Question about Virtumundo fix

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jstand, Oct 1, 2005.

  1. jstand

    jstand Private E-2

    I've run through all the required steps in the "readme first thread" and although some of the tools show my system as clean, if I run Microsoft antispyware it finds virtumondo. Selecting next to allow it to fix the problem leads to the same result after rebooting if I rerun the scan.

    I suspect I'll need to run Vundofix.exe with the first path being:

    C:\WINNT\system32\fccdd.dll

    and the second path: C:\WINNT\system32\ddccf.*

    But beyond that, I'd appreciate some expert advice on that and if there is anything else in my HJT log that needs to be fixed.

    Thank you for your assistance.

    Joe
     


  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.

    Please print these instructions out for use in Safe Mode with no networking and DO NOT RUN any browsers while doing these steps.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
    • You will first be presented with a warning and a list of forums to seek help at. It should look like this
    • At this point press enter one time.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINNT\system32\fccdd.dll
    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\System32\ddccf.*
    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • The fix will run then HijackThis will open.
    • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    O20 - Winlogon Notify: fccdd - C:\WINNT\system32\fccdd.dll
    O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Stand\Local Settings\Temporary Internet Files\Content.IE5\EDL2VA9C\cwshredder[1].exe (file missing)

    YOU MUST NOT REBOOT OR POWER DOWN AT THIS POINT! You must just wait for the next steps. If you reboot or power down, the symptoms and problem files will mutate, making my next steps useless. Make sure you indicate to me that you understand this and that you are not rebooting or shutting your PC down.
     
  3. jstand

    jstand Private E-2

    Ok,

    just to be sure I get this right I want to double check a few things before proceeding.

    1) I'm running Win2K, so the system restore disable doesn't apply. Correct?

    2) Viewing hidden and system files along with extensions is something I normally enable, and I verified it before the RMF steps were followed, so that should be all set unless there was something you saw that indicates otherwise. If so, I'll dig deeper and find out where I have a setting wrong.

    3) When you say:

    I understand you don't want me to manually reboot or shut down, but what are the additional steps I'll need to perform so that I can print out or write down?

    Thanks for your help,

    Joe
     
  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    1) Right 2K doesn't have system restore.

    2) If viewing hidden and system files is enabled then you are good.

    3) Sorry, I accidentally cut out part of the instructions when I edited my reply; this is just before the YOU MUST NOT REBOOT OR POWER DOWN AT THIS POINT!
    • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
    • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
    • Now please attach a new HJT log from normal mode.
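
The two HijackThis entries the helper asked to have fixed (an O20 Winlogon Notify DLL with a random-looking name, and an O23 service pointing at a missing file) are the kind of thing a reader can triage from a pasted log before asking for help. The script below is an added example written for this thread; it is not code posted by jstand or Shadow_Puter_Dude and is not part of VundoFix or HijackThis. It parses O20/O23 lines, flags Winlogon Notify DLLs whose name has the five random lowercase letters seen here (an assumption drawn from this one case, so a hit means "review", not "malicious"), derives the reversed-name companion glob the way jstand did (fccdd.dll -> ddccf.*), and flags services HijackThis itself marks "(file missing)". The sample log lines are constructed to resemble the thread's log, not the real attachment.

```python
"""Triage helper for HijackThis-style O20/O23 log lines (added example)."""
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample lines (not the poster's attached log). The first and
# third mirror the two entries the helper asked to have fixed in HJT.
SAMPLE_HJT_LINES: List[str] = [
    r"O20 - Winlogon Notify: fccdd - C:\WINNT\system32\fccdd.dll",
    r"O20 - Winlogon Notify: crypt32chain - crypt32.dll",
    r"O23 - Service: CWShredder Service - Unknown owner - "
    r"C:\Documents and Settings\Stand\Local Settings\Temporary Internet Files"
    r"\Content.IE5\EDL2VA9C\cwshredder[1].exe (file missing)",
    r"O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINNT\system32\spoolsv.exe",
]

# "O20 - Winlogon Notify: <subkey> - <dll path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
# "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# Heuristic taken from this thread (fccdd): five random lowercase letters.
# Assumption, not a rule; legitimate DLLs could match, so a hit is a prompt
# to review the entry, not a verdict.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5}$")


def companion_glob(dll_path: str) -> str:
    """Reverse the DLL's stem in the same directory, as jstand inferred:
    C:\\WINNT\\system32\\fccdd.dll -> C:\\WINNT\\system32\\ddccf.*

    Deriving the directory from the O20 path keeps the system root the
    machine actually uses (WINNT here, not WINDOWS)."""
    directory, filename = ntpath.split(dll_path)
    stem, _ext = ntpath.splitext(filename)
    return ntpath.join(directory, stem[::-1] + ".*")


def triage(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Return one finding per O20/O23 line that merits review."""
    findings: List[Dict[str, Optional[str]]] = []
    for line in lines:
        m = O20_RE.match(line)
        if m:
            path = m.group("path")
            stem = ntpath.splitext(ntpath.basename(path))[0]
            if RANDOM_NAME_RE.match(stem):
                findings.append({
                    "entry": "O20",
                    "name": m.group("name"),
                    "path": path,
                    "reason": "random-looking Winlogon Notify DLL name",
                    "companion": companion_glob(path),
                })
            continue
        m = O23_RE.match(line)
        if m and m.group("missing"):
            findings.append({
                "entry": "O23",
                "name": m.group("name"),
                "path": m.group("path"),
                "reason": "service points at a missing file (orphaned entry)",
                "companion": None,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LINES):
        print(f"{f['entry']} {f['name']}: {f['reason']}")
        print(f"    path:      {f['path']}")
        if f["companion"]:
            print(f"    companion: {f['companion']}")
```

Both flagged entries still need a human decision (the Winlogon Notify key name alone does not prove infection), and the companion glob is only the starting guess for the second VundoFix prompt; the tool reports "file path not found" when nothing matches it.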
     
  5. jstand

    jstand Private E-2

    I ran killvundo.bat as instructed, and had one error come up saying file path not found after entering the second path. Is that normal?

    I've attached the latest HJT log for review.

    Thanks again,

    Joe
     


  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your log is clean.

    You are running XP SP1, that represents a major security risk to your computer. I strongly recommend you install SP2 and run Windows Update to bring your computer up2date.
     
  7. jstand

    jstand Private E-2

    Thanks for your assistance.

    I think you may have someone else in mind about the XP update, I'm running Win2K SP4.

    Thanks again,

    Joe
     
  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Sorry, saw the SP1 on IE6, WIN2KSP4 is correct.
     
