# Got Vundo? *VundoFix Generator*



## brendandonhu (Jul 8, 2002)

Click Here and paste a HijackThis log in the large textbox. Click *Write Instructions*.
Copy the results back into a post here.

Hopefully this will save the experts some time on Trojan.Vundo infections.

Detects these two Vundo variants:
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\Windows\system32\xxxxx.dll

O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\Windows\system32\xxxxx.dll

EDIT: It does detect if MS AntiSpyware needs to be disabled before running VundoFix. Also checks for latest version of HijackThis.


----------



## brendandonhu (Jul 8, 2002)

*Bump*

Anyone?


----------



## MFDnNC (Sep 7, 2004)

I just tried it and it looks good, may give it a go on the next one - TNKS


Make sure you copy the entire log, including the header


----------



## brendandonhu (Jul 8, 2002)

Yup, it uses the header part to check if they have the latest HijackThis.

Does anyone know if there are other Vundo variants besides the two posted?


----------



## Flrman1 (Jul 26, 2002)

I just used this log as a test:

http://forums.techguy.org/t406422.html

This is the fix it generated:

Open Microsoft AntiSpyware and click *Options*>>*Settings*>>*Realtime Protection*.
Uncheck *Enable the Microsoft Security Agents on startup. (recommended)* and *Enable real-time spyware threat protection. (recommended)*
Click *Save*.
Right click the MS AntiSpyware icon in your system tray and choose *Shutdown Microsoft AntiSpyware*.

Please print these instructions out for use in Safe Mode. 
Please download *VundoFix.exe* to your desktop.
Double-click *VundoFix.exe* to extract the files 
This will create a *VundoFix* folder on your desktop. 
After the files are extracted, please reboot your computer into *Safe Mode*. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter. 
Once in safe mode open the *VundoFix* folder and double click on *KillVundo.bat* 
You will first be presented with a warning. 
It should look like this 


> VundoFix V2.13 by Atri
> By using VundoFix you agree that you are doing so at your own risk
> Press enter to continue....



 At this point press enter one time. 
 Next you will see: 


> Type in the file path as instructed by the forum staff
> Then Press Enter, Then F6, Then Enter Again to continue with the fix.



At this point please type the following file path (make sure to enter it exactly as below!):
*C:\WINDOWS\system32\pmnll.dll*

Press *Enter*, then press the *F6* key, then press *Enter* one more time to continue with the fix. 
 Next you will see: 


> Please type in the second file path as instructed by the forum staff
> Then Press Enter, Then F6, Then Enter Again to continue with the fix.



At this point please type the following file path (make sure to enter it exactly as below!):
*C:\WINDOWS\system32\llnmp.** 

Press *Enter*, then press the *F6* key, then press *Enter* one more time to continue with the fix.

The fix will run then HijackThis will open. 
In HiJackThis, please place a check next to the following items and click *FIX CHECKED*:
*O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\pmnll.dll*
*O20 - Winlogon Notify: pmnll - C:\WINDOWS\system32\pmnll.dll*
After you have fixed these items, close HijackThis and Press any key to force a reboot of your computer. 
Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry! 
Once your machine reboots please continue with the instructions below. 
Download and install *CleanUp!*

Open *Cleanup!* by double-clicking the icon on your desktop (or from the Start > All Programs menu). 
Set the program up as follows: 
Click "*Options...*" 
Move the arrow down to "*Custom CleanUp!*" 
Put a check next to the following (Make sure nothing else is checked!):
Empty Recycle Bins 
Delete Cookies 
Delete Prefetch files 
Cleanup! All Users 
Click *OK* 
Press the *CleanUp!* button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: *ActiveScan*

Copy the *results of the ActiveScan* and paste them here along with a new *HiJackThis log* and the *vundofix.txt* file from the vundofix folder into this topic.

:up: :up: :up:


----------



## Flrman1 (Jul 26, 2002)

I have added this line to the canned fix I use:

*If you have a script blocker running, you may get a warning about a malicious script. Allow the script to run. It is not malicious.*

After entering the second/reverse file, the vundofix runs a vbs script to start HJT. I've had a few users that were confused as to whether to allow the script or not so I added that.

Here it is amended:

*Click here* to download *VundoFix.exe*. 
Save the VundoFix.exe file to your desktop.
Double-click *VundoFix.exe* to extract the files. 
This will create a *VundoFix* folder on your desktop. 
After the files are extracted, please reboot your computer into *Safe Mode*. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter. 
Once in safe mode open the *VundoFix* folder and double-click on *KillVundo.bat* 
You will first be presented with a warning that should look like this 


> VundoFix V2.13 by Atri
> By using VundoFix you agree that you are doing so at your own risk
> Press enter to continue....



 At this point press the Enter key on your keyboard one time. 
 Next you will see: 


> Type in the filepath as instructed by the forum staff
> Then Press Enter, Then F6, Then Enter Again to continue with the fix.



At this point please type the following file path (make sure to enter it exactly as below!):
*C:\WINDOWS\system32\awtsp.dll* 

Press *Enter*, then press the *F6* key, then press *Enter* one more time to continue with the fix. 
 Next you will see: 


> Please type in the second filepath as instructed by the forum staff
> Then Press Enter, Then F6, Then Enter Again to continue with the fix.



At this point please type the following file path (make sure to enter it exactly as below!):
*C:\WINDOWS\system32\pstwa.**


Press *Enter*, then press the *F6* key, then press *Enter* one more time to continue with the fix. 
If you have a script blocker running, you may get a warning about a malicious script. Allow the script to run. It is not malicious.
The fix will run then HijackThis will open. 
In HiJackThis, please place a check next to the following items and click *FIX CHECKED*:
*O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\awtsp.dll*
*O20 - Winlogon Notify: awtsp - C:\WINDOWS\system32\awtsp.dll*

After you have fixed these items, close HijackThis and press any key to force a reboot of your computer. 
Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry! 
Once your machine reboots please continue with the instructions below. 
etc.......


----------



## D_Trojanator (May 13, 2005)

I used it just now - looks pretty cool!
David


----------



## ssgronfin (May 28, 2004)

Now that this darn trojan is out there and running rampant, then is there something to d/l and use, or even update, to keep this bugger out of our PC's now that we've rid ourselves of it?


----------



## brendandonhu (Jul 8, 2002)

I see the helper in that thread didn't have him disable MS AntiSpyware, anyone know if that step is really necessary?


----------



## brendandonhu (Jul 8, 2002)

ssgronfin said:


> Now that this darn trojan is out there and running rampant, then is there something to d/l and use, or even update, to keep this bugger out of our PC's now that we've rid ourselves of it?


I believe it is fixed by Windows Update and being careful when opening email attachments.

flrman1- I'll add the line about script blockers. If I had access to a Windows box I'd whip up a new VundoFix that doesn't use VBS. If we're still getting these infections later this week, I'll work on that. Any chance you have a copy of Vundo you could send me? I don't have inside access to any of the security sites.


----------



## D_Trojanator (May 13, 2005)

> Now that this darn trojan is out there and running rampant, then is there something to d/l and use, or even update, to keep this bugger out of our PC's now that we've rid ourselves of it?


This is my normal post for when you are clear - which you now are - or seem to be. Please advise of any problems you still have :-

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
*Disable and Enable System Restore.* - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point. 
You can find instructions on how to disable and re-enable system restore here: 
*Managing Windows Millennium System Restore* 
or 
*Windows XP System Restore Guide* 
Re-enable System Restore with the instructions from the tutorial above.

*Make your Internet Explorer more secure* - This can be done by following these simple instructions:
From within Internet Explorer click on the *Tools* menu and then click on *Options*. 
Click once on the *Security* tab 
Click once on the *Internet* icon so it becomes highlighted. 
Click once on the *Custom Level* button. 
Change the *Download signed ActiveX controls* to *Prompt* 
Change the *Download unsigned ActiveX controls* to *Disable* 
Change the *Initialise and script ActiveX controls not marked as safe* to *Disable* 
Change the *Installation of desktop items* to *Prompt* 
Change the *Launching programs and files in an IFRAME* to *Prompt* 
Change the *Navigate sub-frames across different domains* to *Prompt* 
When all these settings have been made, click on the *OK* button. 
If it prompts you as to whether or not you want to save the settings, press the *Yes* button. 

Next press the *Apply* button and then the *OK* to exit the Internet Properties page. 

*Use an Anti Virus Software* - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & stand-alone anti-virus programs: 
*Computer Safety On line - Anti-Virus*

*Update your Anti Virus Software* - It is imperative that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that may come out.

*Use a Firewall* - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below: 
*Computer Safety On line - Software Firewalls*

*Visit Microsoft's Windows Update Site Frequently* - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

*Install Spybot - Search and Destroy* - Install and download Spybot - Search and Destroy with its TeaTimer option. 
This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with anti-virus software. A tutorial on installing & using this product can be found here: 
*Instructions for - Spybot S & D and Ad-aware*

*Install Ad-Aware* - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here: 
*Instructions for - Spybot S & D and Ad-aware*

*Install SpywareBlaster* - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here: 
*Computer Safety on line - Anti-Malware*

*Update all these programs regularly* - Make sure you update all the programs I have listed regularly. Without regular updates you *WILL NOT* be protected when new malicious programs are released. 
Follow this list and your potential for being infected again will reduce dramatically.


----------



## MFDnNC (Sep 7, 2004)

Tried it on this log http://forums.techguy.org/t406452.html

Said it could not find Vundo


----------



## MFDnNC (Sep 7, 2004)

On this one

http://forums.techguy.org/t406448.html

it did not add the dll name


----------



## brendandonhu (Jul 8, 2002)

Yeah, it's not working at the moment. Forgot to make a backup


----------



## brendandonhu (Jul 8, 2002)

The site is working again :up:
It should now work regardless of the victim's %windir%

Let me know if you find any more bugs.


----------



## Flrman1 (Jul 26, 2002)

brendandonhu said:


> If we're still getting these infections later this week, I'll work on that. Any chance you have a copy of Vundo you could send me? I don't have inside access to any of the security sites.


I'll see if I can round up some files for you.


----------



## brendandonhu (Jul 8, 2002)

Thanks 
I'm sure I could have someone send me the DLL but I'm trying to get the file that installs it all.

Although it's kind of hard to test anything without a Windows box


----------



## EAFiedler (Apr 25, 2000)

That is really nice *brendandonhu* when are you going to start working logs?


----------



## brendandonhu (Jul 8, 2002)

Heh, what do you mean 'start'?


----------



## MFDnNC (Sep 7, 2004)

Brendan - thanks for the automation!!!!!!!!!!!!!!!!!!!!!!!!


----------



## MFDnNC (Sep 7, 2004)

Now that this is working - I suggest it be stickied


----------



## brendandonhu (Jul 8, 2002)

UPDATE: Now detects if SpySweeper needs to be disabled.

Anyone else think this would be a useful sticky?


----------



## Thracian (Oct 11, 2005)

Here are the instructions I received. I'm going to print them out and give this a try. Thank you!

Alyssa

Please print these instructions out for use in Safe Mode. 
Please download *VundoFix.exe* to your desktop.
Double-click *VundoFix.exe* to extract the files 
This will create a *VundoFix* folder on your desktop. 
After the files are extracted, please reboot your computer into *Safe Mode*. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter. 
Once in safe mode open the *VundoFix* folder and double click on *KillVundo.bat* 
You will first be presented with a warning. 
It should look like this 


> VundoFix V2.13 by Atri
> By using VundoFix you agree that you are doing so at your own risk
> Press enter to continue....



 At this point press enter one time. 
 Next you will see: 


> Type in the file path as instructed by the forum staff
> Then Press Enter, Then F6, Then Enter Again to continue with the fix.



At this point please type the following file path (make sure to enter it exactly as below!):
*C:\WINDOWS\system32\awvts.dll*

Press *Enter*, then press the *F6* key, then press *Enter* one more time to continue with the fix. 
 Next you will see: 


> Please type in the second file path as instructed by the forum staff
> Then Press Enter, Then F6, Then Enter Again to continue with the fix.



At this point please type the following file path (make sure to enter it exactly as below!):
*C:\WINDOWS\system32\stvwa.**

Press *Enter*, then press the *F6* key, then press *Enter* one more time to continue with the fix. 
If you have a script blocker running, you may get a warning about a malicious script. Allow the script to run. It is not malicious.

The fix will run then HijackThis will open. 
In HiJackThis, please place a check next to the following items and click *FIX CHECKED*:
*O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - awvts.dll*
*O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll*
After you have fixed these items, close HijackThis and Press any key to force a reboot of your computer. 
Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry! 
Once your machine reboots please continue with the instructions below. 
Download and install *CleanUp!*

Open *Cleanup!* by double-clicking the icon on your desktop (or from the Start > All Programs menu). 
Set the program up as follows: 
Click "*Options...*" 
Move the arrow down to "*Custom CleanUp!*" 
Put a check next to the following (Make sure nothing else is checked!):
Empty Recycle Bins 
Delete Cookies 
Delete Prefetch files 
Cleanup! All Users 
Click *OK* 
Press the *CleanUp!* button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: *ActiveScan*

Copy the *results of the ActiveScan* and paste them here along with a new *HiJackThis log* and the *vundofix.txt* file from the vundofix folder into this topic.

NOTE: If you get stuck at a black screen that says *Safe Mode* in the corners:
Hit *Ctrl*+*Alt*+*Del* on your keyboard.
Select *explorer.exe* in the list of processes. Click *Terminate*
You will be taken to your Desktop, but no icons will appear. This may take several minutes.

Hit *Ctrl*+*Alt*+*Del* again and choose *File*>>*Run*
Type the full path to VundoFix and hit enter.
The default location of VundoFix is here:
C:\Documents and Settings\YOUR USERNAME\Desktop\VundoFix\KillVundo.bat
Replace "your username" with your actual one.

Click *OK* and continue with the procedure.

-Instructions generated by VundoFix.php


----------



## brendandonhu (Jul 8, 2002)

Good :up:
You should still make a New Thread with your HijackThis log so we can make sure you get cleaned up properly.


----------



## brendandonhu (Jul 8, 2002)

There are 20+ GUIDs that Vundo hides under.
I'm only adding the ones I've seen posted, which is about 5 so far.


----------



## cybertech (Apr 16, 2002)

Nice brendandonhu! Thank you!


----------



## dvk01 (Dec 14, 2002)

OK I've stickied this so it should be easier for the victims to find


----------



## dvk01 (Dec 14, 2002)

it would be better brendan if you could remove all the formatting from the reply though as the victims won't be posting it on a forum but hopefully just copying it to notepad & doing the fix themselves


----------



## ~Candy~ (Jan 27, 2001)

Great, now along with GMAIL, we'll have the highest positioning on VUNDO searches on Google


----------



## brendandonhu (Jul 8, 2002)

dvk01 said:


> it would be better brendan if you could remove all the formatting from the reply though as the victims won't be posting it on a forum but hopefully just copying it to notepad & doing the fix themselves


I actually did that on purpose. I'm not so sure it's a good idea for people to fix this themselves without a forum helper to look over their logs (although I can add a plain text version as an option.)

EDIT: I'm going to wait until we get a canned fix for the variant of Vundo that doesn't use backwards filenames. I'm not convinced there's any way to tell them apart from the HJT logs.


----------



## southernlady (May 6, 2004)

brendandonhu, I've borrowed this for my forum if you don't mind. However, rstones12 tells me that the version # has been updated so maybe just taking that out?



> VundoFix V2.13 by Atri
> By using VundoFix you agree that you are doing so at your own risk
> Press enter to continue....


Say this instead:


> VundoFix by Atri
> By using VundoFix you agree that you are doing so at your own risk
> Press enter to continue....


That way, regardless of what version he is on, it is accurate. Liz


----------



## brendandonhu (Jul 8, 2002)

I have to go to school, but I'll change that tonight.
Thanks


----------



## ~Candy~ (Jan 27, 2001)

Does anyone know how folks are actually getting this virus yet?


----------



## D_Trojanator (May 13, 2005)

That's a good question - I spoke to someone on MSN who had it - they said it happened out of the blue!

I see these a lot with Vundo:

*R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll*
*O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll*

Any link Perhaps?

David


----------



## dvk01 (Dec 14, 2002)

D_Trojanator said:


> That's a good question - I spoke to someone on MSN who had it - they said it happened out of the blue!
> 
> I see these a lot with Vundo:
> 
> ...


I very much doubt it

they are all Dell specific versions of myway

I firmly believe though can't prove it that one of the previously undisclosed windows exploits is responsible and hopefully today's updates will have plugged it


----------



## D_Trojanator (May 13, 2005)

:up:


----------



## ~Candy~ (Jan 27, 2001)

Updates? 

Are there updates today?


----------



## brendandonhu (Jul 8, 2002)

It really does seem like most of the logs are Dell's with myway. Maybe there was an exploit in that software?


----------



## southernlady (May 6, 2004)

And brendandonhu, almost every one I've glanced at had a toolbar...could there be a flaw somewhere there??? Liz


----------



## brendandonhu (Jul 8, 2002)

Are you talking about the MyWay Toolbar/MyWeb Search Assistant?
I bet there is some kind of connection.


----------



## southernlady (May 6, 2004)

No, toolbars in general...go back and look at all of them...almost every one has A toolbar. Liz


----------



## brendandonhu (Jul 8, 2002)

Most people's logs have at least a toolbar I'd say.


----------



## southernlady (May 6, 2004)

But let's play *what if*...after all no one has figured it out yet.

What if someone has figured a way to exploit all toolbars with this thing? Liz


----------



## khazars (Feb 15, 2004)

Is this generator accurate? 

Wow, I just tried it! That's really good, it will save me some time ! 

Well done Brendan!


----------



## brendandonhu (Jul 8, 2002)

Thanks 
It gives correct fixes for the most common Vundo logs we see. I haven't found any need to have it filter ALL known Vundo BHOs, as we've only seen a few of them here. So you should take a quick look at the fix it generates just to make sure the filename isn't something crazy like :\2.dll, which happens sometimes when people turn on word wrap and their logs get messed up.


----------



## Magic1 (Oct 13, 2005)

TechGuyLive.com (Techguy.org's Live Chat Support) has a working fix for this that does not need safe mode or any fiddling with complicated files. It's quite easy and the virus file was removed upon second scanning.


----------



## brendandonhu (Jul 8, 2002)

What was the fix?


----------



## OKC-SLC (Oct 13, 2005)

Magic1 said:


> TechGuyLive.com (Techguy.org's Live Chat Support) has a working fix for this that does not need safe mode or any fiddling with complicated files. It's quite easy and the virus file was removed upon second scanning.


I saw this post last night and visited their website. Called in to inquire and after mentioning that I had a problem he already guessed it was vundo--they had gotten over 60 calls yesterday alone.

Anyway, there is a Trojan fix program out there this guy found--for $25 my computer non-savvy self had him walk thru the download and run of this program. It is not one of the fixes out there that norton or others are putting out. Basically as I understand it this program scans, finds, and makes it so vundo stops running. Then Norton (in my case) is able to delete it as it's supposed to.

Incidentally the fellow told me that 100% of the people he's helped use Norton.


----------



## khazars (Feb 15, 2004)

what's the name of the programme that stops Vundo from running and allows anti-virus programmes to delete vundo?


----------



## southernlady (May 6, 2004)

> Incidentally the fellow told me that 100% of the people he's helped use Norton.


Out of the 100 logs I've looked at in the last 24 hours just to see if I can find a pattern:
98 were Dells, 2 HP's
99 were running Norton
99 had some type of toolbar.

I had ONE log that was on an HP, running AVG/ZA and no toolbar.
I'm trying to figure out WHY that odd log got infected...what was different. Liz


----------



## ~Candy~ (Jan 27, 2001)

You've been busy


----------



## OKC-SLC (Oct 13, 2005)

khazars said:


> what's the name of the programme that stops Vundo from running and allows anti-virus programmes to delete vundo?


I'll have to post the link when I am home later today--can't recall the exact name, but I'll post the link to it.


----------



## southernlady (May 6, 2004)

Told you I wanted to find out WHERE it was coming from! If you are still willing to chance one of your computers, I have a link for you to try, Candy. Liz


----------



## OKC-SLC (Oct 13, 2005)

when you say "had some type of toolbar", pardon my ignorance but what exactly do you mean?


----------



## southernlady (May 6, 2004)

Running a toolbar from AOL/MSN/Google/NAV/Myway....I can't remember all of them but those were the top ones. Liz


----------



## ~Candy~ (Jan 27, 2001)

southernlady said:


> Told you I wanted to find out WHERE it was coming from! If you are still willing to chance one of your computers, I have a link for you to try, Candy. Liz


Sure, may as well crash my Vista Beta. I'm running AVG on this one, and I don't think I have any installed toolbars. Do you want a HijackThis log first?

Email me.


----------



## southernlady (May 6, 2004)

Yeah, I'll email you the link and you can email me back the hijack log. Liz


----------



## brendandonhu (Jul 8, 2002)

Dell computers come pre-installed with the MyWay toolbar, which is spyware. 
$5 says there's some kind of exploit in that 
I believe Dells also come with a trial of Norton A/V so that would explain a lot.

Hopefully someone out there has packet sniffer logs from when they became infected?


----------



## southernlady (May 6, 2004)

Brendan, that's why the HP running AVG/ZA and no toolbar is of such interest. Liz


----------



## OKC-SLC (Oct 13, 2005)

brendandonhu said:


> Dell computers come pre-installed with the MyWay toolbar, which is spyware.
> $5 says there's some kind of exploit in that
> I believe Dells also come with a trial of Norton A/V so that would explain a lot.
> 
> Hopefully someone out there has packet sniffer logs from when they became infected?


And mine is a Dell. I am not aware of the MyWay toolbar, but I'd hella sure like to get rid of it. Anyone know how?


----------



## brendandonhu (Jul 8, 2002)

Yes, maybe they had one of the older versions of Vundo's downloader that spread through email attachments?
Can you post the O2 entry from their log so we can see the CLSID of their toolbar?


----------



## khazars (Feb 15, 2004)

Many pcs come with Norton or McAfee bundled unfortunately! 

Interesting that they are nearly all Dells, just shows ya that one needs to be careful who they buy their pcs from nowadays with all the ballyhoo about terrorism in the air and our governments wanting to spy on us even more!


----------



## brendandonhu (Jul 8, 2002)

Here's the code if anyone wants to see.

Yes, I know it could be neater/cleaner/faster/better/shorter, but it works just fine.

```php
<?php
// Vundo BHO CLSIDs seen in logs so far, each with the HijackThis line
// prefix the victim will be told to "Fix checked". The CLSID text has to
// match the log exactly, so the one HijackThis prints in lower case stays so.
$variants = array(
    '{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}' => 'O2 - BHO: MSEvents Object - ',
    '{52B1DFC7-AAFC-4362-B103-868B0683C697}' => 'O2 - BHO: MSEvents Object - ',
    '{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}' => 'O2 - BHO: (no name) - ',
    '{1C044AAD-7955-4cbd-8175-501A165C4E5D}' => 'O2 - BHO: (no name) - ',
    '{B8B55274-0F9A-41E5-9067-A3539BD9E860}' => 'O2 - BHO: MSEvents Object - ',
);

if (isset($_POST['log'])) {
    $raw = stripslashes($_POST['log']);

    // The header line doubles as a version check: an old HijackThis or a
    // partial paste has no "Logfile of HijackThis v1.99.1" line.
    if (strpos($raw, "Logfile of HijackThis v1.99.1") === false) {
        die("You are not using HijackThis v1.99.1 or did not post a complete HijackThis log.  [URL]Download HijackThis[/URL].");
    }

    $filename = '';   // full path of the Vundo DLL, e.g. C:\WINDOWS\system32\pmnll.dll
    $fullpath = '';   // its directory, with a trailing backslash
    $name     = '';   // bare file name without extension, e.g. pmnll
    $thingy   = '';   // the O2 line as it appears in the log, minus the path

    foreach ($variants as $clsid => $prefix) {
        $parts = explode($clsid . ' - ', $raw);
        if (count($parts) < 2 || $parts[1] == '') {
            continue;   // this CLSID is not in the log, try the next one
        }
        // Everything between "{CLSID} - " and the first ".dll" is the DLL path.
        $tail     = explode('.dll', $parts[1]);
        $filename = $tail[0] . '.dll';
        // Cut at the first '2' in the path, i.e. the '2' of "system32", so the
        // directory comes out right whatever the victim's %windir% is called.
        $dir      = explode('2', $filename);
        $fullpath = $dir[0] . '2\\';
        // Bare file name: last path component, without the extension.
        $base     = explode('\\', $filename);
        $base     = explode('.', $base[count($base) - 1]);
        $name     = $base[0];
        $thingy   = $prefix . $clsid . ' - ';
        break;
    }

    if ($filename == '') {
        die("Sorry, I could not find a Vundo infection.  Post your HijackThis log at [URL]Tech Support Guy Forums[/URL]");
    }

    $start = '';
    // The canned fix has the victim switch off real-time protection before
    // VundoFix runs; add that step when the tool's process shows up in the log.
    if (strstr($raw, 'gcasServ.exe')) {
        $start .= "Open Microsoft AntiSpyware and click [B]Options[/B]>>[B]Settings[/B]>>[B]Realtime Protection[/B].\nUncheck [B]Enable the Microsoft Security Agents on startup. (recommended)[/B] and [B]Enable real-time spyware threat protection. (recommended)[/B]\nClick [B]Save[/B].\nRight click the MS AntiSpyware icon in your system tray and choose [B]Shutdown Microsoft AntiSpyware[/B].\n\n";
    }
    if (strstr($raw, 'SpySweeper.exe')) {
        $start .= "Open Spysweeper and click [B]Options[/B]>>[B]Program Options[/B].\nUncheck [B]Load at windows startup[/B].\nClick [B]Shields[/B] on the left side, and uncheck all options there.\nUncheck [B]Home page shield[/B].\nUncheck [B]Automatically restore default without notification[/B].\nExit the program.\nYou may re-enable these options when finished with the rest of the instructions.\n\n";
    }
    // Splice the canned text in a.txt .. e.txt around the file names. The
    // second path given to VundoFix is the file name reversed, since Vundo
    // drops a mirror-named companion file next to the DLL.
    $start .= file_get_contents('a.txt') . $filename
            . file_get_contents('b.txt') . $fullpath . strrev($name) . '.*'
            . file_get_contents('c.txt') . $thingy . $name . '.dll'
            . file_get_contents('d.txt') . $name . " - $fullpath" . $name . '.dll'
            . file_get_contents('e.txt')
            . "\n\n-Instructions generated by [URL=\"http://wizardsofwebsites.com/vundofix.php\"]VundoFix.php[/URL]\n";
    echo nl2br($start);
    exit;
}
?>

Paste HijackThis log here to generate instructions for removing a Trojan.Vundo infection.
```


----------



## ~Candy~ (Jan 27, 2001)

Liz, from the link you sent me, do I just have to go to the site? Or actually sign up?


----------



## southernlady (May 6, 2004)

Candy, did you get my last email? Liz


----------



## OKC-SLC (Oct 13, 2005)

khazars said:


> what's the name of the programme that stops Vundo from running and allows anti-virus programmes to delete Vundo?


http://www.simplysup.com/tremover/

This is the program we used last night. I think the website gives a pretty good explanation of what/how it does. Can be downloaded for free (30-day trial).


----------



## starlight64 (Oct 14, 2005)

Thanks brendandonhu! This was badly needed and I am sure that the guys here as well as the infected people appreciate this as well!  
I have a slight prob though. When I paste the HijackThis log into the window my instructions come back w/ all of the formatting text instead of the actual formatting.  _ OOPS! It shows up correctly in the post here.  _
I still don't get the path in my instructions though?  
In my norton window that will not go away it says this: 
Object name C:\WINDOWS\Web\WALLPA~1\svcdisk.dll
Virus Name: Trojan.Vundo
Action Taken Access to file was denied
The instructions I get are these: 
"Please print these instructions out for use in Safe Mode.
Please download *VundoFix.exe* to your desktop.
Double-click *VundoFix.exe* to extract the files
This will create a *VundoFix* folder on your desktop.
After the files are extracted, please reboot your computer into *Safe Mode*. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
Once in safe mode open the *VundoFix* folder and double click on *KillVundo.bat*
You will first be presented with a warning.
It should look like this


> VundoFix V2.xx by Atri
> By using VundoFix you agree that you are doing so at your own risk
> Press enter to continue....



 At this point press enter one time.
 Next you will see:


> Type in the file path as instructed by the forum staff
> Then Press Enter, Then F6, Then Enter Again to continue with the fix.



At this point please type the following file path (make sure to enter it exactly as below!):
*.dll*

Press *Enter*, then press the *F6* key, then press *Enter* one more time to continue with the fix.
 Next you will see:


> Please type in the second file path as instructed by the forum staff
> Then Press Enter, Then F6, Then Enter Again to continue with the fix.



At this point please type the following file path (make sure to enter it exactly as below!):
*.dll2\.**

Press *Enter*, then press the *F6* key, then press *Enter* one more time to continue with the fix.
If you have a script blocker running, you may get a warning about a malicious script. Allow the script to run. It is not malicious.

The fix will run then HijackThis will open.
In HiJackThis, please place a check next to the following items and click *FIX CHECKED*:
* O2 - BHO: MSEvents Object - {1C044AAD-7955-4cbd-8175-501A165C4E5D} - .dll*
*

O20 - Winlogon Notify: - .dll2\.dll
*
After you have fixed these items, close HijackThis and Press any key to force a reboot of your computer.
Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
Once your machine reboots please continue with the instructions below.
Download and install *CleanUp!*

Open *Cleanup!* by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "*Options...*"
Move the arrow down to "*Custom CleanUp!*"
Put a check next to the following (Make sure nothing else is checked!):
Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click *OK*
Press the *CleanUp!* button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: *ActiveScan*

Copy the *results of the ActiveScan* and paste them here along with a new *HiJackThis log* and the *vundofix.txt* file from the vundofix folder into this topic.

NOTE: If you get stuck at a black screen that says *Safe Mode* in the corners:
Hit *Ctrl*+*Alt*+*Del* on your keyboard.
Select *explorer.exe* in the list of processes. Click *Terminate*
You will be taken to your Desktop, but no icons will appear. This may take several minutes.

Hit *Ctrl*+*Alt*+*Del* again and chose *File*>>*Run*
Type the full path to VundoFix and hit enter.
The default location of the VundoFix is here :
C:\Documents and Settings\YOUR USERNAME\Desktop\VundoFix\KillVundo.bat
Replace "your username" with your actual one.

Click *OK* and continue with the procedure.

-Instructions generated by VundoFix.php
"

So what EXACTLY should I type in for the path and filenames into those boxes? 
Thanks a bunch!
star****


----------



## dvk01 (Dec 14, 2002)

C:\WINDOWS\Web\WALLPAPER\svcdisk.dll in the first box & in the second box

C:\WINDOWS\Web\WALLPAPER\ksidcvs.*

after you have done the vundo fix

start a new thread in security & post HJT log please
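The path derivation the script and dvk01's answer both rely on, as an added example that is not part of the thread or VundoFix.php: find the O2 BHO line registered under one of the Vundo CLSIDs posted above and build the two paths KillVundo.bat asks for (the DLL, then the reversed file name with a `.*` extension). It splits the directory on the last backslash rather than on the first `2`, so it also handles a DLL outside `system32` such as starlight64's `C:\WINDOWS\Web\WALLPAPER\svcdisk.dll`. The sample log line and `xxxxx.dll` name are constructed.

```python
import re

# CLSIDs of the MSEvents BHO entries that VundoFix.php matches on (from the thread).
VUNDO_CLSIDS = {
    "{52B1DFC7-AAFC-4362-B103-868B0683C697}",
    "{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}",
    "{B8B55274-0F9A-41E5-9067-A3539BD9E860}",
}

# HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <path>.dll"
BHO_LINE = re.compile(
    r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]{36}\}) - (.+\.dll)\s*$", re.IGNORECASE
)


def find_vundo_dll(log):
    """Return the full path of the first BHO DLL registered under a known
    Vundo CLSID, or None when the log shows no such entry (the case the
    PHP script should report instead of emitting empty paths)."""
    for line in log.splitlines():
        m = BHO_LINE.match(line.strip())
        if m and m.group(1).upper() in VUNDO_CLSIDS:
            return m.group(2).strip()
    return None


def vundofix_paths(dll_path):
    """Derive the two file paths KillVundo.bat prompts for:
    1) the BHO DLL itself,
    2) its companion file: same directory, file name reversed, any extension."""
    directory, _, filename = dll_path.rpartition("\\")
    base = filename.rsplit(".", 1)[0]
    return dll_path, f"{directory}\\{base[::-1]}.*"


def winlogon_notify_entry(dll_path):
    """The O20 Winlogon Notify line the generated instructions tell the
    user to fix in HijackThis for that DLL."""
    _, _, filename = dll_path.rpartition("\\")
    base = filename.rsplit(".", 1)[0]
    return f"O20 - Winlogon Notify: {base} - {dll_path}"


# Constructed sample log fragment (not a real infection log).
SAMPLE_LOG = """Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\ActiveX\\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\\WINDOWS\\system32\\xxxxx.dll
"""

if __name__ == "__main__":
    dll = find_vundo_dll(SAMPLE_LOG)
    print(vundofix_paths(dll), winlogon_notify_entry(dll))
```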


----------



## brendandonhu (Jul 8, 2002)

The new Vundo infections don't show up in HijackThis the same way, so VundoFix.php will not parse the log correctly.
This is the canned fix I'm trying now, I'm not completely sure that it works yet.


Click the *Start* button in the lower left corner of your screen.
Right-click on *My Computer*, then click *Properties*.
Go to the *System Restore* tab and put a checkmark next to *Turn off System Restore*.
Click *Apply*>>*Yes*>>*OK*.

Download FixVundo.exe to a permanent folder such as the Desktop.

Double click *FixVundo.exe* to run the removal tool and click *Start*.

When the tool is finished running, note the *Number of deleted files* as well as *Number of fixed registry entries*.
Post these in your reply here.

Restart your computer.

Repeat steps #2-4 to ensure that Vundo has been removed from your computer.

Click the *Start* button in the lower left corner of your screen.
Right-click on *My Computer*, then click *Properties*.
Go to the *System Restore* tab and uncheck *Turn off System Restore*.
Click *Apply*>>*Yes*>>*OK*.

Run HijackThis and click *Do a system scan and save a log file*.
Your log will open in Notepad.
Go to *Edit*>>*Copy* and paste the log in your reply here.
DO NOT FIX ANYTHING IN HIJACKTHIS UNTIL INSTRUCTED TO DO SO!


----------



## dvk01 (Dec 14, 2002)

This thread has got out of hand so I am closing & locking it.

Everybody that has a Vundo infection START A NEW thread yourselves.

this was supposed to be an information post only


----------

