How-to remove Winfixer, Virtumonde, Msevents, Trojan.vundo, ATLDistrib using Atribune's VundoFix removal tool
#31
- Group: GeekU Moderator
- Posts: 56,117
- Joined: 31-May 06
Posted 24 February 2008 - 07:19 AM
#32
- Group: Member
- Posts: 3
- Joined: 27-February 08
Posted 27 February 2008 - 08:46 PM
the link is dead. is there another to d/l the file?
#33
- Group: GeekU Moderator
- Posts: 56,117
- Joined: 31-May 06
Posted 29 February 2008 - 01:31 PM
Which link so that I can investigate ?
#34
- Group: Member
- Posts: 1
- Joined: 20-March 08
Posted 20 March 2008 - 07:40 AM
This is not an advertisement... [removed remaining content and links]
While there are no affiliate links, and the poster will not profit from this post, it's been our experience that the paid version of that product will not remove this infection in every case, and we're not going to imply recommending it's purchase by allowing the links to remain.
We recommend free tools here whenever possible, and there are free tools that do a great job.
While there are no affiliate links, and the poster will not profit from this post, it's been our experience that the paid version of that product will not remove this infection in every case, and we're not going to imply recommending it's purchase by allowing the links to remain.
We recommend free tools here whenever possible, and there are free tools that do a great job.
#35
- Group: Member
- Posts: 53
- Joined: 18-April 08
Posted 18 April 2008 - 05:32 PM
I used VundoFix to help my computer out on this Vundo virus caused by an lsass.exe application.
I also get that Microsoft C++ Visual Buffer Overload Window, so I though VundoFix would help get rid of that as well.
But I have over 8400 seemingly infected files...
Is that normal?
Edit-Ok I realize this is not normal; my whole computer suddenly died.
I also get that Microsoft C++ Visual Buffer Overload Window, so I though VundoFix would help get rid of that as well.
But I have over 8400 seemingly infected files...
Is that normal?
Edit-Ok I realize this is not normal; my whole computer suddenly died.
#36
- Group: Retired Staff
- Posts: 47,710
- Joined: 23-March 07
Posted 20 April 2008 - 04:06 PM
Sounds like you have a file infecter and a lot of legitimate and needed files were removed
We have seen the problem before and it is fixable. Somebody will get to your post in the Malware Removal forum don't worry.
We have seen the problem before and it is fixable. Somebody will get to your post in the Malware Removal forum don't worry.
#37
- Group: Member
- Posts: 53
- Joined: 18-April 08
Posted 22 April 2008 - 03:06 PM
Alright, thanks for the reassurance.
Just been psyched for the past couple days about this >_<;
Just been psyched for the past couple days about this >_<;
#38
- Group: Member
- Posts: 1
- Joined: 02-May 08
Posted 02 May 2008 - 11:19 AM
hey.. my laptop effected by win32/adware virtumonde.. im planning to use the guides that u showed in 1st page.. but im using Windows Vista.. is it ok?
#39
- Group: Member
- Posts: 1
- Joined: 02-May 08
Posted 02 May 2008 - 12:10 PM
Hi there 
I just got infected by virtumode trojan and run the vundofix.exe but found nothing, so i tryed the second solution available the virtumundobegone.exe which was very helpfull finally. I am not sure though if everything is ok now so i post the contents of VBG.TXT here. Please if there is still something wrong help me to get rid of this nasty thing.
Tanks a lot guys for the very good job you doing here which was very helpful during the past also.
[05/02/2008, 20:18:03] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\User\Desktop\VirtumundoBeGone.exe" )
[05/02/2008, 20:18:10] - Detected System Information:
[05/02/2008, 20:18:10] - Windows Version: 5.1.2600, Service Pack 2
[05/02/2008, 20:18:10] - Current Username: User (Admin)
[05/02/2008, 20:18:10] - Windows is in NORMAL mode.
[05/02/2008, 20:18:10] - Searching for Browser Helper Objects:
[05/02/2008, 20:18:10] - BHO 1: -{AE7CD045-E861-484f-8273-0445EE161910} ()
[05/02/2008, 20:18:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:10] - No filename found. Continuing.
[05/02/2008, 20:18:10] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/02/2008, 20:18:10] - BHO 3: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[05/02/2008, 20:18:10] - BHO 4: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} (Winamp Toolbar BHO)
[05/02/2008, 20:18:10] - BHO 5: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[05/02/2008, 20:18:10] - BHO 6: {49E0E0F0-5C30-11D4-945D-000000000003} (IE PopUp-Killer)
[05/02/2008, 20:18:10] - BHO 7: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} (Megaupload Toolbar)
[05/02/2008, 20:18:10] - BHO 8: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/02/2008, 20:18:11] - BHO 9: {66F6A8E6-4D9A-4C67-8D83-E32D7F103AD9} ()
[05/02/2008, 20:18:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:11] - Checking for HKLM\...\Winlogon\Notify\xxyabxXp
[05/02/2008, 20:18:11] - Key not found: HKLM\...\Winlogon\Notify\xxyabxXp, continuing.
[05/02/2008, 20:18:11] - BHO 10: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[05/02/2008, 20:18:11] - BHO 11: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/02/2008, 20:18:11] - BHO 12: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/02/2008, 20:18:11] - BHO 13: {AA569288-7339-4B75-A849-E89505685A35} ()
[05/02/2008, 20:18:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:11] - Checking for HKLM\...\Winlogon\Notify\opnomLBU
[05/02/2008, 20:18:11] - Key not found: HKLM\...\Winlogon\Notify\opnomLBU, continuing.
[05/02/2008, 20:18:11] - BHO 14: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/02/2008, 20:18:11] - BHO 15: {C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA} ()
[05/02/2008, 20:18:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:11] - Checking for HKLM\...\Winlogon\Notify\efcCsqQH
[05/02/2008, 20:18:11] - Found: HKLM\...\Winlogon\Notify\efcCsqQH - This is probably Virtumundo.
[05/02/2008, 20:18:11] - Assigning {C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA} MSEvents Object
[05/02/2008, 20:18:11] - BHO list has been changed! Starting over...
[05/02/2008, 20:18:11] - BHO 1: -{AE7CD045-E861-484f-8273-0445EE161910} ()
[05/02/2008, 20:18:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:11] - No filename found. Continuing.
[05/02/2008, 20:18:11] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/02/2008, 20:18:11] - BHO 3: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[05/02/2008, 20:18:11] - BHO 4: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} (Winamp Toolbar BHO)
[05/02/2008, 20:18:12] - BHO 5: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[05/02/2008, 20:18:12] - BHO 6: {49E0E0F0-5C30-11D4-945D-000000000003} (IE PopUp-Killer)
[05/02/2008, 20:18:12] - BHO 7: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} (Megaupload Toolbar)
[05/02/2008, 20:18:12] - BHO 8: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/02/2008, 20:18:12] - BHO 9: {66F6A8E6-4D9A-4C67-8D83-E32D7F103AD9} ()
[05/02/2008, 20:18:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:12] - Checking for HKLM\...\Winlogon\Notify\xxyabxXp
[05/02/2008, 20:18:12] - Key not found: HKLM\...\Winlogon\Notify\xxyabxXp, continuing.
[05/02/2008, 20:18:12] - BHO 10: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[05/02/2008, 20:18:12] - BHO 11: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/02/2008, 20:18:12] - BHO 12: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/02/2008, 20:18:12] - BHO 13: {AA569288-7339-4B75-A849-E89505685A35} ()
[05/02/2008, 20:18:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:12] - Checking for HKLM\...\Winlogon\Notify\opnomLBU
[05/02/2008, 20:18:12] - Key not found: HKLM\...\Winlogon\Notify\opnomLBU, continuing.
[05/02/2008, 20:18:12] - BHO 14: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/02/2008, 20:18:12] - BHO 15: {C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA} (MSEvents Object)
[05/02/2008, 20:18:12] - ALERT: Found MSEvents Object!
[05/02/2008, 20:18:12] - Finished Searching Browser Helper Objects
[05/02/2008, 20:18:12] - *** Detected MSEvents Object
[05/02/2008, 20:18:12] - Trying to remove MSEvents Object...
[05/02/2008, 20:18:13] - Terminating Process: IEXPLORE.EXE
[05/02/2008, 20:18:29] - Terminating Process: RUNDLL32.EXE
[05/02/2008, 20:18:31] - Disabling Automatic Shell Restart
[05/02/2008, 20:18:31] - Terminating Process: EXPLORER.EXE
[05/02/2008, 20:18:33] - Suspending the NT Session Manager System Service
[05/02/2008, 20:18:34] - Terminating Windows NT Logon/Logoff Manager
[05/02/2008, 20:18:35] - Re-enabling Automatic Shell Restart
[05/02/2008, 20:18:35] - File to disable: C:\WINDOWS\system32\efcCsqQH.dll
[05/02/2008, 20:18:35] - Renaming C:\WINDOWS\system32\efcCsqQH.dll -> C:\WINDOWS\system32\efcCsqQH.dll.vir
[05/02/2008, 20:18:36] - File successfully renamed!
[05/02/2008, 20:18:36] - Removing HKLM\...\Browser Helper Objects\{C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA}
[05/02/2008, 20:18:36] - Removing HKCR\CLSID\{C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA}
[05/02/2008, 20:18:37] - Adding Kill Bit for ActiveX for GUID: {C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA}
[05/02/2008, 20:18:38] - Deleting ATLEvents/MSEvents Registry entries
[05/02/2008, 20:18:38] - Removing HKLM\...\Winlogon\Notify\efcCsqQH
[05/02/2008, 20:18:38] - Searching for Browser Helper Objects:
[05/02/2008, 20:18:38] - BHO 1: -{AE7CD045-E861-484f-8273-0445EE161910} ()
[05/02/2008, 20:18:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:38] - No filename found. Continuing.
[05/02/2008, 20:18:39] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/02/2008, 20:18:39] - BHO 3: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[05/02/2008, 20:18:39] - BHO 4: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} (Winamp Toolbar BHO)
[05/02/2008, 20:18:39] - BHO 5: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[05/02/2008, 20:18:39] - BHO 6: {49E0E0F0-5C30-11D4-945D-000000000003} (IE PopUp-Killer)
[05/02/2008, 20:18:39] - BHO 7: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} (Megaupload Toolbar)
[05/02/2008, 20:18:39] - BHO 8: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/02/2008, 20:18:40] - BHO 9: {66F6A8E6-4D9A-4C67-8D83-E32D7F103AD9} ()
[05/02/2008, 20:18:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:40] - Checking for HKLM\...\Winlogon\Notify\xxyabxXp
[05/02/2008, 20:18:40] - Key not found: HKLM\...\Winlogon\Notify\xxyabxXp, continuing.
[05/02/2008, 20:18:40] - BHO 10: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[05/02/2008, 20:18:41] - BHO 11: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/02/2008, 20:18:41] - BHO 12: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/02/2008, 20:18:41] - BHO 13: {AA569288-7339-4B75-A849-E89505685A35} ()
[05/02/2008, 20:18:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:41] - Checking for HKLM\...\Winlogon\Notify\opnomLBU
[05/02/2008, 20:18:41] - Key not found: HKLM\...\Winlogon\Notify\opnomLBU, continuing.
[05/02/2008, 20:18:41] - BHO 14: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/02/2008, 20:18:41] - Finished Searching Browser Helper Objects
[05/02/2008, 20:18:41] - Finishing up...
[05/02/2008, 20:18:41] - A restart is needed.
[05/02/2008, 20:19:07] - Attempting to Restart via STOP error (Blue Screen!)
I just got infected by virtumode trojan and run the vundofix.exe but found nothing, so i tryed the second solution available the virtumundobegone.exe which was very helpfull finally. I am not sure though if everything is ok now so i post the contents of VBG.TXT here. Please if there is still something wrong help me to get rid of this nasty thing.
Tanks a lot guys for the very good job you doing here which was very helpful during the past also.
[05/02/2008, 20:18:03] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\User\Desktop\VirtumundoBeGone.exe" )
[05/02/2008, 20:18:10] - Detected System Information:
[05/02/2008, 20:18:10] - Windows Version: 5.1.2600, Service Pack 2
[05/02/2008, 20:18:10] - Current Username: User (Admin)
[05/02/2008, 20:18:10] - Windows is in NORMAL mode.
[05/02/2008, 20:18:10] - Searching for Browser Helper Objects:
[05/02/2008, 20:18:10] - BHO 1: -{AE7CD045-E861-484f-8273-0445EE161910} ()
[05/02/2008, 20:18:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:10] - No filename found. Continuing.
[05/02/2008, 20:18:10] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/02/2008, 20:18:10] - BHO 3: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[05/02/2008, 20:18:10] - BHO 4: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} (Winamp Toolbar BHO)
[05/02/2008, 20:18:10] - BHO 5: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[05/02/2008, 20:18:10] - BHO 6: {49E0E0F0-5C30-11D4-945D-000000000003} (IE PopUp-Killer)
[05/02/2008, 20:18:10] - BHO 7: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} (Megaupload Toolbar)
[05/02/2008, 20:18:10] - BHO 8: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/02/2008, 20:18:11] - BHO 9: {66F6A8E6-4D9A-4C67-8D83-E32D7F103AD9} ()
[05/02/2008, 20:18:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:11] - Checking for HKLM\...\Winlogon\Notify\xxyabxXp
[05/02/2008, 20:18:11] - Key not found: HKLM\...\Winlogon\Notify\xxyabxXp, continuing.
[05/02/2008, 20:18:11] - BHO 10: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[05/02/2008, 20:18:11] - BHO 11: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/02/2008, 20:18:11] - BHO 12: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/02/2008, 20:18:11] - BHO 13: {AA569288-7339-4B75-A849-E89505685A35} ()
[05/02/2008, 20:18:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:11] - Checking for HKLM\...\Winlogon\Notify\opnomLBU
[05/02/2008, 20:18:11] - Key not found: HKLM\...\Winlogon\Notify\opnomLBU, continuing.
[05/02/2008, 20:18:11] - BHO 14: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/02/2008, 20:18:11] - BHO 15: {C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA} ()
[05/02/2008, 20:18:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:11] - Checking for HKLM\...\Winlogon\Notify\efcCsqQH
[05/02/2008, 20:18:11] - Found: HKLM\...\Winlogon\Notify\efcCsqQH - This is probably Virtumundo.
[05/02/2008, 20:18:11] - Assigning {C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA} MSEvents Object
[05/02/2008, 20:18:11] - BHO list has been changed! Starting over...
[05/02/2008, 20:18:11] - BHO 1: -{AE7CD045-E861-484f-8273-0445EE161910} ()
[05/02/2008, 20:18:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:11] - No filename found. Continuing.
[05/02/2008, 20:18:11] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/02/2008, 20:18:11] - BHO 3: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[05/02/2008, 20:18:11] - BHO 4: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} (Winamp Toolbar BHO)
[05/02/2008, 20:18:12] - BHO 5: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[05/02/2008, 20:18:12] - BHO 6: {49E0E0F0-5C30-11D4-945D-000000000003} (IE PopUp-Killer)
[05/02/2008, 20:18:12] - BHO 7: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} (Megaupload Toolbar)
[05/02/2008, 20:18:12] - BHO 8: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/02/2008, 20:18:12] - BHO 9: {66F6A8E6-4D9A-4C67-8D83-E32D7F103AD9} ()
[05/02/2008, 20:18:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:12] - Checking for HKLM\...\Winlogon\Notify\xxyabxXp
[05/02/2008, 20:18:12] - Key not found: HKLM\...\Winlogon\Notify\xxyabxXp, continuing.
[05/02/2008, 20:18:12] - BHO 10: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[05/02/2008, 20:18:12] - BHO 11: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/02/2008, 20:18:12] - BHO 12: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/02/2008, 20:18:12] - BHO 13: {AA569288-7339-4B75-A849-E89505685A35} ()
[05/02/2008, 20:18:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:12] - Checking for HKLM\...\Winlogon\Notify\opnomLBU
[05/02/2008, 20:18:12] - Key not found: HKLM\...\Winlogon\Notify\opnomLBU, continuing.
[05/02/2008, 20:18:12] - BHO 14: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/02/2008, 20:18:12] - BHO 15: {C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA} (MSEvents Object)
[05/02/2008, 20:18:12] - ALERT: Found MSEvents Object!
[05/02/2008, 20:18:12] - Finished Searching Browser Helper Objects
[05/02/2008, 20:18:12] - *** Detected MSEvents Object
[05/02/2008, 20:18:12] - Trying to remove MSEvents Object...
[05/02/2008, 20:18:13] - Terminating Process: IEXPLORE.EXE
[05/02/2008, 20:18:29] - Terminating Process: RUNDLL32.EXE
[05/02/2008, 20:18:31] - Disabling Automatic Shell Restart
[05/02/2008, 20:18:31] - Terminating Process: EXPLORER.EXE
[05/02/2008, 20:18:33] - Suspending the NT Session Manager System Service
[05/02/2008, 20:18:34] - Terminating Windows NT Logon/Logoff Manager
[05/02/2008, 20:18:35] - Re-enabling Automatic Shell Restart
[05/02/2008, 20:18:35] - File to disable: C:\WINDOWS\system32\efcCsqQH.dll
[05/02/2008, 20:18:35] - Renaming C:\WINDOWS\system32\efcCsqQH.dll -> C:\WINDOWS\system32\efcCsqQH.dll.vir
[05/02/2008, 20:18:36] - File successfully renamed!
[05/02/2008, 20:18:36] - Removing HKLM\...\Browser Helper Objects\{C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA}
[05/02/2008, 20:18:36] - Removing HKCR\CLSID\{C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA}
[05/02/2008, 20:18:37] - Adding Kill Bit for ActiveX for GUID: {C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA}
[05/02/2008, 20:18:38] - Deleting ATLEvents/MSEvents Registry entries
[05/02/2008, 20:18:38] - Removing HKLM\...\Winlogon\Notify\efcCsqQH
[05/02/2008, 20:18:38] - Searching for Browser Helper Objects:
[05/02/2008, 20:18:38] - BHO 1: -{AE7CD045-E861-484f-8273-0445EE161910} ()
[05/02/2008, 20:18:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:38] - No filename found. Continuing.
[05/02/2008, 20:18:39] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/02/2008, 20:18:39] - BHO 3: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[05/02/2008, 20:18:39] - BHO 4: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} (Winamp Toolbar BHO)
[05/02/2008, 20:18:39] - BHO 5: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[05/02/2008, 20:18:39] - BHO 6: {49E0E0F0-5C30-11D4-945D-000000000003} (IE PopUp-Killer)
[05/02/2008, 20:18:39] - BHO 7: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} (Megaupload Toolbar)
[05/02/2008, 20:18:39] - BHO 8: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/02/2008, 20:18:40] - BHO 9: {66F6A8E6-4D9A-4C67-8D83-E32D7F103AD9} ()
[05/02/2008, 20:18:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:40] - Checking for HKLM\...\Winlogon\Notify\xxyabxXp
[05/02/2008, 20:18:40] - Key not found: HKLM\...\Winlogon\Notify\xxyabxXp, continuing.
[05/02/2008, 20:18:40] - BHO 10: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[05/02/2008, 20:18:41] - BHO 11: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/02/2008, 20:18:41] - BHO 12: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/02/2008, 20:18:41] - BHO 13: {AA569288-7339-4B75-A849-E89505685A35} ()
[05/02/2008, 20:18:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:41] - Checking for HKLM\...\Winlogon\Notify\opnomLBU
[05/02/2008, 20:18:41] - Key not found: HKLM\...\Winlogon\Notify\opnomLBU, continuing.
[05/02/2008, 20:18:41] - BHO 14: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/02/2008, 20:18:41] - Finished Searching Browser Helper Objects
[05/02/2008, 20:18:41] - Finishing up...
[05/02/2008, 20:18:41] - A restart is needed.
[05/02/2008, 20:19:07] - Attempting to Restart via STOP error (Blue Screen!)
#40
- Group: Retired Staff
- Posts: 47,710
- Joined: 23-March 07
Posted 02 May 2008 - 03:28 PM
The guides will work fine on Vista fatin_fab
hellenic, please don't post your logs here, you can only receive help in the malware removal forum
hellenic, please don't post your logs here, you can only receive help in the malware removal forum
#41
- Group: Member
- Posts: 1
- Joined: 02-June 08
Posted 02 June 2008 - 11:20 AM
Ding Dong! The Witch is dead. Which old Witch? The Wicked Witch!
Ding Dong! The Wicked Witch is dead.
I thank you all for the VirtumundoBeGone.exe, it had done in 3 seconds what I've been trying to do for 7 hours.
I've run _every_ online AV / spyware scanner (some failed, some succeded, best was Microsoft protection center), Spybot S&D (partial sucess), Adaware 2008 (almost nothing) and my own AVG 8.0 (which to detect anything!) - nothing.
I've tried VundoFix.exe and FixVundo.exe (the original and symantec's) - nothing.
I've tried manually doing things by suspending the processes and deleteing files - it still eluded me.
Then I've tried "VirtumundoBeGone.exe". 3 seconds, one reboot. gone. GONE!!! Yey! Merriment and joy! And a log file to certify the dead.
Way to go, geeks to go.
Ding Dong! The Wicked Witch is dead.
I thank you all for the VirtumundoBeGone.exe, it had done in 3 seconds what I've been trying to do for 7 hours.
I've run _every_ online AV / spyware scanner (some failed, some succeded, best was Microsoft protection center), Spybot S&D (partial sucess), Adaware 2008 (almost nothing) and my own AVG 8.0 (which to detect anything!) - nothing.
I've tried VundoFix.exe and FixVundo.exe (the original and symantec's) - nothing.
I've tried manually doing things by suspending the processes and deleteing files - it still eluded me.
Then I've tried "VirtumundoBeGone.exe". 3 seconds, one reboot. gone. GONE!!! Yey! Merriment and joy! And a log file to certify the dead.
Way to go, geeks to go.
#42
- Group: Retired Staff
- Posts: 47,710
- Joined: 23-March 07
Posted 04 June 2008 - 06:15 AM
Glad it worked for you
Thanks for the feedback
Thanks for the feedback
#43
- Group: Member
- Posts: 1
- Joined: 04-June 08
Posted 04 June 2008 - 10:27 PM
I had the frustrating experience of having vundo.ere on my computer. One popular "free" program required registration and purchase. I have seen other suggestions, but I used Malwarebyte's Anti-Malware program, a true freebie. It found vundo.ere (in many places) and 5 other malware files/programs. All but one [System32/ddccrixo.dll] were removed. The latter can be removed by changing the name of the file, e.g., add a 2 to it, and deleting it. Without the change, it wouldn't go away.
#44
- Group: Retired Staff
- Posts: 47,710
- Joined: 23-March 07
Posted 05 June 2008 - 05:38 AM
Glad you got it fixed. We are big fans of Malware Bytes here, so no surprise that it helped fix your problem
#45
- Group: Member
- Posts: 6
- Joined: 20-March 06
Posted 19 June 2008 - 10:22 AM
Hello,
I am helping a friend clean his son's new Dell laptop of malware. Spybot S&D did a pretty good job of most. Now I am left with Virtumonde.dll and Wind 32.Banker.aipy.rtk. I was going to do your Malware Removal Guide on the Virtumonde, however, the creator has removed the VundoFix.exe from his site. Is it OK to use the VirtumundoBegone instead. I know it was recommended to do this only if the VundoFix.exe didn't work.
Thanks,
P.S. his son is in the guards and currently deployed in Iowa to help with the floods. He will be heading to Iraq in a few months. I really want to get this done for him quickly.
I am helping a friend clean his son's new Dell laptop of malware. Spybot S&D did a pretty good job of most. Now I am left with Virtumonde.dll and Wind 32.Banker.aipy.rtk. I was going to do your Malware Removal Guide on the Virtumonde, however, the creator has removed the VundoFix.exe from his site. Is it OK to use the VirtumundoBegone instead. I know it was recommended to do this only if the VundoFix.exe didn't work.
Thanks,
P.S. his son is in the guards and currently deployed in Iowa to help with the floods. He will be heading to Iraq in a few months. I really want to get this done for him quickly.
