Virtumundo removal tool from Symantec

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by steve54, Nov 23, 2004.

  1. steve54

    steve54 Private E-2

  2. PhilliePhan

    PhilliePhan Guest

    Good news indeed! :) I was just wondering when somebody would catch up to this nasty! Keep us posted, Steve.

    PP
     
  3. steve54

    steve54 Private E-2

    PP:
    Unfortunately, I ran their program and it didn't work. It said it removed everything but when I rebooted, their own program said it was still there! I ran it again and it said it WASN'T there (but it is!). Now my computer is "hijacked" by NAV because I can't do anything because their "virus alert" keeps popping up and won't go away.

    Frustration!

    I will work on it this weekend and keep you posted. I will try to contact Symantec for their help as well.

    Have a great Holiday!
    Steve
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Were you physically disconnected (cables unplugged) from the internet when you ran Symantec's tool? If not, try that and let us know what happens. Post a new HJT log if necessary.

    What does NAV report?
     
  5. steve54

    steve54 Private E-2

    Yes, I was disconnected from the internet (cables out)....I followed instructions explicitly. The program finished and said "trojan.virtum" was removed. However, when I re-booted in normal mode, the NAV alert came up saying "virus alert, you are infected"...unfortunately, I cannot close that window to do anything, like run a NAV log....I have to turn off my computer to shut down. Then I re-booted in safe mode, ran the program again and it said I was NOT infected (but I am!)

    I am corresponding with you from another computer. I plan to boot my infected computer in safe mode, uninstall NAV and start all over.

    Once I get back on and can work, I will send you a HJT log.

    I do TRULY appreciate your help!

    p.s. my son came home for TG, he's talking about writing a program to capture the programs which write to disc on closure to figure out what is causing the problem....(talk about "major geeks"!) Anyway, hopefully, he will bring his intellect to bear on this vexing problem.
     
  6. steve54

    steve54 Private E-2

    More info for your benefit:

    5. To reverse the changes made to the registry

    Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

    Click Start > Run.
    Type regedit

    Then click OK.

    Navigate to the keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents\CLSID
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents.1\CLSID

    In the right pane, delete the value:

    "[Default value]" = "{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}"

    Navigate to the key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce

    If it exists, in the right pane, delete the value:

    "*WinLogon = "[Trojan full path file name] ren time:[random number]"

    Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

    If it exists, in the right pane, delete the value:

    "*[Trojan file name]" = "[Trojan full path file name] rerun"

    Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

    If it exists, in the right pane, delete the value:

    "*[Trojan file name]" = "[Trojan full path file name]"

    Navigate to and delete the following registry entries:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\ActiveState
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}

    Exit the Registry Editor.

    Restart the computer in Normal mode. For instructions, read the section on returning to Normal mode in the document, "How to start the computer in Safe Mode."
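    The registry checks from the Symantec write-up quoted above, as an added read-only audit script (not from the thread or from Symantec's tool; the key paths and the CLSID are the ones listed above, the output format and the value-name heuristics are assumptions):

```powershell
# Added example (not from the thread or from Symantec's tool): a read-only audit
# that reports whether the registry entries listed in the Symantec write-up
# above are present. It deletes nothing; review the output by hand before acting.
$Clsid = '{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}'

# Keys the write-up says to delete, so they should be absent on a clean machine
$KeysToCheck = @(
    'HKLM:\SOFTWARE\Classes\ATLEvents.ATLEvents\CLSID',
    'HKLM:\SOFTWARE\Classes\ATLEvents.ATLEvents.1\CLSID',
    'HKCU:\Software\Microsoft\Internet Explorer\Main\ActiveState',
    "HKLM:\SOFTWARE\Classes\CLSID\$Clsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
)

# Autostart keys where the write-up says a "*<name>" value may point at the trojan
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

$Findings = @()

foreach ($Key in $KeysToCheck) {
    if (Test-Path -LiteralPath $Key) {
        $Findings += [pscustomobject]@{ Location = $Key; Detail = 'key present' }
    }
}

foreach ($Key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $Key)) { continue }
    $Props = Get-ItemProperty -LiteralPath $Key
    foreach ($Name in $Props.PSObject.Properties.Name) {
        if ($Name -like 'PS*') { continue }   # skip the provider's PSPath etc. metadata
        $Value = [string]$Props.$Name
        # The write-up's value names all begin with "*"; on RunOnce that prefix makes
        # Windows run the entry even in Safe Mode. The values also carry the
        # "rerun" / "ren time:" arguments shown above.
        if ($Name.StartsWith('*') -or $Value -match '\brerun\b|ren time:') {
            $Findings += [pscustomobject]@{ Location = "$Key\$Name"; Detail = $Value }
        }
    }
}

if ($Findings.Count -eq 0) { 'No Virtumundo registry indicators found.' }
else { $Findings | Format-Table -AutoSize }
```

    Run it from an elevated PowerShell prompt so the HKLM keys are readable; a hit on one of the autostart keys is worth cross-checking against the HJT log before deleting anything.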
     
  7. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    I'm assuming it should work in many cases. I'll add it to MajorGeeks as well.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  9. steve54

    steve54 Private E-2

    It finally worked! I appear to be clean. I went back to the Symantec site yesterday and noted that their page had been updated 11/24...so I started all over and it WORKED!!!!! I was all set to clean out the registry but I didn't have to!

    I've attached my HJT log for your perusal but I think I am clear!

    Hope this will be helpful to others.
    Thanks again for all of your help!

    Steve
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean! I'm happy it all worked out.
     
