMD.dll and kept quarantining it, and after the SUPERAntivirus cleaned it the counter stopped going up.

NOD 32 Quarantine Box ( Numbers kept going up ):

Now the first log is the log for my first scan. After this I removed them and did a reboot.

-------------------------------------------------------------------------------------
SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 05/05/2008 at 11:18 PM

Application Version : 4.1.1032

Core Rules Database Version : 3453
Trace Rules Database Version: 1445

Scan type : Complete Scan
Total Scan Time : 00:10:06

Memory items scanned : 361
Memory threats detected : 2
Registry items scanned : 3329
Registry threats detected : 12
File items scanned : 6698
File threats detected : 37

Trojan.Vundo-Variant/F
    C:\WINDOWS\SYSTEM32\URQOFWMD.DLL
    C:\WINDOWS\SYSTEM32\URQOFWMD.DLL
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\urqOFWMD

Adware.Vundo Variant/Resident
    C:\WINDOWS\SYSTEM32\WVUNMCBA.DLL
    C:\WINDOWS\SYSTEM32\WVUNMCBA.DLL

Adware.Vundo Variant
    HKLM\Software\Classes\CLSID\{C14E6230-757D-4246-81CE-B34E2940C722}
    HKCR\CLSID\{C14E6230-757D-4246-81CE-B34E2940C722}
    HKCR\CLSID\{C14E6230-757D-4246-81CE-B34E2940C722}\InprocServer32
    HKCR\CLSID\{C14E6230-757D-4246-81CE-B34E2940C722}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C14E6230-757D-4246-81CE-B34E2940C722}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{C14E6230-757D-4246-81CE-B34E2940C722}
    HKCR\CLSID\{C14E6230-757D-4246-81CE-B34E2940C722}

Adware.Vundo-Variant
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64D32272-2033-45F3-8061-7FD612BC8B6B}
    HKCR\CLSID\{64D32272-2033-45F3-8061-7FD612BC8B6B}
    HKCR\CLSID\{64D32272-2033-45F3-8061-7FD612BC8B6B}\InprocServer32
    HKCR\CLSID\{64D32272-2033-45F3-8061-7FD612BC8B6B}\InprocServer32#ThreadingModel
-------------------------------------------------------------------------------------

Now this is my log the second time around, after the reboot.

-------------------------------------------------------------------------------------
SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 05/05/2008 at 11:25 PM

Application Version : 4.1.1032

Core Rules Database Version : 3453
Trace Rules Database Version: 1445

Scan type : Quick Scan
Total Scan Time : 00:03:46

Memory items scanned : 351
Memory threats detected : 1
Registry items scanned : 296
Registry threats detected : 4
File items scanned : 3078
File threats detected : 2

Adware.Vundo Variant/Resident
    C:\WINDOWS\SYSTEM32\WVUNMCBA.DLL
    C:\WINDOWS\SYSTEM32\WVUNMCBA.DLL

Adware.Vundo-Variant
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24179403-B80E-4139-B656-1894792BEB52}
    HKCR\CLSID\{24179403-B80E-4139-B656-1894792BEB52}
    HKCR\CLSID\{24179403-B80E-4139-B656-1894792BEB52}\InprocServer32
    HKCR\CLSID\{24179403-B80E-4139-B656-1894792BEB52}\InprocServer32#ThreadingModel
-------------------------------------------------------------------------------------

irish1371 Posted May 6, 2008

I'm in the same boat. SAS got rid of this trojan last week for me, but not this time.

Pandato Posted May 6, 2008

Please submit a customer support request for assistance.

SUPERAntiSpy Posted May 6, 2008

Please submit a ticket here: https://www.superantispyware.com/support.html

danijel31 Posted May 24, 2008

Using SAS I detected this Vundo/rel junk for the first time. I tried it this way: Vundo is blocked but you can't delete it; on the next startup and SAS scan, SAS finds it again... and again... and again. With a combination of SAS, Avira, Take Control and Unlocker I deleted the blocked junk.

In Program Files I found a folder named "Common Files"; open it... there you can find a folder "Wise Installation Wizard". There I found 2 installers. I copied the names of those installers and checked on Google.. the result was "vundo" junk.. I deleted it..

Next... using Avira I found 2 DLLs blocked by Avira, "fkuuvlax.dll" and "dlqoniq.dll". You cannot delete them manually because you need to be system administrator (you are, I know)... BUT (there is always a but) first I used the "Take Control" software to take control over these 2 DLLs and renamed them to "fkuuvlax.dll.old" and "dlqoniq.dll.old", unlocked them using Unlocker (Unlocker told me that I had already unlocked them...) and clicked delete on next startup.. Voila, after 2 days fighting with this Vundo sh.. I finally won.

Sorry for my bad English.

SUPERAntiSpy Posted May 25, 2008

Please submit a ticket here if you are still infected - we can run a diagnostic as described above: https://www.superantispyware.com/support.html

Jimdish255 Posted June 18, 2008

Just want to say that this program and danijel31's post helped me get rid of the virus. Because of the steps involved it's hard to know which step did it, or if all of them together were the answer.

I had tried just SAS, but even though it gave me the most accurate results, removal was temporary or partial. I really think the manual removal or shredding of certain files did it for me. I also used Hijack This and SAS together in safe mode and shredded 2 System32 files (that were reported) manually after renaming them.

Thanks again SAS and forum helpers.

SUPERAntiSpy Posted June 18, 2008

No problem - we are always here to help - FYI - if you had submitted the support request and let us run the diagnostic (takes just a few mins) we would have updated our definitions to remove the remaining part of the infection - keep that in mind in the future.