Thread: Vundo

  1. #1
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424

    Vundo

    I'm working on a customer's computer (XP SP2), and I'm running out of options. PC has Norton on it, which picked up "Trojan.Vundo". It can't delete it - they have a removal tool, but that doesn't work (it doesn't detect anything, while Norton itself goes crazy... I'm not the only one having that behavior).

    The culprit is a "plmnnl.dll" in windows\system32\ and I can't get rid of it... Killbox can't do it, the "vundofix" tool from Atribune can't do it...
    All the instructions I can find are along the same lines: http://geekstogo.com/forum/index.php...T&f=37&t=69350 - and that doesn't work at all for me....
    I've tried WinPatrol (sees a plmnn.dll BHO, but can't delete it), HiJackThis, running The Cleaner right now...

    Anyone ever seen this thing?

  2. #2
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    Hi Neg,

    Are you referring to the Symantec tool?

    Eg

    http://www.softpedia.com/get/Antivir...val-Tool.shtml
    Download Trojan.Vundo.B Free Removal Tool 1.0.0 - remove the ...

    http://securityresponse.symantec.com...oval.tool.html
    Symantec Security Response - Trojan.Vundo Removal Tool

    http://msmvps.com/donna/archive/2004/11/25/20663.aspx
    Trojan.Vundo

  3. #3
    Senior Member hesperus's Avatar
    Join Date
    Jan 2005
    Posts
    416
    Sorry I can't offer much help besides trying a bootable cd, but I stumbled on this post in a forum :


    Posted: Mon Oct 10, 2005 4:42 pm Post subject: Trojan.Vundo

    I have the same virus! I got it Friday. Norton detects it but won't remove it. I used the removal tool from Symantec but it didn't work. I tried manual removal and that didn't work. I called Symantec and they said it was a variant of the Trojan.Vundo that had been out before. They hoped to have a patch out "within 48 hours" from Saturday (10/8/05) afternoon. They recommended that if I had my Windows XP cd I could use the recovery console and manually delete the file. What does this do with the registry? I am on travel and don't have the disk on me. I am waiting for the patch.
    http://www.bytesector.com/forums/viewtopic.php?t=1089

    Looks like you're not alone.

  4. #4
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    Hi Neg,

    I GOT RID OF IT!!! After about 6 hours of trying today this site works! Thank you asdf26asdf26 for referring the site!

    http://forums.techguy.org/history/f-54.html

    Follow the instructions but you might have to alter it to fit the file on your computer...towards the end I got the 'blue screen of death' and was nervous so I shut down the computer and when I restarted it NAV's alert wasn't showing up anymore and I can't find the file anymore, where before it was showing and I couldn't get rid of it! I'm scanning to make sure it's completely gone...but using this site is worth a shot since it worked for me!
    http://www.computing.net/security/ww...rum/16663.html
    Computing.Net - Trojan.Vundo Virus Unable Repair

  5. #5
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Use a live cd or slave the drive. Then delete the registry entries and all associated files. You can always do a repair install if this fisks the os.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  6. #6
    Senior Member hesperus's Avatar
    Join Date
    Jan 2005
    Posts
    416
    There is some confusion in the thread Eg links to, and the link in the quote isn't specific.

    This is the correct one :

    http://forums.techguy.org/t404827&hi...jan.vundo.html

  7. #7
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Hey Neg,

    The most likely reason the tool didn't work is because they renamed the .exe and it will be found not only in the Registry, but also C:\WINDOWS\SYSTEM32 and C:\DOCUMENTS AND SETTINGS\USER\LOCAL\SETTINGS\TEMP\ . The names you will be looking for will be any variant of Virtual Monde or Vundo, (i.e. virtumonde, vmmonde, vunde, etc.) .exe

    Of course there will be a couple of dll files and those are hard to find. However their size should be around 85000 bytes (Don't remember their exact size, but they will be the same size).

    Usually there is a Temp File called (or some variant) of vmtemp.

    Most likely an entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and/or RunOnce

    HijackThis should find the BHO for you in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\.

    Also look in HKEY_CLASSES_ROOT\ for anything that is a variant of Events.

    I don't know how much this will help but I had to do this when I got rid of this one and the Aurora on a friend's box.

    Oh yes, Ewido and WinPatrol led me to many of the files and were a great help.

    cheers
    Connection refused, try again later.

  8. #8
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    It seems like I've gotten rid of it... Ewido was a great help (took care of 32 crapware thingies), but couldn't deal with the main Vundo infection. I ended up using BartPE to get rid of the pmnll.dll (and llnmp.ini, pmnll.ini and some other variations... all +R +S +H in Windows\System32). There only seemed to be one ref to pmnll.dll in the registry...
    Right now Norton is scanning the box...

    Thanks all!
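
The file-side hunt from posts #7 and #8, as an added example that is not part of the original thread: it flags hidden+system DLLs in a directory listing and notes companion .ini files (same stem, or the stem reversed, as with pmnll.dll and llnmp.ini) and other hidden DLLs of identical size. The function names, the sample listing, its sizes and the name qrstu.dll are constructed for illustration; the results are leads for manual review, not verdicts.

```python
import os
from collections import defaultdict

# Windows file attribute bits: FILE_ATTRIBUTE_HIDDEN and FILE_ATTRIBUTE_SYSTEM
HIDDEN, SYSTEM = 0x2, 0x4
HS = HIDDEN | SYSTEM

def scan_dir(path):
    """Collect (name, size, attrs) per file. Attributes are only populated
    when run on Windows, e.g. from BartPE or against a slaved drive."""
    rows = []
    for entry in os.scandir(path):
        if entry.is_file(follow_symlinks=False):
            st = entry.stat(follow_symlinks=False)
            rows.append((entry.name, st.st_size,
                         getattr(st, "st_file_attributes", 0)))
    return rows

def triage(rows):
    """Return {dll_name: [reasons]} for hidden+system DLLs worth a look."""
    names = {name.lower() for name, _, _ in rows}
    hidden_by_size = defaultdict(list)
    for name, size, attrs in rows:
        if name.lower().endswith(".dll") and (attrs & HS) == HS:
            hidden_by_size[size].append(name)
    findings = {}
    for dlls in hidden_by_size.values():
        for name in dlls:
            stem = name.lower()[:-4]
            reasons = ["hidden+system"]
            if stem + ".ini" in names:
                reasons.append("same-name .ini")
            if stem != stem[::-1] and stem[::-1] + ".ini" in names:
                reasons.append("reversed-name .ini")
            if len(dlls) > 1:  # post #7: the DLLs share one size
                reasons.append("size twin")
            findings[name] = reasons
    return findings

# Constructed sample listing (file names from post #8 plus made-up entries).
SAMPLE = [
    ("pmnll.dll", 85000, 0x7), ("pmnll.ini", 512, 0x7),
    ("llnmp.ini", 90112, 0x7), ("qrstu.dll", 85000, 0x7),
    ("kernel32.dll", 989696, 0x20), ("desktop.ini", 84, 0x6),
]

if __name__ == "__main__":
    for dll, why in triage(SAMPLE).items():
        print(dll, "->", ", ".join(why))
```

On a real box, pass `scan_dir(r"D:\WINDOWS\system32")` (drive letter assumed) to `triage` from the live CD or the host the drive is slaved to, so the files are not locked by the running infection.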