Trojan Vundo won't go away!! Please HELP!

I have tried almost everything and so has my dad. We can't get rid of this stupid virus. The Semantec FixVundo program searched my computer and couldn't even find it, but it's there! This pops up every couple seconds from Norton:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Vundo
File: C:\WINDOWS\SYSTEM32\geedd.dll
Location: C:\WINDOWS\SYSTEM32
Computer: PRINCESSLIZZY
User: Lizzy
Action taken: Clean failed : Quarantine failed : Access denied

I know someone out there must know how to help me.

Thanks,
Lizzy

 

I'm assuming you will need this to help me...

 

First, please uninstall TrojanHunter & Ewido as they can block this removal. If you have purchased either of these programs just completely exit them before running the fix.

Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

To create a new folder:
Click START > My Computer > Local Disc C: > Program Files
Now, Right Click on an Empty Area and select New > Folder & name it HijackThis and ENTER

To Extract HijackThis:
Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
(C:\Program Files\HJT) and click Next.

The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored. After you complete the above, procede with the below fix!



Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to extract the files
• This will create a VundoFix folder on your desktop.
• After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
• Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
• You will first be presented with a warning and a list of forums to seek help at.
  it should look like this

• At this point press enter one time.
  
• Next you will see:

• At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\geedd.dll​

• Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

• Next you will see:

• At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\ddeeg.*​

• Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
• The fix will run then HijackThis will open.
• In HiJackThis, please place a check next to the following items and click FIX CHECKED:

O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\geedd.dll
O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll​

• After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
• Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  
• Once your machine reboots please attach a fresh HJT log from normal mode.

 

I did exactly as you said and there was one problem. When HJT opened up I could only find one of the items that was supposed to be checked. So I did that one, and continued as you said to... It seems, to have worked because Norton is not alerting my of the virus anymore, but I'm not sure. Here is the new log... (should I go into regedit and delet the entries manually?)

Thanks for your time!

 

No, there is no need for regedit, also before you complete the fix below be sure you have exited ALL browsers.

Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/forgotPassword.asp?affid=105-57&langid=1&close=true&RW =1

O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\geedd.dll (file missing)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll (file missing)

Again, make sure All Browser Windows are Closed when you Click FIX.

NEXT:
Run CCleaner to clean up cookies and temp files.

Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
Note: Remember to get all updates before doing the scans.

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.


After you complete the above REBOOT, scan with HijackThis and attach the new log !

 

Here's the new log. Thanks so much! I can't wait to rub it in my dad's face that it really does help to "stop and ask for directions"
Have a nice night!

Lizzy

 

Your new HJT log is clean, are you having any further problems?

 

So far, no. Thanks so much!

 

Your Welcome!

You should see this article on How to Protect yourself from malware!

Surf Safely!