Problems removing Adware Vundo Variant

[Grace]

Last week I determined that my laptop had been infected by a couple of trojans, Vundo and FakeAlert. I was using Spyware Doctor and McAfee antivirus. Scans by Spyware Doctor would detect the malware and said it removed it, but the problems kept coming back. I searched several forums and many suggested trying SuperAntiSpyware. After I was satisfied that this was legitimate software, I downloaded the trial version of SAS Pro yesterday and scanned my computer. SAS found and removed several trojans, etc., but the Adware Vundo Variant keeps coming back after each reboot.

I disconnected from the internet, disabled McAfee AV, turned off system restore, booted in safe mode and ran SAS. It finds 3 occurrences of Adware Vundo Variant in the registry. After I choose to fix the problems, it says I must reboot to complete the fix. I reboot (again in safe mode) and rerun SAS to see if the malware still exists. It does. What am I doing wrong? Or what else can I do to rid my laptop of this junk?

Kind of a newbie with all of this, so be gentle....

[Grace]

Update: New definitions came out after I did the scans mentioned above. I downloaded those then scanned again. Adware Vundo Variant seems to be gone now. YAY! I do have some "Unclassified.Unknown Origin" items show up now:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 12/30/2008 at 08:57 AM

Application Version : 4.23.1006

Core Rules Database Version : 3689

Trace Rules Database Version: 1665

Scan type : Complete Scan

Total Scan Time : 00:54:04

Memory items scanned : 636

Memory threats detected : 0

Registry items scanned : 7760

Registry threats detected : 5

File items scanned : 28408

File threats detected : 1

Unclassified.Unknown Origin

HKLM\Software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}

HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}

HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32

HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32#ThreadingModel

C:\WINDOWS\SYSTEM32\PEBAPEHE.DLL

HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}

Should I be concerned? I am still using the trial version, but will purchase if this software proves to be able to keep my system clean.

Many thanks!

[SUPERAntiSpy]

You need to update to our 4.24.1004 version, reboot, then re-scan then reboot and you will be clean.

[Grace]

You need to update to our 4.24.1004 version, reboot, then re-scan then reboot and you will be clean.

I will do that when I get home from work. I guess I need to do something besides click on the button to check for updates, which is what I did prior to the last scan. Does that only check for updates to the definitions?

[Pandato]

From within the program yes, but Right Click "check for updates" does both So does the update screen via preferences.

[Grace]

Auto-updater prompted me to download the latest version when I booted laptop this evening. After update, I scanned again and all is clean. I will do daily scans to ensure that nothing comes back after reboots. Kudos to this product! Most likely I will purchase for continued realtime protection after the trial period.

[Pandato]

Thanks for the report. We look forward to having you as a satisfied customer HAPPY NEW YEAR!

[larryrk]

I have not been able to delete adware Vundo Variant. I have rebooted several times and I did go into regedit and delete the variant. It only appears again.

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 12/31/2008 at 11:27 AM

Application Version : 4.24.1004

Core Rules Database Version : 3691

Trace Rules Database Version: 1667

Scan type : Quick Scan

Total Scan Time : 00:02:46

Memory items scanned : 562

Memory threats detected : 0

Registry items scanned : 503

Registry threats detected : 1

File items scanned : 0

File threats detected : 0

Adware.Vundo Variant

HKU\S-1-5-21-57989841-1563985344-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks#{0BC6E3FA-78EF-4886-842C-5A1258C4455A}

Is this a false positive?

[h2eau]

Run both SAS and Malwarebytes on all user accounts.

Download Malwarebytes here and get updates before scanning.

http://www.malwarebytes.org/

[paramonks]

Am wondering if any further information is available on this. My SAS detected the same Adware.Vundo Variant within the registry and I have run the most updated SAS available along with Malwarebytes' Anti malware program. I have not like the previous poster manually deleted the item via regedit facility.

Thanks - paramonks

this maybe a tangent - but put it out there for thoughts also - a couple of days ago someone posted the python service from webshots as a potential FP. I have not seen any response whether it is or not, but I was using that version of webshots (which I did uninstal prior) to the latest upgrade of SAS yesterday.

The more I've pondered about this supposed suspect item within the registry, I have become more certain that this has something to do with Webshots and is a FP. When selecting the option to remove the supposed rogue item a text box message from Webshots appeared with wording to the effect of "another application is trying to change your home page ? from Webshots. Do you wish to continue with ...... (can remember the exact wording here) then Yes or No boxes.

[Shanna]

When running SAS for any scan, always remember to stop the system restore service. Otherwise the virus will copy itself to the restore point before you can delete it.