Trojan.vundo
Unsolved. This post is more than 5 years old.
Hi, I downloaded FixVundo from Symantec and I ran it about 10 times, and Norton is still indicating that Trojan.vundo is still on my computer. Can someone help me please?
dnee (3 Posts), December 2nd, 2005 00:00
tiajah (4 Posts), December 2nd, 2005 00:00
dnee (3 Posts), December 2nd, 2005 01:00
tiajah (4 Posts), December 2nd, 2005 01:00
ky331 (3 Apprentice, 15.2K Posts), December 2nd, 2005 13:00
Download [but do *NOT* yet run] FixVundo from
http://securityresponse.symantec.com/avcenter/FixVundo.exe
[we'll have you run it later]
Note: If you have previously downloaded this file on another occasion, please download it again, to be absolutely sure you have the most current version.
********************
Next, download VirtumundoBeGone from:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
* Save it to your Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the desktop
* Follow the directions as indicated
Please be advised that this program will generate a "BLUE SCREEN OF DEATH"... this is an expected/necessary part of the process, so don't be surprised when it happens.
Just reboot if your system "jams".
*********************
After rebooting, it's now time to run FixVundo (which you had downloaded earlier).
Make sure all other programs, including your Internet Browser, are closed.
Double-click the FixVundo.exe file to start the removal tool.
Click Start to begin the process, and then allow this tool to run.
Important: Do not launch any new applications while the tool is running!
Reboot your computer.
Run the FixVundo removal tool again to ensure that the system is clean.
*********************
It's now time to report back to us:
VirtumundoBeGone generated a "log" file of its own, which it should have placed on your Desktop... please REPLY to this thread, and copy/paste the VirtumundoBeGone log back here.
[It would also be prudent to follow up on this by generating and posting a HiJackThis log in the HJT forum.]
Nastassia (6 Posts), December 2nd, 2005 15:00
[12/01/2005, 21:28:34] - Looking for Browser Helper Object [MSEvents Object]
[12/01/2005, 21:28:34] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[12/01/2005, 21:28:34] - 2: {2DEA8791-C2B7-48E1-8992-8E8E6A6FE789} - Drop Spam Toolbar
[12/01/2005, 21:28:34] - 3: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} -
[12/01/2005, 21:28:34] - WARNING: 3: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - BHO Name is blank.
[12/01/2005, 21:28:34] - Checking for WinLogon Notify reference. (File: C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll)
[12/01/2005, 21:28:34] - Couldn't find deSrcAs in Winlogon Notify. Ignoring {4D25F921-B9FE-4682-BF72-8AB8210D6D75}.
[12/01/2005, 21:28:34] - 4: {5CA3D70E-1895-11CF-8E15-001234567890} - DriveLetterAccess
[12/01/2005, 21:28:34] - 5: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - CNisExtBho Class
[12/01/2005, 21:28:34] - 6: {B313D637-F405-4052-AC37-E2119AB3C8F8} - MSEvents Object
[12/01/2005, 21:28:34] - Found MSEvents Object!
[12/01/2005, 21:28:34] - File location: C:\WINDOWS\system32\jkhfc.dll
[12/01/2005, 21:28:34] - Attempting to kill C:\WINDOWS\system32\jkhfc.dll
[12/01/2005, 21:28:34] - Terminating Process: RUNDLL32.EXE
[12/01/2005, 21:28:35] - Terminating Process: IEXPLORE.EXE
[12/01/2005, 21:28:38] - Disabling Automatic Shell Restart
[12/01/2005, 21:28:39] - Terminating Process: EXPLORER.EXE
[12/01/2005, 21:28:41] - Suspending the NT Session Manager System Service
[12/01/2005, 21:28:41] - Terminating Windows NT Logon/Logoff Manager
[12/01/2005, 21:28:41] - Re-enabling Automatic Shell Restart
[12/01/2005, 21:28:42] - Renaming C:\WINDOWS\system32\jkhfc.dll -> C:\WINDOWS\system32\jkhfc.dll.vir
[12/01/2005, 21:28:42] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[12/01/2005, 21:28:42] - Removing Registry references to {B313D637-F405-4052-AC37-E2119AB3C8F8}
[12/01/2005, 21:28:42] - Adding Internet Explorer Protection (Kill ActiveX) for {B313D637-F405-4052-AC37-E2119AB3C8F8}
[12/01/2005, 21:28:42] - Removing Winlogon Notify Entry: jkhfc
[12/01/2005, 21:28:42] - BHO list has been changed! Starting over...
[12/01/2005, 21:28:42] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[12/01/2005, 21:28:42] - 2: {2DEA8791-C2B7-48E1-8992-8E8E6A6FE789} - Drop Spam Toolbar
[12/01/2005, 21:28:42] - 3: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} -
[12/01/2005, 21:28:42] - WARNING: 3: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - BHO Name is blank.
[12/01/2005, 21:28:42] - Checking for WinLogon Notify reference. (File: C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll)
[12/01/2005, 21:28:42] - Couldn't find deSrcAs in Winlogon Notify. Ignoring {4D25F921-B9FE-4682-BF72-8AB8210D6D75}.
[12/01/2005, 21:28:42] - 4: {5CA3D70E-1895-11CF-8E15-001234567890} - DriveLetterAccess
[12/01/2005, 21:28:42] - 5: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - CNisExtBho Class
[12/01/2005, 21:28:42] - 6: {BDF3E430-B101-42AD-A544-FADC6B084872} - CNavExtBho Class
[12/01/2005, 21:28:42] - Finished searching for [MSEvents Object]
[12/01/2005, 21:28:42] - Finishing up...
[12/01/2005, 21:28:42] - Enabling Automatic Reboot on STOP Error.
[12/01/2005, 21:28:42] - Attempting to Restart via STOP error (Blue Screen!)
[12/01/2005, 21:31:46] - Looking for Browser Helper Object [MSEvents Object]
[12/01/2005, 21:31:46] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[12/01/2005, 21:31:46] - 2: {2DEA8791-C2B7-48E1-8992-8E8E6A6FE789} - Drop Spam Toolbar
[12/01/2005, 21:31:46] - 3: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} -
[12/01/2005, 21:31:46] - WARNING: 3: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - BHO Name is blank.
[12/01/2005, 21:31:46] - Checking for WinLogon Notify reference. (File: C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll)
[12/01/2005, 21:31:46] - Couldn't find deSrcAs in Winlogon Notify. Ignoring {4D25F921-B9FE-4682-BF72-8AB8210D6D75}.
[12/01/2005, 21:31:46] - 4: {5CA3D70E-1895-11CF-8E15-001234567890} - DriveLetterAccess
[12/01/2005, 21:31:46] - 5: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - CNisExtBho Class
[12/01/2005, 21:31:46] - 6: {BDF3E430-B101-42AD-A544-FADC6B084872} - CNavExtBho Class
[12/01/2005, 21:31:46] - Finished searching for [MSEvents Object]
[12/01/2005, 21:31:46] - Nothing found! Exiting.
ky331 (3 Apprentice, 15.2K Posts), December 2nd, 2005 15:00
http://majorgeeks.com/download3155.html
You must create a separate folder and place it there... people commonly use C:\HJT. Note: please do *NOT* use a TEMP (temporary) folder, *NOR* your DESKTOP, as HJT will be generating log files and backup files in the folder from which it is run... you risk accidentally losing these if you use a TEMP folder, and you will generate extreme clutter if you use your DESKTOP.
The file above comes as a compressed .ZIP file... you have to UNzip it (hopefully, you have an UNzip utility built into your Windows Explorer). If for any reason you're unable to UNzip it, you can download the already-unzipped .EXE file from http://downloads.malwareremoval.com/HijackThis.exe
After Unzipping, double click on HiJackThis.EXE
Click on Do a System Scan and Save a LogFile
This will automatically open NotePad
Copy the entire file from NotePad: EDIT/SelectAll, EDIT/Copy
Then go to the new forum dedicated for HiJack This logs (**NOT** back here), and PASTE the results there:
http://forums.us.dell.com/supportforums/board?board.id=si_hijack
Be sure to include a detailed description of any problems/errors/warnings you are encountering.
Hopefully, one of the HJT experts will get to it as quickly as possible.
====================================================
POST SCRIPT: It has come to my attention that many people are unfamiliar with how to create the recommended sub-directory/folder C:\HJT ;
ky331 (3 Apprentice, 15.2K Posts), December 2nd, 2005 18:00
jvnut (2 Posts), December 2nd, 2005 18:00
vanessa-pok (7 Posts), December 3rd, 2005 04:00
[12/02/2005, 23:59:46] - Starting Process...
[12/02/2005, 23:59:46] - Looking for Browser Helper Object [MSEvents Object]
[12/02/2005, 23:59:46] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[12/02/2005, 23:59:46] - 2: {5CA3D70E-1895-11CF-8E15-001234567890} - DriveLetterAccess
[12/02/2005, 23:59:46] - 3: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - CNisExtBho Class
[12/02/2005, 23:59:46] - 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[12/02/2005, 23:59:46] - 5: {B313D637-F405-4052-AC37-E2119AB3C8F8} - MSEvents Object
[12/02/2005, 23:59:46] - Found MSEvents Object!
[12/02/2005, 23:59:46] - File location: C:\WINDOWS\system32\gebyw.dll
[12/02/2005, 23:59:46] - Attempting to kill C:\WINDOWS\system32\gebyw.dll
[12/02/2005, 23:59:46] - Terminating Process: RUNDLL32.EXE
[12/02/2005, 23:59:46] - Terminating Process: IEXPLORE.EXE
[12/02/2005, 23:59:46] - Disabling Automatic Shell Restart
[12/02/2005, 23:59:46] - Terminating Process: EXPLORER.EXE
[12/02/2005, 23:59:47] - Suspending the NT Session Manager System Service
[12/02/2005, 23:59:47] - Terminating Windows NT Logon/Logoff Manager
[12/02/2005, 23:59:48] - Re-enabling Automatic Shell Restart
[12/02/2005, 23:59:48] - Renaming C:\WINDOWS\system32\gebyw.dll -> C:\WINDOWS\system32\gebyw.dll.vir
[12/02/2005, 23:59:48] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[12/02/2005, 23:59:48] - Removing Registry references to {B313D637-F405-4052-AC37-E2119AB3C8F8}
[12/02/2005, 23:59:48] - Adding Internet Explorer Protection (Kill ActiveX) for {B313D637-F405-4052-AC37-E2119AB3C8F8}
[12/02/2005, 23:59:48] - Removing Winlogon Notify Entry: gebyw
[12/02/2005, 23:59:48] - BHO list has been changed! Starting over...
[12/02/2005, 23:59:48] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[12/02/2005, 23:59:48] - 2: {5CA3D70E-1895-11CF-8E15-001234567890} - DriveLetterAccess
[12/02/2005, 23:59:48] - 3: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - CNisExtBho Class
[12/02/2005, 23:59:48] - 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[12/02/2005, 23:59:48] - 5: {BDF3E430-B101-42AD-A544-FADC6B084872} - CNavExtBho Class
[12/02/2005, 23:59:48] - Finished searching for [MSEvents Object]
[12/02/2005, 23:59:48] - Finishing up...
[12/02/2005, 23:59:48] - Enabling Automatic Reboot on STOP Error.
[12/02/2005, 23:59:48] - Attempting to Restart via STOP error (Blue Screen!)
ky331 (3 Apprentice, 15.2K Posts), December 3rd, 2005 10:00
ICEHAWK83 (3 Posts), December 4th, 2005 02:00
jvnut (2 Posts), December 5th, 2005 23:00
I ran the Virtumundo and the Vundo fix, and the message is not coming up any more. Here is a copy of the VBG file. Is my computer OK now, or do I need to hijack the other thing?
[12/05/2005, 19:49:11] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Tom and Debbie\Desktop\VirtumundoBeGone.exe" )
[12/05/2005, 19:49:19] - Detected System Information:
[12/05/2005, 19:49:19] - Windows Version: 5.1.2600, Service Pack 2
[12/05/2005, 19:49:19] - Current Username: Tom and Debbie (Admin)
[12/05/2005, 19:49:19] - Windows is in NORMAL mode.
[12/05/2005, 19:49:19] - Searching for Browser Helper Objects:
[12/05/2005, 19:49:19] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[12/05/2005, 19:49:19] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/05/2005, 19:49:19] - BHO 3: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} ()
[12/05/2005, 19:49:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/05/2005, 19:49:19] - Checking for HKLM\...\Winlogon\Notify\deSrcAs
[12/05/2005, 19:49:19] - Key not found: HKLM\...\Winlogon\Notify\deSrcAs, continuing.
[12/05/2005, 19:49:19] - BHO 4: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} (Comcast Toolbar)
[12/05/2005, 19:49:19] - BHO 5: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[12/05/2005, 19:49:19] - BHO 6: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[12/05/2005, 19:49:19] - BHO 7: {B313D637-F405-4052-AC37-E2119AB3C8F8} (MSEvents Object)
[12/05/2005, 19:49:19] - ALERT: Found MSEvents Object!
[12/05/2005, 19:49:19] - BHO 8: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[12/05/2005, 19:49:19] - Finished Searching Browser Helper Objects
[12/05/2005, 19:49:19] - *** Detected MSEvents Object
[12/05/2005, 19:49:19] - Trying to remove MSEvents Object...
[12/05/2005, 19:49:20] - Terminating Process: IEXPLORE.EXE
[12/05/2005, 19:49:20] - Terminating Process: RUNDLL32.EXE
[12/05/2005, 19:49:20] - Disabling Automatic Shell Restart
[12/05/2005, 19:49:20] - Terminating Process: EXPLORER.EXE
[12/05/2005, 19:49:21] - Suspending the NT Session Manager System Service
[12/05/2005, 19:49:21] - Terminating Windows NT Logon/Logoff Manager
[12/05/2005, 19:49:21] - Re-enabling Automatic Shell Restart
[12/05/2005, 19:49:21] - File to disable: C:\WINDOWS\system32\pmkhg.dll
[12/05/2005, 19:49:21] - Renaming C:\WINDOWS\system32\pmkhg.dll -> C:\WINDOWS\system32\pmkhg.dll.vir
[12/05/2005, 19:49:21] - File successfully renamed!
[12/05/2005, 19:49:21] - Removing HKLM\...\Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8}
[12/05/2005, 19:49:21] - Removing HKCR\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}
[12/05/2005, 19:49:21] - Adding Kill Bit for ActiveX for GUID: {B313D637-F405-4052-AC37-E2119AB3C8F8}
[12/05/2005, 19:49:21] - Deleting ATLEvents/MSEvents Registry entries
[12/05/2005, 19:49:21] - Removing HKLM\...\Winlogon\Notify\pmkhg
[12/05/2005, 19:49:21] - Searching for Browser Helper Objects:
[12/05/2005, 19:49:21] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[12/05/2005, 19:49:21] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/05/2005, 19:49:21] - BHO 3: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} ()
[12/05/2005, 19:49:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/05/2005, 19:49:21] - Checking for HKLM\...\Winlogon\Notify\deSrcAs
[12/05/2005, 19:49:21] - Key not found: HKLM\...\Winlogon\Notify\deSrcAs, continuing.
[12/05/2005, 19:49:21] - BHO 4: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} (Comcast Toolbar)
[12/05/2005, 19:49:21] - BHO 5: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[12/05/2005, 19:49:21] - BHO 6: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[12/05/2005, 19:49:21] - BHO 7: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[12/05/2005, 19:49:21] - Finished Searching Browser Helper Objects
[12/05/2005, 19:49:21] - Finishing up...
[12/05/2005, 19:49:21] - A restart is needed.
[12/05/2005, 19:49:21] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[12/05/2005, 19:49:36] - Attempting to Restart via STOP error (Blue Screen!)
Thanks!!
ky331 (3 Apprentice, 15.2K Posts), December 6th, 2005 01:00
Based on the information in your VBG log (as well as the fact that the warning message is no longer coming up), it looks like you've successfully tackled the vundo problem.
HiJackThis would serve as an additional confirmation... as well as allow the experts in the HJT forum to analyze your system, to see if there are any other problems (besides the vundo) residing on your system. I'd recommend HJT, but the choice is yours. If you decide to do so, please start a new thread of your own in the HJT forum... do NOT place your log here.
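The verdict ky331 gives above is read off the VBG log by eye: was the MSEvents object found, did the tool manage to rename the DLL or hand the rename to SMSS for the next reboot, and does the last BHO enumeration (or a post-reboot pass) still list it. The script below does that triage on a pasted log. It is an added example, not code from the thread or from the VirtumundoBeGone tool. The line formats it parses are those of the v1.x logs posted by Nastassia and vanessa-pok and the v1.5 log posted by jvnut; the CLSID is the one every log in the thread reports as the MSEvents Object. The SAMPLE_LOG at the bottom is constructed for this example (shortened, with the hypothetical DLL name abcde.dll), and the class, function and verdict strings are mine, not the tool's.

```python
"""Triage a VirtumundoBeGone (VBG) log of the kind pasted in this thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# CLSID that every VBG log in the thread reports as "MSEvents Object"
MSEVENTS_CLSID = "{B313D637-F405-4052-AC37-E2119AB3C8F8}"

LINE_RE = re.compile(r"^\[[^\]]+\] - (?P<msg>.*)$")
# v1.x prints "6: {CLSID} - Name", v1.5 prints "BHO 7: {CLSID} (Name)"; Name may be blank
BHO_RE = re.compile(r"^(?:BHO )?\d+: (?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: -\s*(?P<n1>.*)| \((?P<n2>.*)\))$")
FILE_RE = re.compile(r"^File (?:location|to disable): (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^Removing (?:Winlogon Notify Entry: |HKLM\\\.\.\.\\Winlogon\\Notify\\)(?P<name>\S+)$")
# each of these lines starts a fresh enumeration of the BHO list
PASS_STARTS = ("Looking for Browser Helper Object", "Searching for Browser Helper Objects",
               "BHO list has been changed")

@dataclass
class VbgTriage:
    passes: List[List[Tuple[str, str]]] = field(default_factory=list)  # (clsid, name) per pass
    found: bool = False                     # tool printed "Found MSEvents Object"
    dll_path: Optional[str] = None          # DLL the MSEvents CLSID pointed at
    rename_deferred: Optional[bool] = None  # True: rename handed to SMSS for the next reboot
    notify_removed: Optional[str] = None    # Winlogon\Notify package the tool deleted
    nothing_found_pass: bool = False        # a later (post-reboot) pass ended "Nothing found!"

    @property
    def msevents_still_registered(self) -> bool:
        # the last enumeration is the state the tool left the machine in
        return bool(self.passes) and any(c == MSEVENTS_CLSID for c, _ in self.passes[-1])

    @property
    def notify_matches_dll(self) -> bool:
        # the logs show one random-name DLL registered as both the BHO and a Winlogon Notify package
        if not (self.dll_path and self.notify_removed):
            return False
        stem = self.dll_path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        return stem.lower() == self.notify_removed.lower()

    def verdict(self) -> str:
        if self.msevents_still_registered:
            return "infected: MSEvents object still registered after the tool ran"
        if not self.found:
            return "clean: no MSEvents object found" if self.passes else "no scan recorded"
        if self.nothing_found_pass:
            return "clean: object removed and a later pass found nothing"
        if self.rename_deferred:
            return "pending: rename deferred to SMSS; reboot, check for the .vir file, re-run VBG"
        return "removed: DLL renamed and registry entries deleted; re-run VBG after reboot to confirm"

def parse_vbg_log(text: str) -> VbgTriage:
    t = VbgTriage()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # chatter around a pasted log ("Thanks!!") is not a log line
        msg = m.group("msg")
        if msg.startswith(PASS_STARTS):
            t.passes.append([])
            continue
        b = BHO_RE.match(msg)
        if b:
            if not t.passes:
                t.passes.append([])
            name = b.group("n1") if b.group("n1") is not None else b.group("n2")
            t.passes[-1].append((b.group("clsid").upper(), name))
            continue
        f, n = FILE_RE.match(msg), NOTIFY_RE.match(msg)
        if "Found MSEvents Object" in msg:
            t.found = True
        elif f:
            t.dll_path = f.group("path")
        elif "Rename operation sent to SMSS" in msg:
            t.rename_deferred = True
        elif msg == "File successfully renamed!":
            t.rename_deferred = False
        elif n:
            t.notify_removed = n.group("name")
        elif msg.startswith("Nothing found!"):
            t.nothing_found_pass = True
    return t

# Constructed sample in the v1.5 format with a hypothetical DLL name; not a log from the thread
SAMPLE_LOG = """\
[12/05/2005, 19:49:19] - Searching for Browser Helper Objects:
[12/05/2005, 19:49:19] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/05/2005, 19:49:19] - BHO 2: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} ()
[12/05/2005, 19:49:19] - BHO 3: {B313D637-F405-4052-AC37-E2119AB3C8F8} (MSEvents Object)
[12/05/2005, 19:49:19] - ALERT: Found MSEvents Object!
[12/05/2005, 19:49:21] - File to disable: C:\\WINDOWS\\system32\\abcde.dll
[12/05/2005, 19:49:21] - File successfully renamed!
[12/05/2005, 19:49:21] - Removing HKLM\\...\\Winlogon\\Notify\\abcde
[12/05/2005, 19:49:21] - Searching for Browser Helper Objects:
[12/05/2005, 19:49:21] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/05/2005, 19:49:21] - BHO 2: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} ()
"""

if __name__ == "__main__":
    r = parse_vbg_log(SAMPLE_LOG)
    print(r.dll_path, r.notify_removed, r.notify_matches_dll, r.verdict())
```

Run the file directly to see the sample's verdict, or call parse_vbg_log() on a log pasted from a thread. Two details of the verdict matter in practice. A "pending" result means the rename was queued with SMSS, so the .vir file only appears after the reboot the instructions above call for; the log should be re-read after that reboot, as Nastassia's second pass ("Nothing found! Exiting.") shows. And notify_matches_dll only confirms that the Winlogon\Notify package the tool deleted belonged to the same DLL it renamed; it says nothing about other nameless BHOs the tool chose to ignore, which is the kind of leftover the HJT forum is asked to look at.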