Cannot remove Vundo.B

I'm working on a friends computer running XP - he has Norton antivirus with the virus alert window that won't go away. I have run Symantec's fixvundo.b. and fixvundo and have tried everything in your "Read & Run Me First" posting down to the HijackThis part. Shall I continue or is there anthing else I can try first? I am not familiar with HijackThis and won't know what it means.

 

Before we start the fix for this particular infection, I would like you to try the newest removal tool from Symantec. Download this tool, reboot to Safe Mode, run the tool and attach the log to your next post after you have rebooted back to normal mode.

Symantec Trojan.Vundo Removal Tool 1.3.1

 

I believe that is the version I ran yesterday, it was downloaded from Symantec's website. However, I will try the link you sent and get back to you.

 

10-04

 

It was the same version but I re-ran it anyway. Both logs are attached.

 

Okay, now a current HJT log from normal mode.

 

Here it is...

 

Could you attach a fresh log without the MD5, makes it easier to sort out.

 

Attached

 

Download this trial version of Ewido Security Suite

• Install ewido security suite
• Launch ewido, there should be an icon on your desktop double-click it.
• The program will have a window come up. One of the buttons on the left is to Update. Click the Update button.and then Start the Update. The update will start and a progress bar will show the updates being installed.
• After it completes the update, click the Scanner button

Now exit Ewido. Now print the below instructions or save them locally because I want you do have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

Open up Ewido and do the following:

• Click on Scanner
• Then click Settings
• Under What to Scan? Select Scan every file
• Then click OK
• Click on Complete System Scan and the scan will start.
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files that are infected. Leave the defaults selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop or anyplace you will be able to find it to upload here.

Reboot into normal mode and reconnect to the internet.

Come back here and post the Ewido Scan Report along with a fresh HJT log.

 

The ewido scan is still running on the other computer but I have another question. We have 2 computers sharing a DSL connection through a Linksys router. We share a couple files and a printer connected to my computer but sharing has been stopped since finding this virus. Would it be a good idea to run some type of scan on my computer to ensure that I won't catch what he has? Also, we both run Norton Anti-virus, should we have an anti-spyware program running also?

 

Ewido has finished with a warning message regarding "wildtangent" files, asking if I want to remove the whole archive since it is not able to remove the embedded files. These files are under Documents & Settings...Local...Application data, etc. This sounds as if it should be removed, right?

 

Regarding my last post, I removed the wildtangent archive, then rebooted in normal mode and that blasted Virus alert screen is still there! Ewido and HJT logs are attached.

 

Before you start the fix below you MUST uninstall Ewido & Microsoft Antispyware.

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to extract the files
• This will create a VundoFix folder on your desktop.
• After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
• Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
• You will first be presented with a warning and a list of forums to seek help at.
  it should look like this

• At this point press enter one time.
  
• Next you will see:

• At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\ddccd.dll​

• Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

• Next you will see:

• At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\dccdd.*​

• Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
• The fix will run then HijackThis will open.
• In HiJackThis, please place a check next to the following items and click FIX CHECKED:

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddccd.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O20 - Winlogon Notify: ddccd - C:\WINDOWS\system32\ddccd.dll ​

• After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
• Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!

Once your machine reboots please attach a fresh HJT log from normal mode.

 

I have followed all instructions but after entering the first file path it responds that the "file was not found; attempting to delete it; then 'deleted' is not recognized as an internal or external commany", etc. It then starts to open HijackThis but I'm not sure if I should continue with that or not. I have tried this twice and verified that the file path is typed correctly. What is next?

 

I just rebooted and was looking for the file when I realized that the Virus alert screen had not popped up. Attaching a new HJT log. Is it possible that the virus may be gone?

 

Scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddccd.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: ddccd - C:\WINDOWS\system32\ddccd.dll (file missing)

Again, make sure All Browser Windows are Closed when you Click FIX.

NEXT:
Run CCleaner to clean up cookies and temp files.


After you complete the above REBOOT, scan with HijackThis and attach the new log.

 

I ran the fix & ccleaner, the HJT log is attached. I can't thank you enough for helping me eliminate that nasty virus!!

If you have a moment will you read my post #11 below and respond? Also, I believe the router's firewall is protecting both computers but how can I verify that?

 

Your HJT log is clean, are you having any further problems?

You should see this article on How to Protect yourself from malware!

You need a firewall, antivirus and antispyware programs for good security and protection on each computer.

 

Everything is working well. Thank you so much!

 

Your Welcome!

Be sure you check out the thread on How To Protect, very good information!

Surf Safely!