
Trojan.vundo Removal


6 replies to this topic

#1 thkeeler


Posted 07 April 2006 - 12:28 PM

I have a Dell Dimension desktop that is impossible to use due to constant popups (not the computer I am writing this on). I ran SpyBot S&D and a "commercial" spyware/adware removal program repeatedly (about 6 times), both in normal and safe mode, to no avail (by commercial I mean one that you pay for, to the tune of $40.00); I don't remember the name of the "commercial" one, but it's the one with the icon that looks like the Ghostbusters logo. I finally discovered I could make the computer "usable" by disconnecting it from the internet and stopping all Startup and Services via the System Configuration Utility, and starting it in safe mode. At that point I installed Norton Internet Security 2005, restarted the computer in normal mode and hooked to the internet so I could run LiveUpdate, which I was eventually successful at doing; an agonizing undertaking as the ads were coming at the rate of about one every two seconds and in about a minute there would be so many that the system would freeze. I then disconnected it from the internet and ran a virus scan. This was when I discovered it had the Trojan.Vundo, and where the "main" malware file was located (in C:\ProgramFiles\WINDOWS\System32\awwva.dll, I think; I'm not sure about the awwva.dll part).
At this point I searched the internet for info about this Trojan (that's how I discovered this site) and downloaded Symantec's Trojan.Vundo removal tool.
I ran the removal tool five times, three times in safe mode and twice in normal mode, following Symantec's instructions to the letter, but it was unable to remove this main .dll file, so did not help. At that point I tried to remove it myself in safe mode but it keeps saying "access denied".
Does anyone have any suggestions? They would be much appreciated!
P.S. As I am new to this site I am not sure I am posting this in the right place and following the approved procedure, so if I am not I would appreciate any constructive info and/or criticism about things I may be doing wrong in this post. (I realize I have been too wordy in my exasperation over this problem.)



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 07 April 2006 - 12:50 PM

Welcome thkeeler

You're in the right place at this point. Please see the self-help tutorial How To Remove Winfixer/Virtumonde/Msevents/Trojan.vundo.

If you are still having problems afterwards you may need to post a HijackThis log and get expert assistance. Instructions for posting a log are included in the tutorial. Logs are posted in the HijackThis forum, not here.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 am2pm630


Posted 08 April 2006 - 12:41 AM

After doing step #2, I no longer see Vundo on my Windows log-in. However, when I scan the computer it still shows up on our other log-in name. Do I have to repeat the same process on the other log-in name??

Thanks.

#4 quietman7


Posted 08 April 2006 - 07:06 AM

Continue with: This step should only be used if the instructions in Step 2 did not remove the infection. Follow the instructions for using VirtumundoBeGone.

#5 am2pm630


Posted 08 April 2006 - 09:50 PM

OK, so I followed the Step 2 instructions. I used msconfig to restart my computer in safe mode, then I ran the VirtumundoBeGone program. The text file it created said that Vundo was not found. When I run McAfee it still says I have Vundo. Can anyone shed any light on this?? Did I miss any steps or is there anything else I can do??

Any info is much appreciated.
Alex

#6 quietman7


Posted 09 April 2006 - 06:51 AM

Sometimes Vundo can be stubborn when we try to remove it, and other times new variants arise which the tools will not work against until they are updated.

I suggest you read and follow all instructions in the pinned topic titled Preparation Guide For Use Before Posting A Hijackthis Log.

When you have done that, post a log in the HijackThis Logs and Analysis Forum, not here, for assistance by the HJT Team Experts.

It may take a while to get a response because the HJT Team members are very busy. Please be patient as they are volunteers who will help you out as soon as possible. Once you have made your post, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have not been replied to, as this makes it easier for them to identify those who have not been helped. If you post another response, a team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.

#7 am2pm630


Posted 09 April 2006 - 03:38 PM

Thanks. I'm at work right now but I will give that a shot when I get home.



