Vundo Trojan And Winfixer


  • Please log in to reply
8 replies to this topic

#1 Gwynne

Gwynne

  • Members
  • 39 posts

Posted 10 March 2007 - 03:32 PM

I believe I have the vundo trojan and know I have winfixer (which I think I got with vundo). Yes, I was downloading on Wednesday night and have been having problems since Friday, yesterday, morning.

I am unable to find where Vundo is located on my computer. My Norton kept giving me a warning yesterday morning saying it had deleted the Vundo virus and I needed to restart the computer in the same administrator mode. I did not know what that meant, so I kept rebooting and getting the same message about deleting Vundo and restarting in the same mode.

When I got home from work, I started googling for information. I found something from 2005 about installing a file on my desktop and working from safe mode. While doing this, I found out how to reboot as the same administrator, but only in safe mode. The instructions for removal of Vundo, unfortunately, were outdated, so I couldn't remove it.

I had hoped that restarting the computer in the same administrator mode as Norton said I needed to do would solve the problem. However, later yesterday I had one instance of getting a message from Norton saying it had eliminated a hijacker virus, and immediately after that I got the Vundo message. I rebooted in safe mode as the same administrator. That is the only way I have figured out how to sign on as the administrator, in safe mode. I have had no more occurrences since then; however, I have downloaded about six spy programs. Some pointed out mundane issues such as empty folders but don't mention WinFixer. Only two have picked up that I have WinFixer. I have tried the steps on here to get rid of Vundo, but when I do so, I get a message saying no instance of Vundo is found. I have also tried removing it with Norton's Vundo tool, but again am told that no instances are found. I later found out you might have to turn off System Restore and Norton Auto-Protect.

The reason I feel I still have the Vundo trojan is because even after I restarted the computer in administrator mode earlier yesterday evening, I had the one instance of Norton telling me I have the Vundo trojan, which I described above. Since I did the same step, which was to restart in the same administrator mode, which I had done previously, and I got another instance of the Vundo alert, I have no reason to believe it is really gone this time. I know I have WinFixer, which probably came with Vundo. Norton doesn't seem to be able to detect WinFixer, but two other spy programs did.

How do I find out if I have Vundo? I can't remove it if I can't locate it! How do I remove WinFixer? Again, I see from two spy programs it is still there. They mention HKEY directories, which I don't know how to locate.

Here is the part where I am supposed to tell you about operating systems, but I don't know a lot. When describing the computer, I guess no one cares that it is a pretty grey color? Okay, I have Windows XP. I know I don't have dial-up. I have AOL powered by Verizon broadband. I do not know if broadband is the same as DSL or not. I do not leave my computer on, as I go through the AOL icon on my desktop and not the Internet Explorer desktop icon. It gives me a different screen, so I do log on and off of AOL, then turn the computer off when it is not in use. This is a personal computer. I keep Norton and Windows updated. Please let me know what other information I need to provide. Thank you for any help you can give me.

Edited by Gwynne, 10 March 2007 - 03:34 PM.



#2 buddy215

buddy215

  • Moderator
  • 13,507 posts
  • Gender:Male
  • Location:West Tennessee

Posted 10 March 2007 - 03:39 PM

Removal instructions:
http://www.bleepingcomputer.com/forums/t/18610/how-to-remove-winfixer-virtumonde-msevents-trojanvundob/
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 Gwynne

Gwynne
  • Topic Starter

  • Members
  • 39 posts

Posted 10 March 2007 - 04:16 PM

Yes, thank you, this is one of the steps I did yesterday, though I will rerun both again. At the end, I get a message saying Vundo wasn't found. The reason I think it could be there was because it popped up a second time, out of the blue, last night after I followed Norton's instructions. I have had no problems since then and ran this tool after my last problem. The fact that I followed the instructions from Norton once, then had another instance of Norton telling me I had the Vundo trojan, makes me wonder if it is hiding somewhere in a subkey or root and can't be detected by the steps I have taken so far. Sorry that my terminology isn't the greatest! According to everything I run, Vundo is not there, yet I know it showed up a second time yesterday after I rebooted in administrator mode.

Is there a way, by using the HijackThis icon and posting, to see if it was really removed? And what about the fact that the spyware scanner says I have WinFixer?

Is there a way to remove that? Sorry for posting two problems to one post, but they seem to be related from what I have heard.

Thanks for any help.

#4 Gwynne

Gwynne
  • Topic Starter

  • Members
  • 39 posts

Posted 10 March 2007 - 04:45 PM

Yes, these are two of the steps I took last night, and I just redid them right now. Although I get a message saying nothing was found, when I run NoAdware it says I have six instances of WinFixer, which it lists as a severe threat, plus two instances of dangerous threats for viruses I have never heard of. Then there are the minor ones that are of little threat. I don't know what to do now. Should I post to the hijacking thread? Do I need an invitation, so to speak, to do so?

#5 buddy215

buddy215

  • Moderator
  • 13,507 posts
  • Gender:Male
  • Location:West Tennessee

Posted 10 March 2007 - 06:18 PM

NoAdware is not a reliable program. Are you sure you got the name right?

You can post a Hijack This log in the appropriate forum by following the directions in the link below.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

#6 Gwynne

Gwynne
  • Topic Starter

  • Members
  • 39 posts

Posted 10 March 2007 - 06:23 PM

Yes, it is called NoAdware v5.0, and I thought it was associated with this website. I clicked on one of the help buttons.

I did post a log to the hijacking board where I got further instructions but I am interested in finding out what the log says. I am interested in knowing if there is any evidence of vundo still lurking around.

#7 buddy215

buddy215

  • Moderator
  • 13,507 posts
  • Gender:Male
  • Location:West Tennessee

Posted 10 March 2007 - 06:35 PM

http://spywarewarrior.com/rogue_anti-spyware.htm
Note on NoAdware: NoAdware was listed on this page because of concerns with false positives and the use of aggressive, deceptive advertising (1, 2, 3), including exploitation of the name "ad-aware" (1). Earlier versions of NoAdware were also the same underlying application as Adware Hitman, Consumer Identity, Protect Your Identity, SpyBan, SpywareAssassin, Spyware C.O.P., SpywareKilla, The Adware Hunter, & TheSpywareKiller. Over the past few months, NoAdware has taken aggressive steps to rein in its affiliates (who were primarily responsible for the unsavory advertising) and released a new version of NoAdware (version 3.0) that addresses our concerns with false positives. Given these changes we can no longer regard NoAdware as "rogue/suspect" anti-spyware.

Domains: no-adware.com, noadware.biz, noadware.net, no-adware.net

(Note: other domains associated with NoAdware include: adware-free-download.com, adawareinfo.com, adwarenomore.net, adware-real-free-scan.com, adware-removal.biz, adwareremoval.net, free-adware-remover.org, free-adware-removal.net, free-adware-remover.org, free-adware-scan.com, free-spyware-check.com, nomorespyware.net, online-spybot-scan.com, spybotfinder.com, spyware-destruction.com, the-spyware-adware-remover.com, thespywarepros.com) [A: 6-26-04 / U: 11-17-04]

The program, I believe, was removed from the list of rogue products. So, can a leopard change its spots? Let's see what the HijackThis team has to say about what they find on your computer.
You should not make any changes to your computer unless instructed by the HijackThis team. Good luck to you.

#8 Gwynne

Gwynne
  • Topic Starter

  • Members
  • 39 posts

Posted 10 March 2007 - 06:51 PM

Again, thank you. I probably did more damage downloading all these spyware programs! I did remove most of them after running them initially to see what they had to say. For some reason, I thought you endorsed NoAdware. Thank you for your informative post.

I did post a log and got a response about further steps to take. Some I had done previously. I have just reread the instructions, and there is a section about fixing something. I am going to have to handle that tomorrow, as I am just too tired after working on this for hours today. Now that I see the word "fix" in the response, which I didn't notice the first time I read through, I am wondering what was found that needs to be fixed. I don't know if moderators have an assigned board, and if the HijackThis team is separate from the moderators or not, but if you do read logs, would you mind glancing at the section of the log that RichieUK told me to fix and telling me what it means, because I haven't got a clue! Thank you!

Edited by Gwynne, 10 March 2007 - 07:12 PM.


#9 fozzie

fozzie

    aut viam inveniam aut faciam (I shall either find a way or make one)


  • Members
  • 3,516 posts
  • Gender:Male
  • Location:Ossendrecht/The Netherlands

Posted 10 March 2007 - 07:54 PM

If you have any doubt or query on the fixes, post in the thread in the HJT forum. Only members of the HJT team are allowed to undertake fixes with these logs.
