Grace Posted December 30, 2008

Last week I determined that my laptop had been infected by a couple of trojans, Vundo and FakeAlert. I was using Spyware Doctor and McAfee antivirus. Scans by Spyware Doctor would detect the malware and said it removed it, but the problems kept coming back. I searched several forums and many suggested trying SuperAntiSpyware. After I was satisfied that this was legitimate software, I downloaded the trial version of SAS Pro yesterday and scanned my computer. SAS found and removed several trojans, etc., but the Adware Vundo Variant keeps coming back after each reboot.

I disconnected from the internet, disabled McAfee AV, turned off system restore, booted in safe mode and ran SAS. It finds 3 occurrences of Adware Vundo Variant in the registry. After I choose to fix the problems, it says I must reboot to complete the fix. I reboot (again in safe mode) and rerun SAS to see if the malware still exists. It does.

What am I doing wrong? Or what else can I do to rid my laptop of this junk? Kind of a newbie with all of this, so be gentle....
Grace Posted December 30, 2008

Update: New definitions came out after I did the scans mentioned above. I downloaded those then scanned again. Adware Vundo Variant seems to be gone now. YAY! I do have some "Unclassified.Unknown Origin" items show up now:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 12/30/2008 at 08:57 AM

Application Version : 4.23.1006

Core Rules Database Version : 3689
Trace Rules Database Version: 1665

Scan type : Complete Scan
Total Scan Time : 00:54:04

Memory items scanned : 636
Memory threats detected : 0
Registry items scanned : 7760
Registry threats detected : 5
File items scanned : 28408
File threats detected : 1

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PEBAPEHE.DLL
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}

Should I be concerned? I am still using the trial version, but will purchase if this software proves to be able to keep my system clean. Many thanks!
SUPERAntiSpy Posted December 30, 2008

You need to update to our 4.24.1004 version, reboot, then re-scan, then reboot, and you will be clean.
Grace Posted December 30, 2008

Quoting SUPERAntiSpy: "You need to update to our 4.24.1004 version, reboot, then re-scan, then reboot, and you will be clean."

I will do that when I get home from work. I guess I need to do something besides click on the button to check for updates, which is what I did prior to the last scan. Does that only check for updates to the definitions?
Pandato Posted December 30, 2008

From within the program, yes, but right-clicking "Check for Updates" does both. So does the update screen via Preferences.
Grace Posted December 31, 2008

The auto-updater prompted me to download the latest version when I booted the laptop this evening. After the update, I scanned again and all is clean. I will do daily scans to ensure that nothing comes back after reboots. Kudos to this product! Most likely I will purchase for continued realtime protection after the trial period.
Pandato Posted December 31, 2008

Thanks for the report. We look forward to having you as a satisfied customer. HAPPY NEW YEAR!
larryrk Posted December 31, 2008

I have not been able to delete Adware Vundo Variant. I have rebooted several times and I did go into regedit and delete the variant. It only appears again.

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 12/31/2008 at 11:27 AM

Application Version : 4.24.1004

Core Rules Database Version : 3691
Trace Rules Database Version: 1667

Scan type : Quick Scan
Total Scan Time : 00:02:46

Memory items scanned : 562
Memory threats detected : 0
Registry items scanned : 503
Registry threats detected : 1
File items scanned : 0
File threats detected : 0

Adware.Vundo Variant
HKU\S-1-5-21-57989841-1563985344-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks#{0BC6E3FA-78EF-4886-842C-5A1258C4455A}

Is this a false positive?
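The two scan logs in this thread show the same pattern: a CLSID registered under HKLM or HKU with an InprocServer32 pointing at a DLL, and (in the second log) that CLSID wired into Internet Explorer's URLSearchHooks so the DLL is loaded whenever the browser starts. Before deleting such an entry or deciding it is a false positive, it helps to see which DLL the CLSID actually resolves to and whether that file is signed. The script below is an added, read-only triage example written for this thread; it is not part of SUPERAntiSpyware or any poster's instructions. It assumes an elevated PowerShell on the affected Windows machine and only inspects hives that are currently loaded under HKEY_USERS (logged-on users), so other accounts must be logged on, or their hives loaded, to be covered.

```powershell
# Added example (not from the thread): enumerate IE URLSearchHooks for each loaded user hive,
# resolve every hook CLSID to its InprocServer32 DLL, and report the DLL's Authenticode status.
# Nothing is modified; this is for triage only.

function Resolve-Clsid {
    param([string]$Sid, [string]$Clsid)
    # Per-user COM registrations live in HKU\<SID>_Classes; machine-wide ones in HKLM\Software\Classes.
    # HKCR (seen in the SAS log) is just the merged view of these two locations.
    $roots = @("Registry::HKEY_USERS\${Sid}_Classes\CLSID", 'HKLM:\Software\Classes\CLSID')
    foreach ($root in $roots) {
        $key = "$root\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
            $dll = [Environment]::ExpandEnvironmentVariables([string]$raw)
            # A missing file with a live registration is itself worth noting: the loader will
            # silently fail, which is exactly what a half-removed hook looks like.
            $status = if (Test-Path -LiteralPath $dll) {
                (Get-AuthenticodeSignature -FilePath $dll).Status
            } else { 'FileMissing' }
            return [pscustomobject]@{ Sid = $Sid; Clsid = $Clsid; Dll = $dll; Signature = $status; Source = $key }
        }
    }
    # Hook value present but no CLSID registration found in either hive.
    [pscustomobject]@{ Sid = $Sid; Clsid = $Clsid; Dll = $null; Signature = 'NotRegistered'; Source = $null }
}

$results = foreach ($hive in Get-ChildItem -LiteralPath 'Registry::HKEY_USERS') {
    $sid = $hive.PSChildName
    # Keep real account SIDs (S-1-5-21-...), skip the companion *_Classes hives.
    if ($sid -notmatch '^S-1-5-21-' -or $sid -like '*_Classes') { continue }
    $hookKey = "Registry::HKEY_USERS\$sid\Software\Microsoft\Internet Explorer\URLSearchHooks"
    if (-not (Test-Path -LiteralPath $hookKey)) { continue }
    $values = Get-ItemProperty -LiteralPath $hookKey
    foreach ($prop in $values.PSObject.Properties) {
        # Each hook is a registry *value* whose name is a CLSID (the part after '#' in the SAS log);
        # the regex also skips the PSPath/PSParentPath metadata that Get-ItemProperty adds.
        if ($prop.Name -match '^\{[0-9A-F-]{36}\}$') {
            Resolve-Clsid -Sid $sid -Clsid $prop.Name
        }
    }
}

$results | Format-Table -AutoSize
```

A hook whose DLL is unsigned, lives in System32 under a random-looking name like the PEBAPEHE.DLL in the first log, or no longer exists on disk deserves a closer look; a hook resolving to a validly signed Microsoft DLL is the expected default.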
h2eau Posted December 31, 2008

Run both SAS and Malwarebytes on all user accounts. Download Malwarebytes here and get updates before scanning.
http://www.malwarebytes.org/
paramonks Posted January 3, 2009

I am wondering if any further information is available on this. My SAS detected the same Adware.Vundo Variant within the registry, and I have run the most updated SAS available along with Malwarebytes' Anti-Malware program. I have not, like the previous poster, manually deleted the item via the regedit facility.

Thanks - paramonks

This may be a tangent, but I put it out there for thoughts also. A couple of days ago someone posted the python service from Webshots as a potential FP. I have not seen any response whether it is or not, but I was using that version of Webshots (which I did uninstall prior) to the latest upgrade of SAS yesterday. The more I've pondered about this supposed suspect item within the registry, I have become more certain that this has something to do with Webshots and is a FP. When selecting the option to remove the supposed rogue item, a text box message from Webshots appeared with wording to the effect of "another application is trying to change your home page ? from Webshots. Do you wish to continue with ......" (can't remember the exact wording here), then Yes or No boxes.
Shanna Posted September 28, 2012

When running SAS for any scan, always remember to stop the system restore service. Otherwise the virus will copy itself to the restore point before you can delete it.