Can't remove Vundo/MS Juan trojan

[Michael]

I tried 5 different apps but I can't keep this removed. It keeps reappearing
in the registry as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan. Is there a
fix to remove this permanently?

 

[nass]

I tried 5 different apps but I can't keep this removed. It keeps reappearing
in the registry as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan. Is there a
fix to remove this permanently?

Read these info:
http://www.castlecops.com/t224702-Help_please_vundo_MS_Juan.html

http://www.bleepingcomputer.com/forums/topic135123.html

http://forums.techguy.org/malware-removal-hijackthis-logs/721487-another-vundo-case-sorry-ms.html
http://forum.avast.com/index.php?topic=36067.15

Right click on the subfolder on that Key and select permissions and assign
yourself a full control on that key then try the deletion, does it help?

Start in safe mode and try the deletion.
Try this tool:
http://www.ccleaner.com
HTH.
nass

 

[Michael]

I can delete MS Juan but it keeps coming back.

Read these info:
http://www.castlecops.com/t224702-Help_please_vundo_MS_Juan.html

http://www.bleepingcomputer.com/forums/topic135123.html

http://forums.techguy.org/malware-removal-hijackthis-logs/721487-another-vundo-case-sorry-ms.html
http://forum.avast.com/index.php?topic=36067.15

Right click on the subfolder on that Key and select permissions and assign
yourself a full control on that key then try the deletion, does it help?

Start in safe mode and try the deletion.
Try this tool:
http://www.ccleaner.com
HTH.
nass

 

[TaurArian]

FYI - http://www.microsoft.com/security/portal/Entry.aspx?name=Win32/Vundo
Vundo (McAfee)
Trojan:Win32/Vundo.K (Microsoft)
Vundo.gen18 (Norman)
Summary
Win32/Vundo is a multiple-component family of programs that deliver 'out of context'
pop-up advertisements. They may also download and execute arbitrary files.
Vundo is often distributed as a DLL file and installed on an affected machine as a Browser
Helper Object (BHO) without a user's consent. This family uses advanced defensive and
stealth techniques to escape detection and to hinder removal.

For assistance -

Try the Security - Viruses Newsgroup

OE client -
news://msnews.microsoft.com/microsoft.public.security.virus
or
Web client -
http://www.microsoft.com/communitie...e99-3241-4584-87eb-b55d8ffb3c8c&lang=en&cr=us


--

TaurArian [MVP] 2005-2009 - Update Services
http://taurarian.mvps.org
======================================
How to ask a question: http://support.microsoft.com/kb/555375
Computer Maintenance: Acronis / Diskeeper / Paragon / Raxco


|I can delete MS Juan but it keeps coming back.
|
| | >
| >
| > "Michael" wrote:
| >
| >> I tried 5 different apps but I can't keep this removed. It keeps
| >> reappearing
| >> in the registry as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan. Is
| >> there a
| >> fix to remove this permanently?
| >
| > Read these info:
| > http://www.castlecops.com/t224702-Help_please_vundo_MS_Juan.html
| >
| > http://www.bleepingcomputer.com/forums/topic135123.html
| >
| >
http://forums.techguy.org/malware-removal-hijackthis-logs/721487-another-vundo-case-sorry-ms.html
| > http://forum.avast.com/index.php?topic=36067.15
| >
| > Right click on the subfolder on that Key and select permissions and assign
| > yourself a full control on that key then try the deletion, does it help?
| >
| > Start in safe mode and try the deletion.
| > Try this tool:
| > http://www.ccleaner.com
| > HTH.
| > nass
| > ---
| > http://www.nasstec.co.uk
| >
|
|

 

[Elmo]

I can delete MS Juan but it keeps coming back.

But you need to boot to Safe Mode, and run at least, a good a/v program
and a good spyware program to remove whatever keeps reapplying that
registry entry.

"Safe Mode with Networking" should allow you to update your compromised
a/v software before the full scan.

And as a last resort, or just as further protection against the next
infection, Spybot S&D includes "Tea Timer" which alerts you to registry
changes. Once you set it to not allow that change, and to remember the
reply, you shouldn't see it added again. Tea Timer can also alert you
to other changes, but it is a nuisance at times.. You can turn off the
alerts at each remembered block or allow operation though.

 

[jimbo571]

I can delete MS Juan but it keeps coming back.

Read these info:
http://www.castlecops.com/t224702-Help_please_vundo_MS_Juan.html

http://www.bleepingcomputer.com/forums/topic135123.html

http://forums.techguy.org/malware-removal-hijackthis-logs/721487-another-vundo-case-sorry-ms.html
http://forum.avast.com/index.php?topic=36067.15

Right click on the subfolder on that Key and select permissions and assign
yourself a full control on that key then try the deletion, does it help?

Start in safe mode and try the deletion.
Try this tool:
http://www.ccleaner.com
HTH.
nass

Are you using any registry security programs ?- they can stop you
editing the registry .

 

[nass]

But you need to boot to Safe Mode, and run at least, a good a/v program
and a good spyware program to remove whatever keeps reapplying that
registry entry.

"Safe Mode with Networking" should allow you to update your compromised
a/v software before the full scan.

And as a last resort, or just as further protection against the next
infection, Spybot S&D includes "Tea Timer" which alerts you to registry
changes. Once you set it to not allow that change, and to remember the
reply, you shouldn't see it added again. Tea Timer can also alert you
to other changes, but it is a nuisance at times.. You can turn off the
alerts at each remembered block or allow operation though.

I think Michael need to run a thorough scan again and then Delete all
restore points then recreate a new one by doing this:
Right click on "My Computer" select properties then click on System Restore
Tab and checking this check box:
[ ] Turn OFF System Restore on all drivers

Click [Apply] then [OK].
Repeat the steps again and this time Uncheck the check Box:
[ ] Turn OFF System Restore on all drivers

Click [Apply] then [OK].
Reboot your machine, do you still see the Entry for the Trojan?

Also jimbo571 Opera (lol) given a good option that if you are running a
security software in real time can block the chamges and on Restart all comes
back to original settings.
HTH

 

[Elmo]

I fought this problem for a long time and finally figured out that
Spybot's Tea Timer was the program that was stopping me from deleting
the Vundo/Virtumonde entries in the registry. I temporarily disabled
Spybot's Tea Timer, deleted the problem entries, rebooted and it got rid
of the problem.

Yes, Tea Timer can be confusing; you can't tell at times whether the
change is what you tried, or it's the malware trying to reinsert its
registry entries.

 

[ju.c]

Please don't delete previous posts, thanks.