
Help with Vundo Trojan

My computer is infected with the Trojan Vundo virus. I have read every thread on this board and tried the following solutions but have not been able to remove it.

I did a full system scan using Norton Internet Security full in Safe Mode. Before I did the scan, I updated the virus definitions and disabled System Restore as Symantec recommends here: http://www.symantec.com/security_response/writeup.jsp?docid=2004-112111-3912-99&tabid=3

The scan discovered the Trojan Vundo but could not completely remove it. The scan found over 200 affected registry files but could not delete these.

Next, I ran Symantec's Trojan.Vundo Removal Tool 1.5.1. Before I ran the tool, I made sure that the infected PC was not connected to the Internet, as per Symantec's instructions. The tool said it could not find the virus, but the virus is definitely still there as I keep getting popups, etc.

I tried running Malwarebytes as some posts recommend but the software would not download on the infected computer. So I downloaded it on a clean PC, saved the file onto a flash drive and then saved it to the infected PC. The Malwarebytes program would not run on the infected PC.

Can someone please help?

Replies


Re: Help with Vundo Trojan

Was there an actual name of the file Norton detected, or how do you know it is Vundo?

Quads


Re: Help with Vundo Trojan

After I ran Norton IS, the scan results identified the virus Trojan.Vundo. I applied the automatic fix prompted by NIS, after which NIS reported that the status was "partially resolved." In the report details, NIS listed 200 Registry entries with status of Delete Failed.

After running NIS, the virus symptoms have continued, perhaps worse than before.

Any help you can provide would be greatly appreciated.


Re: Help with Vundo Trojan

What is the name of the file(s) given, not the registry entries?

Quads


Re: Help with Vundo Trojan

Sorry, I misunderstood. The files are:

windows\system32\madujeri.dll

windows\system32\natulevo.dll

windows\system32\bevozeti.dll

NIS reported that it deleted the 3 above files when it applied the partial fix.

NIS also terminated the following process when it applied the partial fix:

windows\system32\rundll32.exe


Re: Help with Vundo Trojan

OK, just making sure Norton wasn't reporting Vundo when it actually may not be.

In this case it looks like the Vundo.H variant. Norton pulls up all the registry entries to do with Vundo even if some don't exist.

Download Malwarebytes from http://www.filehippo.com/download_malwarebytes_anti_malware/ ("Download latest version" on the right-hand side) and install.

Run Malwarebytes, update its definitions, then run a Full Scan.

This is to double check, as some Vundo.H are resilient, stubborn infections. Hopefully Norton did its job.

Quads


Re: Help with Vundo Trojan

I tried to download Malwarebytes on the infected PC. The file will not save. (The download helper says, download complete, but the file is not saved to the PC.)

I downloaded Malwarebytes to a clean PC and then saved the downloaded file to a flash drive. I then moved the mdam-setup file from the flash drive to the infected PC and tried to install. The program appears to install, but will not load. When you click on the Malwarebytes execute file, Windows says it cannot find the file.

Any ideas?


Re: Help with Vundo Trojan

To get a more complete picture, as you may have a combination hit (or not):

1. When downloading, what browser are you using to do so? I have seen where screwed-up settings within Firefox can cause .exe files to state downloaded when they actually don't.

2. When you go into the Malwarebytes Programs folder, what files are missing? Here is a screenshot from my PC to cross reference.

Quads


Re: Help with Vundo Trojan

mbam.exe is missing.

I thought mbamgui.exe was the program execute file.  (mbamgui.exe is in my PC's folder but mbam.exe is not.)

I did download the program using Firefox. However, when I downloaded it to the clean PC, the program works just fine.

I will try downloading Malwarebytes again, this time using IE. This will take a while as the infected PC is running slow.


Re: Help with Vundo Trojan

There is malware that will delete (eat) a program's main .exe, so I didn't tell you which ones on purpose, as you wouldn't know which is which etc.

OK, looks like I will have to see what is on your system.

1. Download Hijackthis with the clean system from here: http://free.antivirus.com/hijackthis/ Download the version 2.0.2 executable on the right-hand side (not the installer).

Before transferring, rename "Hijackthis.exe" to "Hijackthis.com", then transfer to your desktop of the infected machine, run and save a log.

2. Download DDS from the first link here: http://forums.whatthetech.com/Hijack_WindowsUpdate_t109215.html

You will have DDS.pif. Once transferred to the infected PC, you will have to disable Norton Auto-Protect.

Save the output "DDS.txt"

Now post back and attach both the Hijackthis log and DDS.txt

Quads 


Re: Help with Vundo Trojan

I am doing as you suggested, downloading HiJackThis, etc. While I was waiting for your reply, I got Malwarebytes to work on the infected machine by dumping the missing .exe file onto a flashdrive and then transferring it to the Malware folder on the infected machine.


Malware is scanning on the infected machine now and has so far found 21 infected objects. It is not finished scanning yet. Should I let the scan finish & see if it will delete the infected files before continuing with HiJackThis?


Re: Help with Vundo Trojan

Yes,

Malwarebytes creates its own logs after a scan. It also may have needed the database to be updated, oh well. If Malwarebytes can get rid of even a few, it's a start.

And the logs from even Malwarebytes also will help me understand, hopefully, which Malware / Rogue or other, even if it hasn't found all of it.

Quads


Re: Help with Vundo Trojan

OK, will let it finish scanning.

I had updated Malwarebytes on the clean PC before transferring the missing .exe file to the infected PC. Not sure if the updates are stored in the .exe file, but the dates on the other Malwarebytes files had not changed after the update, so I hope the updates got transferred.


Re: Help with Vundo Trojan

LOL, the definition file has nothing to do with the .exe file.

Quads


Re: Help with Vundo Trojan

I ran Malwarebytes twice. The first scan found 27 infected files, 3 of which needed the system to reboot to delete. After rebooting, I updated Malwarebytes on the infected PC and ran the program again. This second scan found 1 infected file. Attached are the logs from the first & second scans from Malwarebytes.

There are a bunch of files in the Malwarebytes Quarantine...is it safe to delete these?

Also attached is the HijackThis log. It looks like natulevo.dll and other malware are still infecting the PC.

Should I just wipe/reformat the drives on the infected PC and reinstall the OS? I am worried that I will never be sure that I have gotten rid of all of the malware and it may use backdoor programs to cause further damage.


Re: Help with Vundo Trojan

Hang in for Quads.  He will be along a bit later.  Time zone differences cause delays.  He will advise you.

Under certain circumstances profanity provides relief denied even to prayer. Mark Twain

Re: Help with Vundo Trojan

Fix the following:

O2 - BHO: (no name) - {dddeec46-5e4a-446f-88b7-294547fe1e1e} - bevozeti.dll (file missing)
File Missing: When a file is missing, you should always have HijackThis fix the item.

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
Ctfmon.exe: "CoolWebSearch Ctfmon32 parasite variant"

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
Ctfmon.exe: "CoolWebSearch Ctfmon32 parasite variant"

O21 - SSODL: sowubayuj - {c357a318-84cb-441e-ace7-77e0ad34bd8f} - c:\windows\system32\kiganopo.dll (file missing)
File Missing: When a file is missing, you should always have HijackThis fix the item.

O21 - SSODL: zijowajik - {545b8bd0-1fb2-4300-948c-1083d817dec4} - c:\windows\system32\hariviza.dll (file missing)
File Missing: When a file is missing, you should always have HijackThis fix the item.

O22 - SharedTaskScheduler: jugezatag - {c357a318-84cb-441e-ace7-77e0ad34bd8f} - c:\windows\system32\kiganopo.dll (file missing)
File Missing: When a file is missing, you should always have HijackThis fix the item.

O22 - SharedTaskScheduler: gahurihor - {545b8bd0-1fb2-4300-948c-1083d817dec4} - c:\windows\system32\hariviza.dll (file missing)
File Missing: When a file is missing, you should always have HijackThis fix the item.

Re: Help with Vundo Trojan

Hi

The reason on the second Malwarebytes scan it still detected one is that you updated Malwarebytes Definitions. Also Malwarebytes log does show you scanned in Safe Mode.

Hijackthis

Start Hijackthis and tick these entries


O2 - BHO: (no name) - {dddeec46-5e4a-446f-88b7-294547fe1e1e} - bevozeti.dll (file missing)

O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup   (not needed on startup)

O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start  (not needed on startup)

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')  (can be used by anything)

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')  (can be used by anything)

O20 - AppInit_DLLs: acaptuser32.dll c:\windows\system32\kiganopo.dll c:\windows\system32\hariviza.dll zihimubi.dll natulevo.dll   (Vundo)

O21 - SSODL: sowubayuj - {c357a318-84cb-441e-ace7-77e0ad34bd8f} - c:\windows\system32\kiganopo.dll (file missing)

O21 - SSODL: zijowajik - {545b8bd0-1fb2-4300-948c-1083d817dec4} - c:\windows\system32\hariviza.dll (file missing)

O22 - SharedTaskScheduler: jugezatag - {c357a318-84cb-441e-ace7-77e0ad34bd8f} - c:\windows\system32\kiganopo.dll (file missing)

O22 - SharedTaskScheduler: gahurihor - {545b8bd0-1fb2-4300-948c-1083d817dec4} - c:\windows\system32\hariviza.dll (file missing)


Once those are ticked (checked), click the "Fix Checked" Button

Did you get a DDS? That report shows me more, like which files were newly created.

Quads
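As an added example (not part of the post above and not a HijackThis feature), this Python sketch triages the log lines quoted in this thread: it lists the DLLs behind "(file missing)" entries, the DLLs registered in more than one autostart section, and the AppInit_DLLs names that no "(file missing)" entry accounts for. The function names `parse` and `triage` are hypothetical.

```python
import re
from collections import defaultdict

# Log lines copied from the HijackThis entries quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {dddeec46-5e4a-446f-88b7-294547fe1e1e} - bevozeti.dll (file missing)
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O20 - AppInit_DLLs: acaptuser32.dll c:\windows\system32\kiganopo.dll c:\windows\system32\hariviza.dll zihimubi.dll natulevo.dll
O21 - SSODL: sowubayuj - {c357a318-84cb-441e-ace7-77e0ad34bd8f} - c:\windows\system32\kiganopo.dll (file missing)
O21 - SSODL: zijowajik - {545b8bd0-1fb2-4300-948c-1083d817dec4} - c:\windows\system32\hariviza.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {c357a318-84cb-441e-ace7-77e0ad34bd8f} - c:\windows\system32\kiganopo.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {545b8bd0-1fb2-4300-948c-1083d817dec4} - c:\windows\system32\hariviza.dll (file missing)
"""

ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")          # "Onn - Section: value"
DLL = re.compile(r'([^\s\\"]+\.dll)\b', re.IGNORECASE)   # bare DLL file name

def parse(log):
    """Return one dict per 'Onn - Section: value' line; other lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, _section, value = m.groups()
        entries.append({
            "code": code,
            "dlls": sorted({d.lower() for d in DLL.findall(value)}),
            "orphan": value.rstrip().endswith("(file missing)"),
        })
    return entries

def triage(log):
    """Summarise which DLL names the autostart entries point at."""
    entries = parse(log)
    hooks = defaultdict(set)                # DLL name -> section codes loading it
    for e in entries:
        for d in e["dlls"]:
            hooks[d].add(e["code"])
    missing = {d for e in entries if e["orphan"] for d in e["dlls"]}
    return {
        # DLLs named by entries that HijackThis marked "(file missing)".
        "orphans": sorted(missing),
        # DLLs registered in more than one autostart section.
        "multi_hook": {d: sorted(c) for d, c in hooks.items() if len(c) > 1},
        # AppInit_DLLs names with no "(file missing)" entry: check these on disk.
        "appinit_unverified": sorted(
            d for e in entries if e["code"] == "O20"
            for d in e["dlls"] if d not in missing),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```
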


Re: Help with Vundo Trojan

Hi Quads,

I am running HijackThis as you suggested now.

I am confused about DDS...some sites report dds.scr and dds.pif as malware.  Are there versions of DDS that are being exploited as malware?


Re: Help with Vundo Trojan

You really think that I would be on this forum as a Guru, trying to break the Malware, but instead giving you Malware to download??

Quads


Re: Help with Vundo Trojan

I trust Quads and have watched him work for over a year now. I have seen no one complain of any bad choice of tool to help remove their problem. This is the hard part of internet help, trusting those who you can't see and don't really know. I guess you can ask yourself, has he been wrong so far? ...I am not having a go, just trying to encourage you... Quads is good at what he does. He helped me out and I had to face the same thing you are going through now. I chose to trust.

All is well with my aunty's machine.

Cheers Mo Windows 7 64 bit, NIS2013

Re: Help with Vundo Trojan

Sorry, I did not mean to offend. You have been very generous with your time and spot-on with your advice. I asked the question only because you seem to know a lot about the nature/behavior of malware, so I thought you might know if DDS can be exploited...in other words, should I uninstall DDS after running it if it can be exploited? (Or am I confusing things again just like I mistakenly thought that the definitions file in Malwarebytes might be stored in the execute file!)

I am hoping to learn from you so that I am not so helpless the next time...I apologize if I offended...my question came just from a desire to learn a bit more about this.

I did the checks that you recommended on HijackThis and ran DDS after disabling NIS auto protect.

Attached is "DDS.txt" file. After completing the tasks that you recommended on HijackThis, I ran the log again -- attached is this file as well.

Thanks for your help.


Re: Help with Vundo Trojan

It looks as though Vundo is gone; it's not active.

Some of the programs I use on PC can or do act like malware, as the technology can be used for good or bad. One of the programs I use on my own machine also, when finding a way around malware, part of the program was detected by Norton. The file detected, Symantec, after I told them, removed the detection for that file.

Your Acrobat Reader is out of date, it's version 7.

Also, did you have an older version of Norton installed before Norton 2009?? (16. x.  .......)

You could also scan with SuperAntiSpyware Free to see if any leftover entries are left behind, if you want to be sure. Don't forget to update SAS's definitions before scanning.

Quads


Re: Help with Vundo Trojan

Good to hear that you think Vundo is gone! Thanks a million for your help!  I will reboot and then reconnect to the Internet. (I've had it disconnected on the infected machine during this process.)

Yes, I had an older version of Norton installed before 2009...I usually buy the new version of the program every year instead of renewing the subscription. Will update Reader.

Thanks for introducing me to HijackThis, etc. And thank you again for your help!


Re: Help with Vundo Trojan

OK, it looks like you have some of the old Norton still left on your machine.

You will probably have to use / run the Norton Removal Tool (twice is a good idea); that will remove both the old and new versions.

Then clean install the new version so that there will be no conflicting.

Quads


Re: Help with Vundo Trojan

No offense taken, you did what needed to be done, you asked the hard question... glad it all worked out for you. Don't forget to mark the post as the solution that solved your problem, as only you can mark it solved... It makes others find the answer faster.

Cheers Mo Windows 7 64 bit, NIS2013

Re: Help with Vundo Trojan

Hi 800midori19

If you need the Norton Removal Tool, you can find it here

You can download the Norton Removal tool from http://www.symantec.com/symnrt

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit NS with BackUp 22.15.1.8 Core Firmware 267 I E 11

Re: Help with Vundo Trojan

Thanks, Quads. Thank you, everyone for helping getting rid of this Vundo trojan.

I really appreciate the help.


Re: Help with Vundo Trojan

Hello 800midori19

Thanks for coming back and marking your thread as solved. We are all glad you were able to get your computer cleaned up. Thanks also for coming to the Norton Users Discussion Forum for help. If you have any further problems with your Norton product, please feel free to come here again and open up a new thread.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit NS with BackUp 22.15.1.8 Core Firmware 267 I E 11

Re: Help with Vundo Trojan

Hey Quads guru

I got exactly the same problem.  Trojan.vundo...

Running Norton Internet Security and Virus

I can not get Malwarebytes to run but read the solution used and am going to an unaffected computer now to get the mbam.exe.

I've got SUPERAntiSpy running now and it's finding all kinds of stuff. I will also download Hijackthis....

You willing to help out another infected Norton user? 
