9 replies to this topic

[e3henri]

After updating to 1820 it detects A Vundo Trojan in wextract.
After a succesful removal and a new scan it is still there.
This was not present in 1819. False?
I just a removed a lots a trojans with this excellent tool (I didnt know I had them and I though I was an experienced user who doesnt get "shit" in my computer) so Im a bit angious right now to get my machine totally clean.

Great program. Finds more than Spyware doctor


(Swedish log file - sorry for that)

Malwarebytes' Anti-Malware 1.34
Databasversion: 1820
Windows 5.1.2600 Service Pack 3

2009-03-05 10:53:35
mbam-log-2009-03-05 (10-53-35).txt

Skanningstyp: Snabb skanning
Antal skannade objekt: 65168
Förfluten tid: 4 minute(s), 40 second(s)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 0
Infekterade registervärden: 0
Infekterade registerdataposter: 0
Infekterade mappar: 0
Infekterade filer: 1

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
(Inga illasinnade poster hittades)

Infekterade registervärden:
(Inga illasinnade poster hittades)

Infekterade registerdataposter:
(Inga illasinnade poster hittades)

Infekterade mappar:
(Inga illasinnade poster hittades)

Infekterade filer:
C:\WINDOWS\system32\wextract.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

[e3henri]

Developer log:
Infekterade filer:
C:\WINDOWS\system32\wextract.exe (Trojan.Vundo) -> Quarantined and deleted successfully. [5253514247403034173621171717182334393639392422172539391822352118181717171822373
61917251717363636363636363636362535393922222535383625182437173635181717171717172
4
22181725202437181717172422173425202437182139382422172120203617383518253939242218
2
13939242218173939242217363939242217253939202234173621171717183939182235361818171
7
171822373619]

[BitsnBytes]

I have exactly the same


Malwarebytes' Anti-Malware 1.34
Database version: 1820
Windows 5.1.2600 Service Pack 3

05/03/2009 10:05:17
mbam-log-2009-03-05 (10-05-03).txt

Scan type: Quick Scan
Objects scanned: 104289
Time elapsed: 1 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wextract.exe (Trojan.Vundo) -> No action taken. [5253514247403034173621171717182334393639392422172539391822352118181717171822373
61917251717363636363636363636362535393922222535383625182437173635181717171717172
4
22181725202437181717172422173425202437182139382422172120203617383518253939242218
2
13939242218173939242217363939242217253939202234173621171717183939182235361818171
7
171822373619]

[Stefano Giordano]

Had the same as reported in
this thread

[e3henri]

Stefano Giordano, on Mar 5 2009, 11:35 AM, said:

Had the same as reported in
this thread

I created this new thread since it looks like the old wextract problem was solved over a week ago and this new issue is started from 1820.
But lets the admins decide what to do.
Hope to get any feedback soon.
But since there are at least 3 people reporting this in the last 30 minutes and think it is false.

[PixelPlay]

I got something similar to that as well. 3 instances of wextract.exe appeared when I performed a full scan. So now I'm just sitting here with the results page open wondering if it's safe to remove them.

Files Infected:
C:\WINDOWS\ServicePackFiles\i386\wextract.exe (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wextract.exe (Trojan.Vundo) -> No action taken.
C:\WINDOWS\$NtServicePackUninstall$\wextract.exe (Trojan.Vundo) -> No action taken.

I am getting tired would it make a difference if I were to remove them?
Sorry if this is the wrong place to post.

[e3henri]

PixelPlay, on Mar 5 2009, 12:23 PM, said:

I got something similar to that as well. 3 instances of wextract.exe appeared when I performed a full scan. So now I'm just sitting here with the results page open wondering if it's safe to remove them.

Files Infected:
C:\WINDOWS\ServicePackFiles\i386\wextract.exe (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wextract.exe (Trojan.Vundo) -> No action taken.
C:\WINDOWS\$NtServicePackUninstall$\wextract.exe (Trojan.Vundo) -> No action taken.

I am getting tired would it make a difference if I were to remove them?
Sorry if this is the wrong place to post.

I removed mine (in service32\) and it says successfully removed. After a new smart scan It is still there.
Dont know if the remove does anything in the case

[steveg]

I also had the same today with wextract.exe, I allowed it to be deleted, figuring I can always restore it from quarantine it it turns out to be an FP.

Steve

[PixelPlay]

e3henri, on Mar 5 2009, 03:30 AM, said:

I removed mine (in service32\) and it says successfully removed. After a new smart scan It is still there.
Dont know if the remove does anything in the case

Hmm alrighty then.
I'm just afraid if I were to shutdown and go to sleep that it'll damage my computer or if I were to delete them and it ends up as a false positive that it'll damage my computer.
I'm not to experienced in false positives so any clarification is appreciated. ^^;

[Fatdcuk]

Confirmed as F/P.

Please add to your ignore list and or restore from quarantine.

This should be fixed shortly in defs update.