-
October 10th, 2005, 10:45 PM
#1
Vundo
I'm working on a customer's computer (XP SP2), and I'm running out of options. PC has Norton on it, which picked up "Trojan.Vundo". It can't delete it - they have a removal tool, but that doesn't work (it doesn't detect anything, while Norton itself goes crazy... I'm not the only one having that behavior).
The culprit is a "plmnnl.dll" in windows\system32\ and I can't get rid of it... Killbox can't do it, the "vundofix" tool from Atribune can't do it...
All the instructions I can find are along the same lines: http://geekstogo.com/forum/index.php...T&f=37&t=69350 - and that doesn't work at all for me....
I've tried WinPatrol (sees a plmnn.dll BHO, but can't delete it), HiJackThis, running The Cleaner right now...
Anyone ever seen this thing?
-
October 10th, 2005, 11:08 PM
#2
Hi Neg,
Are you referring to the Symantec tool?
Eg
http://www.softpedia.com/get/Antivir...val-Tool.shtml
Download Trojan.Vundo.B Free Removal Tool 1.0.0 - remove the ...
http://securityresponse.symantec.com...oval.tool.html
Symantec Security Response - Trojan.Vundo Removal Tool
http://msmvps.com/donna/archive/2004/11/25/20663.aspx
Trojan.Vundo
-
October 10th, 2005, 11:09 PM
#3
Sorry I can't offer much help besides trying a bootable cd, but I stumbled on this post in a forum :
Posted: Mon Oct 10, 2005 4:42 pm Post subject: Trojan.Vundo
I have the same virus! I got it Friday. Norton detects it but won't remove it. I used the removal tool from Symantec but it didn't work. I tried manual removal and that didn't work. I called Symantec and they said it was a variant of the Trojan.Vundo that had been out before. They hoped to have a patch out "within 48 hours" from Saturday (10/8/05) afternoon. They recommended that if I had my Windows XP cd I could use the recovery console and manually delete the file. What does this do with the registry? I am on travel and don't have the disk on me. I am waiting for the patch.
http://www.bytesector.com/forums/viewtopic.php?t=1089
Looks like you're not alone.
-
October 10th, 2005, 11:14 PM
#4
Hi Neg,
I GOT RID OF IT!!! After about 6 hours of trying today this site works! Thank you asdf26asdf26 for referring the site!
http://forums.techguy.org/history/f-54.html
Follow the instructions but you might have to alter it to fit the file on your computer... towards the end I got the 'blue screen of death' and was nervous so I shut down the computer and when I restarted it NAV's alert wasn't showing up anymore and I can't find the file anymore, where before it was showing and I couldn't get rid of it! I'm scanning to make sure it's completely gone... but using this site is worth a shot since it worked for me!
http://www.computing.net/security/ww...rum/16663.html
Computing.Net - Trojan.Vundo Virus Unable Repair
-
October 10th, 2005, 11:14 PM
#5
Use a live cd or slave the drive. Then delete the registry entries and all associated files. You can always do a repair install if this fisks the OS.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
October 10th, 2005, 11:34 PM
#6
There is some confusion in the thread Eg links to, and the link in the quote isn't specific.
This is the correct one :
http://forums.techguy.org/t404827&hi...jan.vundo.html
-
October 10th, 2005, 11:51 PM
#7
Hey Neg,
The most likely reason the tool didn't work is because they renamed the .exe and it will be found not only in the Registry, but also C:\WINDOWS\SYSTEM32 and C:\DOCUMENTS AND SETTINGS\USER\LOCAL\SETTINGS\TEMP\ . The names you will be looking for will be any variant of Virtual Monde or Vundo, (i.e. virtumonde, vmmonde, vunde, etc.) .exe
Of course there will be a couple of dll files and those are hard to find. However their size should be around 85000 bytes (Don't remember their exact size, but they will be the same size).
Usually there is a Temp File called (or some variant) of vmtemp.
Most likely an entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and/or RunOnce
HijackThis should find the BHO for you in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\.
Also look in HKEY_CLASSES_ROOT\ for anything that is a variant of Events.
I don't know how much this will help but I had to do this when I got rid of this one and the Aurora on a friend's box.
Oh yes, Ewido and WinPatrol led me to many of the files and were a great help.
cheers
Connection refused, try again later.
-
October 11th, 2005, 02:13 AM
#8
It seems like I've gotten rid of it... Ewido was a great help (took care of 32 crapware thingies), but couldn't deal with the main Vundo infection. I ended up using BartPE to get rid of the pmnll.dll (and llnmp.ini, pmnll.ini and some other variations... all +R +S +H in Windows\System32). There only seemed to be one ref to pmnll.dll in the registry...
Right now Norton is scanning the box...
Thanks all!
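
An added example, not posted by anyone in this thread: a small triage script for a copy of Windows\System32 mounted offline (slaved drive or BartPE), combining the hints from posts #7 and #8. It flags DLLs that sit next to an .ini file with the same or reversed name (the pmnll.dll / pmnll.ini / llnmp.ini pattern), DLLs that share an identical size, and DLLs carrying +R +S +H. The function names, the size window and the sample directory are assumptions made for illustration.

```python
import os
import tempfile
from collections import defaultdict

RSH = 0x1 | 0x2 | 0x4  # FILE_ATTRIBUTE_READONLY | HIDDEN | SYSTEM

def triage(directory, size_range=(50_000, 150_000)):
    """Flag DLLs worth a manual look in an offline-mounted System32 copy."""
    ini_stems, dlls = set(), {}
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        stem, ext = os.path.splitext(entry.name.lower())
        if ext == ".ini":
            ini_stems.add(stem)
        elif ext == ".dll":
            dlls[stem] = entry.stat()
    # Post #8 pattern: a DLL next to an .ini with the same or the reversed name.
    paired = sorted(s + ".dll" for s in dlls
                    if s in ini_stems or s[::-1] in ini_stems)
    # Post #7 hint: the DLLs share one size (the window itself is an assumption).
    by_size = defaultdict(list)
    for stem, st in dlls.items():
        if size_range[0] <= st.st_size <= size_range[1]:
            by_size[st.st_size].append(stem + ".dll")
    same_size = sorted(sorted(g) for g in by_size.values() if len(g) > 1)
    # +R +S +H is only readable where the OS exposes Windows file attributes.
    rsh = sorted(s + ".dll" for s, st in dlls.items()
                 if (getattr(st, "st_file_attributes", 0) & RSH) == RSH)
    return {"ini_paired": paired, "same_size": same_size, "rsh": rsh}

def demo():
    """Run triage over a constructed directory (names and sizes are sample data)."""
    sample = {"pmnll.dll": 85000, "llnmp.ini": 10, "pmnll.ini": 10,
              "abcde.dll": 85000, "kernel32.dll": 1000, "win.ini": 10}
    with tempfile.TemporaryDirectory() as d:
        for name, size in sample.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"\0" * size)
        return triage(d)

if __name__ == "__main__":
    print(demo())
```

Same-size matches are only leads, since legitimate DLLs can share a size; check each hit against the BHO and Run/RunOnce entries before deleting anything.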