Cannot remove Vundo. Help.

Status
Not open for further replies.

suk

Hi.
My computer seems to have been hit by Vundo . . . I have done everything from using VundoFix (the normal one and the killvundo.bat one) as well as VirtumundoBeGone. VundoFix shows my machine as clean but HijackThis still shows the file names in the O2 and O20 region. And my machine has become so slow that I can't do anything with it. I'm at my wits' end. Please help.

I've attached the HijackThis log.

s.
 
Hi suk and welcome to techspot. =)

You are running an outdated version of HijackThis.
You can obtain the latest version from the link in my signature.

You may wish to copy and paste these instructions into Notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to Start > Run and type services.msc. Press the Enter key.
Search for the following services. Double-click each one and select Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

PVModule

Open your Task Manager by holding Ctrl and Alt and pressing Del. Alternatively, use Ctrl + Shift + Esc. Go to the Processes tab and end the following processes, if found:

PVModule.exe

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O2 - BHO: (no name) - {13B1FC02-93DC-4E44-A9DF-083BAD648412} - (no file)
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - (no file)
O2 - BHO: (no name) - {7C1F1401-FF31-47BF-B7EB-8A9104062029} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - (no file)
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{03037514-FDE4-434D-9AEC-18377548DFAE}: NameServer = 202.54.9.1,202.54.1.30
O17 - HKLM\System\CCS\Services\Tcpip\..\{156816CC-52BB-4258-A82C-D0B16B56C113}: NameServer = 202.54.1.23,202.54.9.1 (Fix the O17 entries only if you do not recognise the domain to be from your ISP)

Close HJT.


Navigate in Windows Explorer and delete the following files and folders in bold.

C:\PROGRA~1\PRINTV~1\pvmodule.exe

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread. The utilities can be downloaded from the links in my signature.


Regards,
Your friendly momok =)

This thread is for the use of suk only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
following instructions

hi momok,
Thanks for the help - I followed the instructions but didn't find "pvmodule" or "PVModule.exe". Everything else was OK.

Then I ran ComboFix. I saw the log and did something foolish but desperate, which was to manually remove the Vundo files from the registry (I hope they're not other files!).

Anyway, my comp rebooted normally and seems to be working at normal speed now. Hopefully this means that I'm clean. Attaching the HijackThis log and ComboFix log.

thanks again!

s.
 
Hi,

Have HijackThis fix the following entries:

O2 - BHO: (no name) - {8892F6D6-0D1B-482F-82A1-C7D30994FE6F} - (no file)
O2 - BHO: (no name) - {CBED2A49-DBAA-423F-A2A6-3253CADB4E38} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.
Drag the Combofix-Do.txt over on to Combofix.exe and release.

This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job.

Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)

This thread is for the use of suk only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
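As an added example (not part of this thread, and not a HijackThis, ComboFix or TechSpot tool): a small Python script that parses the HijackThis line types momok's two replies act on (O2 BHOs, O4 Run entries, O16 DPF entries and O17 NameServer entries) and flags the same conditions the replies single out: a BHO registered with "(no file)", a DPF entry with no source URL, a Run entry on a watch list, and a nameserver that is not on a trusted list. The sample log is constructed from the entries quoted above plus one constructed benign BHO line with a made-up CLSID; the trusted nameserver set and the Run-entry watch list are assumptions the reader fills from their own ISP and their own log.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log. Line shapes are copied from the HijackThis
# entries quoted in this thread; the "Example Helper" O2 line and its
# CLSID are constructed here as a benign control that must NOT be flagged.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {13B1FC02-93DC-4E44-A9DF-083BAD648412} - (no file)
O2 - BHO: Example Helper - {AAAAAAAA-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{03037514-FDE4-434D-9AEC-18377548DFAE}: NameServer = 202.54.9.1,202.54.1.30
"""

# One pattern per HijackThis section handled here.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? -\s*(?P<url>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.*?): NameServer = (?P<servers>.*)$")

SECTION_PATTERNS = (("O2", O2_RE), ("O4", O4_RE), ("O16", O16_RE), ("O17", O17_RE))


def parse_hjt_line(line: str) -> Optional[Dict[str, str]]:
    """Split one HijackThis line into named fields; None if the section is not handled."""
    line = line.strip()
    for section, pattern in SECTION_PATTERNS:
        m = pattern.match(line)
        if m:
            entry = {"section": section, "raw": line}
            # Optional groups (e.g. the O16 display name) come back as None.
            entry.update({k: (v or "") for k, v in m.groupdict().items()})
            return entry
    return None


def flag_entries(log_text: str,
                 trusted_nameservers: Set[str],
                 watched_run_names: Set[str]) -> List[Tuple[str, str]]:
    """Return (raw_line, reason) pairs for entries a helper would ask to fix or review.

    trusted_nameservers: DNS server IPs known to belong to the user's ISP (assumption).
    watched_run_names:   lower-cased O4 autorun names to flag (assumption, e.g. {"pvmodule"}).
    """
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        entry = parse_hjt_line(raw)
        if entry is None:
            continue
        section = entry["section"]
        if section == "O2" and entry["path"].lower() == "(no file)":
            # Registry still references a BHO whose DLL is gone: orphaned registration.
            findings.append((entry["raw"], "BHO registered with no backing file (orphaned; safe to fix)"))
        elif section == "O4" and entry["name"].lower() in watched_run_names:
            findings.append((entry["raw"], f"autorun entry '{entry['name']}' is on the watch list"))
        elif section == "O16" and not entry["url"]:
            # ActiveX download entry with no source URL to account for it.
            findings.append((entry["raw"], "DPF (ActiveX download) entry with no source URL"))
        elif section == "O17":
            servers = {s.strip() for s in entry["servers"].split(",") if s.strip()}
            unknown = sorted(servers - trusted_nameservers)
            if unknown:
                findings.append((entry["raw"],
                                 "NameServer not in the trusted list: " + ", ".join(unknown)
                                 + " (confirm with your ISP before fixing)"))
    return findings


if __name__ == "__main__":
    # Assumed trusted set: only one of the two nameservers in the sample is
    # known to the user, so the other is reported for review.
    for raw, reason in flag_entries(SAMPLE_HJT_LOG, {"202.54.9.1"}, {"pvmodule"}):
        print(f"{reason}\n    {raw}")
```

The O17 rule deliberately reports rather than decides: as momok notes, a NameServer entry is only suspicious if the address is not your ISP's, so the script needs the trusted set supplied by the person who knows the network.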
 