Vundo



I have a Windows XP Home SP2 PC infected with the Vundo trojan. Norton AV
detects it but can't remove it. I've used Vundo removal tools from a few
sites. None can remove it. I've also done manual removal by deleting files
and registry entries. That does not work either (and yes I always boot into
safe mode).

Here's a list of things that I have done (Note: I do all my virus removal
work in Safe Mode. Never in normal mode):

- Boot into Safe Mode.

- Use VundoFix from atribune.org to scan and clean Vundo. It detects and
deletes a few files. Some malicious DLLs (for example GEBXVTT.DLL in
C:\Windows\System32) cannot be deleted (in use by another program).

- Restart the system and use NTFS4DOS from free-av.com to (clean) boot into
command prompt with NTFS support to remove malicious DLL files created by
the trojan. Delete all infected files that VundoFix fails to delete in safe
mode. All bad files are successfully deleted.

- Restart the system into Safe Mode. Malicious files get recreated. They're
back in place.

- Use regedit in Safe Mode. Delete registry keys that should be there (I
know they're created by trojan). Key gets recreated in a split second as
soon as I delete it. This is why I know the trojan is alive in safe mode.

- Remove the (infected) HD and install the HD in a clean PC as secondary
master. Then boot the PC (primary master - clean OS with Antivir virus
software installed). The system detects a new HD but does not assign a drive
letter. This means I can't access the data in the HD. Windows Disk
Management shows the new HD but does not 'mount' it or assign a drive
letter.

I've run out of ideas. My last resort would be to reformat the HD and reinstall
the OS, but I don't want to lose the data. If I back it up, I'm afraid the trojan
will reinfect the PC when the data is restored.

Does anyone have any ideas? Thanks.

