Vundo Removal Please Help

By Belrum
Apr 27, 2009
  1. Been having some computer trouble with slowness and when I open windows task manager and select a process it highlights on and off as if it was selecting and de-selecting without me clicking it.

    Attached are my mbam and hijackthis logs. I believe I have a Vundo H virus as detected by mbam.

    Here is my MBAM log after selecting "Remove all detected objects":

    Malwarebytes' Anti-Malware 1.36
    Database version: 2051
    Windows 5.1.2600 Service Pack 3

    4/27/2009 5:56:42 PM
    mbam-log-2009-04-27 (17-56-42).txt

    Scan type: Quick Scan
    Objects scanned: 68477
    Time elapsed: 1 minute(s), 57 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 4
    Registry Keys Infected: 7
    Registry Values Infected: 5
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 6

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\yopareza.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\lajitizo.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\ranatepo.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\memotoga.dll (Trojan.Vundo.H) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2fed42c7-23d1-4516-92f0-dfc2129eca17} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{2fed42c7-23d1-4516-92f0-dfc2129eca17} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2fed42c7-23d1-4516-92f0-dfc2129eca17} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6013450d (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loteyeduvu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm63207691 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\yopareza.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\yopareza.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\memotoga.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\lajitizo.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\ozitijal.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\navijijo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\memotoga.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\ranatepo.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\yopareza.dll (Trojan.Vundo.H) -> Delete on reboot.

    Got a message that C:\WINDOWS\system32\lajitizo.dll could not be removed but would be added to the delete on reboot list.

    I am going to reboot and look forward to any further instructions that need to be taken.

    I'd very much appreciate help with this,


    - Belrum

    I'd greatly appreciate help with this, thanks.
  2. Belrum

    Belrum TS Rookie Topic Starter

    Attached is my hijackthis log after restarting.
  3. touch

    touch TS Rookie Posts: 978

    Hello Belrum

    I notice that you do not seem to be running antivirus software. This is somewhat suicidal in today's digital world. I'll therefore suggest you ->

    Run the steps in this guide:

    8-step Viruses/Spyware/Malware Preliminary Removal Instructions

    Post attached logs from:


    In your next reply
  4. Belrum

    Belrum TS Rookie Topic Starter

    Ok, I ran the SAS and here are the new logs.

    Are there more steps I need to do?
  5. touch

    touch TS Rookie Posts: 978

    Install Avira Free AntiVirus, from here ->

    Or: Avast

    Install, update it, run a complete scan.

    Reboot, attach fresh hijackthis log and tell how things are running?
Topic Status:
Not open for further replies.
