it's come to our attention that Atribune is continually updating his fix... I need to double check there, but (as you indicated) i believe the newer version no longer mentions the list of forums.
do you get to the point of it asking you for the first filename? if so, the only technical problem that i see is you left out the backslash between C: and WINDOWS
Hi- I've gone back to the VundoFix folder to try again several times. This is what happens:
when in safe mode, I've opened the folder, then double click on KillVundo.bat, it says "by using VundoFix you agree ...at your own risk", please enter to continue. Once I click enter the mouse freezes and nothing happens. I've turned off the computer and tried again always to get the same response.
I definitely am ready with the exact spelling with all proper backward slashes if I could just get to that point. Thanks for helping!
i'm gonna take a look at the latest version of the Atribune fix.... see if i can determine anything more (which i can't actually run here, as i'm using an older win98SE machine)... you're the first person to report back with this particular problem :smileysad:
1) first, even though they suggest you run in safe-mode, try running it in normal mode instead, to see if that makes any difference. if you can succeed in normal mode, then we can stop here, and not proceed to the second suggestion.
2) if either you get the same error when running in normal mode, or if you can run it in normal mode but it doesn't remove the bad file, you can:
a- disconnect from the internet (so that you won't have anything else downloaded while you proceed, as we're temporarily turning off your virus protection).
b- temporarily disable your Norton anti-virus... i'm not familiar enough with Norton, but i'm assuming you can temporarily disable it. if you can disable it, AND access safe mode with it disabled, that would be preferable.
c- try running the VundoFix with anti-virus disabled. hopefully, that should do it.
d- re-enable your anti-virus (be sure to do so before you connect back to the internet).
let me know if either of these approaches works... and if so, be sure to tell me which one.
okay - when I tried in normal mode I got this msg in a pop up "Batch File Denied Permission to Run Blocked by Microsoft antispyware"
So I disabled (I thought) Micro spyware and Norton Antivirus (having difficulty finding out how to uninstall) and it still said the above. So I tried it in safe mode and it still froze after I clicked enter (same as before!!!)
I must have a super duper version of this one.
I have to go but will be back to try more in an hour.
i'm gonna ask someone else to step-in (it'll probably be RKinner, ChrisRLG, Dobhar, Nikkj, or zbestwun2001... but anyone from Malware Removal University is qualified) to try to help you.
by the way, just to clarify... the suggestion was only to (temporarily) disable your anti-virus, not to uninstall it.
Okay, I only disabled and didn't uninstall. It's been very frustrating to read other people here fixing their problems that sound just like mine. I also now have winfixer popping up too.
I'll be checking back in tomorrow and hopefully someone will have an idea what's wrong with my situation.
I do believe it's finally gone!!! After working endlessly, with the mouse constantly freezing in safe mode just as I was following the final steps from bleeping computer I looked up alternative ways to get into safe mode.
I used Start, Run, msconfig, to start Windows XP in safe mode and the mouse DID NOT FREEZE up so I was finally able to complete the steps as recommended at bleeping computer.
THANK YOU !!!! It just took a LOT of patience. Now I'll follow every security step possible to avoid this.
Do you know of any way to safeguard from the IM ing that teens do and their MY SPACE ? I read that Norton Antivirus for one does not protect or cover AOL. I guess the only safe thing, unless you have another suggestion, is to keep teens on a separate computer all together.
If the children have separate logins on the PC it is possible to set their logins up without administrator powers. This will limit the amount of damage they can do.
Logfile of HijackThis v1.99.1
Scan saved at 12:27:19 PM, on 10/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
http://www.wown.com/j_helmig/wxppusrm.htm shows you how to get into the proper program for this. Whether a login had admin priv. or not depends on what group they are a member of so once you modify their login you can select the "Member of" tab and remove the Administrator group from their membership list.
On XP Home the login named Administrator can only be reached from Safe Mode but normally has no password. In order to keep the kids from booting into Safe Mode and using the Administrator login to undo your changes you need to give the Administrator login a password while you are modifying logins. Just don't forget the password. Another quirk of XP Home is that the first login is automatically made a member of the Admin group. So even if you didn't intentionally give a user admin powers the first login automatically has them. Usually most people only have the one login so they do everything with admin powers. This is sort of dangerous since if something goes wrong and they get an infection the infection also has admin powers. Best is to have two logins for your own use. One with admin powers and one without. Use the one without for day to day surfing and only switch to the other one when you need to install software or make other changes that require admin powers.
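The group change and Administrator password described in the post above can also be made from a command prompt with the built-in `net` commands. This is an added example, not part of RKinner's post; `KIDLOGIN` is a placeholder for the child's login name, and the built-in account is assumed to be named Administrator as the post describes.

```bat
@echo off
rem Added example, not from the thread. KIDLOGIN is a placeholder login name.
rem Run it from a login that is itself a member of the Administrators group.
setlocal
set "KID=KIDLOGIN"

rem Refuse to demote the login running this script, so one admin login remains.
if /i "%KID%"=="%USERNAME%" (
    echo Run this from your own admin login, not from %KID%.
    exit /b 1
)

rem Stop if the account name is wrong.
net user "%KID%" >nul 2>&1
if errorlevel 1 (
    echo No local account named %KID%.
    exit /b 1
)

rem 1. List who has admin powers now.
echo Current members of Administrators:
net localgroup Administrators

rem 2. Keep the login in the ordinary Users group (an "already a member"
rem    error here is harmless), then remove it from Administrators.
net localgroup Users "%KID%" /add
net localgroup Administrators "%KID%" /delete

rem 3. Set a password on the built-in Administrator login. The * makes
rem    net prompt for it, so the password is never stored in this file.
net user Administrator *

rem 4. Show the result: "Local Group Memberships" should list only Users.
net user "%KID%"
endlocal
```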
Thanks Ron for all of your expert advice! It's been great working with you and I look forward to the Dell forum in the future for any other quirky problems.:)
ky331
3 Apprentice
•
15.6K Posts
0
October 14th, 2005 13:00
snowbell56
8 Posts
0
October 14th, 2005 15:00
Cindy
ky331
October 14th, 2005 15:00
ky331
October 14th, 2005 16:00
snowbell56
October 14th, 2005 17:00
snowbell56
October 14th, 2005 18:00
ky331
October 15th, 2005 00:00
Message Edited by ky331 on 10-14-2005 10:52 PM
snowbell56
October 15th, 2005 01:00
Thanks!
RKinner
2 Intern
•
5.9K Posts
0
October 15th, 2005 11:00
Try the alternative fix at:
http://www.bleepingcomputer.com/forums/How-to-remove-the-TrojanVundoB-Search42com-MSevents-t18610.html
snowbell56
October 17th, 2005 00:00
RKinner
October 17th, 2005 10:00
Could we see a new HijackThis log?
Ron
snowbell56
October 17th, 2005 16:00
RKinner
October 17th, 2005 19:00
http://www.wown.com/j_helmig/wxppusrm.htm
Ron
snowbell56
October 18th, 2005 23:00