TechSpot

Vundo virus

By ascot54
Nov 22, 2008
Topic Status:
Not open for further replies.
  1. ascot54

    ascot54 Newcomer, in training Topic Starter Posts: 87

    had norton ages ago....

    been deleted for some time !
    caused more probs than it solved to be honest
  2. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Oh yeah!

    Reboot, run it again, post new log and new HJT log!

    You were eat up!

    See edit in my last post!

    Mike
  3. ascot54

    ascot54 Newcomer, in training Topic Starter Posts: 87

    run combo again and HJT..??

    what's "eat up"
  4. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Totally infested like a dog with so many fleas it is being "eat up"!:)

    An American saying!

    Mike

    EDIT: yes both!
  5. ascot54

    ascot54 Newcomer, in training Topic Starter Posts: 87

    Mike,

    rebooted,

    ran Combofix again

    then HJT...

    results attached
  6. mflynn

    mflynn Newcomer, in training Posts: 2,793

    One more thing I am surprised is still there.

    So 1 more tool!

    Download SD Fix to Desktop; among other things, Catchme to look for rootkits.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process, then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Copy and paste the Report.txt file to your next post.

    Mike
  7. ascot54

    ascot54 Newcomer, in training Topic Starter Posts: 87

    Mike,

    here is SDfix log...

    please tell me i'm fixed !!

    wife to be threatening divorce already ! lol !
  8. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Hopefully after I see a new HJT log.

    Have you had a Norton - Symantec product before?

    And a status report: how is it running?

    mike
  9. ascot54

    ascot54 Newcomer, in training Topic Starter Posts: 87

    I had Norton over 2yrs ago and deleted it due to errors....

    HJT attached...

    just found out, i got no system restore point...

    no entry in regedit either...
    linked to vundo you think ?
  10. mflynn

    mflynn Newcomer, in training Posts: 2,793

    HJT remove below
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab

    Ahhh

    Copy all in box then paste to open command prompt!


    Still have a bad file.
    Code:
    rem Search the whole drive from the root; attrib also lists hidden and system files
    cd\
    attrib /s qnlifb.dll >"%USERPROFILE%\Desktop\attrib.txt"
    exit
    exit
    
    Now paste me the attrib.txt from on desktop.

    Mike

    See edit above
  11. ascot54

    ascot54 Newcomer, in training Topic Starter Posts: 87

    Mike,
    bit lost on that paste bit you posted...
    deleted the cab file from HJT ref symantec..
     
  12. ascot54

    ascot54 Newcomer, in training Topic Starter Posts: 87

    ""
    File not found - qnlifb.dll

    "
    that was response from paste to desktop !
  13. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Ok

    HJT Remove below

    O20 - AppInit_DLLs: qnlifb.dll

    OK for wife to go now but you and I will finish a few details tomorrow.

    I will post.

    Run another MBAM and SAS but only while sleeping or at work!

    Mike
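
The check worked through in the posts above (an O20 AppInit_DLLs entry still listed in the HJT log while the drive-wide `attrib /s` search reports the file missing) can be scripted. This is an added example, not part of the thread: the sample log apart from the two entries quoted in the thread, the file listing, and all function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the O16 and O20 entries quoted in this thread, plus a
# made-up header and a made-up O4 line, in HijackThis's "Oxx - kind: value" layout.
SAMPLE_LOG = """\
Logfile of HijackThis (constructed sample)
O4 - HKLM\\..\\Run: [ExampleApp] C:\\Program Files\\Example\\app.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - AppInit_DLLs: qnlifb.dll
"""

# Constructed stand-in for the file names a drive-wide search turned up.
FILES_ON_DISK = {"kernel32.dll", "user32.dll"}

ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")


def parse_entries(log_text):
    """Return (section, kind, value) for every 'Oxx - kind: value' line."""
    out = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2).strip(), m.group(3).strip()))
    return out


def appinit_dlls(entries):
    """Split each O20 AppInit_DLLs value into DLL names.

    The registry value is a space- or comma-separated list, and every DLL in
    it is loaded into each process that loads user32.dll.
    """
    names = []
    for section, kind, value in entries:
        if section == "O20" and kind == "AppInit_DLLs":
            names += [n for n in re.split(r"[,\s]+", value) if n]
    return names


def orphaned_appinit(log_text, files_on_disk):
    """AppInit_DLLs names with no matching file: stale entries to remove."""
    present = {f.lower() for f in files_on_disk}
    return [n for n in appinit_dlls(parse_entries(log_text))
            if PureWindowsPath(n).name.lower() not in present]


if __name__ == "__main__":
    print(orphaned_appinit(SAMPLE_LOG, FILES_ON_DISK))
```

An entry reported here is the situation in this thread: the DLL itself is gone, but the registry value that would load it is still present and should be removed.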
  14. ascot54

    ascot54 Newcomer, in training Topic Starter Posts: 87

    just deleted another 1 from HJT...
    reference to BTinternet...
    old service provider..!!

    now gonna run MBAM n SAS....

    Wife 2 B can hang slack bud..

    this pc is linked to ptr for daughters homework on printer..
    i want it running tip top !
  15. mflynn

    mflynn Newcomer, in training Posts: 2,793

    We will get it that way but for now i am headed to Dinner and a movie!:)

    It has a few performance issues but you should be clean.

    I will look at new logs when I return.

    Mike
  16. ascot54

    ascot54 Newcomer, in training Topic Starter Posts: 87

    Mike,

    latest logs for ya !

    rgds

    Paul
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

  18. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Hi Paul

    Did you not do post 35: O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/tech...l/SymAData.cab

    and

    Post 38: O20 - AppInit_DLLs: qnlifb.dll

    If not then run HJT delete them and post new HJT log.
    ----------------------------------------------------------------------------------------------------------------------------------
    OK let's see if we can't get rid of Norton (Norton/Symantec is extremely hard to eradicate)

    Drag mouse copy for pasting all inside the box below

    Code:
    @echo off
    cd\
    rem Clear hidden/system/read-only flags so the leftovers can be listed and deleted
    attrib -h -s -r norton*.* /s /d >"%USERPROFILE%\Desktop\NortonLeftOvers.txt"
    echo ...............................................
    rem Log every match, then force-delete the files
    dir /b /s norton*.* >>"%USERPROFILE%\Desktop\NortonLeftOvers.txt"
    echo ................................................
    del /s norton*.* /f /q >>"%USERPROFILE%\Desktop\NortonLeftOvers.txt"
    rem rd does not accept wildcards, so walk the tree and remove each matching folder
    rem (single %d because this is pasted at the prompt, not run as a .bat file)
    for /d /r %d in (norton*) do rd /s /q "%d"
    
    attrib -h -s -r syman*.* /s /d >"%USERPROFILE%\Desktop\SymantecLeftOvers.txt"
    echo .................................................
    dir /b /s syman*.* >>"%USERPROFILE%\Desktop\SymantecLeftOvers.txt"
    echo ..................................................
    del /s syman*.* /f /q >>"%USERPROFILE%\Desktop\SymantecLeftOvers.txt"
    for /d /r %d in (syman*) do rd /s /q "%d"
    exit
    exit
    Then open the command prompt and paste directly to the Black screen.

    Attach the norton and symantec files created on the desktop.

    Then go here and do all in this post except the registry editing; we will do that differently and deeper.

    http://www.techspot.com/vb/post560473-8.html
    Note when you run rnav2003 do all versions but decline to reboot until the last one (no need to reboot 4 times)
    ----------------------------------------------------------------------------------------------------------------------------------

    SYMMSICLEANUP.reg ftp://ftp.symantec.com/public/english_us_canada/linked_files/tsgen/SYMMSICLEANUP.reg

    Save the file to the Windows desktop.
    If using Firefox, right-click the following link and then click Save Link As to download the file.

    On the Windows desktop, double-click SYMMSICLEANUP.reg,
    Click Yes when prompted, and then click OK.

    Download RegSeeker http://www.hoverdesk.net/dl/en/RegSeeker.zip

    Unzip, install and run.

    Click Find in Registry
    type
    norton
    delete all it finds

    do same process with Symantec

    You are finally clean of Norton/Symantec.

    Enough for one post.

    Good night,
    Mike
  19. ascot54

    ascot54 Newcomer, in training Topic Starter Posts: 87

    Mornin Mike...

    I have done all courses of action to eradicate Norton/Symantec...

    logs attached
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

  21. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Good morning from here anyway

    Apparently Bobbye did not read all we did in post #43, that entry no longer exists anyway but the one below does.

    After you do the below Last thing do a HJT Scan only and remove
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} -

    Delete all the log files we created on the desktop.

    Then cut and paste operation on the box in my last post.
    I had a typo and added a couple of lines.

    Then send me the norton and syman files again.

    After all above now delete the entry above and send HJT log.

    Mike
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Look up the CLSID: It is related to Symantec products, specifically 'Related to Symantec Script Runner class.'
    So the SymantecLeftOvers.txt did not fully remove the entry, which was why I suggested the Norton Removal Tool.

    This bothers me:
    You instructed the user to enter code but now said there was a 'typo' and you added lines? It would be of concern what happens if the incorrect, too short code is used.
  23. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Paul

    Please, please excuse and ignore this entire post as it has nothing to do with you or your thread!


    Bobbye from my very last post can you not see this or just intent on finding fault O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} -

    I am glad you worry for me. I am not perfect, I make mistakes, I admit and take responsibility and correct my mistakes.

    But I am glad someone perfect and mistake-free like you is worrying for me.

    So continue worrying and let Paul and I finish up, we have cleaned his infections and are now doing some other general system cleanup!

    You have found fault several times in this post on things that were not faults at all but had already been addressed. Actually the same ones twice!

    Find something real and I will thank you.

    Mike
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I was only pointing out that the Norton entry had not been removed using the program you gave.

    Paul, this post was inappropriately put here. My apology to you, TechSpot members can contact each other privately and should not drag out personal matters at the expense of the person with the problem.
  25. ascot54

    ascot54 Newcomer, in training Topic Starter Posts: 87

    Hey guys....

    don't fall out over me,

    i read everything..!! and take advice where needed and really appreciate the help given..


    Thanks again..