Trojan.Vundo

Thread starter: Guest

I have identified the Trojan.Vundo virus. It is in a file pmkjk.dll which is
in Windows\system32

The Norton removal tool will not delete the file. I also cannot delete it,
even when signed on as Administrator. Have tried in Safe mode, done the
chkdsk \r and nothing seems to work.

It has been suggested that I need to reformat the drive and reinstall
everything. A rather drastic way to delete a file.

I think this has been posted before, but I have not been able to locate the
thread.

Oh, the computer is three weeks old, what a way to start out.
 
I found the following for you. If Re-formatting is an option, the following
may be worth a try first.
Good Luck

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.scripting.virus.discussion
microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache
Tools --> Options --> Privacy --> Cache --> Clear

1) Download TrendMicro Sysclean by one of the following 2 methods

Trend Sysclean Method 1
---------------------------------------
Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\sysclean")

Download SYSCLEAN.COM and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example; lpt604.zip

Extract the contents of the ZIP file and place the contents in the same
directory as SYSCLEAN.COM.

Trend Sysclean Method 2
---------------------------------------
Download the utility SYSCLEAN_FE at the following URL --
http://www.ik-cs.com/got-a-virus.htm
SYSCLEAN_FE automates the download and execution process of the Trend
Sysclean Package.
Direct URL --
http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe

2) Download and install Ad-aware SE (free personal version v1.05)
http://www.lavasoftusa.com/
3) Update Adaware with the latest definitions then exit the software.
4) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
5) Reboot your PC into Safe Mode and shutdown as many applications as possible
6) Using the Trend Sysclean and Ad-aware SE utilities, perform a Full Scan of
your platform and clean/delete any infectors found
7) Restart your PC and perform a "final" Full Scan of your platform using
both Trend Sysclean and Ad-aware SE
8) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
9) Reboot your PC.
10) Create a new Restore point
 
> I have identified the Trojan.Vundo virus. It is in a file pmkjk.dll
> which is in Windows\system32
>
> The Norton removal tool will not delete the file. I also cannot delete
> it, even when signed on as Administrator. Have tried in Safe mode,
> done the chkdsk \r and nothing seems to work.
>
> It has been suggested that I need to reformat the drive and reinstall
> everything. A rather drastic way to delete a file.
>
> I think this has been posted before, but I have not been able to
> locate the thread.
>
> Oh, the computer is three weeks old, what a way to start out.

what is the error message when you try to delete it ?
 
Dave Frick said:
> I have identified the Trojan.Vundo virus. It is in a file pmkjk.dll which
> is in Windows\system32
>
> The Norton removal tool will not delete the file. I also cannot delete it,
> even when signed on as Administrator. Have tried in Safe mode, done the
> chkdsk \r and nothing seems to work.
>
> It has been suggested that I need to reformat the drive and reinstall
> everything. A rather drastic way to delete a file.
>
> I think this has been posted before, but I have not been able to locate
> the thread.
>
> Oh, the computer is three weeks old, what a way to start out.

Symantec do a removal tool at
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
 
access to file denied. As a .dll file, I think it is activated during
start-up, and being "in use", cannot be renamed, deleted, or moved.
 
This is the first thing I tried. Used the tool in regular mode and in safe
mode. As a .dll file, I think it is considered "in use" and cannot be changed.
 
I think these are all virus identify tools. I have found the problem, now it
is a Windows problem. Since it is a .dll file in system32 directory, it is
considered "in use" after start up, and Windows will not allow any changes.
 
Have you done research with various anti-virus companies and not just Norton?
Try Panda, AVG, and Inoculate. They might have different ideas on how to
remove it.
 
Have you tried to download Spybot at www.spybot.com and then running it to
see if it would delete the Trojan? Or Adaware?
Nothing Ventured, Nothing Gained. I had good luck with the programs when I
had a backdoor something Trojan dialing a Beer.com site. Norton's wasn't even
able to find it and yet I watched it connect to the site and would disconnect
each time. I was told to try those two programs, I did and problem was
solved. Won't guarantee that will be your case, but hey! It is worth a try
and less than an hour in time.
 
Dave Frick said:
> This is the first thing I tried. Used the tool in regular mode and in safe
> mode. As a .dll file, I think it is considered "in use" and cannot be
> changed.

The only other way is to hit F8 when booting and load command prompt only.
Navigate to the directory using DOS commands e.g. CD windows\system32.
Then use del pmkjk.dll
 
Dave said:
> I have identified the Trojan.Vundo virus. It is in a file pmkjk.dll which
> is in Windows\system32
>
> The Norton removal tool will not delete the file. I also cannot delete it,
> even when signed on as Administrator. Have tried in Safe mode, done the
> chkdsk \r and nothing seems to work.
>
> It has been suggested that I need to reformat the drive and reinstall
> everything. A rather drastic way to delete a file.
>
> I think this has been posted before, but I have not been able to locate
> the thread.
>
> Oh, the computer is three weeks old, what a way to start out.

No kidding!

Should you have to end up reformatting your hard drive to clean this malware
off, you may as well install a real operating system that is immune to this
crap. You'd be doing yourself and others on the Net a huge favour by having
one less insecure toy operating system out there.
 
> Should you have to end up reformatting your hard drive to clean this malware
> off, you may as well install a real operating system that is immune to this
> crap. You'd be doing yourself and others on the Net a huge favour by having
> one less insecure toy operating system out there.

I like your idea. I am going to buy a KVM switch, install SuSE on a clean
computer and gradually switch over.
 
Hi Dave,

Do a Google search for "MoveOnBoot" or "Killbox"! These little
utilities let you specify any "undeletable" file which is in use by
Windows after any startup. You can set different options like Rename, Move,
Delete and once you do a reboot, the utility will kick in before Windows
gets a lock on the file and carries out the option you specified.

I like MoveOnBoot better than Killbox, but that's just my preference.

Works very well.

Hope this helps.

Tom
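
Added example, not part of Tom's post or of either utility: Windows has a built-in "act on this file at next boot" queue, written by MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT into the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and the Python below decodes that value's raw bytes so you can see what is scheduled before rebooting. That MoveOnBoot or Killbox use this queue is an assumption; the C: drive letter, the second entry and the helper names are constructed for illustration.

```python
# Added example: decode the raw bytes of PendingFileRenameOperations.
# The value holds string pairs (source, destination); an empty destination
# means "delete the source at boot", a leading "!" means "replace existing".
NT_PREFIX = "\\??\\"          # NT object-namespace prefix stored on each path


def _strip_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(raw):
    """Return a list of (action, source, destination) tuples."""
    parts = raw.decode("utf-16-le").split("\0")
    if parts and parts[-1] == "":
        parts.pop()                       # nothing follows the final NUL
    if len(parts) % 2 == 1 and parts[-1] == "":
        parts.pop()                       # REG_MULTI_SZ list terminator
    if len(parts) % 2:
        raise ValueError("odd number of strings: value truncated or corrupt")
    ops = []
    for src, dst in zip(parts[0::2], parts[1::2]):
        src = _strip_prefix(src)
        if dst == "":
            ops.append(("delete", src, None))
            continue
        replace = dst.startswith("!")
        if replace:
            dst = dst[1:]
        ops.append(("replace" if replace else "rename", src, _strip_prefix(dst)))
    return ops


def _multi_sz(strings):
    """Build constructed sample data in REG_MULTI_SZ layout."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


# Constructed sample: one delete-on-reboot entry for the DLL named in this
# thread, plus one made-up replace entry.
SAMPLE = _multi_sz([
    r"\??\C:\WINDOWS\system32\pmkjk.dll", "",
    r"\??\C:\WINDOWS\Temp\setup.tmp", r"!\??\C:\WINDOWS\system32\example.dll",
])

if __name__ == "__main__":
    for action, src, dst in parse_pending_renames(SAMPLE):
        print(action, src, "->", dst)
```

The same listing is worth checking after a cleanup tool asks for a reboot: an entry you did not expect, especially one replacing a file under system32, deserves a look before restarting.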
 
Dave

Did you notice this in the notes for using the Removal Tool?

Important: You must have administrative rights to run this tool on
Windows NT 4.0, Windows 2000, or Windows XP.


--


Hope this helps.

Gerry
~~~~~~~~~~~~~~~~~~~~~~~~
FCA

Using invalid email address

Stourport, Worcs, England
Enquire, plan and execute.
~~~~~~~~~~~~~~~~~~~~~~~~
Please tell the newsgroup how any
suggested solution worked for you.
~~~~~~~~~~~~~~~~~~~~~~~~
 
Dave Frick said:
> I have identified the Trojan.Vundo virus. It is in a file pmkjk.dll which is
> in Windows\system32
>
> The Norton removal tool will not delete the file. I also cannot delete it,
> even when signed on as Administrator. Have tried in Safe mode, done the
> chkdsk \r and nothing seems to work.
>
> It has been suggested that I need to reformat the drive and reinstall
> everything. A rather drastic way to delete a file.
>
> I think this has been posted before, but I have not been able to locate the
> thread.
>
> Oh, the computer is three weeks old, what a way to start out.

Boot from CD and use the Recovery Console option. It will let you "login" to
the C drive from DOS and delete the file.
 
> I have identified the Trojan.Vundo virus. It is in a file pmkjk.dll which
> is in Windows\system32
>
> The Norton removal tool will not delete the file. I also cannot delete it,
> even when signed on as Administrator. Have tried in Safe mode, done the
> chkdsk \r and nothing seems to work.
>
> It has been suggested that I need to reformat the drive and reinstall
> everything. A rather drastic way to delete a file.
>
> I think this has been posted before, but I have not been able to locate
> the thread.
>
> Oh, the computer is three weeks old, what a way to start out.

Use the Recovery Console to delete the file (Recovery Console can be
loaded from the XP disk).
 
Vundo (AKA Winfixer) is a nasty bit of hijackware. Removing all traces of
it will require posting your HijackThis log to an appropriate forum and
getting help from an expert (e.g.,
http://www.aumha.net/viewtopic.php?t=13171).

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/archive/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine.blogspot.com/

When all else fails, HijackThis v1.99.1
(http://aumha.net/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. **Post
your log to http://forums.spywareinfo.com/,
http://castlecops.com/forum67.html or http://aumha.net/viewforum.php?f=30
for expert analysis, not here.**
 