Can't Remove Trojan.Vundo.B !

Discussion in 'malware problems & news' started by hard-to-live, Apr 29, 2005.

Thread Status:
Not open for further replies.
  1. Mar

    Mar Guest

    THANK YOU! THANK YOU! THANK YOU!

    I have been liberated! Special thanks to GEMLAM. I ended up using a combination of the advice given and voila - it worked! The only way that I could get safe mode to work was by going in to RUN and typing msconfig, then into the BOOT.INI tab and checking off /SAFEBOOT. You just have to remember to go back after you run the scan & the delete tool, and uncheck it. I also went into the registry and removed the three suggested subkeys. (suggested by Symantec)

    Thank you again.
    Mar
     
  2. aaprocto

    aaprocto Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    4
    hello all,
    i tried the fix that longleaf proposed (post #24) for my mother's computer... i talked her through exactly what he posted and while in safe mode the removal tool removed no registry keys and found no instances of the virus. then, on a normal restart the norton virus warning popped up and stayed again. seems like that approach didn't work...any other ways that worked? i'd appreciate any help or feel free to email me <removed>

    thanks,
    aaprocto

    Email address removed to prevent harvesting--Ron
     
    Last edited by a moderator: May 2, 2005
  3. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Ok and just where did it find this when it popped up..did you get the file path and location ??..and what is the OS ?? and how many users and accounts on the PC ?

    sorry we do not do emails and not a good idea to ever post your email addy in an open forum ;)
     
  4. aaprocto

    aaprocto Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    4
    there are 3 user accounts, 2 personal and 1 administrative. it is windows XP w/ SP2. she told me it was originally found by norton in the "windows" folder in "fonts". whatever that means. hope this clears things up....yeah, prob. not good idea to post email, i wasn't thinking.
     
  5. nifd

    nifd Guest

    I am having a similar problem, running on XP home edition. I have one personal and the Administrator account. Norton always warns of TrojanVundo.B infecting c:\WINDOWS\ServicePackFiles\winsys.dll

    It won't allow deletion or access even after unregistering it in safe mode. The norton remover tool never finds it in any mode or any user. I've tried seemingly everything- including the entire lengthy shakedown here: http://forums.majorgeeks.com/showthread.php?t=35407
    Haven't done a Hijack This log yet, but I don't know how to interpret it.
    It's been over a week and I'm getting weary.. around the same time as this popped up my Outlook also stopped getting/receiving to my SMTP and Pop servers. help!
     
  6. aaprocto

    aaprocto Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    4
    bump on this last post, sounds like the problem i'm trying to fix exactly....have you tried any of the other fixes?? i'm sure a combination of them would work, but i don't know if i talk my mom through it on the phone you know....
     
  7. nifD

    nifD Guest

    Found the solution at last!! Apparently Norton has finally got on top of it and re-released the Trojan.Vundo.B removal tool, this one works whereas the old one didn't. Here it is: http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.b.removal.tool.html

    It totally worked and cleared up my email problem too. My subscription was up so I also ordered the Norton 2005 version in hopes it will protect me better.
    Here's the forum where I found the link in the first place:
    http://forums.majorgeeks.com/forumdisplay.php?f=35

    good luck!
     
  8. n3m3sis

    n3m3sis Registered Member

    Joined:
    May 4, 2005
    Posts:
    1
    Shut down System restore. Go to symantec and download the upgraded Trojan Vundo .B removal tool. Reboot your pc in safe mode (if your antivirus program is active in safe mode switch it off or disable it), run the removal tool. It should correct 5 registration entries and say that there is one (or more) files that it will delete on reboot. After this message reboot your system back to safe mode and run the tool again - it should come back with "Trojan Vundo .B not found on this system". You can then reboot back to normal mode and switch back on system restore. Upgrade your virus definitions to the latest ones and update all your anti-spyware software as well.
     
  9. rosco1011

    rosco1011 Guest

    my situation is slightly different, but a number of similarities.
    i do not have norton av yelling at me about vundo infection. in fact it's extremely quiet. but a number of things suggest that i do have it, or a variant.

    i first noticed that explorer.exe was hogging cpu cycles, starting around the 27th april (like others here). shutting down the process and restarting it did sometimes restore things to normal, sometimes not. looking at norton internet security logs i find that the restarted explorer was immediately trying to access obaldulam.net. hence google searching has brought me here. blocking this IP solved the explorer cpu problem, but obviously i still have some trojan present. the vundo removal tools (both) do not even detect the trojan, let alone remove it. therefore i do not know the whereabouts or name of the infective dll that explorer is using, so also cannot try manual removal.

    so, anyone have any ideas on this one? even though i *may* have neutered the trojan, it's still present on my system and i'm not confident in accessing my bank account etc until i'm sure it's been removed.

    cheers
    rosco
     
  10. rosco1011

    rosco1011 Guest

    oh, yes.
    and also, trying to boot into safe mode results in a blank screen as explorer fails to load. activating explorer.exe from command prompt (which is only thing functioning at this stage) starts it loading then fails again and again, clapping out just after you get the message asking whether you want to load safe mode or not. clicking yes quickly does not help.

    nasty piece of work this trojan.

    rosco
     
  11. Leven

    Leven Guest

    Hi!
    I'm about to freak out soon... I have had the virus for about a week now, and I can't remove it. It's in my windows/security/cvcsys.dll Haven't heard about any others having that file... I have tried everything! (I believe) So I would be very happy if anyone could help me... No more Norton after this! The Tool doesn't work for me!!!
     
  12. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    I never heard of any legit file called cvcsys.dll..what other files do you have in that folder called security ? Did you make that folder yourself? ..nevertheless you can submit a copy of it to (upload)...

    http://virusscan.jotti.org/
    and see what they call it..

    and if you need help with the rest of it

    First do these steps

    Guidelines for Posting in This Forum, READ THIS FIRST PLEASE


    http://forum.gladiator-antivirus.com/index.php?showtopic=10517

    Then post your hijackthis log in a new topic at that GSF forum


    HELP! Think you are Infected?


    http://forum.gladiator-antivirus.com/index.php?showforum=170


    To use that forum you must first register at their Board.
     
  13. Leven

    Leven Guest

    Thank U for trying to help!

    I tried to run the file through the link u sent me, but it didn't work out. Couldn't send file to...........blablabla! And I'm new at this! Sorry to be an idiot, but so it is... I'm hoping for a tool to help me, but it doesn't look to come for a while.

    I talked to a friend who knows a bit about it, and he told me to repair the files with a boot from windows-cd, but i didn't manage to do the...

    I thought the virus trojan.vundo.b would be easy to remove. That was what the symantec site wrote........... but nope........
    :-(

    The folder SECURITY wasn't made by me, don't know where it comes from, but the symantec site says:

    Saves and executes the .dll file in any of the following folders:


    %Windir%\addins
    %Windir%\AppPatch
    %Windir%\assembly
    %Windir%\Config
    %Windir%\Cursors
    %Windir%\Driver Cache
    %Windir%\Drivers
    %Windir%\Fonts
    %Windir%\Help
    %Windir%\inf
    %Windir%\java
    %Windir%\Microsoft.NET
    %Windir%\msagent
    %Windir%\Registration
    %Windir%\repair
    %Windir%\security
    %Windir%\ServicePackFiles
    %Windir%\Speech
    %Windir%\system
    %Windir%\system32
    %Windir%\Tasks
    %Windir%\Web
    %Windir%\Windows Update Setup Files
    %Windir%\Microsoft

    I'm too tired now! I'm still hoping to get some help, but maybe I'm too stupid to get helped..........:-/
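
A triage sketch for the folder list quoted from Symantec in the post above (an added example, not part of the thread and not Symantec's tool): it lists DLLs modified recently inside those folders so a helper can pick candidates to upload to a scanner. The function name `recent_dlls`, the 30-day window and the use of Python are assumptions.

```python
import os
import time

# Folder names copied from the Symantec list quoted in the post above.
DROP_DIRS = [
    "addins", "AppPatch", "assembly", "Config", "Cursors", "Driver Cache",
    "Drivers", "Fonts", "Help", "inf", "java", "Microsoft.NET", "msagent",
    "Registration", "repair", "security", "ServicePackFiles", "Speech",
    "system", "system32", "Tasks", "Web", "Windows Update Setup Files",
    "Microsoft",
]


def recent_dlls(windir, since_epoch):
    """Return (path, mtime) for .dll files sitting directly inside the listed
    folders and modified at or after since_epoch, newest first."""
    wanted = {d.lower() for d in DROP_DIRS}  # Windows names are case-insensitive
    hits = []
    for entry in os.scandir(windir):
        if not entry.is_dir() or entry.name.lower() not in wanted:
            continue
        try:
            files = list(os.scandir(entry.path))
        except OSError:
            continue  # folder not readable with current rights; skip it
        for f in files:
            if f.is_file() and f.name.lower().endswith(".dll"):
                mtime = f.stat().st_mtime
                if mtime >= since_epoch:
                    hits.append((f.path, mtime))
    # Modification times can be altered, so hits are leads, not proof.
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    cutoff = time.time() - 30 * 86400  # assumed review window: last 30 days
    for path, mtime in recent_dlls(windir, cutoff):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
        print(stamp, path)
```

The date filter matters because folders such as system32 hold a large number of legitimate DLLs, while a DLL in Fonts or security is unusual enough to check first.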
     
  14. Jud 1

    Jud 1 Guest

    Go to the symantec website and download the removal tool. I had this trojan but it is easy to remove. Just follow the instructions.
     
  15. rosco1011

    rosco1011 Guest

    although norton had not alerted me to my trojan, an online scan from trend micro did. it's not vundo though. an infected dll was identified, but deletion could not occur as it was linked into explorer, iexplorer and winlogon (like vundo).

    don't know if this is relevant to you guys, but deleting the file was pretty easy via the windows xp recovery console. bang, it's gone. no more trojan activity.

    cheers
    rosco
     
  16. Stan H.

    Stan H. Guest

    Thanks to this Forum. We followed the instructions of #24 post (LongLeaf) and were able to remove Win32.Vindo.af as reported by eTrust AV and Win32.Vundo.h as reported by Trend Micro's housecall. We've been attempting to eliminate this thing since April 26 with no success. eTrust reports it but doesn't remove. AVG doesn't report it. Trend Micro reports but doesn't remove. Keep up the great job. Stan
     
  17. TimPrice

    TimPrice Registered Member

    Joined:
    May 29, 2005
    Posts:
    1
    I have seen several answers as to how to get this virus off a computer. However, since I am a rank amateur I do not understand how to get the removal tool to an easy spot such as my desktop to operate from safe mode.

    When I download the tool it wants to launch immediately and there is no way I can see to save it somewhere.

    Can anybody help?
     
  18. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Do a right click on the D/L button, choose 'save target as' and save to a file you create in (for example) C:\Program Files\Vundo Tool. You can then create a shortcut for the tool in this location (by right clicking the tool in Explorer) and put the icon on your desktop. You can then run it in 'safe' by clicking the desktop icon.
     