Infected with trojan vundo, help

By TNTDESIGN
Oct 3, 2009
Topic Status:
Not open for further replies.
  1. I have Avanquest System Suite and Malwarebytes running... after repeated deletes it keeps coming back.

    Can anyone help get rid of this bugger of a virus?
  2. Route44

    Route44 TechSpot Ambassador Posts: 12,109   +21

    Have you read and followed through the UPDATED 8 Step sticky?
  3. TNTDESIGN

    TNTDESIGN Newcomer, in training Topic Starter

    Here are the logs

    Here are the logs from hijack, malware and superanti... thanks for your help in advance.
  4. TNTDESIGN

    TNTDESIGN Newcomer, in training Topic Starter

    Please help help!! 5 days and waiting!!

    Can anyone help with my post?
  5. momok

    momok Newcomer, in training Posts: 2,272

    All your mbam entries show "No action taken." for the detected infections. Please set the action to "quarantine".

    After you have done that, run HijackThis and fix these:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
    O1 - Hosts: 91.212.65.122 antiwareprotect.com
    O1 - Hosts: 91.212.65.122 www.antiwareprotect.com
    O2 - BHO: (no name) - {233B54C7-C524-4F36-AFEB-A382DAF0F8B3} - c:\windows\system32\pnrsttf.dll
    O20 - Winlogon Notify: xxkblmhz - C:\WINDOWS\SYSTEM32\pnrsttf.dll
    O20 - AppInit_DLLs: mofelise.dll

    post back with fresh logs of all 3 programs.
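
An added example, not part of the original thread: a small Python parser for HijackThis-style entries like the ones listed in the post above. It groups DLL entries by the load point that references them and hosts-file entries by target IP, which shows `pnrsttf.dll` registered under two separate load points. The sample log is constructed from lines in the post, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the fix list in the post above.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 antiwareprotect.com
O1 - Hosts: 91.212.65.122 www.antiwareprotect.com
O2 - BHO: (no name) - {233B54C7-C524-4F36-AFEB-A382DAF0F8B3} - c:\windows\system32\pnrsttf.dll
O20 - Winlogon Notify: xxkblmhz - C:\WINDOWS\SYSTEM32\pnrsttf.dll
O20 - AppInit_DLLs: mofelise.dll
"""

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")            # section code, then body
DLL_RE = re.compile(r"([^\\\s:]+\.dll)\s*$", re.IGNORECASE)  # trailing DLL basename
LOOPBACK = {"127.0.0.1", "::1"}

def parse(log):
    """Yield (section, body) for each HijackThis-style line; skip anything else."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def dll_load_points(log):
    """Map each DLL basename (lower-cased) to the load points that reference it."""
    points = defaultdict(set)
    for section, body in parse(log):
        m = DLL_RE.search(body) if section in ("O2", "O20") else None
        if m:
            kind = body.split(":", 1)[0]  # 'BHO', 'Winlogon Notify', 'AppInit_DLLs'
            points[m.group(1).lower()].add(f"{section} {kind}")
    return {dll: sorted(p) for dll, p in points.items()}

def multiply_registered(log):
    """DLLs referenced by more than one load point in the same log."""
    return {d: p for d, p in dll_load_points(log).items() if len(p) > 1}

def hosts_redirects(log):
    """Group non-loopback hosts-file entries by the IP they point to."""
    by_ip = defaultdict(list)
    for section, body in parse(log):
        if section == "O1" and body.startswith("Hosts:"):
            ip, name = body[len("Hosts:"):].split()[:2]
            if ip not in LOOPBACK:
                by_ip[ip].append(name)
    return dict(by_ip)
```
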
  6. TNTDESIGN

    TNTDESIGN Newcomer, in training Topic Starter

    I'll run the scans again... although I believe I chose to delete the found files after they completed... problem is they keep showing up again... thanks for your help.

    Everything keeps coming back even after quarantine and fixes... here are the logs.


    View attachment 52535

    View attachment 52536

    View attachment 52537
  7. momok

    momok Newcomer, in training Posts: 2,272

    Hm. Let's try this in safe mode:

    Reboot into safe mode and run HijackThis. Fix these entries:

    O2 - BHO: (no name) - {233B54C7-C524-4F36-AFEB-A382DAF0F8B3} - c:\windows\system32\pnrsttf.dll
    O20 - Winlogon Notify: xxkblmhz - C:\WINDOWS\SYSTEM32\pnrsttf.dll


    Next locate these files on your system and delete them.

    C:\WINDOWS\SYSTEM32\pnrsttf.dll
    C:\WINDOWS\SYSTEM32\GHENTSTO.DLL

    Empty your recycle bin. Reboot into normal mode and post fresh logs from all 3 once again. Hopefully this does the trick.
  8. TNTDESIGN

    TNTDESIGN Newcomer, in training Topic Starter

    I've noticed also that the corrupt DLLs are getting renamed... let me run and see what happens... thanks so much for the help.

    I ran quick scans this time since they're taking very long... hope that's OK.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    TNT, there is a line in Mbam that you are supposed to check for it to remove what it finds. You are not doing that, and again your log shows No action taken. It won't matter whether you run quick or long scans; you need to put a check on that line. Look for this:
      • Make sure that everything is checked, and click Remove Selected.

    momok is good people. He'll help you along.
  10. momok

    momok Newcomer, in training Posts: 2,272

    TNTDesign, please note Bobbye's comment on the mbam program.

    Then, please try the following:

    Please download VundoFix.exe HERE and save to your desktop.
    Download and run LSP-Fix
    1. Download LSP-Fix HERE and save to its own directory on the desktop: http://www.bleepingcomputer.com/files/lspfix.php
    2. Double-click on the file to open.
    3. In the left hand column, you should see the pnrsttf.dll file listed.
      • Click on it to highlight
      • Click the arrow in the middle of the screen that points to the right
    4. This will move the file name to the right-hand column labeled Remove
      NOTE: If the arrow is greyed out and does not allow you to click it, you need to check the box above labeled "I know what I'm doing"
    5. Once the file has been transferred to the Remove column, click Finish at the bottom of the screen.
      • You'll be presented with a results screen showing the file was removed from the Winsock layer entries in the registry.
    6. Close the LSPFix.

    Now for Vundofix:

    1. Double-click VundoFix.exe to run it.
    2. Click the Scan for Vundo button.
    3. Once it's done scanning, click the ‘Fix Vundo’ button.
    4. You will receive a prompt asking if you want to remove the files, click YES
    5. Once you click yes, your desktop will go blank as it starts removing Vundo.
    6. When completed, it will prompt that it will reboot your computer, click OK.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Post back with a fresh HijackThis log, MBAM log, as well as the vundofix log C:\vundofix.txt thanks.