Full Version: Vundo Trojan
Malwarebytes Forum > Malwarebytes' Anti-Malware Support > General Malwarebytes' Anti-Malware Forum
Userndghelp
I'm a new Malwarebytes user. Last night I discovered that my PC was infected with the Vundo Trojan. I think Windows Defender had actually tried to stop it, but unfortunately I didn't immediately recognize the screen as being from Windows Defender and hesitated to click as directed. The screen had a large Windows-colored logo in the upper left corner and a large "2009" in the upper right; it looked different than anything I'd seen before, and I hesitated. In retrospect I think it may have been authentic (from Windows Defender), but if so, I didn't recognize it, didn't click, and may have lost my chance to stop the infection right then.

I started getting numerous fake security popups, so I started running scans to find out if the PC was infected. Avast runs resident, but it doesn't find anything. Spybot and Lavasoft AdAware don't either.

I had used Malwarebytes once in the past, so I tried it. The initial run found numerous problems, but also had numerous errors. It kept bringing up grey box popups saying to notify Malwarebytes of the error codes (could it have been running in developer mode?). There were exactly the same 2 two-digit codes on every popup, but of course I thought I'd remember them and didn't write them down. I know for certain that one of them was 09, but unfortunately I'm not certain about the other one (possibly 02).

After that initial run finished I viewed the log and took the recommended actions, including rebooting. However, the problems have not completely gone away. I did a full scan, and numerous quick scans since. Malwarebytes says it will delete certain entries upon reboot, but once I reboot they are back again. Also, once I reboot, something keeps turning "Automatic Updates" to "Off" in Control Panel Security.

I downloaded an update from Malwarebytes this afternoon, and have run a couple of quick scans since then, but the entries still don't go away. I've only done the one full scan (last night; it took approximately 2 hours).

Can anyone tell me if this appears to be something the developers are already working on? Again, I'm a new user, and would greatly appreciate any help!

Thanks!
Tigger93
Hello.

Please read and follow the instructions provided here: Pre-HJT Post Instructions
When ready please post your logs here: Malware Removal - HijackThis Logs

Someone will be happy to assist you further with cleaning your system.

During this scan and cleanup process you should not install any other software unless requested to do so.
Userndghelp
Already had Spybot installed, so checked for updates. No updates found. Switched to Advanced Mode and looked at Resident TeaTimer setting - was not checked, so did not make any change or reboot. Ran Spybot scan. Found 2 infections. Removed all items and immunized.

Had just downloaded a fresh copy of Malwarebytes' Anti-Malware yesterday, but downloaded it again by clicking on the Malwarebytes link in the above response. That sent me to Download.com to do the download (same place I got the fresh copy from yesterday). Did the install, making sure the checkmarks were there as directed. Did a Quick Scan, Show Results, Removed Selected. The resulting log is below:

Malwarebytes' Anti-Malware 1.31
Database version: 1472
Windows 5.1.2600 Service Pack 3

12/7/2008 6:31:50 PM
mbam-log-2008-12-07 (18-31-50).txt

Scan type: Quick Scan
Objects scanned: 57405
Time elapsed: 5 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\rayaluku.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f34ad56d-c085-47d8-ad27-e77ee7217599} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f34ad56d-c085-47d8-ad27-e77ee7217599} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jazedowajo (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\rayaluku.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\rayaluku.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\rayaluku.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\rayaluku.dll (Trojan.Vundo) -> Delete on reboot.

Will now work on running the scan from Panda ActiveScan.
Userndghelp
Additional note: Have not yet restarted the machine, since the directions did not mention that, although the log results below indicate some items won't be deleted until startup. Will run the Panda ActiveScan first, unless I receive different instructions.
Userndghelp
Just downloaded Panda using the link in the above message. Installed, then tried to run a full scan. The scan failed with an error:

"ActiveScan 2.0 Update: Update error", "Sorry, updating is incomplete due to an error. Please try again."

I've tried multiple times, but keep getting the same error.

I'll try the other product (ESET Online) shortly.
exile360
No worries. If some of the scans won't run, just do the ones you are able to and post the logs in a topic here: http://www.malwarebytes.org/forums/index.php?showforum=7 , as this is where they need the logs to help you out. Good luck and safe surfing.
Invision Power Board © 2001-2010 Invision Power Services, Inc.