
Virus scan has found a file in c:/windows/system32/ddaba.dll. The antivirus software could not delete or quarantine this file and I have been unable to find it manually. Has anyone had this virus (TROJ_VUNDO.BE) and know of a way to easily remove it?

2006-08-08 01:59:34 · 9 answers · asked by channy 2 in Computers & Internet Security

9 answers

Description:

This memory-resident Trojan arrives as a file downloaded from the Internet by an unsuspecting user when visiting malicious Web sites. It may also arrive as a file bundled with another malware.

Upon execution, it injects itself into critical processes, such as WINLOGON.EXE and EXPLORER.EXE, to avoid easy detection and ensure its execution every time the target process executes.

This Trojan has functions, which may be used by other malware and grayware.

Solution:

Identifying the Malware Program

To remove this malware, first identify the malware program.

Scan your computer with your Trend Micro antivirus product.
NOTE the path and file name of all files detected as TROJ_VUNDO.BE.
Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use Housecall, the Trend Micro online virus scanner.

Deleting Malware Files using Recovery Console

This procedure allows the computer to restart by using the Windows installation CD.

Insert your Windows Installation CD in your CD-rom.
Press the restart button of your computer.
When prompted, press any key to boot from the CD.
When prompted on the Main Menu, type r to enter the recovery console.
Type the drive that contains Windows, then press Enter.
Type:
del {Malware path and file name} and press Enter.
Repeat the above procedure for all files detected earlier.
Type exit to restart the system.

Deleting Malware Files using Windows Startup Disk on Windows 98 and ME

Click Start>Settings>Control Panel.
In the Control Panel, double-click Add/Remove Programs. Click on the Startup Disk tab.
Insert a new floppy disk into the floppy drive, and the Windows Installation CD in the CD drive. Click on Create Disk button.
Restart the system with the Startup Disk inserted in the floppy drive.
In the command prompt, locate the folder where the Malware files are detected.
In the folder, type the following and press Enter:
del {Malware file name}
Restart the system.

Editing the Registry

This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

Removing Autostart Keys from the Registry

Removing autostart keys from the registry prevents the malware from executing at startup.

If the registry keys below are not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon>Notify
Still in the left panel, locate and delete the key whose data value is the malware path and file name of the file(s) detected earlier without its extension name(s).
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Explorer>Browser Helper Objects
Still in the left panel, locate and delete the key:
{D2109132-4A4F-4EA4-A05E-04121E3C179B}

Removing Added Entries from the Registry

Still in Registry Editor, in the left panel, double-click the following:
HKEY_CLASSES_ROOT>CLSID
Still in the left panel, locate and delete the following key:
{D2109132-4A4F-4EA4-A05E-04121E3C179B}
Close Registry Editor.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as TROJ_VUNDO.BE. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.


http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FVUNDO%2EBE&VSect=Sn

Or you can go to Trend Micro HouseCall and do a free virus scan; it will automatically remove this pest for you.

Details:

This Trojan arrives as a file downloaded from the Internet by an unsuspecting user when visiting malicious Web sites. It may also arrive as a file bundled with another malware.

Upon execution, it injects itself into critical processes, such as WINLOGON.EXE and EXPLORER.EXE, to avoid easy detection and ensure its execution every time the target process executes.

It then creates the following registry key to ensure its automatic execution whenever an instance of Internet Explorer (IE) is launched:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2109132-4A4F-4EA4-A05E-04121E3C179B}

On systems running Windows 2000, XP, and Server 2003, it creates the following entry and key as another autostart technique:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{Malware file name excluding the extension name}
DllName = "{Malware path and file name}.dll"

This Trojan also creates the following key as part of its installation routine:

HKEY_CLASSES_ROOT\CLSID\{D2109132-4A4F-4EA4-A05E-04121E3C179B}

If the affected user deletes the mentioned registry keys while this Trojan is already loaded onto the system, it recreates the said keys.

This Trojan has the following functions, which may be used by other malware and grayware:

Create processes
Log on or log off affected system
Protect processes from termination and detection
It comes with its own compression. It affects systems running on Windows 98, ME, NT, 2000, XP, and Server 2003.

2006-08-08 02:21:44 · answer #1 · answered by Visit Budget101.com 3 · 0 0
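The write-up above names two autostart locations (a Winlogon\Notify package whose DllName points at the Trojan, and a Browser Helper Object CLSID) and says the keys are recreated if deleted while the Trojan is loaded. A defender checking a machine therefore usually exports the relevant hives (reg export) and inspects them offline. The script below is an added example, not part of this answer or of Trend Micro's tool: it parses a .reg export and flags Notify packages that are not in an assumed Windows XP baseline or that use an explicit path, BHO and HKCR\CLSID keys matching the CLSID quoted above, and any other BHO for manual review. The sample export, the file paths in it, and the baseline list of Notify packages are constructed assumptions; compare the baseline against a clean reference host before relying on it.

```python
"""Offline audit of a .reg export for the Vundo-style autostart keys named in the
write-up above. Added example; not Trend Micro's or the poster's code."""
import re
from typing import Dict, List, Tuple

RegTree = Dict[str, Dict[str, str]]

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
HKCR_CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"

# The only CLSID the write-up names.
KNOWN_BAD_CLSIDS = frozenset({"{D2109132-4A4F-4EA4-A05E-04121E3C179B}"})

# Assumed baseline of Winlogon Notify packages on a default Windows XP install
# (lower-cased). Treat as an assumption and verify against a clean reference host.
BASELINE_NOTIFY = frozenset({"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                             "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"})

# Constructed sample of a `reg export` file. Paths are made up; only the CLSID is real.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddaba]
"DllName"="C:\\WINDOWS\\system32\\ddaba.dll"
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2109132-4A4F-4EA4-A05E-04121E3C179B}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000000}]
@="Example vendor BHO (constructed)"

[HKEY_CLASSES_ROOT\CLSID\{D2109132-4A4F-4EA4-A05E-04121E3C179B}]
@=""
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> RegTree:
    """Map each [key] to its values. String data is unescaped; dword/hex data is
    kept raw and multi-line hex continuations are not joined (not needed here)."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            tree[current][name] = data
    return tree


def audit(tree: RegTree) -> List[Tuple[str, str, str]]:
    """Return (category, key, detail) findings for the autostart locations above."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in tree.items():
        low = key.lower()
        if low.startswith(NOTIFY_KEY.lower() + "\\"):
            package = key[len(NOTIFY_KEY) + 1:]
            dll = values.get("DllName", "")
            reasons = []
            if package.lower() not in BASELINE_NOTIFY:
                reasons.append("package not in baseline")
            if "\\" in dll or "/" in dll:   # baseline packages use a bare file name
                reasons.append("DllName uses an explicit path")
            if reasons:
                findings.append(("winlogon-notify", key, f"DllName={dll!r}: " + "; ".join(reasons)))
        elif low.startswith(BHO_KEY.lower() + "\\"):
            clsid = key[len(BHO_KEY) + 1:].upper()
            if clsid in KNOWN_BAD_CLSIDS:
                findings.append(("bho-known-bad", key, "CLSID matches the write-up"))
            else:
                findings.append(("bho-review", key, "unrecognised BHO; check its InprocServer32 file under HKCR\\CLSID"))
        elif low.startswith(HKCR_CLSID_KEY.lower() + "\\"):
            if key[len(HKCR_CLSID_KEY) + 1:].upper() in KNOWN_BAD_CLSIDS:
                findings.append(("clsid-known-bad", key, "CLSID registration matches the write-up"))
    return findings


if __name__ == "__main__":
    for category, key, detail in audit(parse_reg(SAMPLE_REG)):
        print(f"[{category}] {key}\n    {detail}")
```

Run it against a real export with `audit(parse_reg(open("export.reg", encoding="utf-16").read()))`; reg export writes UTF-16 on XP and later. A Notify package flagged only for a missing baseline entry can be a legitimate third-party package, so the finding is a prompt to check the referenced DLL, not a verdict.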

This application is a Trojan, a program with hidden functionality that may include adware, spyware, malware, hacks and data mining. Troj/Agent-DJ is a downloader and spyware Trojan that will gather and transmit personal information to a remote server. It is often used to download and install the invasive Vundo adware program.
Go here for removal instructions, but do your research first: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=127690
It may also be infecting your System Restore. After cleaning, reboot; if all clear, turn off System Restore, reboot, then turn it back on.
Best advice: get a good virus scanner. I'm using Avast Pro 4.7, but their free version is excellent.

2006-08-08 02:06:10 · answer #2 · answered by pains_boot 2 · 0 0

There is a special tool made just to remove Vundo called VundoFIX. It is here:
http://www.atribune.org/content/view/24/2/
Good luck.

2006-08-08 08:01:51 · answer #3 · answered by jibberjabbar 6 · 0 0

Might wanna get on that quick; from what I know, that virus can attack your hard drive, but not sure. Download Ad-Aware SE Personal, that should get rid of it, or what the guy above me said.

2006-08-08 02:04:08 · answer #4 · answered by gtviper89 3 · 0 0

I suppose it is a Trojan. Maybe you can try to start the PC in safe mode and delete it manually.

2006-08-08 02:04:39 · answer #5 · answered by Leprechaun 6 · 0 0

Download AVG Pro, it will remove the virus, ok.

2006-08-08 02:05:21 · answer #6 · answered by nabiil 1 · 0 0

Check out the URL below.

Enjoy!

2006-08-08 02:10:51 · answer #7 · answered by QuietMe 3 · 0 0

Go here, download and run.

http://www.symantec.com/home_homeoffice/security_response/writeup.jsp?docid=2004-112210-3747-99

2006-08-08 02:06:34 · answer #8 · answered by master_akhkharu 3 · 0 0

Go to www.avast.com, download it, and have it run a boot-time scan.

2006-08-08 02:02:54 · answer #9 · answered by thunder2sys 7 · 0 0
