Grace

Problems removing Adware Vundo Variant

Last week I determined that my laptop had been infected by a couple of trojans, Vundo and FakeAlert. I was using Spyware Doctor and McAfee antivirus. Scans by Spyware Doctor would detect the malware and said it removed it, but the problems kept coming back. I searched several forums and many suggested trying SuperAntiSpyware. After I was satisfied that this was legitimate software, I downloaded the trial version of SAS Pro yesterday and scanned my computer. SAS found and removed several trojans, etc., but the Adware Vundo Variant keeps coming back after each reboot.

I disconnected from the internet, disabled McAfee AV, turned off system restore, booted in safe mode and ran SAS. It finds 3 occurrences of Adware Vundo Variant in the registry. After I choose to fix the problems, it says I must reboot to complete the fix. I reboot (again in safe mode) and rerun SAS to see if the malware still exists. It does. What am I doing wrong? Or what else can I do to rid my laptop of this junk?

Kind of a newbie with all of this, so be gentle....


Update: New definitions came out after I did the scans mentioned above. I downloaded those then scanned again. Adware Vundo Variant seems to be gone now. YAY! I do have some "Unclassified.Unknown Origin" items show up now:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 12/30/2008 at 08:57 AM

Application Version : 4.23.1006

Core Rules Database Version : 3689

Trace Rules Database Version: 1665

Scan type : Complete Scan

Total Scan Time : 00:54:04

Memory items scanned : 636

Memory threats detected : 0

Registry items scanned : 7760

Registry threats detected : 5

File items scanned : 28408

File threats detected : 1

Unclassified.Unknown Origin

HKLM\Software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}

HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}

HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32

HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32#ThreadingModel

C:\WINDOWS\SYSTEM32\PEBAPEHE.DLL

HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}

Should I be concerned? I am still using the trial version, but will purchase if this software proves to be able to keep my system clean.

Many thanks!

You need to update to our 4.24.1004 version, reboot, then re-scan then reboot and you will be clean.

I will do that when I get home from work. I guess I need to do something besides click on the button to check for updates, which is what I did prior to the last scan. Does that only check for updates to the definitions?


From within the program yes, but Right Click "check for updates" does both :) So does the update screen via preferences. :)


Auto-updater prompted me to download the latest version when I booted laptop this evening. After update, I scanned again and all is clean. :D I will do daily scans to ensure that nothing comes back after reboots. Kudos to this product! Most likely I will purchase for continued realtime protection after the trial period.


I have not been able to delete adware Vundo Variant. I have rebooted several times and I did go into regedit and delete the variant. It only appears again.

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 12/31/2008 at 11:27 AM

Application Version : 4.24.1004

Core Rules Database Version : 3691

Trace Rules Database Version: 1667

Scan type : Quick Scan

Total Scan Time : 00:02:46

Memory items scanned : 562

Memory threats detected : 0

Registry items scanned : 503

Registry threats detected : 1

File items scanned : 0

File threats detected : 0

Adware.Vundo Variant

HKU\S-1-5-21-57989841-1563985344-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks#{0BC6E3FA-78EF-4886-842C-5A1258C4455A}

Is this a false positive?

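Added example, not part of the original thread and not SUPERAntiSpyware's own tooling: a Python parser for the scan-log layout posted above. It groups detections by threat name and case-normalises CLSIDs, so repeated entries collapse to the identifiers and files worth checking when judging a possible false positive. The sample log is constructed from lines in the two posted logs; `parse_scan_log` and its field names are hypothetical, and reading `#` as the separator between a registry key and a value name is an assumption drawn from those lines.

```python
import re
from collections import OrderedDict

# Constructed sample: header and detection lines copied from the two posted logs.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
Generated 12/30/2008 at 08:57 AM
Application Version : 4.23.1006
Registry threats detected : 5
File threats detected : 1
Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PEBAPEHE.DLL
Adware.Vundo Variant
HKU\S-1-5-21-57989841-1563985344-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks#{0BC6E3FA-78EF-4886-842C-5A1258C4455A}
"""

HIVE = re.compile(r"^(HKLM|HKCR|HKU|HKCU)\\", re.I)
FILE = re.compile(r"^[A-Za-z]:\\")
HEADER = re.compile(r"^([^:]+?)\s*:\s*(.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SKIP = ("SUPERAntiSpyware", "http", "Generated")  # title, URL and timestamp lines

def parse_scan_log(text):
    """Return (header_fields, {threat_name: {"clsids", "files", "registry"}})."""
    header, threats, current = {}, OrderedDict(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(SKIP):
            continue
        if HIVE.match(line) or FILE.match(line):
            if current is None:
                continue  # detection item with no threat heading above it
            entry = threats[current]
            if FILE.match(line):
                entry["files"].add(line.upper())
            else:
                # Assumption: '#' separates the key path from the value name.
                key, _, value = line.partition("#")
                entry["registry"].add((key.upper(), value))
            # The logs spell the same CLSID with 46a6 and 46A6; fold the case.
            entry["clsids"].update(c.upper() for c in CLSID.findall(line))
        elif HEADER.match(line):
            name, value = HEADER.match(line).groups()
            header[name] = value
        else:  # no path and no colon: the line names a threat family
            current = line
            threats.setdefault(
                current, {"clsids": set(), "files": set(), "registry": set()})
    return header, threats
```
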

Am wondering if any further information is available on this. My SAS detected the same Adware.Vundo Variant within the registry and I have run the most updated SAS available along with Malwarebytes' Anti malware program. I have not, like the previous poster, manually deleted the item via the regedit facility.

Thanks - paramonks

This may be a tangent, but I'll put it out there for thoughts also: a couple of days ago someone posted the Python service from Webshots as a potential FP. I have not seen any response whether it is or not, but I was using that version of Webshots (which I did uninstall prior) to the latest upgrade of SAS yesterday.

The more I've pondered about this supposed suspect item within the registry, I have become more certain that this has something to do with Webshots and is a FP. When selecting the option to remove the supposed rogue item a text box message from Webshots appeared with wording to the effect of "another application is trying to change your home page ? from Webshots. Do you wish to continue with ...... (can remember the exact wording here) then Yes or No boxes.


When running SAS for any scan, always remember to stop the system restore service. Otherwise the virus will copy itself to the restore point before you can delete it.
