bhs3064 Posted December 12, 2008

A week or so ago I closed an ad that ended up downloading a couple of Vundo trojans. I knew it was a false ad, but without thinking I clicked on the "x" box, which ended up downloading the virus. The regular spyware programs couldn't ID or remove it, so after working with MS support I downloaded SUPERAntiSpyware. It removed the viruses and related adware.

I have a router and firewall (which may have been down), but it turns out I was operating my computer in the default admin mode, which as I understand it basically gave the file permission to download when I clicked on the ad. A friend helped me set up a restricted user account, which supposedly helps prevent this from happening. He recommended AVG for real-time protection and I installed that, though I still use SUPERAntiSpyware for scans.

Sorry for the preamble, but here are my questions/problems: While these scans are no longer finding Vundo trojans, they do occasionally detect Adware.Vundo-Variant. The recent one had "Trace" at the end of the file name. Is the adware Vundo variant as malicious as the trojan, and can it steal credit card info, etc.? I guess I don't understand how it keeps cropping up every few days if I removed everything and have real-time protection.

Last bit of the puzzle. After my initial SAS scan that removed the trojan, I purchased a ticket online. Two days later someone used my card number in Las Vegas. And it was an actual card swipe versus an online order, so they apparently created a fake card with the number. Fortunately the card company alerted us and credited the amount back, and we cancelled the card. Obviously the number could have been lifted from previous usage, but the timing is certainly concerning. Is this virus finding a way to replicate or get through my current protection levels? And should I continue to avoid any online purchases or accessing any bank accounts on the chance something still might be lurking in the background?

Thanks in advance for any information, and sorry for the wordy entry! I've never had this problem before, and the stress and time spent on it is making me consider getting a Mac.
SUPERAntiSpy Posted December 12, 2008

Can you post your latest SUPERAntiSpyware scan log?
bhs3064 Posted December 13, 2008

Thanks for your help. Here's the most recent log.

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 12/11/2008 at 07:41 PM

Application Version : 4.21.1004

Core Rules Database Version : 3671
Trace Rules Database Version: 1650

Scan type : Quick Scan
Total Scan Time : 00:19:31

Memory items scanned : 323
Memory threats detected : 0
Registry items scanned : 442
Registry threats detected : 0
File items scanned : 6518
File threats detected : 76

Adware.Tracking Cookie
    C:\Documents and Settings\Perri-User\Cookies\perri-user@tacoda[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@insightexpressai[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@statcounter[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@advancedscanner[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@dynamic.media.adrevolver[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@doubleclick[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@questionmarket[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@www.burstbeacon[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@burstnet[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@ads.digitalmedianet[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@at.atwola[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@specificmedia[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@msnportal.112.2o7[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@ad.yieldmanager[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@interclick[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@revsci[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@bluestreak[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@bs.serving-sys[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@www.googleadservices[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@adbrite[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@kontera[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@specificclick[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@ehg-wyndhamvacationownership.hitbox[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@zedo[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@adopt.specificclick[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@overture[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@www.socialtrack[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@cgm.adbureau[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@tracking.foxnews[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@adrevolver[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@apmebf[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@ads.pointroll[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@atdmt[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@tribalfusion[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@dmtracker[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@adserve.gossipgirls[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@mediaplex[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@advertising[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@www.ecoretrack[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@imrworldwide[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@ads.cnn[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@myaccount.bellsouth[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@trafficmp[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@hitbox[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@statse.webtrendslive[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@ads.bridgetrack[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@casalemedia[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@www.burstnet[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@adopt.euroclick[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@media.adrevolver[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@fastclick[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@adinterax[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@ascendmedia.112.2o7[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@collective-media[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@2o7[1].txt
    C:\Documents and Settings\od\Cookies\od@2o7[2].txt
    C:\Documents and Settings\od\Cookies\od@ad.yieldmanager[1].txt
    C:\Documents and Settings\od\Cookies\od@adopt.euroclick[1].txt
    C:\Documents and Settings\od\Cookies\od@adopt.specificclick[2].txt
    C:\Documents and Settings\od\Cookies\od@ads.pointroll[1].txt
    C:\Documents and Settings\od\Cookies\od@advertising[2].txt
    C:\Documents and Settings\od\Cookies\od@apmebf[1].txt
    C:\Documents and Settings\od\Cookies\od@atdmt[1].txt
    C:\Documents and Settings\od\Cookies\od@bluestreak[1].txt
    C:\Documents and Settings\od\Cookies\od@doubleclick[1].txt
    C:\Documents and Settings\od\Cookies\od@insightexpressai[2].txt
    C:\Documents and Settings\od\Cookies\od@interclick[2].txt
    C:\Documents and Settings\od\Cookies\od@media.adrevolver[1].txt
    C:\Documents and Settings\od\Cookies\od@mediaplex[2].txt
    C:\Documents and Settings\od\Cookies\od@msnbc.112.2o7[1].txt
    C:\Documents and Settings\od\Cookies\od@msnportal.112.2o7[1].txt
    C:\Documents and Settings\od\Cookies\od@specificclick[2].txt
    C:\Documents and Settings\od\Cookies\od@specificmedia[1].txt
    C:\Documents and Settings\od\Cookies\od@tacoda[2].txt
    C:\Documents and Settings\od\Cookies\od@tradedoubler[1].txt

Adware.Vundo/Variant-Trace
    C:\WINDOWS\SYSTEM32\UQABYWIU.INI
bhs3064 Posted December 13, 2008

I did another scan tonight and it popped up again towards the end of the scan. It seems to be showing up in the same location. Here's the log from tonight. I don't know if this information helps, but the "od" references are the admin user account (which we don't use now when on the web) and the "perri-user" is our restricted user account.

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 12/12/2008 at 10:14 PM

Application Version : 4.21.1004

Core Rules Database Version : 3671
Trace Rules Database Version: 1650

Scan type : Quick Scan
Total Scan Time : 00:15:44

Memory items scanned : 338
Memory threats detected : 0
Registry items scanned : 416
Registry threats detected : 0
File items scanned : 6546
File threats detected : 36

Adware.Tracking Cookie
    C:\Documents and Settings\Perri-User\Cookies\perri-user@tacoda[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@msnbc.112.2o7[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@dynamic.media.adrevolver[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@doubleclick[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@questionmarket[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@specificmedia[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@msnportal.112.2o7[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@ad.yieldmanager[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@ads.techguy[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@revsci[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@bs.serving-sys[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@specificclick[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@zedo[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@adopt.specificclick[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@protected-clicks-system[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@adrevolver[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@tracking.foxnews[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@apmebf[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@ads.pointroll[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@atdmt[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@tribalfusion[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@mediaplex[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@advertising[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@trafficmp[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@casalemedia[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@adopt.euroclick[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@serving-sys[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@media.adrevolver[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@fastclick[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@chitika[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@2o7[1].txt
    C:\Documents and Settings\od\Cookies\od@atdmt[2].txt
    C:\Documents and Settings\od\Cookies\od@doubleclick[1].txt
    C:\Documents and Settings\od\Cookies\od@msnportal.112.2o7[1].txt
    C:\Documents and Settings\od\Cookies\od@msnportal.112.2o7[2].txt

Adware.Vundo/Variant-Trace
    C:\WINDOWS\SYSTEM32\UQABYWIU.INI
Pandato Posted December 13, 2008

You are not scanning with the latest version, 4.23.1006.
bhs3064 Posted December 13, 2008

I updated and scanned today. The Vundo file showed up in the same place.
Lagerx Posted December 13, 2008

Did SUPERAntiSpyware remove it? Scan in safe mode. http://www.superadblocker.com/bootsafe.html Use this if you don't know how to get there.
bhs3064 Posted December 13, 2008

It apparently didn't. I downloaded BootSafe per your instructions and ran SAS again in safe mode, and the same file was in the list of detected items. Here is the log:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 12/13/2008 at 11:53 AM

Application Version : 4.21.1004

Core Rules Database Version : 3674
Trace Rules Database Version: 1653

Scan type : Complete Scan
Total Scan Time : 01:06:17

Memory items scanned : 336
Memory threats detected : 0
Registry items scanned : 5720
Registry threats detected : 0
File items scanned : 27497
File threats detected : 17

Adware.Tracking Cookie
    C:\Documents and Settings\Perri-User\Cookies\perri-user@tacoda[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@doubleclick[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@questionmarket[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@at.atwola[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@msnportal.112.2o7[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@revsci[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@apmebf[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@ads.pointroll[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@atdmt[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@mediaplex[1].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@advertising[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@casalemedia[1].txt
    C:\Documents and Settings\od\Cookies\od@atdmt[2].txt
    C:\Documents and Settings\od\Cookies\od@doubleclick[1].txt
    C:\Documents and Settings\od\Cookies\od@msnportal.112.2o7[1].txt
    C:\Documents and Settings\od\Cookies\od@msnportal.112.2o7[2].txt

Adware.Vundo/Variant-Trace
    C:\WINDOWS\SYSTEM32\UQABYWIU.INI
Pandato Posted December 13, 2008

You have not updated to version 4.23.1006; the above log still shows 4.21. Definitions are not the same as the version of the program.
bhs3064 Posted December 13, 2008

Thanks. Not sure what I missed, as I clicked the update link and it downloaded today, but I will try it again.
bhs3064 Posted December 13, 2008

Apparently I wasn't in admin and it only downloaded the new definitions. I downloaded the new version and it found the same file and an additional Vundo file. The scan log is below, and I'm going to run another one to see if it's gone now. Thanks for your help and patience. Is this adware Vundo as bad as the trojan?

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 12/13/2008 at 01:14 PM

Application Version : 4.23.1006

Core Rules Database Version : 3674
Trace Rules Database Version: 1653

Scan type : Quick Scan
Total Scan Time : 00:11:09

Memory items scanned : 529
Memory threats detected : 0
Registry items scanned : 461
Registry threats detected : 1
File items scanned : 5993
File threats detected : 4

Adware.Vundo Variant
    HKU\S-1-5-21-1013300348-779916470-1403716777-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A63E645F-13BD-45ED-B15F-6E8C1BD57279}

Adware.Tracking Cookie
    C:\Documents and Settings\od\Cookies\od@atdmt[2].txt
    C:\Documents and Settings\od\Cookies\od@msnportal.112.2o7[1].txt
    C:\Documents and Settings\od\Cookies\od@doubleclick[1].txt

Adware.Vundo/Variant-Trace
    C:\WINDOWS\SYSTEM32\UQABYWIU.INI
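Editor's note. The four logs in this thread share one layout, and the useful thing to pull out of them is what survives from scan to scan: every cookie list changes, the UQABYWIU.INI entry never does, and two of the logs show new definition databases on an old program build, which is the distinction Pandato draws. The script below is an added example, not code from the posts or from SUPERAntiSpyware. It parses that layout, checks the program version separately from the definition versions, and lists detections that appear in every log once tracking cookies are set aside. The embedded sample logs are abbreviated transcriptions of the logs posted above (cookie lists shortened, scan counters dropped); the function and constant names are the example's own.

```python
"""Parse SUPERAntiSpyware scan logs and report which detections recur.

Added example for this thread, not code from the posts or from the
SUPERAntiSpyware product. It relies only on the log layout visible in the
thread: "Key : Value" header lines, then detection categories, each followed
by the file paths or registry keys it matched.
"""
import re
from collections import Counter

# Header lines look like "Application Version : 4.23.1006". Checked only
# after ITEM_RE, so a "C:\..." path is never mistaken for a header.
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")
# Detection items are file paths (C:\...) or registry keys (HKU\..., HKLM\...).
ITEM_RE = re.compile(r"^(?:[A-Za-z]:\\|HK(?:LM|CU|CR|U|EY_[A-Z_]+)\\)", re.I)
COOKIE_CATEGORY = "Adware.Tracking Cookie"


def parse_log(text):
    """Return {"header": {...}, "detections": [(category, item), ...]}."""
    header, detections, category = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("http") or line == "SUPERAntiSpyware Scan Log":
            continue
        if line.startswith("Generated "):
            header["Generated"] = line[len("Generated "):]
            continue
        if ITEM_RE.match(line):
            if category is None:
                raise ValueError("detection item before any category: %r" % line)
            detections.append((category, line))
            continue
        m = HEADER_RE.match(line)
        if m and category is None:
            header[m.group(1).strip()] = m.group(2).strip()
            continue
        category = line  # anything else names the category of the items that follow
    return {"header": header, "detections": detections}


def version_tuple(version):
    """'4.23.1006' -> (4, 23, 1006), so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def meets_program_version(parsed, required):
    """True if the *program* build is at least `required`. The Core/Trace
    definition databases update separately and say nothing about the build."""
    have = parsed["header"].get("Application Version", "0")
    return version_tuple(have) >= version_tuple(required)


def category_counts(parsed):
    """Number of items each detection category produced."""
    return Counter(category for category, _ in parsed["detections"])


def persistent_items(parsed_logs, ignore=(COOKIE_CATEGORY,)):
    """Detections present in every log, cookies excluded by default. Windows
    paths and registry keys are case-insensitive, so matching is on lower-cased
    text; the spelling from the first log is what gets returned."""
    if not parsed_logs:
        return []
    keyed = [{(c, i.lower()): (c, i) for c, i in p["detections"] if c not in ignore}
             for p in parsed_logs]
    common = set(keyed[0])
    for k in keyed[1:]:
        common &= set(k)
    return sorted(keyed[0][k] for k in common)


def report(parsed_logs, required_version="4.23.1006"):
    """One line per log (build, definitions, category counts), then the survivors."""
    lines = []
    for p in parsed_logs:
        h = p["header"]
        lines.append("%s | program %s (%s) | defs %s/%s | %s" % (
            h.get("Generated", "?"), h.get("Application Version", "?"),
            "current" if meets_program_version(p, required_version) else "OUTDATED",
            h.get("Core Rules Database Version", "?"),
            h.get("Trace Rules Database Version", "?"),
            ", ".join("%s x%d" % kv for kv in sorted(category_counts(p).items()))))
    lines.append("Present in every scan (cookies ignored):")
    lines.extend("  [%s] %s" % entry for entry in persistent_items(parsed_logs))
    return "\n".join(lines)


# Sample logs transcribed from the thread above; cookie lists shortened.
LOG_1211 = r"""SUPERAntiSpyware Scan Log
https://www.superantispyware.com
Generated 12/11/2008 at 07:41 PM
Application Version : 4.21.1004
Core Rules Database Version : 3671
Trace Rules Database Version: 1650
Scan type : Quick Scan
Adware.Tracking Cookie
    C:\Documents and Settings\Perri-User\Cookies\perri-user@tacoda[2].txt
    C:\Documents and Settings\Perri-User\Cookies\perri-user@doubleclick[1].txt
Adware.Vundo/Variant-Trace
    C:\WINDOWS\SYSTEM32\UQABYWIU.INI
"""
LOG_1213_SAFE = r"""Generated 12/13/2008 at 11:53 AM
Application Version : 4.21.1004
Core Rules Database Version : 3674
Trace Rules Database Version: 1653
Scan type : Complete Scan
Adware.Tracking Cookie
    C:\Documents and Settings\Perri-User\Cookies\perri-user@doubleclick[1].txt
    C:\Documents and Settings\od\Cookies\od@doubleclick[1].txt
Adware.Vundo/Variant-Trace
    C:\WINDOWS\SYSTEM32\UQABYWIU.INI
"""
LOG_1213_NEW = r"""Generated 12/13/2008 at 01:14 PM
Application Version : 4.23.1006
Core Rules Database Version : 3674
Trace Rules Database Version: 1653
Scan type : Quick Scan
Adware.Vundo Variant
    HKU\S-1-5-21-1013300348-779916470-1403716777-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A63E645F-13BD-45ED-B15F-6E8C1BD57279}
Adware.Tracking Cookie
    C:\Documents and Settings\od\Cookies\od@atdmt[2].txt
    C:\Documents and Settings\od\Cookies\od@doubleclick[1].txt
Adware.Vundo/Variant-Trace
    C:\WINDOWS\SYSTEM32\UQABYWIU.INI
"""

if __name__ == "__main__":
    print(report([parse_log(t) for t in (LOG_1211, LOG_1213_SAFE, LOG_1213_NEW)]))
```

Run as-is it prints one line per sample log, flags the two 4.21.1004 logs as OUTDATED even though their definitions are current, and lists only the INI as present in every scan. Paste full logs in place of the samples to do the same comparison on real output; cookies are ignored by default because they are re-created by ordinary browsing and say nothing about persistence.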
Lagerx Posted December 13, 2008

Please download IceSword from here: http://www.antirootkit.com/software/IceSword.htm Extract this .zip file and start IceSword. On the left you will see File. If you click on it, find C:\WINDOWS\SYSTEM32\UQABYWIU.INI, right-click on the file and choose "force delete". Do a scan with SAS again and see if it still finds it.

PS: Before starting IceSword, close your running antispyware/antivirus programs and firewall. Otherwise there will be some conflicts.
bhs3064 Posted December 13, 2008

I think I'd be getting over my head, technically speaking. If I just had someone wipe the drive and reinstall the system, would that be the best guarantee of no longer having to worry about this problem? Also, if I copy my pictures, iTunes songs, and basic Word and Excel docs, is there any way that the virus could be attached to any of them? I want to make sure that I don't just end up copying the problem back onto the clean system. Thanks again for all the advice.