Trojan.Vundo-Variant/F

Image shows location. You can see the multiple times I have tried to remove it with SAS and it keeps coming back. I don’t know where it came from but I have a feeling it might have come from YouTube. I did this search in YT I heard about, “worlds most infected computer”, and like an idiot I tried it, thinking my firewall and AV could handle it. Avast blocked it but now I have this. How do I get rid of it?

http://i695.photobucket.com/albums/vv313/sirMAXX77/misc/TrojanVundoVariantF.jpg

And here’s another pic from what I saw in the Avast popup.

http://i695.photobucket.com/albums/vv313/sirMAXX77/misc/maliciousyoutubesearch.jpg

I request you to run the tools and follow the instructions given here for your Vundo removal:

http://forum.avast.com/index.php?topic=53253.0

Thank you, I have gone to the link you provided and followed the instructions… the only thing is the logs are too long to post. malwarebytes found nothing, OTS log is so long and can hardly summarize what I’m looking at

So is your problem fixed, I suppose? ;D

No, it’s still there, someone needs to look at it and see what it is.

Sirmaxx,

Please don’t follow Shreyas’ suggestions. He doesn’t know what he is doing. Please wait until someone else posts or please follow the first post in this topic: http://forum.avast.com/index.php?topic=53253.0 (which is from a malware expert, unlike Shreyas who is here on the forum trying to break other users’ computers.)

malwarebytes found nothing
did you update it before you scanned?
OTS log is so long and can hardly summarize what I’m looking at
post OTS log as an attachment

lower left corner > Additional Options > Attach

if it is too big to attach, then upload to Mediafire and post the download link here http://www.mediafire.com/

How to remove Virtumonde http://www.bleepingcomputer.com/virus-removal/remove-vundo-virtumonde

Vundo aka Virtumonde is a very nasty piece of malware as the latest variants are a bit like file infectors.
http://www.securelist.com/en/blog/208187466/Virtumonde_Vundo_goes_file_infector

“The authors are now using file infection so Virtumonde checks which files run at Windows startup and tries to infect them. Effectively this means that Virtumonde turns the original host file into a Trojan-Dropper.”

Could you upload the log to Mediafire and post the sharing link?

Quote from: Pondus

malwarebytes found nothing
did you update it before you scanned?

yes

OTS log is so long and can hardly summarize what I’m looking at
post OTS log as an attachment

http://www.mediafire.com/?cgh3tbi7p38rjyi

Well this sucks. I read the other link too, I still wonder where I got it. I might need more help on how to use Stopzilla, seems a little involved.

From other stuff I read, what happens is that certain sites get blocked. Google and Facebook still work.

One thing that happened that was weird is that the Windows Action Center was telling me my firewall was disabled.

I wouldn’t waste time with other tools or suggestions and follow only essexboy’s instructions, and hopefully you won’t have missed him.

The reason not to waste time is essexboy has limited time available to be on the forums, around 7-11 pm UK time, now 10:40pm in the UK. So if you miss out he won’t be back on-line for some time.

Poo. Well, I can only wait I guess.
Well okay essex, I uploaded to Mediafire. I’ll watch out for any weird activity and let you know if I see anything. I try to keep my machine as clean as possible, I update regularly or automatically if it allows. I use Win 7 (64-bit), Avast, Comodo Firewall, Malwarebytes, Hitman Pro, SUPERAntiSpyware, CCleaner, Firefox with WOT add-on.
I don’t click on ads, install or use any toolbars or install any other strange plugins.

Hopefully he may be back on-line before going to bed, I have sent him a PM with a link to the mediafire upload you made in reply #10 above.

Maybe I should have asked first but should I install Java? I think I was only using Flash and I don’t think my machine had Java on it at all. There was something I saw that mentioned that Java being out of date could be a target for Vundo.

If you have been getting by without JAVA installed, then I see no point in installing it.

If you haven’t got it installed, then you don’t have an old version and you don’t have a vulnerability/target for exploit?

I decided to post a video of it, of me trying it again to show what I’m seeing.
http://www.youtube.com/watch?v=FUCL2fLNkhg

What are your current problems?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2920811595-138694612-3144721724-1002\] > -> HKEY_USERS\S-1-5-21-2920811595-138694612-3144721724-1002\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files - No Company Name]
NY ->  clip0001.avi -> C:\Users\Preston\Documents\clip0001.avi
NY ->  Olcodec.dll -> C:\Windows\SysWow64\Olcodec.dll
NY ->  OLSBMIX.DLL -> C:\Windows\SysWow64\OLSBMIX.DLL
[Files/Folders - Unicode - All]
NY -> C:\Windows\SysNative\?3 -> C:\Windows\SysNative\ꌐ3
NY -> C:\Windows\SysNative\?3 -> C:\Windows\SysNative\ꌐ3
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

Awesome, thanks :)
I have still yet to run the fix, but before I start, to answer your first question: as far as PC performance, no problems actually. The only malware on my whole machine is OLSBMIX.dll that shows as a Vundo, but I don’t think it’s doing anything, yet.

OK, so when I run the fix do I paste the script and follow the same steps as in the first scan, customizing the controls? Or do I just paste and run it?