Trojan.vundo has been found on my system by nortan anti virus. The tool can not find it and the norton can't fix it because file access is denied. I have tried running in safe mode and running scan ans still no joy. Also have searched for the registry changes and none of the ones have been found. Yet Norton anitvirus still claims that it has been detected on my comp. Any advice on how to remove? Details would be nice as I am not a computer expert.

If you scroll down there's a whole thread on trying to remove this - it's message 16663.

I'm getting ready to try one of the suggestions there.

Good luck!

You will most likely need to post a Hijack This log so that the files associated with vundo can be identified. You can download Hijack This at this link http://www.tomcoyote.org/hjt/ then place it into a folder of it's on, such as C:\HJT, so that back up copies can be made and not clutter your desktop or other folders and the backup copies of deleted items can be easily located if needed.

Once saved double click HijackThis.exe, and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents into the text editor.

I will be glad to to a look at your computer for you.

Hello jabuck,

Can you look up my log for me please? I'm not a computer whiz so details info would be great.

Here goes:

Logfile of HijackThis v1.99.1
Scan saved at 14:21:45, on 2005-10-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Magic Keyboard\MagicKey.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Magic Keyboard\V3D.exe
C:\Program Files\Magic Keyboard\OSD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\The Cleaner\cleaner.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www2.canoe.com/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\mlljk.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ItMonitor] C:\WINDOWS\WASAY\MONITOR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Magic Keyboard.lnk = C:\Program Files\Magic Keyboard\MagicKey.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msell2 - {9367D24B-8506-471A-915A-CFBB4BCEB631} - C:\Program Files\Fichiers communs\Microsoft Shared\Reference Titles\MSELL2.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Service de sécurité matérielle (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe

Download Process Explorer by Systernals from http://www.sysinternals.com/Files/ProcessExplorerNt.zip

Download KillBox by Option^Explicit from http://www.thespykiller.co.uk/files/killbox.exe

And follow these directions so that you know how to boot into safe mode http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

The rest of the fix will need to be done in safe mode.

Unzip Process Explorer and double click on procexp.exe

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of mlljk.dll once and then click the kill button.

After you have killed all of the mlljk.dll's under winlogon click ok.

Next do a search for mlljk and look for any .ini or bak files or other dll's with either the same name or the file name in reverse (kjllm) & kill them as well (write down the name and full path of any you find, you will need to delete them later)

Now double click on explorer.exe and again click once on each instance of mlljk.dll then click the kill button.

Then also look for any .ini or bak files or reverse named dll's with either the same name or the file name in reverse & kill them as well. You may have found these already but look again.

Click on the Threads tab at the top.

Once you have done that click ok again.

Next run HijackThis and place a check beside each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com

O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\mlljk.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll

Now click fix checked and close HT.

Now click fix checked and close HijackThis.

Please copy the text in the Code box below(just the text between the lines), and paste it into a blank notepad window.

Save it as vundo.reg and in the save as type box choose all files.

Once you have saved it double click it and allow it to merge with the registry.

----------------
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\CLSID\{581F22DA-7202-4F21-AEF3-114787156016}]

[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]

----------------

Now run killbox and type The FIRST ONE of the below lines into the box, select delete on reboot then press the red X button, say Yes to the prompt but No to reboot now.

C:\WINDOWS\system32\mlljk.dll

Then continue to type the lines in, in turn, and follow the above procedure every time, If it says file is missing, or if it says unable to delete then make a note of the file name and let us know when you reply.

Then repeat by typing in the full name of any of the reverse named .bak or .ini or other files that you discovered in the previous if there were any.

After you have input the last file name then click Yes to the first prompt, and Yes to Reboot now.

If your computer does not restart, restart it manually.

Also the messenger plus program you have installed often installs lop(a baddie) on your computer if it was installed with the "sponsor program'. But for now don't try to uninstall it or delete it with HT

After your computer has rebooted please run Hijackthis again and post a new HijackThis log.

I have the same problem! Would someone look at my log and give me advice as well? It would be much appreciated!

Hi,
I had this same exact problem, but I followed some instructions I found on Mcafee's website and the WORKED! Here's what I did:
1) Turn off system restore.
2) Download Process Explorer (procexp.exe) from Sysinternals (go to http://www.sysinternals.com/Utilities/ProcessExplorer.html)
3) Reboot the infected machine
4) Launch your Mcaffee or Norton virus scanner, but don't initiate the scan yet
5) Run Process Explorer and suspend the Explorer.exe, Winlogon.exe, and rundll32.exe processes (right-click on these process names and choose suspend). [I couldn't find rudnll32.exe, so I just suspended the other two and it worked.]
6) Scan & clean with the current DAT files and engine (the Window launched in step 3 above) [there will be clean failures, that is expected]
7) PHYSICALLY power the machine off and back on - this is key - a hard reset is required as Windows will not shutdown without Winlogon.exe running, and resuming that process will revert the changes made by the scanner.

This worked for me - good luck! I hope it does the same for you!

check out these instructions explaining how to remove trojan.vundo

by far the easiest way for me to kill trojan.vundo, was to download a free 14-day trial of Webroot's "SpySweeper" program. It works, its easy, its fast and its free.

I spent days with norton antivirus support trying to kill it with no results. I'm glad its finally gone now. (and to think that I paid nortons phone support $40 to unsuccessfully remove it just kills me)

I had the same problems with Trojan Vundo. Norton's real time feature would detect it, but would not clean it, the patch would not work, tried out Spydoctor... headache for a couple of days.

Thx, uncool, I tried Spysweeper from Webroot. Removed it like magic. And by far the easiest method of all those posted here. Here's the link.

http://www.webroot.com/consumer/

Thanks, uncool. Spysweeper worked great!!!
I called Geek Squad at Best Buy and they told me it would cost $110 to remove Trojan Venudo. That was with me bringing my PC in to the store. You are a genius!!! I love you guys!!!

Spysweepeer, its really wonderful.. Norton also couldnot remove this virus, it displayed virus removed, but still when I restart, I have that virus pop up.. I really got irritated.. Spysweeper is really excellent, it has worked greatly..

Guys, thanks for the message and link .. it really helped me a lot..

Spy Sweeper was definitely the solution that worked for me (I won't even go into everything I did over several days to try to get rid of this thing!). My offending file (as caught by NAV but not fixed by NAV) was \\winnt\system32\\ddayy.dll (ddayy part of the name will be different on each system infected).

Now I didn't even have to run Spy Sweeper in safe mode to make it work, but it was critical to do the following:
1) Turn off system restore
2) Turn off other anti-virus software running in background
3) Disconnect from net
4) And MOST important, suspend winlogon by using the Process Explorer tool from sysinternals.com
[if you don't do this, while you are deleting virtumonde (which is Spy Sweeper's name for this thing),this trojan will keep trying to add itself back].

Spy Sweeper was fantastic!! It found 4 total virus items (plus of course a hundred or so spy cookies), including virtumonde, lopdotcom, alyon & downloadware, and fixed everything (in memory, on the drive, and in the registry).

And just as important, it left my system IN TACT, unlike some other methods of removing this trojan which have left the user's system without the windows START button and all sorts of connectivity problems (internet, email, printers, etc).

Spy Sweeper completed the process in an absolutely clean fashion .. BRAVO

i cannot believe that this actually worked!!! my story mirrors all of yours - my husband and i were held hostage with this problem for 2 weeks with norton. can anyone suggest a preferable better program than norton or macaffee? i also had problems w/macaffee - that's why i switched to norton. help!!!

Virtumundo is one of the most persistent of Spyware strains and cannot be removed successfully without some manual surgical procedures. Switch your AV program to AVAST (www.avast.com); NOD32 (www.nod32.com) or Kaspersky (www.kaspersky.com) if you want to be protected long term. You must remove Norton AV prior to doing this

Johnny Kessel
Sr. Service Technician
EveryMethod Mobile Computing
http://www.everymethod.com
MCP; MCSE

This is great! You guys are so helpful. Thank you. I had this same problem with Trogan.vundo. NAV and their tech support were useless. I'm so glad I didn't bother calling their fee based tech support. You geniuses saving me some money, so thanks again!

I downloaded Spysweeper and the Process Explorer from Sysinternals (links are above), ran them and they worked like a charm. Now, to the best of my knowledge, I am virus free! I feel like a new person! What a relief!

Now that I've thanked you, I'm going to fire NAV and switch to AVAST (www.avast.com); NOD32 (www.nod32.com) or Kaspersky (www.kaspersky.com).