Antivirus 2009 / Trojan.Vundo.H

Dell / Dimension 4700...
January 21, 2009 at 15:23:05
Specs: Microsoft Windows XP Professional, 3.192 GHz / 502 MB
I have been fighting an issue for a few days with a virus/malware that generates a pop-up window titled "Antivirus 2009." I ran Malwarebytes' (several times) and it locates something called Trojan.Vundo.H. The log says that it will be removed upon reboot, but it does not remove it all and the "Antivirus 2009" pop-up keeps returning.

Here is the log from my latest scan. Can someone walk me through a removal?

Malwarebytes' Anti-Malware 1.33
Database version: 1656
Windows 5.1.2600 Service Pack 3

01/21/2009 5:21:23 PM
mbam-log-2009-01-21 (17-21-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 115760
Time elapsed: 55 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 11
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\subapade.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\voriyeji.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\pefedamu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\ugohwe.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39458c53-4dae-471a-a480-e3bc0b1d7dd9} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{39458c53-4dae-471a-a480-e3bc0b1d7dd9} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65d46614-611d-4af2-aa13-a34fc317a96e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{65d46614-611d-4af2-aa13-a34fc317a96e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{39458c53-4dae-471a-a480-e3bc0b1d7dd9} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bc262f68 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lejulibeye (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmbf151cf4 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\voriyeji.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\voriyeji.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\ugohwe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\subapade.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\edapabus.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\SYSTEM32\voriyeji.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\pefedamu.dll (Trojan.Vundo.H) -> Delete on reboot.
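The posted log itself explains why the pop-up keeps coming back: the Vundo DLLs are still loaded as memory modules, so Malwarebytes can only mark them "Delete on reboot", and the AppInit_DLLs value pointed at voriyeji.dll so that it is loaded again into new processes. As an added triage example (not part of the thread and not Malwarebytes' own tooling), this Python script parses that log layout, separates deferred deletions from completed ones and lists the autostart locations the entries used; the log excerpt is constructed from the entries in the post.

```python
import re
# Constructed excerpt in the layout of the Malwarebytes' Anti-Malware 1.33 log posted above (real use: read mbam-log-*.txt).
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\SYSTEM32\subapade.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\voriyeji.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lejulibeye (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\voriyeji.dll -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\SYSTEM32\voriyeji.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\edapabus.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""
# One finding per line: "<item> (<family>) -> [Data: <value> -> ]<action>."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+?)\.?$")
# Autostart locations seen in the posted log, keyed by a lowercase substring of the registry path.
PERSISTENCE = {
    "\\appinit_dlls": "AppInit_DLLs (loaded into every process that maps user32.dll)",
    "\\currentversion\\run\\": "Run key",
    "\\browser helper objects\\": "Browser Helper Object",
    "\\sharedtaskscheduler\\": "SharedTaskScheduler",
    "\\shellserviceobjectdelayload\\": "ShellServiceObjectDelayLoad",
}

def parse_mbam_log(text):
    """Return one dict per finding: section, item, family, action, data."""
    entries, section = [], None
    for line in map(str.strip, text.splitlines()):
        if line.endswith("Infected:"):            # section header such as "Files Infected:"
            section = line[:-1]
        elif section and (m := ENTRY_RE.match(line)):
            rest, data = m.group("rest"), None
            if rest.startswith("Data: "):         # registry data items also carry the value
                data, _, rest = rest[6:].partition(" -> ")
            entries.append({"section": section, "item": m.group("item"),
                            "family": m.group("family"), "action": rest, "data": data})
    return entries

def triage(entries):
    """Split what was really removed from what is deferred to reboot (still loaded), and
    list the autostart locations the infection used to reload itself."""
    pending = sorted({e["item"].lower() for e in entries if e["action"] == "Delete on reboot"})
    removed = [e["item"] for e in entries if e["action"].startswith("Quarantined")]
    persistence = {}
    for e in entries:
        for needle, label in PERSISTENCE.items():
            if needle in e["item"].lower():
                persistence.setdefault(label, []).append(e["data"] or e["item"].rsplit("\\", 1)[-1])
    return {"pending_reboot": pending, "removed": removed, "persistence": persistence}
```

Anything in `pending_reboot` after the reboot is still present, and the `persistence` list is where to look for the entry that re-created it.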


January 21, 2009 at 15:27:13
Please download and install the latest version of HijackThis v2.0.2:

Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename HJTInstall.exe to tools.exe in the filename box, then click Save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

January 21, 2009 at 15:49:29
What do you make of this? How do I know if you are an "expert"?

DO NOT post a HiJackThis log here unless an expert has requested it. Instead, please ask in plain english about what is wrong with your computer. You also may want to look at the automated HiJackThis analyzer by clicking here.

January 21, 2009 at 18:52:07
Now that is a good question, guess you'll have to take a chance if you want that computer cleaned.

January 22, 2009 at 07:43:22
Run the update in Malwarebytes. The current database version (as of this morning) is 1675. Reboot the PC in Safe Mode (press the F8 key on startup; you probably know this but there will be others who don't!), then run the scan.

Hope this helps

January 24, 2009 at 21:32:29
You should run SUPERAntiSpyware instead of running Malwarebytes.
Also try this manual removal help.

January 26, 2009 at 06:24:32
Did you solve your problem? If not, try to read this article:
