Infected with trojan vundo, help

Status
Not open for further replies.
I have Avanquest System Suite and Malwarebytes running... after repeated deletes it keeps coming back.

Can anyone help get rid of this bugger of a virus?
 
All your MBAM entries show "No action taken." for the detected infections. Please set the action to "quarantine".

After you have done that, run HijackThis and fix these:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 antiwareprotect.com
O1 - Hosts: 91.212.65.122 www.antiwareprotect.com
O2 - BHO: (no name) - {233B54C7-C524-4F36-AFEB-A382DAF0F8B3} - c:\windows\system32\pnrsttf.dll
O20 - Winlogon Notify: xxkblmhz - C:\WINDOWS\SYSTEM32\pnrsttf.dll
O20 - AppInit_DLLs: mofelise.dll

Post back with fresh logs of all 3 programs.
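A triage sketch for the HijackThis entries listed in the post above, added here as an illustration and not part of the original thread: it flags the hosts-file redirect and the DLL load points, then reports any DLL registered at more than one load point. The rule set and function names are assumptions made for this example; the sample lines are copied from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Entries copied from the HijackThis list in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O2 - BHO: (no name) - {233B54C7-C524-4F36-AFEB-A382DAF0F8B3} - c:\windows\system32\pnrsttf.dll
O20 - Winlogon Notify: xxkblmhz - C:\WINDOWS\SYSTEM32\pnrsttf.dll
O20 - AppInit_DLLs: mofelise.dll
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
DLL_NAME = re.compile(r"([^\\\s]+\.dll)\s*$", re.IGNORECASE)

def triage(log):
    """Return (code, reason, line) for each entry matching one of the rules below."""
    findings = []
    for line in map(str.strip, log.splitlines()):
        m = ENTRY.match(line)
        if not m:
            continue
        code, body, reason = m["code"], m["body"], None
        if code == "O1" and body.startswith("Hosts:"):
            ip, host = body[6:].split()[:2]  # assumes the "IP name" form shown above
            if not ipaddress.ip_address(ip).is_loopback:
                reason = f"hosts file maps {host} to {ip}"
        elif code == "R1" and "ProxyServer" in body and "localhost" in body:
            reason = "browser proxy points at a local listener"
        elif code == "O2" and "(no name)" in body:
            reason = "unnamed Browser Helper Object"
        elif code == "O20" and body.startswith("Winlogon Notify:"):
            reason = "DLL registered under Winlogon Notify"
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            reason = "DLL listed in AppInit_DLLs"
        if reason:
            findings.append((code, reason, line))
    return findings

def dlls_with_multiple_hooks(findings):
    """Group findings by DLL file name; keep DLLs registered at more than one load point."""
    hooks = defaultdict(set)
    for _code, reason, line in findings:
        m = DLL_NAME.search(line)
        if m:
            hooks[m.group(1).lower()].add(reason)
    return {dll: sorted(reasons) for dll, reasons in hooks.items() if len(reasons) > 1}
```

A DLL that shows up under both a BHO and Winlogon Notify, as pnrsttf.dll does here, has to be cleared from every load point or it is loaded again at the next logon.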
 
Hm. Let's try this in safe mode:

Reboot into safe mode and run HijackThis. Fix these entries:

O2 - BHO: (no name) - {233B54C7-C524-4F36-AFEB-A382DAF0F8B3} - c:\windows\system32\pnrsttf.dll
O20 - Winlogon Notify: xxkblmhz - C:\WINDOWS\SYSTEM32\pnrsttf.dll


Next locate these files on your system and delete them.

C:\WINDOWS\SYSTEM32\pnrsttf.dll
C:\WINDOWS\SYSTEM32\GHENTSTO.DLL

Empty your recycle bin. Reboot into normal mode and post fresh logs from all 3 once again. Hopefully this does the trick.
 
I've also noticed that the corrupt DLLs are getting renamed... let me run and see what happens... thanks so much for the help.

I ran quick scans this time since they're taking very long... hope that's OK.
 
TNT, there is a line in MBAM that you are supposed to check for it to remove what it finds. You are not doing that, and again your log shows No action taken. It won't matter whether you run quick or long scans; you need to put a check on that line. Look for this:
• Make sure that everything is checked, and click Remove Selected.

momok is good people. He'll help you along.
 
TNTDesign, please note bobbye's comment on the mbam program.

Then, please try the following:

Please download VundoFix.exe HERE and save to your desktop.
Download and run LSP-Fix
  1. Download LSP-Fix HERE and save it to its own directory on the desktop: http://www.bleepingcomputer.com/files/lspfix.php
  2. Double-click on the file to open.
  3. In the left hand column, you should see the pnrsttf.dll file listed.
    • Click on it to highlight
    • Click the arrow in the middle of the screen that points to the right
  4. This will move the file name to the right-hand column labeled Remove
    NOTE: If the arrow is greyed out and does not allow you to click it, you need to check the box above labeled "I know what I'm doing"
  5. Once the file has been transferred to the Remove column, click Finish at the bottom of the screen.
    • You'll be presented with a results screen showing the file was removed from the Winsock layer entries in the registry.
  6. Close LSPFix.

Now for VundoFix:

  1. Double-click VundoFix.exe to run it.
  2. Click the Scan for Vundo button.
  3. Once it's done scanning, click the ‘Fix Vundo’ button.
  4. You will receive a prompt asking if you want to remove the files, click YES
  5. Once you click yes, your desktop will go blank as it starts removing Vundo.
  6. When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Post back with a fresh HijackThis log, MBAM log, as well as the VundoFix log C:\vundofix.txt. Thanks.
 