Trojan.Vundo found in registry by Malwarebyte's but not by avast! or other....


Toshiba Satellite U305, VISTA Home Premium
avast!
Malwarebytes’ Anti-Malware
Windows Defender
Spybot Search & Destroy
Ad-Aware
CCleaner
TweakNow RegCleaner

Other than coming across cookies and a few old shortcuts and the like, all the above apps scan CLEAN except for Malwarebytes’ Anti-Malware, where I get this report:

Vendor: Trojan.Vundo
Category: Registry Key

Item(s): HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim

Name (Default) type REG_SZ date (value not set)

Name SysShell type REG_BINARY data d8 07 06 00 02 00 0a 00 0f 00 12 00 3a 00 5f 01

NO ACTION TAKEN

As noted above, this does not show up on my avast! scans. I’ve searched online virus data sources but don’t find anything helpful, especially since this involves a Registry Key and not a file. I wonder if I have a false positive or something else.

My computer competence stops at the door of the Registry, which I don’t mess with, so I need help. I’ll appreciate any thoughts, suggestions, etc.

Many thanks.

RonInRI

No action taken
did you not quarantine vundo?
do you have a sample you could upload to VirusTotal?

update avast and schedule a boot time scan
update and re-run MBAM and quarantine
post
avast boot log
MBAM log
run HijackThis scan only and attach log
there are instructions in the first thread in this forum

as you can see there are lots of cases of Vundo in this forum
there are many variants of Vundo

avast doesn’t scan the registry independently like a specialist anti-spy/malware application.

If avast finds a spyware file on the system, then as part of the clean-up it would look in the registry for any associated entries.

I don’t believe it is a false positive (as a google search seems to confirm vundo/virtumond), it may be the remnants of a previous infection. http://www.google.co.uk/search?q=HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim
Some of those hits, http://www.threatexpert.com/report.aspx?uid=abe4290b-7598-422d-81a0-d673c29323c6 and http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_VIRTUM.JR&VSect=T.

I would say allow MBAM to deal with it.

I agree with DavidR. Try SuperAntiSpyware or VundoFix.

right
after you do your Avast boot scan to check for any other virii
and fixing what you can with MBAM
try SAS and then VUNDOFIX
post your logs

we would like to see what else you might have


Thanks for the above. I spent yesterday doing lengthy deep scans, including avast! boot time scan. avast! and Malwarebytes’ Anti-Malware came up with zero infections.

I did the MBAM deep scan thinking that, being logged on to both of my users’ accounts and doing the scan with the administrator’s user account, both accounts would be scanned. Last night I did a MBAM scan on my secondary account “Segundo” and came up with the following:

Malwarebytes’ Anti-Malware 1.24
Database version: 1031
Windows 6.0.6000

10:33:57 PM 8/7/2008
mbam-log-8-7-2008 segundo (22-33-35)

Scan type: Quick Scan
Objects scanned: 34599
Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) → No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Ref. the “No Action Taken”. The infection wasn’t put in Quarantine by MBAM and I couldn’t see any way to do it myself (and would have been hesitant to because it’s a Reg. Key). Is that because it’s a Registry Key and not a simple file?

(I tried posting my boot scan and deep MBAM scan but it couldn’t be posted b/c it was more than 1000 characters…though, as I said, the results were absolutely zero.)

I’m thinking of proceeding on the Segundo user account, scanning with my other anti-spyware programs, then going to SuperAntiSpyware and/or VundoFix.

As I mentioned before, it is entirely possible that the registry key is a remnant not fully cleaned from a previous detection.

You can check in the registry for the presence of this key. If it is there, first back up the HKEY_CURRENT_USER\SOFTWARE\Microsoft\ key (export it and give it a meaningful name so you will remember it) and then delete the contim part of the main HKEY_CURRENT_USER\SOFTWARE\Microsoft\ key.

I think your system other than this is OK, but I would suggest you do some reading in the links I provided from the Google search and see if any of the other elements/associations are present in your system.
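The back-up-then-delete procedure above, as an added PowerShell example that is not from this thread or from any of the tools named in it. Because HKEY_CURRENT_USER is only the logged-on user's hive (which is why the key was missed until the scan was run under the "Segundo" account), the script looks in every loaded user hive under HKEY_USERS, prints the values it finds, and only exports and removes the subkey when -Remove is given; the backup folder is an assumed location.

```powershell
# Added example (not from the thread): report the HKCU\SOFTWARE\Microsoft\contim
# remnant in every loaded user profile, back up the parent key with reg.exe and
# remove only the "contim" subkey. Run from an elevated PowerShell prompt.
param(
    [switch]$Remove,                                             # default is report-only
    [string]$BackupDir = "$env:USERPROFILE\Desktop\RegBackup"    # assumed backup location
)

$SubKey = 'SOFTWARE\Microsoft\contim'   # key reported in the MBAM log

# HKEY_CURRENT_USER is just the current user's hive; other profiles appear
# under HKEY_USERS\<SID> while they are loaded (e.g. a second logged-on account).
$hives = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }

foreach ($hive in $hives) {
    $sid  = $hive.PSChildName
    $path = "Registry::HKEY_USERS\$sid\$SubKey"
    if (-not (Test-Path $path)) { continue }

    # Resolve the SID to an account name so the report says which profile has it.
    try   { $user = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $user = $sid }
    Write-Host "Found $SubKey in hive of $user"

    # List every value; REG_BINARY data is printed as hex bytes, as in the MBAM report.
    $key = Get-Item $path
    foreach ($name in $key.GetValueNames()) {
        $label = if ($name -eq '') { '(Default)' } else { $name }
        $data  = $key.GetValue($name)
        if ($data -is [byte[]]) { $data = ($data | ForEach-Object { $_.ToString('x2') }) -join ' ' }
        Write-Host ("  {0,-12} {1,-12} {2}" -f $label, $key.GetValueKind($name), $data)
    }

    if ($Remove) {
        New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
        $backup = Join-Path $BackupDir "HKU_${sid}_Microsoft_before_contim_removal.reg"
        # Export the parent key first; it can be restored with: reg import <file>
        & reg.exe export "HKEY_USERS\$sid\SOFTWARE\Microsoft" $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Backup failed for $user; not deleting."; continue }
        Remove-Item -Path $path -Recurse -Confirm
        Write-Host "  Removed (backup: $backup)"
    }
}
```

Re-run the MBAM scan under each account afterwards, as the thread does, to confirm the key is gone from every profile.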


Thanks, David. Will follow latest suggestions.

SuperAntiSpyware and HijackThis scans show zero problems. It does seem that everything is OK other than this ‘left over’ piece in the Registry, but will back up that Registry key, delete “contim” and search through the other links.

I’ve deleted the “contim” part of the registry key (after having exported a backup copy of the key…ready to be restored if necessary). After that, the Malwarebytes’ Anti-Malware scan ran clean.

I’ll get to those other links later in the day. Apart from that, I hope this is the end of this story.

You’ve been a great help. I’ve learned a lot. Thanks.

RonInRI
USA

No problem, glad I could help.