wextract.exe (Trojan.Vundo)


9 replies to this topic

#1 e3henri

    New Member

  • Members
  • 5 posts

Posted 05 March 2009 - 04:57 AM

After updating to 1820 it detects a Vundo Trojan in wextract.
After a successful removal and a new scan it is still there.
This was not present in 1819. False?
I just removed a lot of trojans with this excellent tool (I didn't know I had them and I thought I was an experienced user who doesn't get "shit" in my computer) so I'm a bit anxious right now to get my machine totally clean.

Great program. Finds more than Spyware Doctor.


(Swedish log file - sorry for that)

Malwarebytes' Anti-Malware 1.34
Databasversion: 1820
Windows 5.1.2600 Service Pack 3

2009-03-05 10:53:35
mbam-log-2009-03-05 (10-53-35).txt

Skanningstyp: Snabb skanning
Antal skannade objekt: 65168
Förfluten tid: 4 minute(s), 40 second(s)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 0
Infekterade registervärden: 0
Infekterade registerdataposter: 0
Infekterade mappar: 0
Infekterade filer: 1

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
(Inga illasinnade poster hittades)

Infekterade registervärden:
(Inga illasinnade poster hittades)

Infekterade registerdataposter:
(Inga illasinnade poster hittades)

Infekterade mappar:
(Inga illasinnade poster hittades)

Infekterade filer:
C:\WINDOWS\system32\wextract.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

#2 e3henri

    New Member

  • Members
  • 5 posts

Posted 05 March 2009 - 05:03 AM

Developer log:
Infekterade filer:
C:\WINDOWS\system32\wextract.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

#3 BitsnBytes

    New Member

  • Members
  • 1 posts

Posted 05 March 2009 - 05:26 AM

I have exactly the same


Malwarebytes' Anti-Malware 1.34
Database version: 1820
Windows 5.1.2600 Service Pack 3

05/03/2009 10:05:17
mbam-log-2009-03-05 (10-05-03).txt

Scan type: Quick Scan
Objects scanned: 104289
Time elapsed: 1 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wextract.exe (Trojan.Vundo) -> No action taken.

#4 Stefano Giordano

    New Member

  • Members
  • 3 posts

Posted 05 March 2009 - 05:35 AM

Had the same as reported in this thread

#5 e3henri

    New Member

  • Members
  • 5 posts

Posted 05 March 2009 - 05:38 AM

Had the same as reported in this thread

I created this new thread since it looks like the old wextract problem was solved over a week ago and this new issue started with 1820.
But let's let the admins decide what to do.
Hope to get some feedback soon.
But since there are at least 3 people reporting this in the last 30 minutes and think it is false.

#6 PixelPlay

    New Member

  • Members
  • 6 posts

Posted 05 March 2009 - 06:23 AM

I got something similar to that as well. 3 instances of wextract.exe appeared when I performed a full scan. So now I'm just sitting here with the results page open wondering if it's safe to remove them.

Files Infected:
C:\WINDOWS\ServicePackFiles\i386\wextract.exe (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wextract.exe (Trojan.Vundo) -> No action taken.
C:\WINDOWS\$NtServicePackUninstall$\wextract.exe (Trojan.Vundo) -> No action taken.

I am getting tired; would it make a difference if I were to remove them?
Sorry if this is the wrong place to post.

#7 e3henri

    New Member

  • Members
  • 5 posts

Posted 05 March 2009 - 06:30 AM

I got something similar to that as well. 3 instances of wextract.exe appeared when I performed a full scan. So now I'm just sitting here with the results page open wondering if it's safe to remove them.

Files Infected:
C:\WINDOWS\ServicePackFiles\i386\wextract.exe (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wextract.exe (Trojan.Vundo) -> No action taken.
C:\WINDOWS\$NtServicePackUninstall$\wextract.exe (Trojan.Vundo) -> No action taken.

I am getting tired; would it make a difference if I were to remove them?
Sorry if this is the wrong place to post.

I removed mine (in service32\) and it says successfully removed. After a new smart scan it is still there.
Don't know if the remove does anything in this case.

#8 steveg

    New Member

  • Members
  • 1 posts

Posted 05 March 2009 - 06:31 AM

I also had the same today with wextract.exe, I allowed it to be deleted, figuring I can always restore it from quarantine if it turns out to be an FP.

Steve

#9 PixelPlay

    New Member

  • Members
  • 6 posts

Posted 05 March 2009 - 06:38 AM

I removed mine (in service32\) and it says successfully removed. After a new smart scan it is still there.
Don't know if the remove does anything in this case.


Hmm alrighty then.
I'm just afraid if I were to shut down and go to sleep that it'll damage my computer or if I were to delete them and it ends up as a false positive that it'll damage my computer.
I'm not too experienced in false positives so any clarification is appreciated. ^^;

#10 Fatdcuk

    Malware BBQ'er

  • Moderators
  • 20,543 posts
  • Gender:Male
  • Location:127.0.0.1

Posted 05 March 2009 - 06:47 AM

Confirmed as F/P.

Please add to your ignore list and/or restore from quarantine.

This should be fixed shortly in defs update.
Ade Gill
Research Engineer
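
The correlation the thread arrives at by hand, as an added example (not part of the original posts and not Malwarebytes code): parse each posted log, Swedish or English, and flag a detection that several independent reports show under the same database version as a false-positive candidate. The sample logs are constructed, abridged from the logs above; `parse_log` and `fp_candidates` are hypothetical names.

```python
import re
from collections import defaultdict

# Headings of the file-detection section in the two log languages posted in the thread.
FILE_HEADINGS = ("Files Infected:", "Infekterade filer:")
DB_VERSION = re.compile(r"^(?:Database version|Databasversion):\s*(\d+)", re.M)
# "<path> (<detection>) -> <action>", optionally followed by a developer-mode "[...]" dump.
DETECTION = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>[^\[]+)")

def parse_log(text):
    """Return (database_version, [(path, detection, action), ...]) for one log."""
    m = DB_VERSION.search(text)
    version = int(m.group(1)) if m else None
    hits, in_files = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line in FILE_HEADINGS:          # the "Files Infected: 1" count line does not match
            in_files = True
        elif in_files and (d := DETECTION.match(line)):
            hits.append((d["path"], d["name"], d["action"].strip().rstrip(".")))
        elif in_files and line.endswith(":"):
            in_files = False               # next section heading
    return version, hits

def fp_candidates(logs, min_reports=2):
    """Detections seen in >= min_reports independent logs for the same database version."""
    seen = defaultdict(set)
    for report_id, text in logs.items():
        version, hits = parse_log(text)
        for path, name, _action in hits:
            seen[(version, name, path.rsplit("\\", 1)[-1].lower())].add(report_id)
    return {key: sorted(ids) for key, ids in seen.items() if len(ids) >= min_reports}

# Constructed sample logs, abridged from the ones posted above (dump replaced by a placeholder).
SAMPLE_LOGS = {
    "report_a": r"""Databasversion: 1820
Infekterade filer: 1
Infekterade filer:
C:\WINDOWS\system32\wextract.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
""",
    "report_b": r"""Database version: 1820
Files Infected: 1
Files Infected:
C:\WINDOWS\system32\wextract.exe (Trojan.Vundo) -> No action taken. [placeholder]
""",
    "report_c": r"""Files Infected:
C:\WINDOWS\ServicePackFiles\i386\wextract.exe (Trojan.Vundo) -> No action taken.
C:\WINDOWS\$NtServicePackUninstall$\wextract.exe (Trojan.Vundo) -> No action taken.
""",
}

if __name__ == "__main__":
    print(fp_candidates(SAMPLE_LOGS))
```

A log pasted without its header, like `report_c`, is keyed under database version `None` and does not count toward the 1820 group.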
