Adware Vundo Variant

[bhs3064]

A week or so ago I closed an ad that ended up downloading a couple of vundo trojans. I knew it was a false ad but without thinking clicked on the "x" box that ended up downloading the virus. The regular spyware programs couldn't ID or remove it so after working with MS support I downloaded superantispyware. It removed the viruses and related adware.

I have a router and firewall (which may have been down) but it turns out I was operating my computer in the default admin mode which as I understand basically gave the file permission to download when I clicked on the ad. A friend helped me set up a restricted user account which supposedly helps prevent this from happening.

He recommended AVG for realtime protection and I installed that though I still use superantispyware for scans.

Sorry for the preamble but here's my question/problems: While these scans no longer are finding vundo trojans they do occasionally detect adware.vundo-variant. The recent one had "trace" at the end of the file name. Is the adware vundo variant as malicious as the trojan and can it steal credit card info, etc..I guess I don't understand how it keeps cropping up every few days if I removed everything and have real time protection.

Last bit of the puzzle. After my initial SAS scan that removed the trojan I purchased a ticket online. Two days later someone used my card number in Las Vegas. And it was an actual card swipe versus an online order so they apparently created a fake card with the number. Fortunately the card company alerted us and credited the amount back and we cancelled the card. Obviously the number could have been lifted from previous usage but the timing is certainly concerning.

Is this virus finding a way to replicate or get through my current protections levels? And should I continue to avoid any online purchases or accessing any bank accounts on the chance something still might be lurking in the background. Thanks in advance for any information and sorry for the wordy entry! I've never had this problem before and the stress and time spent on it is making me consider getting a Mac.

[SUPERAntiSpy]

Can you post your latest SUPERAntiSpyware scan log?

[bhs3064]

Thanks for your help. Here's the most recent log.

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 12/11/2008 at 07:41 PM

Application Version : 4.21.1004

Core Rules Database Version : 3671

Trace Rules Database Version: 1650

Scan type : Quick Scan

Total Scan Time : 00:19:31

Memory items scanned : 323

Memory threats detected : 0

Registry items scanned : 442

Registry threats detected : 0

File items scanned : 6518

File threats detected : 76

Adware.Tracking Cookie

C:\Documents and Settings\Perri-User\Cookies\perri-user@tacoda[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@insightexpressai[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@statcounter[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@advancedscanner[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@dynamic.media.adrevolver[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@doubleclick[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@questionmarket[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@www.burstbeacon[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@burstnet[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@ads.digitalmedianet[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@at.atwola[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@specificmedia[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@msnportal.112.2o7[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@ad.yieldmanager[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@interclick[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@revsci[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@bluestreak[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@bs.serving-sys[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@www.googleadservices[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@adbrite[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@kontera[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@specificclick[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@ehg-wyndhamvacationownership.hitbox[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@zedo[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@adopt.specificclick[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@overture[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@www.socialtrack[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@cgm.adbureau[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@tracking.foxnews[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@adrevolver[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@apmebf[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@ads.pointroll[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@atdmt[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@tribalfusion[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@dmtracker[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@adserve.gossipgirls[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@mediaplex[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@advertising[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@www.ecoretrack[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@imrworldwide[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@ads.cnn[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@myaccount.bellsouth[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@trafficmp[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@hitbox[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@statse.webtrendslive[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@ads.bridgetrack[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@casalemedia[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@www.burstnet[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@adopt.euroclick[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@media.adrevolver[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@fastclick[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@adinterax[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@ascendmedia.112.2o7[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@collective-media[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@2o7[1].txt

C:\Documents and Settings\od\Cookies\od@2o7[2].txt

C:\Documents and Settings\od\Cookies\od@ad.yieldmanager[1].txt

C:\Documents and Settings\od\Cookies\od@adopt.euroclick[1].txt

C:\Documents and Settings\od\Cookies\od@adopt.specificclick[2].txt

C:\Documents and Settings\od\Cookies\od@ads.pointroll[1].txt

C:\Documents and Settings\od\Cookies\od@advertising[2].txt

C:\Documents and Settings\od\Cookies\od@apmebf[1].txt

C:\Documents and Settings\od\Cookies\od@atdmt[1].txt

C:\Documents and Settings\od\Cookies\od@bluestreak[1].txt

C:\Documents and Settings\od\Cookies\od@doubleclick[1].txt

C:\Documents and Settings\od\Cookies\od@insightexpressai[2].txt

C:\Documents and Settings\od\Cookies\od@interclick[2].txt

C:\Documents and Settings\od\Cookies\od@media.adrevolver[1].txt

C:\Documents and Settings\od\Cookies\od@mediaplex[2].txt

C:\Documents and Settings\od\Cookies\od@msnbc.112.2o7[1].txt

C:\Documents and Settings\od\Cookies\od@msnportal.112.2o7[1].txt

C:\Documents and Settings\od\Cookies\od@specificclick[2].txt

C:\Documents and Settings\od\Cookies\od@specificmedia[1].txt

C:\Documents and Settings\od\Cookies\od@tacoda[2].txt

C:\Documents and Settings\od\Cookies\od@tradedoubler[1].txt

Adware.Vundo/Variant-Trace

C:\WINDOWS\SYSTEM32\UQABYWIU.INI

[bhs3064]

I did another scan tonight and it popped up again towards the end of the scan. It seems to be showing up in the same location. Here's the log from tonight. I don't know if this information helps but the "od" references are the admin user account (which we don't use now when on the web) and the "perri-user" is our restricted user account.

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 12/12/2008 at 10:14 PM

Application Version : 4.21.1004

Core Rules Database Version : 3671

Trace Rules Database Version: 1650

Scan type : Quick Scan

Total Scan Time : 00:15:44

Memory items scanned : 338

Memory threats detected : 0

Registry items scanned : 416

Registry threats detected : 0

File items scanned : 6546

File threats detected : 36

Adware.Tracking Cookie

C:\Documents and Settings\Perri-User\Cookies\perri-user@tacoda[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@msnbc.112.2o7[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@dynamic.media.adrevolver[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@doubleclick[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@questionmarket[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@specificmedia[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@msnportal.112.2o7[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@ad.yieldmanager[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@ads.techguy[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@revsci[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@bs.serving-sys[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@specificclick[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@zedo[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@adopt.specificclick[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@protected-clicks-system[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@adrevolver[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@tracking.foxnews[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@apmebf[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@ads.pointroll[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@atdmt[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@tribalfusion[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@mediaplex[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@advertising[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@trafficmp[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@casalemedia[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@adopt.euroclick[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@serving-sys[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@media.adrevolver[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@fastclick[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@chitika[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@2o7[1].txt

C:\Documents and Settings\od\Cookies\od@atdmt[2].txt

C:\Documents and Settings\od\Cookies\od@doubleclick[1].txt

C:\Documents and Settings\od\Cookies\od@msnportal.112.2o7[1].txt

C:\Documents and Settings\od\Cookies\od@msnportal.112.2o7[2].txt

Adware.Vundo/Variant-Trace

C:\WINDOWS\SYSTEM32\UQABYWIU.INI

[Pandato]

You are not scanning with the latest version, 4.23. 1006

[bhs3064]

I updated and scanned today. The vundo file showed up in the same place.

[Lagerx]

Did Superantispyware remove it?

Scan in safe mode.

http://www.superadblocker.com/bootsafe.html

Use this if you dont know how to go there.

[bhs3064]

It apparently didn't. I downloaded Bootsafe per your instructions and ran SAS again in safe mode and the same file was in the list of detected items. Here is the log:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 12/13/2008 at 11:53 AM

Application Version : 4.21.1004

Core Rules Database Version : 3674

Trace Rules Database Version: 1653

Scan type : Complete Scan

Total Scan Time : 01:06:17

Memory items scanned : 336

Memory threats detected : 0

Registry items scanned : 5720

Registry threats detected : 0

File items scanned : 27497

File threats detected : 17

Adware.Tracking Cookie

C:\Documents and Settings\Perri-User\Cookies\perri-user@tacoda[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@doubleclick[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@questionmarket[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@at.atwola[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@msnportal.112.2o7[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@revsci[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@apmebf[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@ads.pointroll[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@atdmt[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@mediaplex[1].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@advertising[2].txt

C:\Documents and Settings\Perri-User\Cookies\perri-user@casalemedia[1].txt

C:\Documents and Settings\od\Cookies\od@atdmt[2].txt

C:\Documents and Settings\od\Cookies\od@doubleclick[1].txt

C:\Documents and Settings\od\Cookies\od@msnportal.112.2o7[1].txt

C:\Documents and Settings\od\Cookies\od@msnportal.112.2o7[2].txt

Adware.Vundo/Variant-Trace

C:\WINDOWS\SYSTEM32\UQABYWIU.INI

[Pandato]

You have not updated to version 4.23.1006, the above log still shows 4.21

Definitions are not the same as version of program

[bhs3064]

Thanks. Not sure what I missed as I clicked the update link and it downloaded today but I will try it again.

[bhs3064]

Apparently I wasn't in admin and it only downloaded the new definitions. I downloaded the new version and it found the same file and an additional vundo file. The scan log is below and I'm going to run another one to see if it's gone now.

Thanks for your help and patience. Is this adware vundo as bad as the trojan?

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 12/13/2008 at 01:14 PM

Application Version : 4.23.1006

Core Rules Database Version : 3674

Trace Rules Database Version: 1653

Scan type : Quick Scan

Total Scan Time : 00:11:09

Memory items scanned : 529

Memory threats detected : 0

Registry items scanned : 461

Registry threats detected : 1

File items scanned : 5993

File threats detected : 4

Adware.Vundo Variant

HKU\S-1-5-21-1013300348-779916470-1403716777-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A63E645F-13BD-45ED-B15F-6E8C1BD57279}

Adware.Tracking Cookie

C:\Documents and Settings\od\Cookies\od@atdmt[2].txt

C:\Documents and Settings\od\Cookies\od@msnportal.112.2o7[1].txt

C:\Documents and Settings\od\Cookies\od@doubleclick[1].txt

Adware.Vundo/Variant-Trace

C:\WINDOWS\SYSTEM32\UQABYWIU.INI

[Lagerx]

Apparently I wasn't in admin and it only downloaded the new definitions. I downloaded the new version and it found the same file and an additional vundo file. The scan log is below and I'm going to run another one to see if it's gone now.

Thanks for your help and patience. Is this adware vundo as bad as the trojan?

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 12/13/2008 at 01:14 PM

Application Version : 4.23.1006

Core Rules Database Version : 3674

Trace Rules Database Version: 1653

Scan type : Quick Scan

Total Scan Time : 00:11:09

Memory items scanned : 529

Memory threats detected : 0

Registry items scanned : 461

Registry threats detected : 1

File items scanned : 5993

File threats detected : 4

Adware.Vundo Variant

HKU\S-1-5-21-1013300348-779916470-1403716777-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A63E645F-13BD-45ED-B15F-6E8C1BD57279}

Adware.Tracking Cookie

C:\Documents and Settings\od\Cookies\od@atdmt[2].txt

C:\Documents and Settings\od\Cookies\od@msnportal.112.2o7[1].txt

C:\Documents and Settings\od\Cookies\od@doubleclick[1].txt

Adware.Vundo/Variant-Trace

C:\WINDOWS\SYSTEM32\UQABYWIU.INI

Please download Icesword from here

http://www.antirootkit.com/software/IceSword.htm

Extract this .zip file and start Icesword.

On the left you will see File. If you press on it, find C:\WINDOWS\SYSTEM32\UQABYWIU.INI and choose right click on file and "force delete"

Do scan with SAS again and see if it still finds it.

PS: Before starting Icesword, close your running antispyware/antiviruses and firewall. Otherwise there will be some conflicts.

[bhs3064]

I think I'd be getting over my head technically speaking. If I just had someone wipe the drive and reinstall the system, would that be the best guarantee of no longer having to worry about this problem?

Also, if I copy my pictures, iTune songs, and basic word, excel docs, is there any way that the virus could be attached to any of them? I want to make sure that I don't just end up copying the problem back onto the clean system.

Thanks again for all the advice.