Trojan.Vundo-Variant/F

oh boy, what did i do now?
Image shows the location. You can see the multiple times i have tried to remove it with SAS and it keeps coming back. i don’t know where it came from, but i have a feeling it might have come from YouTube. i did this search in YT that i heard about, the one that gives you a virus if you type the words “worlds most infected computer” into the YT search, and like an idiot i tried it, thinking my firewall and AV could handle it. Avast blocked it (image at bottom), but now i have this. how do i get rid of it? i used OTS and the log is really long, but if someone can make sense of it i can send it.

have you told that to youtube?
you say that if i search for a video on youtube with a special search word combination, my computer automatically gets infected with a really bad variant. that would mean it is possible to get people infected with any search words that lead to such a file in the future.

if that's a fact, it would be a serious thing, and should be addressed to the right place.

EDIT: so, i did the same search in a sandbox. i got a result page like normal. is there a special video to select, or does the search alone already infect you, according to the “legend”?

upload the files in question to virustotal for comparative testing across many engines.

maybe it's still a false positive from SAS, as has been mentioned when you search for this variant together with SAS.

what i still don't understand: what has avast blocked (a URL)?

i did.
you don’t have to select anything, all you do is type in the words and whamo.
i did think of using hypercam to show it again and i'm kinda tempted to try it, but i'm not sure that would be a smart idea.

i'll see if i can submit the file. avast blocked the url.
in the parent window that YouTube was in, Avast popped up that it blocked a malicious url and loaded a blank page in the parent window to stop any more loading of the page.

my guess now:

on youtube, your avast blocked a page because there was a malicious “code text”, ineffective as part of the description of a given video. that's why you got the block when you searched for “worlds most infected computer”, and not for a search like “everyone is interested in this popular video”.
but a virus author would choose the latter example, to spread his newborn before it gets caught.
you showed a way to scare avast users, maybe :wink:
while there are definitely scenarios where avast would protect you with this feature.

after you were alarmed by this blocking incident together with the horror story, you found something totally unrelated:
a) a false positive (find out with virus total and the quarantined files)
or
b) a real trojan, which you can count yourself lucky to have found out about through this unrelated URL blocking incident.

two good on-demand scanners for such situations, as a second opinion:
malwarebytes antimalware [free version] (for threats not yet commonly detected; that's why the database seems very small)
and
a-squared free/ now named emsisoft antimalware (for scanning with two engines).

neither free version has a guard, which makes them ideal candidates for on-demand second opinions.

good bit of insight.
i tried it two more times to see if it would duplicate itself. i still got the same alerts, but still only have the one and i can't get rid of it.

i use win 7 (64bit), avast, comodo firewall, malwarebytes, hitman pro, superantispyware, ccleaner, OTS (for diagnosis), and firefox with the WOT add-on. i dont click on any ads; if i get a popup i close it straight away, and WOT usually jumps in and blocks it if it has a bad rating. i dont use any toolbars or install strange plugins. i use flash to display stuff in my browser, and i haven’t had java on my machine. wish i could find out where this trojan came from.

okay, so i decided to try it again. but this time i recorded it. here is the video of me trying it again to show what im seeing.

what is telling you that you have a trojan? is it just SAS? or do virustotal (many products) and malwarebytes and a-squared free tell you the same?

if you really have a trojan, i would reinstall the system, formatting the operating system partition first. that's why you should be sure it's not a false alarm!

and what you showed in the video can still be the web shield (of avast) finding written code on a page. but this code can just be normal text which isn't executed.
my antivirus didn't report anything about a virus, my defense+ blocked nothing, and my sandbox contained no file like the one mentioned.
it's most likely not youtube that spreads it. your main concern now should be to determine if your computer is really infected with a trojan (and all the stuff it may have done, like a backdoor etc.), or if it's a false alarm. find out by comparing file scan results, and by running at least two additional scans with different on-demand programs.

when you have reinstalled after the infection, visit youtube again, and i am sure you won't get that infection by visiting a youtube search page :slight_smile:

-use host intrusion protection in the future, so files cannot execute without a prompt. comodo has defense+. i dont know if avast has something like that.
-noscript add-on for firefox (make the right settings). it's very useful, and you decide which pages are allowed to execute scripts.

there is news about thousands of normal pages (which were using the same “site-making kit”) having been injected with code to infiltrate users' computers by trying (5) different vulnerabilities… for example flash.
with noscript, your whitelisted pages would have to get hacked before they could even try it. then you have host intrusion protection, then you have an antivirus, then you might use sandboxie…
the key to be better protected is “adding layers”.

i went through the related result page on youtube. there is indeed one video where a malicious code example is written in the description.
as this code might be a threat if it gets executed, avast blocked the page which contained this description.

so we need just to continue to find out if you have a real trojan on your computer (wherever it came from).

I would not worry too much about having only a file of a possible malware sitting on the hard drive. It is not running in memory nor are there registry keys to make it start with Windows.

In case of doubt let various scanners check your computer.
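The post above draws the line at "not running in memory and no registry keys to start it with Windows", and earlier replies suggest comparing verdicts on virustotal. The following PowerShell script is an added example, not code from any poster in this thread, that performs those checks for a named file: it hashes each copy it finds (SHA-256, the value you paste into the virustotal search), lists any running process that has the module loaded, and searches the Run/RunOnce keys, services and scheduled tasks for a reference to it. OLSBMIX.dll is the file name reported later in the thread; the search roots and the assumption of PowerShell 4 or newer (Get-FileHash, Get-CimInstance) are mine, so adjust the roots to wherever your scanner reported the file.

```powershell
# Added example (not from the thread): is a suspect DLL actually active,
# or just sitting on disk? Three checks: a SHA-256 for a VirusTotal lookup,
# whether any running process has it loaded, and whether an autostart
# location references it. OLSBMIX.dll is the name the OP reports; the
# search roots below are assumptions, not locations the thread states.
param(
    [string]$SuspectName = 'OLSBMIX.dll',
    [string[]]$SearchRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $env:TEMP)
)
$pattern = [regex]::Escape($SuspectName)

# 1. Locate copies on disk and hash them (Get-FileHash defaults to SHA-256).
$copies = @($SearchRoots | Where-Object { Test-Path $_ } |
    ForEach-Object { Get-ChildItem -Path $_ -Filter $SuspectName -File -Recurse -ErrorAction SilentlyContinue })
if ($copies.Count -eq 0) { "no file named $SuspectName under the searched roots" }
foreach ($f in $copies) {
    $h = Get-FileHash -Path $f.FullName -Algorithm SHA256
    "{0}`n  SHA256: {1}`n  size: {2} bytes, modified: {3}" -f $f.FullName, $h.Hash, $f.Length, $f.LastWriteTime
}

# 2. Is it loaded in any process right now? Reading .Modules of a protected
#    process (or one of the other bitness) throws; those are skipped, not fatal.
$loaded = @(Get-Process | ForEach-Object {
    $p = $_
    $mods = @()
    try { $mods = $p.Modules } catch { }
    $mods | Where-Object { $_.ModuleName -ieq $SuspectName } |
        ForEach-Object { [pscustomobject]@{ Process = $p.ProcessName; PID = $p.Id; Path = $_.FileName } }
})
if ($loaded.Count) { "loaded in running processes:"; $loaded | Format-Table -AutoSize }
else { "not loaded in any running process" }

# 3. Autostart references: Run/RunOnce keys in both hives (plus the 32-bit
#    view on 64-bit Windows), services, and scheduled tasks. schtasks is used
#    instead of Get-ScheduledTask because it also exists on Windows 7.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$hits = @()
$hits += @($runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $key = $_
    # PS* properties (PSPath, PSDrive, ...) are provider metadata, not values.
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -imatch $pattern } |
        ForEach-Object { [pscustomobject]@{ Location = $key; Entry = $_.Name; Command = $_.Value } }
})
$hits += @(Get-CimInstance Win32_Service | Where-Object { $_.PathName -imatch $pattern } |
    ForEach-Object { [pscustomobject]@{ Location = 'service'; Entry = $_.Name; Command = $_.PathName } })
$hits += @(schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -imatch $pattern } |
    ForEach-Object { [pscustomobject]@{ Location = 'scheduled task'; Entry = $_.TaskName; Command = $_.'Task To Run' } })
if ($hits.Count) { "autostart references:"; $hits | Format-Table -AutoSize }
else { "no autostart reference to $SuspectName found" }
```

Run it from an elevated prompt so the service list and the HKLM keys are readable and more processes expose their module lists. A file that shows up in none of the three places matches the "sitting on the hard drive" case described above; one that reappears after deletion with no autostart reference still needs explaining, which is where the on-demand scanners and the hash comparison come in.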

that file cannot be stopped from reappearing, as the OP says. so there must be something to worry about in a way.

See if it can be removed in Safe Mode either manually or with a scanner.

none of my other scanners or my AV say anything; just SAS shows it.
reinstalling windows is not an option for me unless my OS is completely destroyed, and i dont want to buy a new computer.
i think the youtube alert i get from avast is just from written code in the description. i still think YT shouldn’t allow that kind of conduct.
i’ll see about the noscript add-on.
i did make some changes on my computer: i set avast’s heuristics sensitivity to high, comodo’s alerts to high but not max, and selected to use comodo’s secure DNS servers; on SAS i selected a browser anti-hijacker option; in firefox i checked the option to not accept any tracking cookies; and in the WOT add-on i increased the sensitivity, so when i click on any hyperlink or get redirected it doesn’t load anything, but first checks the url’s reputation score and automatically blocks any url with less than an average rating.
as far as layers go, all i have so far is avast, comodo firewall, firefox itself, WOT and then whatever alerts windows can muster.

i would like to know where the vundo came from.

i know that OLSBMIX.dll is not doing anything. but it is odd that it does respawn. i havent tried safe mode yet.

i just ran a scan (updated first) and ran ccleaner for junk files and registry errors; avast, malwarebytes and hitman pro found nothing. SAS just found that one file again. i ran a fix with OTS and i have the log. i never checked the status of that file after OTS ran the fix. i dont even know if its gone yet.

its gone :slight_smile: i think the OTS fix got rid of it

hey clockwork, so i added noscript, are there any changes i should make? also there is this other add-on for firefox called adblock plus, is it any good? for comodo, how do i enable protection from host intrusion?

adblock plus is nice. but when you use pages which you want to support, disable adblock for those pages. right click on the icon.
choose a few filters for it from its list (for example easylist + easyprivacy)

this rule is valid for everything: make the settings, go through all the windows and look at what is there. for noscript the same. otherwise you don't know what something does. i don't know the default, so i can't tell you the changes. make it safe :wink: . there are some tabs, and tabs in tabs.

host intrusion protection is something like defense+, and in a way a firewall.

hello, sirmaxx ;D

this is no virus. when i went into investigation i found that the description of the video contained some script that disabled the keyboard... well, this triggered avast! to block the site... this is no virus, just a stupid script... vundo has to be removed if it is present on your computer... but it didn't come from this site, i am sure... so if u want to remove vundo, download and run this tool:

download link:
http://majorgeeks.com/downloadget.php?id=4430&file=9&evp=1810324786e2e981a7ef3af23d31b2f2

i copied and pasted the link into google search. doesn't look like anything i want to click on.