TROJAN.VUNDO VIRUS FOUND!!!! NEED HELP!!!!!!!111one11!one1!!!oneeleventwo!!1!1111!!!!

Discussion in 'Windows - Virus and spyware problems' started by DMROOLZ, Jan 12, 2006.

  1. DMROOLZ

    DMROOLZ Member

    Joined:
    Jul 30, 2005
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    16
    H'okay... I have found specific instructions for removing the Trojan.Vundo virus.

    However.

    I have found none that are for Windows 2000 Pro; all are for Windows XP. These are the instructions I found on at least 15 sites:

    Download Trojan.Vundo removal tool

    Turn off system restore

    Reboot in safe mode

    run infected file

    run removal tool

    reboot after turning on system restore


    I cannot find System Restore, recovery or anything like that... I have run the program, to no avail. I have followed the instructions other than the System Restore stuff, to no avail. I NEED HELP! PLEASE GIVE ME INSTRUCTIONS ON REMOVING THIS ARSE OF A VIRUS!!!!! SYMANTEC DOESN'T DO SHIZnAT!!!
     
  2. gamename

    gamename Regular member

    Joined:
    Feb 24, 2005
    Messages:
    753
    Likes Received:
    0
    Trophy Points:
    46
    Start menu, Accessories, System Tools should get you to System Restore.
     
  3. ddp

    ddp Moderator Staff Member

    Joined:
    Oct 15, 2004
    Messages:
    39,169
    Likes Received:
    137
    Trophy Points:
    143
    moved to correct forum
     
  4. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
  5. DMROOLZ

    DMROOLZ Member

    Alright, I'll try HJT. Downloading now >_>'
     
  6. DMROOLZ

    DMROOLZ Member

    Alright... Tried HJT, didn't work. Looked under System Tools; all I have there are Backup, Character Map, Disk Cleanup, Disk Defragmenter, Getting Started, Scheduled Tasks, and System Info. Checked under System Info, found nothing. Still a problem with Symantec: doing a real-time scan and not removing it. Manual scan won't remove it... -_-'''
     
  7. -kemisti-

    -kemisti- Active member

    Just saving an HjT log doesn't fix anything. But if you post that HjT log here, I or someone else may help you remove Vundo :)
     
  8. DMROOLZ

    DMROOLZ Member

    Ooh.. okay. Here's the thing in Notepad that popped up. That's it, right? The trojan is in C:\WINNT\system32\bnvphitm.dll

    Logfile of HijackThis v1.99.1
    Scan saved at 8:52:21 PM, on 1/15/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    D:\SYMANT~1\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    D:\SYMANT~1\Rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\SYMANT~1\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\lndeggme.exe
    C:\program files\zango\zango.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINNT\gjkh.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: (no name) - {24CA35A4-67A7-4450-BC6A-53471E1CD720} - C:\WINNT\system32\hpvedxji.dll
    O2 - BHO: Miniclip - {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} - C:\PROGRA~1\MINICL~1\MINICL~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Zango Search Assistant Helper - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll
    O2 - BHO: (no name) - {6EA4491C-9AC8-45EF-8619-36198151A143} - C:\WINNT\system32\hpvedxji.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINNT\system32\nd_gfx9.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Miniclip - {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} - C:\PROGRA~1\MINICL~1\MINICL~1.DLL
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [vptray] D:\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [lndeggme] C:\WINNT\system32\lndeggme.exe
    O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
    O4 - HKLM\..\Run: [gjkh] C:\WINNT\gjkh.exe
    O4 - HKCU\..\Run: [lndeggme] C:\WINNT\system32\lndeggme.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activation.rr.com/install/download/tgctlcm.cab
    O16 - DPF: {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} (Miniclip) - http://www.miniclip.com/toolbar/minicliptoolbar.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/08b1391d22dd2231a400/netzip/RdxIE601.cab
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O20 - Winlogon Notify: nd_gfx9 - C:\WINNT\SYSTEM32\nd_gfx9.dll
    O23 - Service: DefWatch - Symantec Corporation - D:\SYMANT~1\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\SYMANT~1\Rtvscan.exe
     
  9. ozzy214

    ozzy214 Regular member

    Joined:
    Jul 28, 2005
    Messages:
    918
    Likes Received:
    0
    Trophy Points:
    26
    Run these in exact order. Credit goes to ddp...

    ccleaner http://www.ccleaner.com/
    cwshredder http://www.intermute.com/products/cwshredder.html
    ad-aware se http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-...
    spybot s&d http://www.majorgeeks.com/download2471.html
    online virus & spyware scan http://housecall60.trendmicro.com/en/start_corp.asp

    Virus should be cleaned out. Everything but the last should be run in safe mode. Press F8 repeatedly when booting up and Windows will give you the screen to select safe mode. :>
     
  10. DMROOLZ

    DMROOLZ Member

    are all of those downloads, or should I run safe mode with networking?
     
  11. ddp

    ddp Moderator Staff Member

    downloads
     
  12. -kemisti-

    -kemisti- Active member

    @ozzy214: Vundo requires special fix

    @DMROOLZ:

    Uninstall via Control Panel (add/remove programs), if found:

    winupdates
    Zango Search Assistant Helper or just Zango

    Shut down these via Task Manager (ctrl+alt+del -> end process):

    zango.exe
    lndeggme.exe
    gjkh.exe

    Fix with HjT (do a system scan only, check these and press "Fix checked"):

    O2 - BHO: Miniclip - {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} - C:\PROGRA~1\MINICL~1\MINICL~1.DLL
    O2 - BHO: Zango Search Assistant Helper - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll
    O3 - Toolbar: Miniclip - {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} - C:\PROGRA~1\MINICL~1\MINICL~1.DLL
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    O4 - HKLM\..\Run: [lndeggme] C:\WINNT\system32\lndeggme.exe
    O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
    O4 - HKLM\..\Run: [gjkh] C:\WINNT\gjkh.exe
    O4 - HKCU\..\Run: [lndeggme] C:\WINNT\system32\lndeggme.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activation.rr.com/install/download/tgctlcm.cab
    O16 - DPF: {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} (Miniclip) - http://www.miniclip.com/toolbar/minicliptoolbar.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/08b1391d22dd2231a400/netzip/RdxIE601.cab

    Delete these files/directories, if present:

    C:\PROGRA~1\==>MINICL~1<==
    C:\Program Files\==>winupdates<==
    C:\WINNT\system32\==>lndeggme.exe<==
    c:\program files\==>zango<==
    C:\WINNT\==>gjkh.exe<==

    Please download VundoFix.exe -> http://www.atribune.org/ccount/click.php?id=4 to your desktop.
    Double-click VundoFix.exe to run it.
    Click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files; click YES.
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will shut down your computer; click OK.
    Turn your computer back on.
    Please post the contents of C:\vundofix.txt and a new HijackThis log.
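    As an added example, not code from anyone in this thread, here is a small Python triage script over the HijackThis log format shown in post 8. It correlates O2, O4 and O20 lines the way the fix list above does by hand, flagging the Vundo-style traits visible in DMROOLZ's log: one DLL registered under two BHO CLSIDs with no name, a BHO DLL that is also a Winlogon Notify package, and one binary autostarted from both HKLM and HKCU Run. The sample lines are a constructed excerpt modelled on that log; the regexes assume the HijackThis v1.99.1 line layout.

```python
import re
from collections import defaultdict

# Constructed excerpt in HijackThis log format (modelled on the thread's log).
SAMPLE_LOG = r"""O2 - BHO: (no name) - {24CA35A4-67A7-4450-BC6A-53471E1CD720} - C:\WINNT\system32\hpvedxji.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {6EA4491C-9AC8-45EF-8619-36198151A143} - C:\WINNT\system32\hpvedxji.dll
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINNT\system32\nd_gfx9.dll
O4 - HKLM\..\Run: [lndeggme] C:\WINNT\system32\lndeggme.exe
O4 - HKCU\..\Run: [lndeggme] C:\WINNT\system32\lndeggme.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nd_gfx9 - C:\WINNT\SYSTEM32\nd_gfx9.dll"""
# Line layouts of the three HijackThis sections we correlate (assumed from the log above).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.+)$")

def triage(log_text):
    """Return {lowercased path: [reasons]} for entries showing Vundo-style traits."""
    bho_clsids = defaultdict(set)   # DLL path -> CLSIDs it is registered under
    unnamed = set()                 # BHO DLLs registered as "(no name)"
    run_hives = defaultdict(set)    # autostart exe -> hives (HKLM/HKCU) launching it
    notify_dlls = set()             # DLLs Winlogon loads as notification packages
    for line in log_text.splitlines():
        line = line.strip()
        if m := BHO_RE.match(line):
            path = m["path"].lower()
            bho_clsids[path].add(m["clsid"].upper())
            if m["name"] == "(no name)":
                unnamed.add(path)
        elif m := RUN_RE.match(line):
            exe = re.match(r'"?(.*?\.exe)', m["cmd"], re.I)   # strip quotes and arguments
            if exe:
                run_hives[exe[1].lower()].add(m["hive"])
        elif m := NOTIFY_RE.match(line):
            notify_dlls.add(m["path"].lower())
    findings = {}
    for path, clsids in bho_clsids.items():
        reasons = []
        if len(clsids) > 1:
            reasons.append("same DLL registered under %d BHO CLSIDs" % len(clsids))
        if path in unnamed:
            reasons.append("BHO registered with no name")
        if path in notify_dlls:
            reasons.append("BHO DLL also hooked as a Winlogon Notify package")
        if reasons:
            findings[path] = reasons
    for exe, hives in run_hives.items():
        if hives == {"HKLM", "HKCU"}:
            findings[exe] = ["same binary autostarts from both HKLM and HKCU Run"]
    return findings
```

    Paste a full log into SAMPLE_LOG (or read it from C:\HJT) and print triage()'s result; benign entries such as ssv.dll and NavLogon.dll produce no finding.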

     
  13. DMROOLZ

    DMROOLZ Member

    Sorry to disappoint you guys... My mom figured this one out :p Download ClamWin, run a scan on the resident file; Symantec works with ClamWin, quarantines it, go to View in Symantec, then Quarantine, then delete the files from there. Simple as that. No more LimeWire for me. XD Thanks for the help though.
     
  14. Ragnarok2

    Ragnarok2 Guest

    Dude... your mom is a bad a$$. That's pwnage right there.
     
  15. DMROOLZ

    DMROOLZ Member

    1337 pwnage. She spent 2 hours scanning, downloading and searching. My uncle gave her the program, she ran it, and Symantec did the rest.
     