
Trojan.Vundo


  • This topic is locked

#16
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
There's more text in the vundofix.txt. Please repost me the text.


Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...0217&id=5.20013

R3 - Default URLSearchHook is missing

O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensave.../sinstaller.cab

O20 - Winlogon Notify: vtstr - C:\WINNT\system32\vtstr.dll (file missing)


Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***
Update Ewido to the latest definitions, don't scan yet.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Run Ewido.
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
***

Reboot back to normal mode.

Post me a fresh HijackThis log and the Ewido log to check.


#17
Dave Murdock

    New Member

  • Topic Starter
  • Member
  • 9 posts
I open HiJackThis (Version 1.99.1) and can find no place where I can check the items you requested (R1, R3, etc.). I will need additional instructions for me to complete this task for you.

Here is the complete file from Vundofix (Ctrl+A then Ctrl+C)
------------------

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 176 'smss.exe'
Threads [180][184][188]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of explorer.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 248 'winlogon.exe'
Killing PID 248 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.

---------------
Looks the same as the last time.

Dave

#18
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
This is how HijackThis looks on opening
Posted Image

Press the button 'scan' and put a check next to the entries below.
It will look like this:
Posted Image

HijackThis entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...0217&id=5.20013

R3 - Default URLSearchHook is missing

O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensave.../sinstaller.cab

O20 - Winlogon Notify: vtstr - C:\WINNT\system32\vtstr.dll (file missing)

Press the button 'fix checked', then scan again. Post me the new log to check please.
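
Added example, not part of the original thread: a small Python check that a fresh HijackThis log no longer contains the four entries listed above. It matches each entry on its section code plus a stable identifier (registry value, CLSID, or Winlogon Notify name), so the truncated URLs on this page do not matter. The names `entry_key` and `remaining` are hypothetical, and the sample logs are constructed.

```python
import re

# Entries the helper listed, copied from the post (URLs are truncated on the page).
TARGETS = [
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...0217&id=5.20013",
    r"R3 - Default URLSearchHook is missing",
    r"O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensave.../sinstaller.cab",
    r"O20 - Winlogon Notify: vtstr - C:\WINNT\system32\vtstr.dll (file missing)",
]
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def entry_key(line):
    """Return (section code, stable identifier) for a log line, or None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None                      # header, blank line, process list
    code, body = m.groups()
    if code in ("R0", "R1"):             # "<key>,<value> = <data>": key on the value
        ident = body.split(" = ", 1)[0]
    elif code == "O16":                  # "DPF: {CLSID} (name) - url": key on the CLSID
        found = CLSID.search(body)
        ident = found.group(0) if found else body
    elif code == "O20":                  # "Winlogon Notify: name - dll": key on the name
        ident = body.split(" - ", 1)[0]
    else:                                # anything else: compare the whole entry
        ident = body
    return code, ident.lower()

def remaining(log_text, targets=TARGETS):
    """Listed entries that still appear in the given log text."""
    present = {entry_key(l) for l in log_text.splitlines()} - {None}
    return [t for t in targets if entry_key(t) in present]

# Constructed sample logs (the O4 line is invented for illustration).
HEADER = ["Logfile of HijackThis v1.99.1", ""]
BENIGN = r"O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe"
BEFORE = "\n".join(HEADER + [BENIGN] + TARGETS)
AFTER = "\n".join(HEADER + [BENIGN, TARGETS[3]])

if __name__ == "__main__":
    for name, log in (("before fix", BEFORE), ("after fix", AFTER)):
        left = remaining(log)
        print(f"{name}: {len(left)} listed entries still present")
        for line in left:
            print("   ", line)
```
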