Please help with Vundo

By dixiejen79
Aug 23, 2008
  1. I have the Vundo virus & I don't know what to do.... I have been looking online for a while (from my laptop since my desktop is useless). I noticed that several posts are specific to user so I thought I might need to try that. I am not computer savvy so I may need a lot of may not want to attempt this! But please help anyway... I am good with instructions (usually!). Thanks so much!

  2. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    • Click here to download HJTsetup.exe
    • Save HJTsetup.exe to your desktop.
    • Double-click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Come back here to this thread and attach the log in txt format in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
  3. dixiejen79

    dixiejen79 TS Rookie Topic Starter

    Attached is the log. Thanks.
  4. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O20 - Winlogon Notify: 44f0ed4d382 - C:\WINDOWS\system32\__c006A1C8.dat
    O20 - Winlogon Notify: __c00C7966 - C:\WINDOWS\system32\__c00C7966.dat (file missing)
    O20 - Winlogon Notify: __c00DE624 - C:\WINDOWS\system32\__c00DE624.dat (file missing)

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and Reboot.


    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
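
An added example, not part of the original posts and not HijackThis's own logic: a small triage script that parses HijackThis log lines and flags the kind of entries selected in the post above. The heuristics (flag `(no file)` and `(file missing)` annotations, and Winlogon Notify targets that are not `.dll` files) are assumptions chosen for illustration, and the two "Example" entries in the sample are constructed.

```python
import re

# Constructed sample: the five entries quoted in the post above plus two
# made-up clean entries ("Example Helper", "examplepkg") for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O20 - Winlogon Notify: 44f0ed4d382 - C:\WINDOWS\system32\__c006A1C8.dat
O20 - Winlogon Notify: __c00C7966 - C:\WINDOWS\system32\__c00C7966.dat (file missing)
O20 - Winlogon Notify: __c00DE624 - C:\WINDOWS\system32\__c00DE624.dat (file missing)
O20 - Winlogon Notify: examplepkg - C:\WINDOWS\system32\examplepkg.dll
"""

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")

def parse_line(line):
    """Split one HijackThis line into section, kind, name and target."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    # O2/O3 lines carry name - CLSID - file; O20 lines carry name - file.
    # maxsplit keeps a " - " inside the file path in one piece.
    fields = rest.split(" - ", 2 if section in ("O2", "O3") else 1)
    return {"section": section, "kind": kind, "name": fields[0],
            "target": fields[-1], "raw": line.strip()}

def reasons(entry):
    """Return the (assumed, illustrative) reasons an entry deserves review."""
    found = []
    target = entry["target"]
    if target == "(no file)":
        found.append("registered component has no file on disk")
    if target.endswith("(file missing)"):
        found.append("target file is missing")
        target = target[: -len("(file missing)")].strip()
    if entry["section"] == "O20" and not target.lower().endswith(".dll"):
        found.append("Winlogon Notify target is not a .dll")
    return found

def triage(log_text):
    """Return (raw line, reasons) for every entry with at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and reasons(entry):
            flagged.append((entry["raw"], reasons(entry)))
    return flagged

if __name__ == "__main__":
    for raw, why in triage(SAMPLE_LOG):
        print(raw, "<-", "; ".join(why))
```
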
  5. dixiejen79

    dixiejen79 TS Rookie Topic Starter

    Moved files log
  6. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click Yes
    • Once you click yes, your desktop will go blank as it starts removing the Vundo.
    • When completed, it will prompt that it will reboot your computer, click Ok
    • Please attach the C:\vundofix.txt & a new HijackThis log.

    Note: it is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.


    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version. Then reboot into safe mode: reboot and start tapping the F8 key, and you will get the advanced options; select safe mode, then load and run the program.
    • Once the program has loaded, select "Perform Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)
  7. dixiejen79

    dixiejen79 TS Rookie Topic Starter

    VundoFix did not find any infected files.

    Below is the Malwarebytes' Anti-Malware log.

    Malwarebytes' Anti-Malware 1.25
    Database version: 1078
    Windows 5.1.2600 Service Pack 2

    12:42:27 PM 8/24/2008
    mbam-log-08-24-2008 (12-42-27).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 148598
    Time elapsed: 2 hour(s), 37 minute(s), 41 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\SYSTEM32\__c006A1C8.dat (Trojan.Zlob) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00de624 (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\44f0ed4d382 (Trojan.Agent) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\SYSTEM32\__c006A1C8.dat (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\SYSTEM32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

    BitDefender log below (one infected file unable to remove)

    BitDefender Log File

    Product : BitDefender Total Security 2009
    Version : BitDefender UIScanner v.12
    Scanning task : Full System Scan
    Log date : 15:33:07 24/08/2008
    Log path : C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\full_scan\1219609987_1_02.xml

    Scan Paths:
    path 0000: C:\Program Files\BitDefender\BitDefender 2009\uiscan.exe
    Path 0001: C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    Path 0002: C:\WINDOWS\system32\DfrgNtfs.exe
    Path 0003: C:\WINDOWS\system32\Defrag.exe
    Path 0004: C:\WINDOWS\System32\msiexec.exe
    Path 0005: C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
    Path 0006: C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
    Path 0007: C:\Program Files\AT&T\Internet Security Wizard\ISWComHandler.exe
    Path 0008: C:\Program Files\Digital Line Detect\DLG.exe
    Path 0009: C:\Program Files\America Online 9.0\aoltray.exe
    Path 0010: C:\Program Files\iPod\bin\iPodService.exe
    Path 0011: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    Path 0012: C:\Program Files\DellSupport\DSAgnt.exe
    Path 0013: C:\WINDOWS\system32\ctfmon.exe
    Path 0014: C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
    Path 0015: C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    Path 0016: C:\Program Files\ATT Internet Tools\blsloader.exe
    Path 0017: C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    Path 0018: C:\Program Files\iTunes\iTunesHelper.exe
    Path 0019: C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe
    Path 0020: C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
    Path 0021: C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
    Path 0022: C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    Path 0023: C:\Program Files\Real\RealPlayer\RealPlay.exe
    Path 0024: C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
    Path 0025: C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
    Path 0026: C:\Program Files\Dell\Media Experience\PCMService.exe
    Path 0027: C:\WINDOWS\system32\dla\tfswctrl.exe
    Path 0028: C:\WINDOWS\System32\hkcmd.exe
    Path 0029: C:\WINDOWS\System32\svchost.exe
    Path 0030: C:\WINDOWS\System32\wbem\wmiprvse.exe
    Path 0031: C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    Path 0032: C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    Path 0033: C:\WINDOWS\wanmpsvc.exe
    Path 0034: C:\WINDOWS\System32\wdfmgr.exe
    Path 0035: C:\WINDOWS\System32\svchost.exe
    Path 0036: C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    Path 0037: C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    Path 0038: C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
    Path 0039: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    Path 0040: C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    Path 0041: C:\Program Files\Bonjour\mDNSResponder.exe
    Path 0042: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    Path 0043: C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    Path 0044: C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    Path 0045: C:\WINDOWS\system32\spoolsv.exe
    Path 0046: C:\WINDOWS\system32\LEXPPS.EXE
    Path 0047: C:\WINDOWS\system32\LEXBCES.EXE
    Path 0048: C:\WINDOWS\System32\svchost.exe
    Path 0049: C:\WINDOWS\System32\svchost.exe
    Path 0050: C:\WINDOWS\Explorer.EXE
    Path 0051: C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
    Path 0052: C:\WINDOWS\System32\svchost.exe
    Path 0053: C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
    Path 0054: C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    Path 0055: C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    Path 0056: C:\WINDOWS\system32\svchost.exe
    Path 0057: C:\WINDOWS\system32\svchost.exe
    Path 0058: C:\WINDOWS\system32\lsass.exe
    Path 0059: C:\WINDOWS\system32\services.exe
    Path 0060: C:\WINDOWS\system32\winlogon.exe
    Path 0061: C:\WINDOWS\system32\csrss.exe
    Path 0062: \SystemRoot\System32\smss.exe
    Path 0063: C:\

    Scan Options:
    Scan for viruses : Yes
    Scan for adware : Yes
    Scan for spyware : Yes
    Scan for applications : Yes
    Scan for dialers : Yes
    Scan for rootkits : Yes

    Target Selection Options:
    Scan registry keys : Yes
    Scan cookies : Yes
    Scan boot sectors : Yes
    Scan memory processes : Yes
    Scan archives : No
    Scan runtime packers : Yes
    Scan emails : No
    Scan all files : Yes
    Heuristic Scan : Yes
    Scanned extensions :
    Excluded extensions :

    Target Processing:
    Default action for infected objects : Disinfect
    Default action for suspicious objects : None
    Default action for hidden objects : None
    Default action for encrypted infected objects : None
    Default action for encrypted suspicious objects : None
    Default action for password-protected objects : None

    Scan engines summary
    Number of virus signatures : 1428775
    Archive plugins : 43
    Email plugins : 6
    Scan plugins : 12
    System plugins : 4
    Unpack plugins : 7

    Overall scan summary
    Scanned items : 158912
    Infected items : 1
    Suspicious items : 0
    Resolved items : 0
    Unresolved items : 1
    Password-protected items : 0
    Individual viruses found : 1
    Scanned directories : 10826
    Scanned boot sectors : 3
    Scanned archives : 2
    Input-output errors : 37
    Scan time : 01:55:39
    Files per second : 22

    Scanned processes summary
    Scanned : 63
    Infected : 0

    Scanned registry keys summary
    Scanned : 395
    Infected : 0

    Scanned cookies summary
    Scanned : 395
    Infected : 0

    Remaining issues:
    Object Name    Threat Name    Final Status
    [System]       Cookie.2o7     Disinfect Failed

    Hope this helps.....Thanks!!
  8. dixiejen79

    dixiejen79 TS Rookie Topic Starter

    Anyone have any more recommendations?? Any help is greatly appreciated! Thanks.
  9. dixiejen79

    dixiejen79 TS Rookie Topic Starter

    My Firefox has now shut down. I do not know how to access the internet from my desktop computer. If I transfer files via a memory stick will this transfer the virus? Any other fix suggestions?
Topic Status:
Not open for further replies.
