BleepingComputer.com: Duntek & Vundo Won't Go Away

After years of being virus-free, I've finally been blindsided, and I can't get up.

I'm running Windows XP Home Edition, with Norton Antivirus 2006. A couple of days ago, I was drinking and web surfing (stupid, I know), and must've come across a less-than-friendly website.

Every time I boot up, Norton lets me know that it's found/removed duntek, then vundo a few minutes later. Each time, I've noticed that the .dll file that's being deleted has a random name composed of eight letters followed by ".dll". The frustrating part is, I reboot (as advised by Norton after it gets rid of vundoo), and the cycle repeats. If I open my web browser, it seems to trigger some sort of "rebirth" for the troublemakers. I also get warnings about WinFixer as well as randomly-appearing internet explorer windows that go to various websites for swingers, immigration stuff, and fake drive cleaner utilities.

I've gone straight to the Norton website, and downloaded their vundo remover utility, but it doesn't permanently remove the virus. I've tried following the instructions at their site, but when they say to delete:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\[RANDOM CLSID]

from the registry, there's literally HUNDREDS of items under that folder that look random. Fortunately I made a backup of the registry before trying to delete several dozen. Definitely NOT the correct solution.

I've also tried fixvundo.exe and vundofix.exe, recommended by various websites (I see other users with similar problems, but the solutions seem very tailor-made). Still no joy.

I've downloaded combofix.exe, but while it was running, Norton popped up a window saying it had just deleted something, and that seemed to crash combofix but good.

I've also downloaded hijackthis_sfx.exe, but haven't tried it yet. Once I get a reply to this message about what to do, I'm sure you'll ask me to run the program and post the log file here. Just let me know where I should post it, I guess.

It looks like you folks are very patient and persistent, from what I've seen of other people's threads. I hope I don't waste too much of your time.

Thanks for your kind attention.

Dennis

please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. About half way down are instructions for downloading HijackThis and creating a log.

When you have done that, post a log in the HijackThis Logs and Analysis Forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

If for whatever reason HiJackThis.exe can not be opened try to rename it to Analyze.exe or fluffbunny.exe. Please make sure you have the right version of HiJackThis i.e. 1.99.1


Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log here.

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.