Virtumondo.c isn't being removed, help please

Guest

Hi,
I have MSAS installed with other spyware programs installed and MSAS is the
only one to detect virtumondo.c on my computer to its great credit. It asks
me to let it remove Virtumondo.c and its components.. I click okay, MSAS says
it is removed, but it isn't. I have tried this in safe mode too. What should
I do? I have HijackThis, Spybot S&D, Ad-aware 6, Spyware Blaster, system
cleaner and Cleanup! if those help. Thank you very much. shoedog
 
Dave M

Hi Ralph - Four approaches to removing Winfixer (Vundo). It's suggested
that you try them in this order.

1 - Symantec has a new Vundo remover:
http://securityresponse.symantec.com/avcenter/FixVundo.exe
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
http://securityresponse.symantec.com/avcenter/venc/data/adware.virtumonde.html#removalinstructions

2 - It's been reported that the Removal Tool here is worthwhile:
http://forums.mcafeehelp.com/viewtopic.php?t=57049


3 - Then, courtesy of MVP Suzi Turner and Mosaic1:

"Atribune, a guy in the forums, has a Vundo fix tool as well:

Instructions for use by user as posted in the SpywareWarrior forum:

'Please download VundoFix.exe to your desktop. Here's a link:

http://www.atribune.org/downloads/VundoFix.exe

Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.
After the files are extracted, please restart your computer into Safe Mode.

Once in safe mode open the VundoFix folder and double-click on KillVundo.bat

A command window will open and it should look like this:

VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk

At this point press enter one time.

Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter, to continue with the fix.


At this point please type the following file path (make sure to enter it
exactly as below!):
C:\WINDOWS\system32\geeby.dll

Press Enter.

Next you will see:

Please type in the second filepath as instructed by the forum staff

At this point please type the following file path (make sure to enter it
exactly as below!):
C:\WINDOWS\system32\ybeeg.*

Press Enter to continue.

The fix will run then HijackThis will open.
In HijackThis, please place a check next to the following items and click
FIX CHECKED:


O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} -
C:\WINDOWS\system32\geeby.dll
O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll

After you have fixed these items, close Hijackthis.

The fix will tell you to shutdown using the Power button. Hold in your power
button until the computer shuts down. Wait about 15 seconds and then restart
the computer into regular windows.

Chkdsk will run. This is normal. It will take a few minutes and is checking
your file system because of the Bad Shutdown we caused.

Go for free online Virus scans here:

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/

Allow them to clean

Panda will have the option to create a log after the scan has finished. Click
the See Report button. Then click the Save Report button. It will be saved
under the name activescan.txt. Do that and post that log into your next reply
here.

Run HijackThis and post the new log and the vundofix.txt file from the
VundoFix folder as well.'
------------------------------------------------------------------------------

The forum helpers have reported this fix from Atribune works. I don't know
about the Symantec tool.

If you'd like to join Spyware Warrior, you could see the thread where the
helpers are discussing this.

Suzi"


Note: Here's some added info relative to the above courtesy of MVP Steve
Wechsler (akaMowGreen):

"the .dll's file name :

C:\WINDOWS\system32\geeby.dll

will be different on different systems. What you can do to identify it
is to scan the system with HijackThis and look at the O2 BHO and/or O20
Winlogon entries to find out its name. Close all other programs and
browsers prior to scanning with HJT.
REMEMBER that there is a hidden file that will have the name of the .dll
spelled backwards. Enter that name when the VundoFix requests the path
to the second file.

4 - Grinler, a Security MVP, has another removal method that can be used if
the recommended method fails :
http://www.bleepingcomputer.com/forums/topic18610.html"
_____________________________________________________

Here's the HijackThis info you may need:

Download HijackThis, free, here:
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

There's a good "How-to-Use" tutorial here:
http://computercops.biz/HijackThis.html

In Windows Explorer, click on Tools|Folder Options|View and check "Show
hidden files and folders" and uncheck "Hide protected operating system
files". (You may want to restore these when you're all finished with
HijackThis.)

Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
at the root level such as C:\HijackThis (NOT in a Temp folder or on your
Desktop), reboot to Safe mode, start HT then press Scan. Click on SaveLog
when it's finished which will create hijackthis.log. Now click the Config
button, then Misc Tools and click on Generate StartupList.log which will
create Startuplist.txt


Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://forums.spywareinfo.com/
or Jim Eshelman's site here: http://forum.aumha.org/
or Bleepingcomputer here: http://www.bleepingcomputer.com/
or Computer Cops here: http://www.computercops.biz/forums.html
or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
or Net-Integration here: http://net-integration.us/forums/index.php

Register if necessary, then sign in and READ THE DIRECTIONS at the beginning
of the particular site's HiJackThis forum, then copy and paste both files
into a message asking for assistance. Someone will answer with detailed
instructions for the removal of your parasite(s). Be sure you include at
the beginning of your post a description of "What specific
problem(s)/symptoms you're trying to solve" and "What steps you've already
taken."




*******
ONLY IF you've successfully eliminated the malware, you can now make a new,
clean Restore Point and delete any previously saved (possibly infected)
ones. The following suggested approach is courtesy of Gary Woodruff: For XP
you can run a Disk Cleanup cycle and then look in the More Options tab. The
System Restore option removes all but the latest Restore Point. If there
hasn't been one made since the system was cleaned you should manually create
one before dumping the old possibly infected ones.
*******


You probably should consider switching to Sun Java J2SE 5.0 JRE or later
here: http://java.sun.com/j2se/1.5.0/download.jsp (What I use, BTW),
especially since MS will apparently no longer be distributing Java or
providing any support for Java including security fixes after Dec 31, 2007.
BE SURE that you uninstall any prior versions of Sun Java as some,
specifically JRE v. 1.4.2_03, contain a security bug which certain malware,
notably Winfixer/Vundo, are suspected of exploiting. If you did have this
version of Sun Java, JRE v. 1.4.2_03, installed, please post back and tell
us.


When you get things cleaned up, take a look at my Blog, Defending Your
Machine, addy in my Signature below, for some additional curative and
preventive measures you might want to implement to help prevent this type of
thing in the future.
 
Guest

Hello Ralph:

Try this:

http://www.bleepingcomputer.com/for...janVundoB-Search42com-MSevents-tx18610-0.html

http://www.atribune.org/forums/index.php?showtopic=589

OR

Get HijackThis.exe from
http://tomcoyote.org/hjt/hjt199//HijackThis.exe

Save it to C:\hjt (new folder) then Open it and select
Scan and Save Log. Note where you saved the log then
send it to him as an attachment. Put Hijack in the subject
so he'll know it's not spam.

Alternatively you can post it on the Dell Forum at:

http://forums.us.dell.com/supportforums/board?board.id=si_hijack

(if it wraps you can go to:

http://tinyurl.com/ckuzq instead.)

Put Ron in the subject so he will see it. You do not need
to have a Dell to post but you will need to register.

Ron Kinner
Microsoft MVP 2004 & 2005
(e-mail address removed)

Good luck

Engel
 
Jim Byrd

Hi Dave - FYI, it's customary (and good manners) to give attribution to the
original author when you copy someone else's post.
 
Jim Byrd

My sincere apologies, Dave - that post is so long that I didn't go on down
to the end when I first read it to where you did indeed include my signature
block. Sorry 'bout that, and there was certainly no offense taken. On the
contrary, we're always glad to find our posts appropriately quoted since it
tends to help get out the information to those who need it, sometimes in
forums we may not always manage to get to as often as we'd like. It really
was just an FYI (albeit an erroneous one in this case. :) )
 
Dave M

NP Jim...
I get long winded myself on occasion... and if I do quote segments of your
generally fine posts, I generally do a From "Quotee" at the top, I just used the
whole shebang on this one since it all applied...
 
Bill Sanderson

As a rule, you are best off on the very latest Java platform you can find.
And if it is Sun's Java, you need to go to add/remove programs and remove
the older version after updating.

And once on that recent version, take advantage of the auto-update feature,
and keep an eye on it.
--
 
Guest

Thanks Bill,
You know, I had Spybot S&D, Spyware Blaster, MSAS, Trend Micro, Ad-aware 6
and CleanUp! already installed and updated before I got Virtumonde this time.
(Second time in a few months). How come? Was it the old Java environment?
Also, MSAS did a better job than almost all the others (+Ewido, etc.) in
detecting Virtumonde.c ... but why couldn't it remove it? Spyware Sweeper did
the job in one pass. Thanks
 
Bill Sanderson

I don't know for sure, but the old Java seems to be a common factor in most
if not all of these infections that Steve Wechsler is checking out.

I also don't know why Microsoft Antispyware fails in the removal. I didn't
notice anything too difficult in the process as I went about it
manually--but neither AVG nor Microsoft Antispyware were effective alone or
combined. I would love to have a known source for this infection so I could
properly bug the removal process.
 
Easy winfixer / virtumundo / geeby.dll removal

Re: WINFIXER - VIRTUMUNDO - VUNDO - GEEBY.DLL

Successful Trojan Removal Program

I have spent MANY hours trying to get rid of this devil. Have tried many methods found on the web to remove it. Was getting ready to reformat my hard disk and start over when I found a small (94.7KB), privately written program on the McAfee Help forum that did the job in a quick, simple snap:

Removal Tool (VirtumundoBeGone.exe) at: http://forums.mcafeehelp.com/viewtopic.php?t=57049

Read the information - 45 seconds;
Downloaded VirtumundoBeGone.exe - 10 seconds;
Ran VirtumundoBeGone.exe - 2 minutes;
Computer rebooted - 2 minutes;
Read VGB.TXT report on my desktop - 30 seconds;
Deleted all remaining remnants of this freak - 60 seconds.
Now plan to party ALL NIGHT.
It worked, it was simple.
THANK YOU!!!!!

Additional information:

EWIDO <http://www.ewido.net/en> has been good at spotting GEEBY.DLL. EWIDO removed it from 14 locations on my computer plus fixing a number of other problems that my other more well known, expensive programs did not remove. However, it could not get GEEBY.DLL in windows\system32 that was called by winlogon.exe. It recognizes it there, and attempts to remove it, but with no luck. EWIDO is free to try, and free to use permanently except that the real-time protection is disabled after two weeks. Still, not a bad manual scanner and remover to have as a backup if you don't want to pay for it.

If this does not work for you, I have posted at the bottom the thread that led me to this program. Some of the other information in it may be helpful.
_______________________

For those of you interested, I ran the program twice. The first time it found Virtumundo and removed it. The removal process involved rebooting the computer. The second time it did not find Virtumundo and there was no computer reboot.
Here are the removal reports that Virtumundobegone.exe put on my desktop:

[12/23/2005, 23:12:46] - VirtumundoBeGone v1.5 ( "c:\My Downloads\0-LoadFromHere\VirtumundoBeGone.exe" )
[12/23/2005, 23:13:08] - Detected System Information:
[12/23/2005, 23:13:08] - Windows Version: 5.1.2600, Service Pack 2
[12/23/2005, 23:13:08] - Current Username: XXXXX XXXXXXX (Admin)
[12/23/2005, 23:13:08] - Windows is in NORMAL mode.
[12/23/2005, 23:13:08] - Searching for Browser Helper Objects:
[12/23/2005, 23:13:08] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[12/23/2005, 23:13:08] - BHO 2: {06647158-359E-4D10-A8DE-E6145DA90BE9} (Trend Micro Antifraud Toolbar)
[12/23/2005, 23:13:08] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/23/2005, 23:13:08] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} ()
[12/23/2005, 23:13:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/23/2005, 23:13:08] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[12/23/2005, 23:13:08] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[12/23/2005, 23:13:08] - BHO 5: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[12/23/2005, 23:13:08] - BHO 6: {7c1ce531-09e9-4fc5-9803-1c2956615786} (IeCaptureBho Object)
[12/23/2005, 23:13:09] - BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[12/23/2005, 23:13:09] - BHO 8: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[12/23/2005, 23:13:09] - BHO 9: {FC148228-87E1-4D00-AC06-58DCAA52A4D1} (MSEvents Object)
[12/23/2005, 23:13:09] - ALERT: Found MSEvents Object!
[12/23/2005, 23:13:09] - Finished Searching Browser Helper Objects
[12/23/2005, 23:13:09] - *** Detected MSEvents Object
[12/23/2005, 23:13:09] - Trying to remove MSEvents Object...
[12/23/2005, 23:13:10] - Terminating Process: IEXPLORE.EXE
[12/23/2005, 23:13:10] - Terminating Process: RUNDLL32.EXE
[12/23/2005, 23:13:10] - Disabling Automatic Shell Restart
[12/23/2005, 23:13:10] - Terminating Process: EXPLORER.EXE
[12/23/2005, 23:13:10] - Suspending the NT Session Manager System Service
[12/23/2005, 23:13:11] - Terminating Windows NT Logon/Logoff Manager
[12/23/2005, 23:13:12] - Re-enabling Automatic Shell Restart
[12/23/2005, 23:13:12] - File to disable: C:\WINDOWS\system32\geeby.dll
[12/23/2005, 23:13:12] - Renaming C:\WINDOWS\system32\geeby.dll -> C:\WINDOWS\system32\geeby.dll.vir
[12/23/2005, 23:13:12] - File successfully renamed!
[12/23/2005, 23:13:12] - Removing HKLM\...\Browser Helper Objects\{FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[12/23/2005, 23:13:12] - Removing HKCR\CLSID\{FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[12/23/2005, 23:13:12] - Adding Kill Bit for ActiveX for GUID: {FC148228-87E1-4D00-AC06-58DCAA52A4D1}
[12/23/2005, 23:13:12] - Deleting ATLEvents/MSEvents Registry entries
[12/23/2005, 23:13:12] - Removing HKLM\...\Winlogon\Notify\geeby
[12/23/2005, 23:13:12] - Searching for Browser Helper Objects:
[12/23/2005, 23:13:12] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[12/23/2005, 23:13:12] - BHO 2: {06647158-359E-4D10-A8DE-E6145DA90BE9} (Trend Micro Antifraud Toolbar)
[12/23/2005, 23:13:12] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/23/2005, 23:13:12] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} ()
[12/23/2005, 23:13:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/23/2005, 23:13:12] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[12/23/2005, 23:13:12] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[12/23/2005, 23:13:12] - BHO 5: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[12/23/2005, 23:13:12] - BHO 6: {7c1ce531-09e9-4fc5-9803-1c2956615786} (IeCaptureBho Object)
[12/23/2005, 23:13:13] - BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[12/23/2005, 23:13:13] - BHO 8: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[12/23/2005, 23:13:13] - Finished Searching Browser Helper Objects
[12/23/2005, 23:13:13] - Finishing up...
[12/23/2005, 23:13:13] - A restart is needed.
[12/23/2005, 23:13:25] - Attempting to Restart via STOP error (Blue Screen!)

--------------------------

Here is the second report when Virtumundo had already been removed. (No reboot because it had been cleaned):


[12/23/2005, 23:27:16] - VirtumundoBeGone v1.5 ( "c:\My Downloads\0-LoadFromHere\VirtumundoBeGone.exe" )
[12/23/2005, 23:27:20] - Detected System Information:
[12/23/2005, 23:27:20] - Windows Version: 5.1.2600, Service Pack 2
[12/23/2005, 23:27:20] - Current Username: XXXXXX XXXXXXXX (Admin)
[12/23/2005, 23:27:20] - Windows is in NORMAL mode.
[12/23/2005, 23:27:20] - Searching for Browser Helper Objects:
[12/23/2005, 23:27:20] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[12/23/2005, 23:27:20] - BHO 2: {06647158-359E-4D10-A8DE-E6145DA90BE9} (Trend Micro Antifraud Toolbar)
[12/23/2005, 23:27:20] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/23/2005, 23:27:20] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} ()
[12/23/2005, 23:27:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/23/2005, 23:27:21] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[12/23/2005, 23:27:21] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[12/23/2005, 23:27:21] - BHO 5: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[12/23/2005, 23:27:21] - BHO 6: {7c1ce531-09e9-4fc5-9803-1c2956615786} (IeCaptureBho Object)
[12/23/2005, 23:27:21] - BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[12/23/2005, 23:27:21] - BHO 8: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[12/23/2005, 23:27:21] - Finished Searching Browser Helper Objects
[12/23/2005, 23:27:21] - Finishing up...
[12/23/2005, 23:27:21] - Nothing found! Exiting...


-------------------------------------------------------

Thread that led me to this program:

FROM: http://www.howtofixcomputers.com/bb/sutra731052.html



Hi Barryco - Five approaches to removing Winfixer (Vundo). Not all will
work on all variants. It's suggested that you try them in this order.

1 - Symantec has a new Vundo remover:
http://securityresponse.symantec.com/avcenter/FixVundo.exe
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
http://securityresponse.symantec.com/avcenter/venc/data/adware.virtumonde.html#removalinstructions

2 - McAfee has a combined automated/manual removal procedure here:
http://vil.nai.com/vil/content/v_127690.htm


3 - It's been reported that the Removal Tool here is worthwhile:
http://forums.mcafeehelp.com/viewtopic.php?t=57049


4 - Then, courtesy of MVP Suzi Turner and Mosaic1:

"Atribune, a guy in the forums, has a Vundo fix tool as well:

Instructions for use by user as posted in the SpywareWarrior forum:

'Please download VundoFix.exe to your desktop. Here's a link:

http://www.atribune.org/downloads/VundoFix.exe

Double-click VundoFix.exe to extract the files
 
Guest

This is more of a general post to this problem. The fact that Microsoft wants
us to install this virus detector and it still can't remove a general
virus/spyware problem makes one have even less faith in a consumer facing
anti-virus tool from Microsoft. PLEASE FIX YOUR TOOL SO IT CAN REMOVE
VIRTUMONDO. I have had this spyware problem ever since I took the leap of
faith and ended my subscription with Zone Alarm and trusted my computer to
Microsoft’s firewall. Immediately I was infected and now you offer no
solution. I am sorry but this is absolutely pathetic. I truly hope you can
find a solution to this problem.
Thank you.
 
Bill Sanderson

Microsoft antispyware is not an antivirus and has never been marketed as
such.

What antivirus application are you using?
--
 
Jim Byrd

Hi gnan - Seven approaches to removing Winfixer (Vundo). Not all will work
on all variants. It's suggested that you try them in this order.

1 - Feedback from users reports that the Removal Tool here is the most
effective against what is currently the most common variety of this
'malware':
http://forums.mcafeehelp.com/viewtopic.php?t=57049



2 - Symantec has a new Vundo remover:
http://securityresponse.symantec.com/avcenter/FixVundo.exe
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
http://securityresponse.symantec.com/avcenter/venc/data/adware.virtumonde.html#removalinstructions



3 - Courtesy of Dave Lipman:

"Download WinFixerFix.exe from the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe


On the infected PC...

Execute; WinFixerFix.exe { Note: You must accept the default of
C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to enable WGET.EXE to download the needed McAfee
related files.

Execute; c:\mcafee\clean.bat { or Double-click on 'Clean Link' in
c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be
generated. At the end of the scan, it will be displayed in your browser
(Opera, FireFox or Internet Explorer). It is suggested that you move the
report out of c:\mcafee before performing another scan. It would be a good
idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session."



4 - McAfee has a combined automated/manual removal procedure here:
http://vil.nai.com/vil/content/v_127690.htm



5 - Then, courtesy of MVP Suzi Turner and Mosaic1:

"Atribune, a guy in the forums, has a Vundo fix tool as well:

Instructions for use by user as posted in the SpywareWarrior forum:

'Please download VundoFix.exe to your desktop. Here's a link:

http://www.atribune.org/downloads/VundoFix.exe

Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.
After the files are extracted, please restart your computer into Safe Mode.

Once in safe mode open the VundoFix folder and double-click on KillVundo.bat

A command window will open and it should look like this:

VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk

At this point press enter one time.

Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter, to continue with the fix.


At this point please type the following file path (make sure to enter it
exactly as below!):
C:\WINDOWS\system32\geeby.dll

Press Enter.

Next you will see:

Please type in the second filepath as instructed by the forum staff

At this point please type the following file path (make sure to enter it
exactly as below!):
C:\WINDOWS\system32\ybeeg.*

Press Enter to continue.

The fix will run then HijackThis will open.
In HijackThis, please place a check next to the following items and click
FIX CHECKED:


O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} -
C:\WINDOWS\system32\geeby.dll
O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll

After you have fixed these items, close Hijackthis.

The fix will tell you to shutdown using the Power button. Hold in your power
button until the computer shuts down. Wait about 15 seconds and then restart
the computer into regular windows.

Chkdsk will run. This is normal. It will take a few minutes and is checking
your file system because of the Bad Shutdown we caused.

Go for free online Virus scans here:

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/

Allow them to clean

Panda will have the option to create a log after the scan has finished. Click
the See Report button. Then click the Save Report button. It will be saved
under the name activescan.txt. Do that and post that log into your next reply
here.

Run HijackThis and post the new log and the vundofix.txt file from the
VundoFix folder as well.'

The forum helpers have reported this fix from Atribune works. I don't know
about the Symantec tool.

If you'd like to join Spyware Warrior, you could see the thread where the
helpers are discussing this.

Suzi"


Note: Here's some added info relative to the above courtesy of MVP Steve
Wechsler (akaMowGreen):

"the .dll's file name :

C:\WINDOWS\system32\geeby.dll

will be different on different systems. What you can do to identify it
is to scan the system with HijackThis and look at the O2 BHO and/or O20
Winlogon entries to find out its name. Close all other programs and
browsers prior to scanning with HJT. REMEMBER that there is a hidden file
that will have the name of the .dll spelled backwards. Enter that name when
the VundoFix requests the path to the second file.



6 - Grinler, (Lawrence Abrams, a Security MVP), has another removal method
that can be used if the recommended method fails :
http://www.bleepingcomputer.com/forums/topic18610.html"




7 - Courtesy of S.Sengupta[MS-MVP]

Download VirtumundoBegone and save it to your desktop.

VirtumundoBegone
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Run that application after booting into safe mode.





Here's the HijackThis info you may need:

Download HijackThis, free, here:
http://www.merijn.org/files/hijackthis.zip (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

There's a good "How-to-Use" tutorial here:
http://computercops.biz/HijackThis.html

In Windows Explorer, click on Tools|Folder Options|View and check "Show
hidden files and folders" and uncheck "Hide protected operating system
files". (You may want to restore these when you're all finished with
HijackThis.)

Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
at the root level such as C:\HijackThis (NOT in a Temp folder or on your
Desktop), reboot to Safe mode, start HT then press Scan. Click on SaveLog
when it's finished which will create hijackthis.log. Now click the Config
button, then Misc Tools and click on Generate StartupList.log which will
create Startuplist.txt


Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://forums.spywareinfo.com/
or Jim Eshelman's site here: http://forum.aumha.org/
or Bleepingcomputer here: http://www.bleepingcomputer.com/
or Computer Cops here: http://www.computercops.biz/forums.html
or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
or Net-Integration here: http://net-integration.us/forums/index.php

Register if necessary, then sign in and READ THE DIRECTIONS at the beginning
of the particular site's HiJackThis forum, then copy and paste both files
into a message asking for assistance. Someone will answer with detailed
instructions for the removal of your parasite(s). Be sure you include at
the beginning of your post a description of "What specific
problem(s)/symptoms you're trying to solve" and "What steps you've already
taken."




*******
ONLY IF you've successfully eliminated the malware, you can now make a new,
clean Restore Point and delete any previously saved (possibly infected)
ones. The following suggested approach is courtesy of Gary Woodruff: For XP
you can run a Disk Cleanup cycle and then look in the More Options tab. The
System Restore option removes all but the latest Restore Point. If there
hasn't been one made since the system was cleaned you should manually create
one before dumping the old possibly infected ones.
*******


You probably should consider switching to Sun Java J2SE 5.0 JRE or later
here: http://java.sun.com/j2se/1.5.0/download.jsp (What I use, BTW),
especially since MS will apparently no longer be distributing Java or
providing any support for Java including security fixes after Dec 31, 2007.
BE SURE that you uninstall any prior versions of Sun Java as some,
specifically JRE v. 1.4.2 and earlier, contain a security bug which certain
malware, notably Winfixer/Vundo, are suspected of exploiting. If you did have
one of these versions of Sun Java, JRE v. 1.4.2 or earlier, installed, please
post back and tell us.


When you get things cleaned up, take a look at my Blog, Defending Your
Machine, addy in my Signature below, for some additional curative and
preventive measures you might want to implement to help prevent this type of
thing in the future.
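Editor's added example (not a tool posted in this thread, and not part of any poster's message): the two VundoFix prompts, the two HijackThis entries, and the VirtumundoBeGone report above all hinge on one fact, that the same DLL is registered both as an Internet Explorer Browser Helper Object (the O2 line) and as a Winlogon Notify package (the O20 line), with a hidden companion file whose name is the DLL's name spelled backwards. The Python script below reads HijackThis O2/O20 lines, finds a DLL that appears in both, and works out what you would type at the two VundoFix prompts plus the registry keys the VirtumundoBeGone report shows being removed. The report abbreviates those keys with "HKLM\...\"; the full paths used here are the standard Windows locations. The sample log lines are constructed from the geeby.dll entries quoted in the thread, not taken from anyone's real log. The script only reads text and prints; it does not touch the registry or delete anything, so it can be run on any machine.

```python
"""Work out VundoFix inputs and the Vundo registry keys from HijackThis lines.

Added example, not a tool from this thread. The sample log is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Full registry paths behind the "HKLM\...\" abbreviations in the
# VirtumundoBeGone report quoted in this thread (standard Windows locations).
BHO_ROOT = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKCR\CLSID"
NOTIFY_ROOT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
# The ActiveX kill bit lives here: "Compatibility Flags" (DWORD) = 0x400 stops
# IE instantiating the CLSID again even if the DLL reappears.
KILLBIT_ROOT = r"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample modelled on the O2/O20 lines quoted above. A real log
# has many more lines; only O2 and O20 matter for this check.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\geeby.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+?)\s*$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>.+?) - (?P<path>.+?)\s*$")


@dataclass
class VundoFinding:
    dll_path: str          # first path VundoFix asks for
    hidden_path: str       # second path: name reversed, any extension
    clsid: str
    bho_name: str
    notify_subkey: str
    keys_to_delete: List[str] = field(default_factory=list)
    killbit_key: str = ""


def split_windows_path(path: str) -> Tuple[str, str, str]:
    """Split 'C:\\dir\\name.ext' into (dir, name, ext) by hand; os.path on a
    non-Windows host would not treat the backslash as a separator."""
    directory, _, filename = path.rpartition("\\")
    if "." in filename:
        stem, _, ext = filename.rpartition(".")
    else:
        stem, ext = filename, ""
    return directory, stem, ext


def analyse_hjt_log(text: str) -> Optional[VundoFinding]:
    """Return the first DLL that is both a BHO (O2) and a Winlogon Notify
    package (O20); that overlap is how this Vundo variant stays loaded."""
    bhos: Dict[str, Tuple[str, str, str]] = {}   # lower-cased path -> (name, clsid, path)
    notifies: List[Tuple[str, str]] = []          # (subkey, path)
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos[m["path"].lower()] = (m["name"], m["clsid"], m["path"])
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append((m["subkey"], m["path"]))
    for subkey, path in notifies:
        hit = bhos.get(path.lower())
        if hit is None:
            continue   # a Notify DLL that IE does not also load is not this pattern
        name, clsid, dll_path = hit
        directory, stem, _ = split_windows_path(dll_path)
        return VundoFinding(
            dll_path=dll_path,
            hidden_path=f"{directory}\\{stem[::-1]}.*",
            clsid=clsid,
            bho_name=name,
            notify_subkey=subkey,
            keys_to_delete=[
                f"{BHO_ROOT}\\{clsid}",
                f"{CLSID_ROOT}\\{clsid}",
                f"{NOTIFY_ROOT}\\{subkey}",
            ],
            killbit_key=f"{KILLBIT_ROOT}\\{clsid}",
        )
    return None


def vundofix_answers(finding: VundoFinding) -> Tuple[str, str]:
    """The two file paths VundoFix prompts for, in order."""
    return finding.dll_path, finding.hidden_path


if __name__ == "__main__":
    found = analyse_hjt_log(SAMPLE_HJT_LOG)
    if found is None:
        print("No BHO/Winlogon Notify overlap found.")
    else:
        first, second = vundofix_answers(found)
        print(f"BHO '{found.bho_name}' {found.clsid} and Winlogon Notify "
              f"'{found.notify_subkey}' both load {first}")
        print("VundoFix first path: ", first)
        print("VundoFix second path:", second)
        print("Registry keys to delete:")
        for key in found.keys_to_delete:
            print("  ", key)
        print("Kill bit key (Compatibility Flags = 0x400):", found.killbit_key)
```

The cross-reference is the useful part: a Winlogon Notify DLL on its own is normal (Windows ships several), and a BHO on its own is normal, but one DLL in both lists is the signature this thread is chasing, and it also explains why a plain delete fails while winlogon.exe still has the file mapped.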
 
