Norton Antivirus has given me a Virus Alert of High Risk that the Trojan.Vundo virus has been found on my computer. Under the "action taken" it says it's "unable to repair this file". I've run the Symantec removal tool and it does not find it on my computer. Norton keeps saying that I have this virus but is unable to fix the problem. My computer is operating very slowly. I ran a Hijack This program. I know that Norton recognized my virus as stated under C:\DOCUME~1\......\ipatksat.dat
I do have a Hijack This report. Any other suggestions are greatly appreciated. Thank you.
If the removal tool doesn't work, try backing up the file to floppy disk, just in case & then delete it from your system completely - as it's in Local Settings it won't be an important system file. You may have to delete it in Safe Mode if it's already running.
"I know that I'm mad - I've always been mad..."
Report Offensive Follow Up For Removal
try adaware-se scan as well,
empty temp folder,
empty temporary internet folder,
empty recycle bin,
try moving file to trash and reboot,
in safe mode (F8),
run scans again,
empty temp folders,
may need to turn off system restore first,
:)
Report Offensive Follow Up For Removal
Norton should be set up to Quarantine the file as a 2nd action if it can't repair it. Check your NAV configuration.
You may have to boot into Safe Mode to remove it.
Report Offensive Follow Up For Removal
What is strange is that Norton gives me the location of the virus but when I go to that location my computer does not show it. Trying to delete the file with Temporary File removal program doesn't work. I've tried Safe Mode and running the Symantec removal tool but that still doesn't work because it says I do not have a virus. I also have system restore turned off. I'm running out of hope.
Report Offensive Follow Up For Removal
Run MSCONFIG and disable every startup item and reboot. Run NAV and see if you get the same virus warning. Then add startup items, one at a time, until you get the error message again.
Possibly the file is hidden so you can't simply pull it up even in Safe Mode. While in Safe Mode change the folder properties to "show hidden and system files", check for that file, and then change its file attributes from "system" and "hidden" so you can delete it.
If you still can't find it my guess would be that ipatksat.dat is a temporary file created by some startup program on your system that doesn't run in Safe Mode and it has traces of some virus that NAV is set to detect. It's a false positive, in other words. You can check this by running MSCONFIG and use Selective Startup to uncheck all startup files then add them back in one at a time until NAV detects the virus file again. Then disable that file and report it to Symantec, see what they have to say about it.
Report Offensive Follow Up For Removal
The infected file might be hidden and locked by another process. So you need to restart your system in SAFE mode and run the scanner again. Few antivirus programs like Solo (http://srnmicro.com) can effectively remove viruses in locked files. So you can try this too.
Report Offensive Follow Up For Removal
here are your vundo removal instructions http://www.spywaredb.com/remove-win32-vundo-522752trojan/
Report Offensive Follow Up For Removal
I am having the same problem, but there is an added hitch:
The file that Norton's has found to be infected is C:/Windows/System32/awvts.dll.
Although Norton flags it, it is unable to delete it. Also, their Vundo-specific tool to remove it is not finding it, saying that it is not on my computer. And I have run both in safe mode.
When I go in to manually delete the file, the OS yells at me, saying that it is unable to delete because another program is using this file. Again, this still happens in safe mode. I am running out of ideas. When it was first flagged, Norton gave me a message that "Access to the file was blocked." Could this have something to do with the problem?
Report Offensive Follow Up For Removal
I've got a similar problem. The tool from Symantec is not finding Trojan.vundo on my computer yet Symantec Antivirus is finding it and is unable to delete it. Sometimes Symantec quarantines a file and says reboot is needed but when I reboot the problem is still there. I have run Microsoft Anti-spyware, Symantec Antivirus, Spy Sweeper and the tools for removal in both safe and regular mode with no success. I need help!
Report Offensive Follow Up For Removal
same problem as last 2 comments.
norton detects infected file "awvts.dll"
removal tool cannot see it
i cannot delete it
weak sauce!!!
Report Offensive Follow Up For Removal
Apparently I'm not alone!
NAV gives me the message that it has detected a virus on my computer at high risk and that action taken is "access to the file was denied" and "unable to repair this file." The object name is C:\WINDOWS\system32\sstts.dll
I've run the tool from Symantec with it saying I don't have the trojan.vundo virus, but Norton says I do and the box message remains there. I've only noticed my computer working slower than usual....please help !!!!!!!!
Report Offensive Follow Up For Removal
I am having the same problem. My computer is super slow and I can't get it off......
anyone have any ideas please let me know
Report Offensive Follow Up For Removal
Same thing as above except file is C:\WINDOWS\system32\jkkjh.dll. The Norton alert window pops up and will not go away regardless of how many times I OK it.
Report Offensive Follow Up For Removal
Hi Folks,
I have the Vundo too!
My file is C:\WINDOWS\system32\geebx.dll
I think it is some sort of ie helper.
According to Norton, it has also hit 21 registry keys?
Any ideas for removal - I have used the tool.
I'm gonna try all night and I'll update you with my findings.
Report Offensive Follow Up For Removal
Ooh gosh..! I have it too.. I've been trying to fix it using all the tips and info from here but nothing seems to be working.. 'rockygabriel' I hope you find the answer soon!
And is this a coincidence? Because I'm already the 7th person to come here and reply today..
Report Offensive Follow Up For Removal
I have it too!! Very frustrating, since I've been trying for 4 hours to get rid of it!!!! My file is: C:\WINDOWS\system32\vturq.dll
someone figure out something!
Report Offensive Follow Up For Removal
I am having the same Trojan.Vundo problem as people have been describing above. I also cannot delete it because of the warning message that it is being used by something else.
Norton says mine is located in C:\WINDOWS\system32\ddabc.dll
I used the Symantec removal tool, but I think the reason it doesn't work is because it was made back in Nov. 25, 2004. This version of Trojan.Vundo seems to have been created recently.
If anyone has any solutions or suggestions, please keep us informed.
Report Offensive Follow Up For Removal
I am having the same problem, all day long I have tried...help my file is c:\window\system32\ssqpp.dll
Report Offensive Follow Up For Removal
Add another one to the list. In my case the filename is c:\windows\system32 and it's pmnlm.dll so it's obvious that the filename is random.
Symantec's wonderful removal tool says the virus cannot be found. (I also tried their "B" removal tool, same results).
Ask me if I'm happy about having Norton's Antivirus software running and scanning constantly, yet it still allowed this one to park itself on my hard drive. Thanks Symantec. Must be because I just renewed my subscription. (Something I'll never do again. Are you listening Symantec?)
Can't delete the file in safe mode. Can't do anything to get rid of this pest. HELP
Roger
Report Offensive Follow Up For Removal
After about a half an hour of searching I finally found the page for Symantec e-mail support and reported the problem in great detail, so at least they are aware of it. Hopefully they'll come up with a fix soon. I hope whoever is responsible for this burns in hell for about a zillion years.
Report Offensive Follow Up For Removal
I too am having the same problem. I've tried various ways of running the removal tool with no luck. The file is c:\windows\system32\jkhfd.dll. It looks to me as if it has a different name on each computer. Earlier today I ran Xisoft antispyware program and it found a couple of registry links but didn't remove this file. Another thing I found was that my email program, Pegasus, could not find the POP3 server so I wonder if this dll affects tcp/ip.
Thanks for any help here...
BC
Report Offensive Follow Up For Removal
I'm also having the POP3 server problem for the last couple of hours. I got a message from my sysad earlier that they would be working on the system and I would have to manually log on to the server using my password (which I've thus far been unable to do). I won't know until I can call them in the morning if it was genuine or fake. It looked real but I'm so paranoid now I think it could be BS.
Also, is anyone else getting a really annoying popup for Winfixer? This thing has been busting my nuts for several days now.
Report Offensive Follow Up For Removal
Affirmative to the WinFixer thing. That's been happening here for the past 3-4 days, but I didn't get the trojan.vundo alert until today. The creation date/time on the file that trojan.vundo is pointing at is exactly 7 days prior to the first occurrence of NAV notifying me of its existence. To the hour! Coincidence? Or perhaps a clue for someone?
Glad you were able to locate Symantec's e-mail address, I couldn't. Think you'll hear anything back?
Roger
Report Offensive Follow Up For Removal
Other people have the same problem as us and got help at "Tech Support Guy Forums." Here's the link, search for "trojan.vundo".
http://forums.techguy.org/history/f-54.html
The links in there are text-only posts, so click the link in the page to get the full version post.
It seems that they have had success in fixing the problem. They were told to download other programs and do certain things. I would like to get help from "Tech Guy" but I am on a dial-up modem and am still in the process of downloading all the proper tools (ActiveScan, HJT, etc.)
Take a look at the forums, maybe ask for help then report back here with your progress. Hope this helps.
Report Offensive Follow Up For Removal
RMelin13: Try this for the e-mail support page:
https://symantec.iseva.net/support.aspx
As far as hearing from Symantec, I'm not holding my breath but maybe if enough people hit them with this they'll do something.
I'll get back in a sec with the page opener for that url in case it won't work.
Report Offensive Follow Up For Removal
I started getting the WinFixer pop-ups 3 days ago and now have the same Norton alert. I've spent the last 5 hours looking for a fix.
Report Offensive Follow Up For Removal
Here's the link that opens the aspx page:
http://www.symantec.com/techsupp/nav/nav_2005_contact_tscs_solve_error.html
Good luck!
Report Offensive Follow Up For Removal
Hey guys... just add me to the list with this same problem... BUT one other catch that I'm not sure if any of you guys are getting: I cannot get rid of the pop-up window that Norton AntiVirus tells me about the virus with. The 'X' is shaded out and whenever I hit 'ok' the window will reposition itself in the middle of the screen and just not go anywhere. I too have been going at this one for about 5, 6 hours. Frustrating can't even begin to describe this thing. Hope to find some answers quick.
Report Offensive Follow Up For Removal
I GOT RID OF IT!!! After about 6 hours of trying today this site works! Thank you asdf26asdf26 for referring the site!
http://forums.techguy.org/history/f-54.html
Follow the instructions but you might have to alter it to fit the file on your computer...towards the end I got the 'blue screen of death' and was nervous so I shut down the computer and when I restarted it NAV's alert wasn't showing up anymore and I can't find the file anymore, where before it was showing and I couldn't get rid of it! I'm scanning to make sure it's completely gone...but using this site is worth a shot since it worked for me!
Report Offensive Follow Up For Removal
Same problem here also, just wasted the last 5 hours trying to rid this problem. Why is the Symantec download not working???????????????????? HELP - this is getting frustrating. The stupid Norton popup saying I have a virus constantly comes up and just like someone else I am getting the stupid box in the lower right hand corner about something 32. Such a pain..........##!@$#$
Report Offensive Follow Up For Removal
Trace, can you be a bit more specific as to which post on the page pointed you toward the fix?
JCson, you might as well drag and drop the alert over out of sight until you get a fix. It's not going away.
Report Offensive Follow Up For Removal
bartedous...
i think its this one... yeah it took me a little bit to find it too...
http://forums.techguy.org/t404827&highlight=trojan.vundo.html
Report Offensive Follow Up For Removal
Same problem here too.
File name is c:\windows\system32\jkkjj.dll
Can't do anything with it.
Report Offensive Follow Up For Removal
Is this thing significantly slowing up anyone else's computer?
Report Offensive Follow Up For Removal
Same problem here. I checked the
http://forums.techguy.org/history/f-54.html
but cannot find the comment that would give a solution. Anyone?
Zillion zanks.
Report Offensive Follow Up For Removal
The explanation by Trojanator refers to
ewido security suite
http://www.ewido.net/en/download/
Anyone tried it already?
Report Offensive Follow Up For Removal
I went to the techguy messageboard noted above, and found the following thread:
http://forums.techguy.org/showthread.php?t=405031&page=1&pp=15
I followed the instructions as they were laid out, using Hijack This and the KillVundo download provided in the thread. I made sure to change the filename provided in the thread to apply to my virus's filename (ex: mine was vtuts.dll, instead of the poster's jkkjg.dll).
I followed all the thread's instructions, up to the point where it said you would get the blue screen of death after forcing your computer to re-boot.
My computer re-started, no problem, and it is currently in the process of a full system scan by Norton... but so far, no annoying Norton pop-up that won't go away, and no Winfixer (or any other) Internet pop-ups. *knock on wood*
So... the instructions on that messageboard seem to be valid, as far as I can tell.
Are we thinking it's more than just a coincidence that so many of us got the same virus on the same day?
Report Offensive Follow Up For Removal
Hello, first, sorry for my poor language. I'm from Argentina. I have the same problem with my PC. The file is c:\WINDOWS\System32\jkkjh.dll. Well, it is impossible to remove this virus with the antivirus, with safe mode, with Symantec, manual ways... Absolutely impossible. The antivirus detects it, but you can't delete the virus.
Thanks for any help here. I hope somebody is able to speak Spanish, please.
Report Offensive Follow Up For Removal
I figured it out! I had all of the same issues as above, AND my network was disabled by trojan.vundo. Here's how to fix it:
Go to: http://forums.techguy.org/t404827&highlight=trojan.vundo.html
Scroll down to the October 5th @3:04pm post by D Trojanator and follow the directions regarding Ewido and Cleanup! exactly as he describes it. I did the Ewido scan in Safe Mode and it found 109 infected objects and cleaned them all. (Norton didn't find any of these.)
D Trojanator rocks!
Report Offensive Follow Up For Removal
I'm pretty freaked about this Vundo thing and I'm not that experienced with computers.
I was doing research for a college paper last week so that must be what happened. I was visiting sites like Encyclopedia Britannica and dictionary sites. The only thing I registered for was from the Chicago Manual of Style sponsored by the University of Chicago Press.
I've read through the thread so I understand it's an adware deal, but does that mean just logging on to a site without registering that this can happen?
My problem began like others.
1. Internet Explorer giving error messages and telling me to download to fix the problem.
2. I didn't do it because I was afraid.
3. Instead I downloaded firefox to use, but I didn't delete Explorer because I don't know how.
4. Today I got the High Risk error message labeled as C:\WINNT/system32/awtst.dll.
5. Then I downloaded the fix and my Norton report says that it doesn't detect it on my system. (I was thinking that was because the download fixed it.)
6. My Norton status report says my system is okay, but I can't get rid of the alert.
7. I hesitate to download the ewido thing etc. as recommended on the tech site because everything is just too scary.
I am Windows2000 professional. I hope you tech smart people can help.
Thanks,
Patty
Report Offensive Follow Up For Removal
Hi Everybody.
I've got it too.
Mine is - Windows\System32\ddcyx.dll
Norton's FixVundo.exe can't fix it.
I tried all the adaware, spyware programs that I have and they couldn't fix it either.
Norton AntiVirus virus alert window won't close.
I wasn't even surfing the net at the time.
I turned on my computer which has DSL and then decided to go write out bills which took me about 30 min.
I came back to the computer and found the Norton virus alert window.
Like others have said, my infected file name is different - ddcyx.dll.
Take care, Linda
Report Offensive Follow Up For Removal
Same here!! EXACT same - except my file is vturp.dll
I'm about to try some of the recommendations posted here... wish I had found this site before I went through the whole Norton/Symantec process.
I'll let you know if I manage to kick this thing... good luck to everyone else!
Report Offensive Follow Up For Removal
Hi guys
Yes, I had it fixed using the instructions by Trojanator. I did it outside Safe Mode and it worked also.
Thanks a zillion, Trojanator!
Report Offensive Follow Up For Removal
I tried the method described by Trojanator twice, but Norton still finds it.
C:\WINDOWS\system32\ddabc.dll
It was a simple procedure to follow, so I don't think I did anything wrong.
Oh well, it's getting late. I'll try something else in the morning.
Anyone else have any success?
Report Offensive Follow Up For Removal
Good News!
I downloaded the free trial of SPYSWEEPER and it deleted the infected DLL file!
I also tried the Trojanator technique but that didn't work for me either.... I'm glad the SpySweeper DID. I'm very relieved.
Report Offensive Follow Up For Removal
I fixed it on 2 computers last night.
1. Write down the name of the file. On one system it was mljjg.dll; the other was pmkjj.dll. My files were in the c:\windows\system32 folder; both XP systems.
2. Download and save to the desktop the VundoFix.exe program. Get it from http://www.atribune.org/downloads/VundoFix.exe. Double-click VundoFix.exe to extract the files. This will create a VundoFix folder on your desktop.
3. Reboot your computer into Safe Mode. Do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
4. Show all hidden files. Do this by: Right-click on start button, left-click Explore. Click Tools, then Folder Options. Click the tab labeled View. Scroll down to Hidden Files and Folder. Click the radio button that says Show Hidden Files and Folders; also, click to uncheck Hide Extensions for known file types.
5. UNREGISTER THE MALIGNANT FILE SO IT CAN BE DELETED. To do this click Start, Run. Type "command" or "cmd" in the box and click OK to open a DOS window. Change directories to c:\windows\system32. Do this by typing "cd c:\windows\system32" without the quotes. Then unregister the file. Do this by typing "regsvr32 {name of malignant file} /u". My entry was "regsvr32 mljjg.dll /u". Note: there is a space between the end of the filename and the /u. You should see a window confirming it was successfully unregistered. If it says it can't find the file, make sure you have unhidden files.
6. Delete the malignant file using VundoFix. Double-click to open the VundoFix folder and double-click on KillVundo.bat.
You will first be presented with a warning and a list of forums to seek help at.
It should look like this:
VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:
http://www.atribune.org/forums
http://www.247fixes.com/forums
http://www.geekstogo.com/forum
http://forums.net-integration.net
At this point press enter one time.
Next you will see:
Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
At this point please type the following file path (make sure to enter it exactly as below!): "C:\WINDOWS\System32\{malignant file.dll}" Mine was C:\WINDOWS\System32\mljjg.dll
Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
Next you will see:
Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
At this point please type the following file path (make sure to enter it exactly as below!): C:\WINDOWS\System32\{reversename of the malignant file.*} Mine was C:\WINDOWS\System32\gjjlm.*
Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
The fix will run then HijackThis will open.
In HijackThis, please place a check next to the following items and click FIX CHECKED:
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\mljjg.dll
O20 - Winlogon Notify: mljjg - C:\WINDOWS\System32\mljjg.dll
After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
7. Turn System Restore off and back on. Do this by clicking Start, Control Panel. Double-click System. Click System Restore tab. Click to turn off System Restore on all drives. Restart your system. Re-enter Control Panel and click to uncheck the box to restart System Restore.
8. Once your machine reboots run a virus scan to remove any detected remnants.
NOTE: one of the two systems wasn't able to find HijackThis. I had used the program on that system before so I manually ran it and deleted out the two entries recommended above. If you need it, it can be downloaded from here: http://www.download.com/3000-8022-10227353.html
Report Offensive Follow Up For Removal
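Added example, not part of any post in this thread: a small triage script for a saved HijackThis log that looks for the pattern in the two entries quoted in the post above, where one System32 DLL is loaded both as a browser helper object (O2) and as a Winlogon Notify package (O20), and derives the reversed-name companion path that the procedure's second prompt asks for. The function names, the heuristic itself, and the two benign log lines are assumptions made for illustration; only the mljjg.dll lines come from the post.

```python
import ntpath
import re
from collections import defaultdict

# Line shapes taken from the two HijackThis entries quoted in the post.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.+)$")

# Constructed sample log: the two mljjg.dll lines are the ones quoted in the
# post; the "Example" lines are made-up benign entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\ExampleToolbar\helper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\mljjg.dll
O20 - Winlogon Notify: examplegfx - C:\WINDOWS\System32\examplegfx.dll
O20 - Winlogon Notify: mljjg - C:\WINDOWS\System32\mljjg.dll
"""


def parse_entries(log_text):
    """Return the O2 (BHO) and O20 (Winlogon Notify) entries found in a log."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for kind, pattern in (("O2", O2_RE), ("O20", O20_RE)):
            match = pattern.match(line)
            if match:
                entry = {
                    "kind": kind,
                    "name": match.group("name"),
                    "path": match.group("path").strip(),
                }
                if kind == "O2":
                    entry["clsid"] = match.group("clsid")
                entries.append(entry)
                break
    return entries


def triage(log_text):
    """Flag System32 DLLs registered as both a BHO and a Winlogon Notify package.

    This is a heuristic (an assumption of this example), not a signature:
    it only reproduces the combination shown in the post.
    """
    by_path = defaultdict(list)
    for entry in parse_entries(log_text):
        # Windows paths are case-insensitive, so group on the lowered path.
        by_path[entry["path"].lower()].append(entry)

    findings = []
    for entries in by_path.values():
        kinds = sorted({e["kind"] for e in entries})
        path = entries[0]["path"]
        folder, filename = ntpath.split(path)
        stem, ext = ntpath.splitext(filename)
        in_system32 = folder.lower().endswith("\\system32")
        if kinds != ["O2", "O20"] or not in_system32 or ext.lower() != ".dll":
            continue
        findings.append({
            "dll": path,
            "entry_kinds": kinds,
            "clsids": [e["clsid"] for e in entries if e["kind"] == "O2"],
            # In the post the Notify key name equals the DLL's base name.
            "notify_name_matches_stem": any(
                e["kind"] == "O20" and e["name"].lower() == stem.lower()
                for e in entries
            ),
            # Second path in the procedure: same folder, reversed base name.
            "companion_glob": ntpath.join(folder, stem[::-1] + ".*"),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["dll"], "->", finding["companion_glob"])
```

A DLL that appears in only one of the two sections, like the constructed examplegfx.dll line, is not reported.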
I ran the ewido scan and clean up recommended by Trojanator and when I restarted my CPU, my Windows XP taskbar became weird and had no start button!!!
Something is seriously wrong....I need help pls!!!
Report Offensive Follow Up For Removal
My update: I followed all instructions EXACTLY as described in the computing.net link, ran ewido and cleanup as described, and I STILL HAVE THE NORTON VIRUS ALERT !
Bah! Guess I'll try NancyJo's advice next. Gee, this is fun.
Just be warned that apparently the ewido and cleanup routine doesn't work all the time. My run of ewido found 804 threats! These were overlooked by Norton's AV, but neither was able to get the job done.
I'll be back....
Roger
Report Offensive Follow Up For Removal
I used the free trial of Spy Sweeper and it removed the virus. Simple and easy - none of these 22 step procedures. Spy Sweeper is recommended by Consumer Reports, so I know it is safe to use.
Report Offensive Follow Up For Removal
THANK YOU NANCYJO !
VundoFix was the only one that worked for me. Neither Norton, FixVundo, ewido nor SpySweeper could do the job.
Each system is different, and apparently each episode of this wonderful malware piece of garbage is a bit different too.
Thanks so much, NancyJo!!
Roger
Report Offensive Follow Up For Removal
Ditto - Nancyjo's fix is the only one that worked. Ewido, cleanup and Norton's FixVundo didn't do it. Thanks much, Nancyjo.
Is it possible that this trojan, which has been around for a while, is morphing itself as it moves from computer to computer? Is it possible it's "smart" enough to alter itself sufficiently against the currently effective fix? Reading various threads it seems that a fix which worked a few days prior won't cut it with newer cases of infection.
I use Norton 2003 with live update and am amazed that this creature dropped onto my PC without warning. I am religious about updating Norton and use 2 firewalls. I'm extremely careful and reasonably knowledgeable about internet security. I believe that this trojan is far more malicious than is presently thought. My only hope is that it has not sent all of my personal information to the remote computer with which it communicates...
We all need to inform our antivirus vendors (Symantec, McAfee...) about the way this thing is behaving...
Report Offensive Follow Up For Removal
I agree, mooline. I guess the folks that know about these things are best to determine how this thing works, and how it manifests itself. I am also very careful about sites I visit, I always have NAV running, check daily for updates to Norton's AV signature files, use a firewall, and I take as many reasonable precautions as I can, but I don't have a pop-up blocker. I guess that's next.
It is still frustrating that ewido found 804 threats, but Norton found only the one. And neither could do anything about it. I'm going to keep my eye on this thread, and other threads that discuss this malware to see what really happened to us. I don't want to just let it go now that I'm "repaired". The truth is that this is the first "virus" (IF this was a virus) that I've been hit with, and I've been using PCs since their inception.
THANKS AGAIN NancyJo !!!
Roger
Report Offensive Follow Up For Removal
My story is the same as everyone else - wish I didn't have to take time out of my busy day to deal with this, but I will.
One question for Nancyjo - your instructions seem very complete...I'm just wondering in step 5 when you change directories if there is a space after you type in "cd"? There is a line break in your instructions, so I can't tell, and we all know how one little thing can change (or not change) the outcome.
Thanks!
Report Offensive Follow Up For Removal
Thought I'd take the easy way out and try SpySweeper. It picked up the bug as virtumonde, not the newer name, Vundo. I removed it, though SS wanted to reboot. After the reboot, NAV still detects the bad file and virus. Now it's time for the NancyJo fix...
Report Offensive Follow Up For Removal
'nother one in the same boat. I am going to try NancyJo fix and let you know if it works. Wish I had found this sooner after a very loooooong night with no luck. The file infected is ddayx.dll. I searched all over norton to find a way to submit this and couldn't find the info. Driving me nuts!
Report Offensive Follow Up For Removal
Spy sweeper was effective for me and, as far as I know, I'm clean. Thanks to everyone for their suggestions and good luck to those of you who haven't kicked this thing yet!
Report Offensive Follow Up For Removal
This stupid virus has cost us all hours. I finally got rid of it using a combination of a few of the suggestions. It's been a long process, so be prepared to walk away from the computer while some of these sweeps work it out.
1. Follow the link that Big Daddy provided in his post on Oct. 7
This is it:
http://forums.techguy.org/t404827&highlight=trojan.vundo.html
Scroll down to the October 5th @3:04pm post by D Trojanator and follow the directions regarding Ewido and Cleanup! exactly as he describes it. It cleaned many files that were present only 4 weeks after a complete HD reformat and faithful use of NAV and Internet Security.
After doing this I still got the NAV message about Trojan.Vundo.
2. Then I tried the trial of SpySweeper. It found a few more traces of adware and actually listed another name for the Trojan. But and a big but it is...it's now gone!!!
Seems like there are a few ways to get rid of the pest, but they all seem to take time.
Report Offensive Follow Up For Removal
I was one of the lucky ones for whom the spysweeper program worked.
I turned off system restore before I let the program remove the vundo. I don't know if this was necessary but it worked so if you haven't had any luck with spysweeper you might try it. Just be sure to turn it back on afterward and run the program again.
With the download came a $10.00 off coupon for a one year sub. I did this and now I feel a bit safer.
So here I sit red-eyed and tired from my ordeal, and $19.95 poorer. Lesson learned; Spybot S&D and Adaware, Norton all proved inadequate against this. You can go through the complicated processes described above or pay the money for peace of mind.
I'd still love to get my hands on the creep who started vundo. I'd imagine he's getting a lot of satisfaction (and no doubt quite a bit of $$$) from our collective misery, the b---tard.
Report Offensive Follow Up For Removal
I tried the ewido and clean up, but when I restarted I got the same thing as sean in response 49, weird taskbar and no start button, and when I start a program I get error messages, saying I may have to reinstall the program. Does anyone know how to fix it please?
Report Offensive Follow Up For Removal
Posted earlier that SpySweeper did not work. Re-ran it again, and the bug is gone. Why and how, I can't tell you. IE and other functions are running normal again. I'd recommend DL'ing the trial version, running it. Reboot. Run again, and reboot (Kind of like shampoo instructions, no?) If this doesn't work, the NancyJo 12 step program would be next. Oh, and if the SpySweeper works, uninstall it from the add/remove programs on the control panel. FREE at last!
Report Offensive Follow Up For Removal
Used the Spysweeper free trial and it worked. Whew... this has been a long arduous task. Thanks for the help. And may all malware, adware, virus miscreants be burned at the stake with their code as kindling.
Report Offensive Follow Up For Removal
Hi everyone. D*mn, what a mess.
I am going to try the Spy Sweeper and will post results. I tried the detailed instructions by nancyjo but was unable to get past the DOS window (and I don't know what the hell I'm doing).
My question: Is this the sort of thing that, given time (hopefully a few days), Norton or Symantec could send out an update for which would remove the virus? Thanks!
Report Offensive Follow Up For Removal
I usually don't get annoyed with those NAV high risk warnings that just don't go away by just pushing it to some far-off corner of my screen. But this time, it was bad because the virus totally screwed up me and my favourite computer activities like watching DVDs and drawing using photoshop because the virus causes the programs to jerk and stop for a split second.
I tried the easy way first, using Spysweeper. It didn't work at first as the scan just disappeared halfway through the scan. It was only after restarting my comp and turning off the system restore did it do the magic. I think the virus is gone now. *crosses my fingers and hopes*
Thanks for all the help from everyone here!
Report Offensive Follow Up For Removal
I'm back already. I owe it to you guys who posted this information. Spy Sweeper's free trial worked - as some of you mentioned, it may find the virus under another name ("virtumonde", in my case). I had to reboot and even do a cold-boot when my computer froze while still in the Sweeper's operating mode.
I still feel paranoid. I typically stay away from ANYTHING with "SPY" in the title. Why and how can one company be so much more effective than another? How do I know the "good" guys and the "bad" guys aren't the same group? I don't think we do or can know and that's scary s*%t. One poster above said he just paid the $20 for a subscription for "peace of mind" - yeah, I'm sure that's what they want all of us to do. So on the one hand I'm really glad - and the psychological high of being freed from 4 hours of frustration is considerable - and on the other hand I'm, as I said, paranoid.
Thanks to you all again for the suggestions.
Report Offensive Follow Up For Removal
Thank you nancyjo! Although I was dripping with sweat during this process (especially when HijackThis failed to start and I thought my system crashed), it works!
However, I must caution everyone using the Spy Sweeper method. I thought Spy Sweeper removed this thing from my system on Wed. night. But it remanifested its ugly self on Thursday, and I think I was only able to delete it this morning with nancyjo's instructions.
Best of luck to everyone. Thanks again nancyjo!
Report Offensive Follow Up For Removal
Same problem as everyone!
I am now going to try the solution from the Tech Support Guy.......Thanks so much to all of you! I don't know crap about any of this stuff! my first virus
Report Offensive Follow Up For Removal
I as well have the same virus problem, trojan.vundo, object name: C:\WINDOWS\system32\ddayv.dll. If anyone on here finds out the solution to deleting this virus please email me at dp5_hockey @ hotmail.com or post back here,
ps I've tried many ways from other sites and none seem to work :(
Ppppeeeeeeeeeeeeeaaaaaaaaaaaccccccccceeeeeeeeeeee
Report Offensive Follow Up For Removal
I tried everything in the post to this point to no avail. The option that worked for me is from:
http://www.geekstogo.com/forum/index.php?act=ST&f=37&t=67176
This .dll looks like it's deployed by virtumonde adware. My .dll was named pmkjh.dll but they're all the same virus so just enter the path of the suspect file in the .exe provided at the site. The .exe also asks for two paths, I entered them both even though I knew I didn't have the file for the second path requested - it might still be on my system, but the first .dll entered in the exe provided at the site was the one causing all my headaches.
You also might want to turn off System Restore, which I did....
I have no connection to the site above and it worked perfectly. No more trojan.vundo!
Thanks to everyone for posting solutions!
Cheers,
Report Offensive Follow Up For Removal
Tech Support Guy can really help. They can pinpoint the problem and give you exact details on how to remove this virus. The forum is at: http://forums.techguy.org/forumdisplay.php?f=54
They helped me get rid of this nasty thing. Consider a donation as they are working their butts off today. I donated - man they deserved it!
Report Offensive Follow Up For Removal
I've tried everything above except Nancy Jo. That is my next try.
I've been at it a total of 12 hours (after a nap in between)...
My file is:
C:\WINDOWS\System32\pmkig.dll
Wish me luck...Nancy you're my last hope.
Report Offensive Follow Up For Removal
Mine showed up after I deleted the Yahoo Tool Bar from my Internet Explorer page.
Coincidental?
Anyone else?
Report Offensive Follow Up For Removal
I've got the same virus, Trojan.Vundo. I've disabled my internet connection, turned off system restore, booted into safe mode and still no luck. Norton 2K2 is telling me that the virus's location is C:\Windows\System32\iigff.dll. I need some help please!
Report Offensive Follow Up For Removal
a HUGE! thank you to nancyjo!! located response number 48. as well as to everyone else helping in this matter.
the affected file, sstts.dll, is gone, my computer is running normal, and im doing a NAV full system scan now. though when i was using the instructions nancyjo gave, i had gotten to the part:
"The fix will run then HijackThis will open.
In HijackThis, please place a check next to the following items and click FIX CHECKED:
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\mljjg.dll
O20 - Winlogon Notify: mljjg - C:\WINDOWS\System32\mljjg.dll"
norton popped up sayin hijackthis was a corrupted file or something or other..but i authorized it and i never got that window to check the former with hijack. anyhow the vundofix.exe prompt said all was deleted so i continued with restart and followed the directions from there.
im staying tuned though to find out what exactly went on with this virus!! grR..
Report Offensive Follow Up For Removal
Hi again.
After trying everything; all the Adaware, Anti-Virus and Spyware programs, including the paid for version of Spy Sweeper, the only thing that worked was -Nancyjo's instructions.
It looks harder than it is; that is why I kept looking for a software fix where I wouldn't have to type anything throughout the process. I wasted a lot of hours.
If I had read the instructions Nancyjo wrote out when I first saw them, I would have tried that before all the messing around with other methods.
After I used Nancyjo's method, I then ran all my Adaware and Spyware and Anti-Virus programs again to make sure.
Everything is clean.
Thank you Nancyjo.
Take care,
Linda
Report Offensive Follow Up For Removal
I FIXED IT. I turned off the XP system restore and then downloaded the free 14 day trial of SPYSWEEPER. It took 1 1/2 hours to scan the computer. It found 54 pieces of adware, two trojans and the VIRTUMONDE virus. It then deleted them. I had to reboot, the machine froze, but upon restart, the message from norton was gone and all seems well.
Remember to go to the System Restore page and turn it back on.
SO MUCH FOR ADAWARE, SPYBOT AND NORTON !!!
LOVE SUSAN
Report Offensive Follow Up For Removal
I, too, had to deal with the Trojan.Vundo with a location at C:\WINDOWS\system32\ddcyv.dll (according to Norton). I tried Norton, the supposed Trojan.Vundo Removal Tool at Symantec, AVG, and spybot. I turned off system restore. All this time the Norton box telling about the virus was not allowing me to turn it off. After reading posts here, I downloaded and tried Spy Sweeper. The first scan found numerous adware and cookies suggested for quarantine. I followed through with reboot. The dang Norton virus threat alert box came back. At this point I turned off Norton antivirus and internet (setting it to remain off until reboot). I logged off, logged back on, which got rid of that Norton alert box. At this point I ran Spy Sweeper again. It found, again, 2 items, of which I remembered one from the first scan... AD virtumonde. Spy Sweeper alerted me that I needed to reboot to finish, as there was something in memory (forgive me I am not techie). I okayed this and at some point got the blue screen. I rebooted and hoped for the best. Logged back on... Norton antivirus and internet security was back on at this point.
All is well so far. No alert threat box. HOURS, hours, of dealing with this.
I credit Spy Sweeper.
Report Offensive Follow Up For Removal
About to go to NancyJo. Have done the SpySweeper 14 day trial, and cleaned out 115 some items, mostly in cookies.
Virtumonde still there (morphed from trojan.vundo) whenever I turn Norton back on.
HAS ANYBODY BEEN GETTING UNSOLICITED POP-UP OFFERS FROM "WINFIXER"? LOOKS HIGHLY SUSPICIOUS. WHO THE HELL ARE THEY?
This happened after I deleted "MSMSGS" when given the option on "Remove Start-up entry"
My problem seems to be running continually in memory.
THE OTHER THING that keeps happening is right before the restart, an application called "ccApp" has an abnormal shutdown under both Norton and SpySweep.
Report Offensive Follow Up For Removal
i need help when i go into safe mode my desktop pops up then goes right away leaving me with safe mode in each corner how can i fix that?
Report Offensive Follow Up For Removal
Tonya -
I kept having that too...I just had to do the task manager (ctrl-alt-delete) and shut down and start over again. I had to do that a couple times, I don't know why. I had a few struggles (I think I'm dense when it comes to following instructions) but I'm thrilled to say NancyJo's fix seems to have worked for me...I did a reboot, and NO NAV ALERT MESSAGE!!!! Hooray. I had to do the step where you reverse the name of the file several times because I wasn't adding a . at the end of the file name. I also wasn't sure if the little asterisk at the end meant I was supposed to add the rest ie: dll at the end or something, but when I left that off it worked. Good luck. I'm a little afraid to shut down my computer for the night for fear the pesky vundo will reappear in the morning. I hope not!
Report Offensive Follow Up For Removal
nancyjo THANK YOU SOO MUCH! i tried the techguy thing and it didnt work.. and i already used my spysweeper trial so i couldnt do that.. but your's was the only one that worked.. now my computer is up to normal speed!.. took me a couple of hours to try everything and i dont know HOW many times i had to reboot my computer into safe mode and regular mode but it was soo worth it.. thanks again nancyjo!
Report Offensive Follow Up For Removal
The virus didn't hit my computer but it did hit my son's. I directed him to follow the procedure documented at techguy.org. This is similar to the procedure documented by NancyJo. The HijackThis! part of the procedure didn't do anything so I had him search the Registry for the name of the offending .dll. He found one key with that name and a CLSID associated with it. The CLSID, BTW, is: DD0BC06-4719-4BA3-BEBC-FBAE6A448152 . He searched the Registry for that CLSID and found two keys that contained it and deleted those. NancyJo's idea of running regsvr32 <filename> /u should get rid of the Registry keys in a more elegant manner.
If anyone has any ideas about how this thing showed up on his computer in the first place we would all be interested. He runs Norton Internet Security, etc. (though I have reason to believe his installation has some corrupted files) . He doesn't knowingly visit questionable Web sites and hasn't gotten overtly suspicious email. For the moment, I have told him to access the Internet via dial-up instead of using his high-speed connection, at least until I can re-install Norton.
Report Offensive Follow Up For Removal
its all fuss/mess to download all nonsense crap..
I got the Trojan.Vundo virus in one of the *.dll files in the system32 folder for windows xp home edition.
I fixed the problem by switching to windows safe mode with command prompt. By doing this not many of the services are started and it is easy to delete any file from the c:\windows\system32\ folder.
Upon starting, windows will switch to command prompt, here
cd c:\windows\system32
rem xyz.dll (this removes the dll)
keep it simple stupid
Report Offensive Follow Up For Removal
We are having the same problem as Response #13. Same file. Can't get rid of the NAV message either. And the Removal Tool doesn't work. also our computer is running real slow. HELP windows/system32/jkhhg.dill
HELP
Chris and Wina
Report Offensive Follow Up For Removal
I tried the D_Trojanator's advice, did the ewido and clean up, but it DIDN'T work. Neither did Spy Sweeper.
HELP
Chris and Wina
Report Offensive Follow Up For Removal
Use the http://forums.techguy.org/history/t-405812.html link. It's simple and gets rid of this vundo crap. Download the Fix as directed and follow the instructions with the exception of substituting the infected dll for where they say to input vtsqo.dll.
For the second dll mentioned in the instructions I just typed it as is and the program ran and said to redo the fix because the file could not be found.
I think this is because Trojan.Vundo has two files working and Norton removes the second but not the first. So this will get rid of the first.
After the tool says to re-download just restart and run your anti-virus.
Report Offensive Follow Up For Removal
deuce2,
We also had the unsolicited pop-up offers from "winfixer".
deuce2 mentioned:
THE OTHER THING that keeps happening is right before the restart, an application called "ccApp" has an abnormal shutdown under both Norton and SpySweep.
Ditto here.
After I was able to get the NAV off and rerun the Spy Sweeper, my computer appeared to be ok.
Report Offensive Follow Up For Removal
Chris and Wina.
I had the exact same problem you got, and I found that I could fix it my way, post "84", or the method specified in
http://www.geekstogo.com/forum/index.php?act=ST&f=37&t=67176
that worked awesome.. though mine was the simplest among all.
give it a shot..
switch to windows safe mode with command prompt. (when windows is starting, use F8 to go to the options and select safe mode with command prompt).. other modes don't work as windows services are running and the *.dll are locked
cd c:\windows\system32
rem c:\windows\system32\jkhhg.dll
After doing this shutdown and restart, this time, don't use F8 and just let the windows boot in normal mode.
Report Offensive Follow Up For Removal
For starters, I am sorry if this situation is repetitive from previous users. I am totally a newbie when it comes to computer infection.
I've been reading all replies to this thread and it is quite confusing, especially for someone like me whose English is not a first-language. So here goes my story...
I am going to mention everything I have done since this situation crumbled late last night.
I started having problems more than 12 hours ago.
I remember this week receiving popups about WinFixer but we always closed them. Never touched them.
Norton Anti-Virus (which we update on a daily basis) popup came on about a warning. My path is C:/WINDOWS/system32/mlljkl.dll (I know the backslash are not positioned properly - could not find the button - new keyboard)
After reading some of your experiences, The file name is sort of irrelevant.
I've done 2 Live Updates with NAV and tried twice their removal tool. It successfully removed one affected file but failed with the second one. I've run twice the complete NAV scan before heading to bed at 1:30am
This morning, since the problem was clearly still on my computer, I called my ISP tech support. The man gave me two products to download online in order to fix this issue: Trojan Hunter and The Cleaner.
Trojan Hunter found the file but its access was denied so it wasn't able to fix it. The Cleaner ran for almost 2 hours and still no sign of the file - and it's still working now.
I've read earlier that Spy Sweeper was good for the job - downloaded and scanned my entire computer. About 40 files or so found - spy cookies - they are only quarantine now. Don't know how to delete them completely.
So, I am looking for a step-by-step procedure in order to destroy this thing once and for all. I have an Acer computer with WinXP and DSL Internet Access.
I am very concerned now this thing will destroy my computer completely. Can someone help me out?
Report Offensive Follow Up For Removal
Many thanks nancyjo. Your post (response number 48) worked. In my case VundoFix (V2.13) could not find HijackThis, so after rebooting I downloaded HijackThis and ran it, fixing all the entries that contained my malignant filename.
Now Norton is happy with my system32 directory, no more virus warnings :)
Report Offensive Follow Up For Removal
Put me in the category of SpySweeper appears to have worked. NAV Autoprotect is reenabled and no High Risk pop-up. The dll is gone. Incidently, if anyone is keeping a log, mine was named ssttt.dll. Anybody have any idea where this trojan came from? Like many of you, I consider myself a safe computer, Norton AV autoprotect, pop-up stoppers and running behind a router firewall, no risky surfing and no warning. Grace to the rest of you wrestling this. I wonder how long it will take Symantec to catch up to this and provide a workable solution. My confidence in NAV has been seriously eroded.
Report Offensive Follow Up For Removal
I just used the "NancyJo" fix to apparently get this virus off my computer (thanks for the fix! glad this forum exists since this experience has shown me how useless Symantec/Norton is). I've done alot of computing and web surfing over the years, follow all the right practices, and as with others in the same boat this is my first virus. Has anybody had this problem (WinFixer popup) who isn't running Norton? Seems like everybody posting here is running it. I had the same problem as others with the virus also slowing my computer and having the ccApp hangup on shutdown. I'll be interested to find out how my computer caught this virus and see if Norton ever even mentions its existence. Are there any antivirus packages out there with better support for situations like this?
Report Offensive Follow Up For Removal
I got Trojan.Vundo on 10/7/05 & the infected file on my computer was C:\WINNT\system32\ssttu.dll. After giving up on Symantec for help, I tried a couple of other anti-virus programs and none of them removed the infected file. The "simple" method in response #84 didn't work either.
However, NancyJo's solution in response #48 worked for me. (I had to download HijackThis separately.) Now my computer is clean and back to normal. I can't believe how many hours I've worked on fixing this problem. If Symantec uses NancyJo's method, they better compensate her. THANKS SO MUCH FOR YOUR HELP NANCYJO!!!
Report Offensive Follow Up For Removal
I need help following Nancy Jo's instructions--it was going
so well, then it gets to the point where i am to go to another
site for instructions? All the steps were followed but I am
not sure where to go or what to ask for when I go to the tech
sites. Please help. thank you
Report Offensive Follow Up For Removal
Slickfield - if I'm understanding your question right, you don't go to any of those links shown for instructions...you just continue on with NancyJo's instructions..I believe it was to press "enter - F6 - enter" and then type some stuff exactly as shown in the instructions.
Report Offensive Follow Up For Removal
ok im still having the problem with safe mode when everyone else goes into it before it goes to your desktop does it say click yes or no on screen and if so which do you click or neither? please help
Report Offensive Follow Up For Removal
For the folks who used Spysweeper and it did not work, did you update the definitions? I was unable to update the definitions when I first downloaded product. I scanned anyway, and was unsuccessful in getting rid of virus.
Later, I was able to update, and it got rid of the virus!
Nick
Report Offensive Follow Up For Removal
Ok, I'm going nuts. I contacted the trojan.vundo a couple of days ago and this is what I've tried so far (with no success)... norton's fix & spysweeper. I was able to follow nancyjo's fix up to item 6 - I'm not able to see the folder (vundo.fix) in safemode. HELP!
Also, I have technical support with hp. Their recommendation is to use the recovery disk. Are they crazy.
ref: located in c;\window\system32\vturp.dll
Report Offensive Follow Up For Removal
so i guess noone can help me with the safe mode problem it still continues to stay black with safe mode in each corner and not go to my desktop i tried restarting not working the only thing is a yes or no pops up and im really not sure if im suppose to click one or not im going crazy
Report Offensive Follow Up For Removal
USE NANCY JO'S INSTRUCTIONS!!!!
I too got this virus (on Friday) and went through essentially the same nightmares as everyone else, spending hours and hours trying to fix it using the Symantec Removal tool, etc etc etc. Norton did absolutely nothing!! Nancy Jo's instructions fixed it in less than 10 minutes -
THANK YOU NANCY JO.
Report Offensive Follow Up For Removal
Tonya ---
try selecting "Safe Mode with Networking" instead of "Safe Mode" when you start up your system - this is the only way I can get my desktop to show up.
Report Offensive Follow Up For Removal
Tonya - If you mean the big windows blah-blah about this being safe mode and do you really want to do this, click yes. Then you should get a login screen if you use one (log in normally) then your blue desktop with "safe mode" in the corners.
Report Offensive Follow Up For Removal
Sarada
Ok going to safe mode in net working worked for me now im trying nancy jos instructions but i seem to be stuck on number 4 i right click start then i dont see explore maybe its just me im not sure and i dont know much about computer so maybe you can explain you been a help so far
Report Offensive Follow Up For Removal
Hi Cjmoss94555.
Move the Vundo.fix folder into your (C:) hard drive.
Then when in Safe Mode go to Start - My Computer - Local Disk (C:) and find the Vundo.fix folder.
Safe Mode causes your desktop to revert to a lower resolution and some of your desktop icons will move off the edges of the screen; that is why you can't see it. If you put it in the (C:) drive instead of on the desktop you will be able to track it down.
Take care,
Linda
Report Offensive Follow Up For Removal
i have tried to follow nancyjo's instructions, but i always run into trouble when i try and unregister the file. i get something that pops up and says "cannot register the file" so i just tried going into the trojanfix kill.vundo thing, but whenever i type in the second file name, it says that it doesn't exist! please someone help me..im a college kid who has been suffering with this for a number of days with no progress made! After running other programs attempting to fix the problem, my tool bar/start menu appear different, and they look weird...please help!
amy
Report Offensive Follow Up For Removal
For two days I have tried everything Norton said to and I tried Ad-Aware. I had the same issues with repair tools that everyone is talking about. My virus was under C:\Windows\System32\byxuv.dll I just downloaded the free trial of Spy Sweeper, ran it but it didn't work, ran it in Safe Mode and I am Norton Alert Window free!! Yee-haw! Thank you Spy Sweeper! I'll have sweet dreams tonight!
Report Offensive Follow Up For Removal
Hi there, it's amy again. After spending yet more time trying to fix this, still without success, i figured I'd come back and restate my problems with nancyjo's instructions a little better. When I go to unregister the file, i type everything in as it should be but then when i click enter, i get a pop up saying "Loadlibrary (ssqrq.dll) failed. Access Denied." Since I can't unregister the file, I am guessing that is why i can't get any farther than that. I did check so that all hidden files can be seen, so I don't think that that is the problem. Please, I know it is getting late, but I would really appreciate any help that any of you that had success could offer. I'm planning on taking my computer to the computer support place on campus tomorrow, but I am afraid that they won't be able to fix it. Help please!
Report Offensive Follow Up For Removal
It's GONE!!!! Here's what worked for me. (1) Download the free trial of Spy Sweeper to the desktop. (2) Update this program. (3) Disconnect from the internet. (4) Disable Norton antivirus. (5) Disable system restore. (6) Run Spy Sweeper. (7) Restart the computer. (8) Make sure Norton antivirus is still off and run Spy Sweeper again. (9) Restart. (10) Reconnect to the internet, re-enable Norton antivirus and system restore. SO FAR, no more alert windows. Hope this helps (and thanks to all those above for their ideas) Jerry
gwelliott
Report Offensive Follow Up For Removal
Amy:
1. To be really sure you can see hidden files:
Once you've done the "cd c:\windows\system32", you should be able to list the file using the "dir" command in the cmd window - looks like for you it would be "dir ssqrq.dll". If that successfully shows the file, then the regsvr32 should work.
2. Are you sure you're adding the "/u" as in "regsvr32 ssqrq.dll /u"?
3. Are you running as a user with administrative privileges? Do you have a separate "administrator" account on the computer? I think the procedure will only work if you have admin privileges on the computer.
Report Offensive Follow Up For Removal
Hi Amy,
Make sure that you completed step 4 which is to Show all hidden files (your last post said you did this) AND uncheck Hide Extensions for known file types (your response doesn't mention that you did this).
In step 5 at the Command prompt, be sure to change to the directory where the infected file is located. For example, type: cd C:\WINNT\system32 (this is where my infected file was located). Make sure there's a space between cd and C:\WINNT\system32. Press the Enter key. Then type: regsvr32 filename.dll /u and press the Enter key to unregister the file. Make sure there's a space between regsvr32 and your filename, and a space between filename.dll and /u.
Hope this helps you.
Report Offensive Follow Up For Removal
I am having the exact same problem as Amy in post 108. Getting the same error message when I try to unregister the file.
Report Offensive Follow Up For Removal
Amy - I think CFW above has some good tips. The biggest problem I had was knowing where I was supposed to have spaces and where I wasn't - I especially got hung up on the "cd" right before a line break in the instructions so I tried it both ways. It seems like there were several instances of this type of problem for me and I just had to keep trying different ways. I also got hung up on the one where you reverse the file name. I tried typing it with the asterisk at the end, and with the .dll at the end, and finally stumbled upon the solution when I just put the dot (or period) and nothing else at the end. Good luck!
You might want to print off NancyJo's instructions for the campus tech guy to look over if you take your computer in...it may give him a headstart in sorting it out if he doesn't know anything about it.
Report Offensive Follow Up For Removal
Hi, just to add what I know, I did manage to remove one instance by doing the following:
1 ) Download VundoFix. URL as below:
http://www.atribune.org/downloads/VundoFix.exe.
2 ) Boot into Windows Safe Mode.
3 ) Run VundoFix and unzip to another folder.
4 ) Run that KillVundo.bat
You'll be prompted 2 paths.
the first path is the path of the infected file.
2nd path is the path of the infected file (with the name reversed.)
e.g. infected file is C:\Winnt\System32\byxxv.dll
1st path will be C:\Winnt\System32\byxxv.dll
2nd path will be C:\Winnt\System32\vxxyb.dll
Thanks to the people who contributed especially NancyJo. :)
Report Offensive Follow Up For Removal
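The HijackThis entries quoted earlier in the thread (an O2 BHO line and an O20 Winlogon Notify line pointing at the same DLL) and the reversed-name second path described in the post above can be checked together on a saved log. This is an added example, not code from any poster or from VundoFix or HijackThis; the function names are hypothetical, the sample log is constructed (only the two mljjg.dll lines are copied from the thread), and treating "same DLL in both sections" as the flag is an assumption drawn from those two lines.

```python
import ntpath
import re

# Constructed sample log. The two mljjg.dll lines are the ones quoted in the
# thread; the other two are made-up entries added for contrast.
SAMPLE_LOG = r"""
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\mljjg.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O20 - Winlogon Notify: mljjg - C:\WINDOWS\System32\mljjg.dll
O20 - Winlogon Notify: examplelogon - C:\WINDOWS\System32\examplelogon.dll
"""

# O2  = Browser Helper Object:  "O2 - BHO: <name> - {CLSID} - <path>"
# O20 = Winlogon Notify entry:  "O20 - Winlogon Notify: <name> - <path>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")


def clean_path(path):
    """Drop the '(file missing)' note HijackThis may append to a path."""
    return path.replace("(file missing)", "").strip()


def parse_entries(log_text):
    """Return the O2 and O20 entries of a HijackThis log as dictionaries."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = BHO_RE.match(line)
        if match:
            entries.append({"section": "O2",
                            "name": match["name"],
                            "clsid": match["clsid"],
                            "path": clean_path(match["path"])})
            continue
        match = NOTIFY_RE.match(line)
        if match:
            entries.append({"section": "O20",
                            "name": match["name"],
                            "clsid": None,
                            "path": clean_path(match["path"])})
    return entries


def reversed_companion(path):
    """Second path as described in the thread: same folder and extension,
    file name reversed (byxxv.dll -> vxxyb.dll)."""
    directory, filename = ntpath.split(path)
    stem, ext = ntpath.splitext(filename)
    return ntpath.join(directory, stem[::-1] + ext)


def find_suspects(log_text):
    """Flag DLLs registered both as a BHO and as a Winlogon Notify package."""
    bho, notify = {}, {}
    for entry in parse_entries(log_text):
        key = ntpath.normcase(entry["path"])  # Windows paths: ignore case
        target = bho if entry["section"] == "O2" else notify
        target.setdefault(key, entry)
    suspects = []
    for key, entry in bho.items():
        if key in notify:
            suspects.append({
                "path": entry["path"],
                "clsid": entry["clsid"],
                "notify_name": notify[key]["name"],
                "reversed_companion": reversed_companion(entry["path"]),
            })
    return suspects


if __name__ == "__main__":
    for hit in find_suspects(SAMPLE_LOG):
        print("Review:", hit["path"])
        print("  BHO CLSID:        ", hit["clsid"])
        print("  Winlogon Notify:  ", hit["notify_name"])
        print("  Also look for:    ", hit["reversed_companion"])
```

A hit only means the entry deserves a closer look before anything is fixed or deleted; the CLSID it reports is the value to search the Registry for, as one poster above did by hand.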
I got mine to work!!! Thanks a zillion trace. I just followed the forum and it worked.
Oh and this might be late but...... I know how to get that stupid annoying norton virus pop-up to go away. Well it worked for me. I just opened Task Manager by pressing CTRL+ALT+DEL and then ended the task for norton. But when you do this it turns off auto protect.
Report Offensive Follow Up For Removal
I'm so happy to report.....IT'S GONE. After I tried the other methods, and it was still there I left it for awhile. Later I came back, let Spy Sweeper do its thing again, and it picked up some stuff, and told me it had to reboot to get rid of it. It did that and the virus was gone. Thank goodness. Hey, this morning I had a reply back from symantec NAV. They gave me links and told me how to get rid of it. I think I'll keep it around just in case.
Thanks for everyone's help.
Chris and Wina
Report Offensive Follow Up For Removal
Spy Sweep also worked for me, just as it did for Chris and Wina (reboot and all).
I was all set to try NancyJo's fix next, but figured I'd give Spy Sweep a shot and, thank God, it worked!
This is a pesky virus and I was getting worried that I'd never be rid of it. For the record, the much-acclaimed Spybot freeware software, which is lauded by CNET as very effective, did not resolve this. I will probably purchase Spy Sweep when my 14-day trial expires because I can't afford to have this happen again. I blew an entire weekend trying to get this resolved. And the Symantec tools were NO HELP.
Thanks to all for your tips and assistance. This virus seems to be associated with a hijacking/adware program that leads people to the Win Fixer site. Seems like a new outbreak of a year-old trojan virus which hasn't shown up in months because the virus tools and Microsoft all released patches for it last fall. I've advised Symantec of this, though I doubt anything will result of it.
Again, thanks to all!
Report Offensive Follow Up For Removal
FINALLY GOT RID OF IT! Tried booting safe mode w/command prompt and "removing" the infected file (efcab.dll for me), but it came back with a "error: file is currently in use" rejection. Decided to try SpySweeper: updated its definitions, shut off Norton & System Restore, then disabled internet connections. It found the virtumonde adware and said it needed reboot. So I rebooted but it was still there, so I ran the scan again. Again, it stated that reboot was necessary, but I decided to boot later. My computer FROZE!!!!! I left it for a few minutes hoping "maybe its just taking its time." No luck. So I rebooted and was going to give NancyJo's idea a shot, but... I went to unregister the file, and it wouldn't let me. I said to myself "WHY!?". I followed all instructions, it should work!!!! So I went to manually look for the file again, and POOF, it was gone. Ran Norton to double check, and it says I'm clean. The second scan of SpySweeper that crashed gets my praise for removing the virus. Hope you all liked my story. Good luck =)
Report Offensive Follow Up For Removal
Tonya --
when you start up your machine in safe mode w/networking, does your start button appear in the lower left-hand corner? When I right-click on the start button there is an "Explore" option to select. If this still doesn't work for you, you can also try opening a "My Computer" or "My Documents" window and selecting Tools > Folder Options from there, and that should also work. Let me know!
Report Offensive Follow Up For Removal
Winfixer????
can't seem to rid of the virus. I've tried everything and nancyjos suggestion is too complicated for my pea brain. i keep getting popups for Winfixer, should i install that?
Report Offensive Follow Up For Removal
ok - here's where I'm at... I was able to follow nancyjo's instructions to item 6 and i wasn't able to locate the vundofix file so I exited out. As instructed, I transferred the file to the c drive (I can see it). Since I unregistered the file in my previous try (item 5), do i need to do this process again? or should i just start where I left off at item 6?
Ok, I'm sure it's obvious by now but I'm not a computer genius. I was soooo frustrated yesterday - I haven't tried again. I will try again tonight. Also, winfix showed up on our computer (where the f*** did this come from?).
Thanks in advance for the support. You guys have been great!
Report Offensive Follow Up For Removal
I have been having the same exact problems. I followed the instructions posted by D Trojanator, they didn't work. The virus is still active. It infected file c:\WINDOWS\system32\Geedd.dll on my computer. Same symptoms as everyone else; computer is slow, takes forever to do something and the error message keeps popping up. Please help. If I try to reload the OS would this help? I am willing to do that than to keep trying "fixes" that obviously aren't working. This is soooo frustrating.
Thanks
Linda
Still learning.
Report Offensive Follow Up For Removal
I too had this bug. Mine was in the Windows\system32 folder and called "mlljj.dll". Symantec's removal tool also would not work to remove it and kept saying it could not find it even though the Norton AV program continued to detect it.
I did the fixes posted by Nancyjo while in Safemode. It seems fine now - no more Norton VundoTrojan detects and scan comes back clean. Oh, I never did get the blue screen of death after using VundoFix but had to manually hit the reset button and restart the PC and then manually launch and run the Hijackthis fixes.
Report Offensive Follow Up For Removal
Tonya:
To solve your "Black Screen" problem in Safe Mode:
1) hit CTRL+ALT+DEL
2) select "new Process"
3) type "Explorer.exe"
4) hit "OK"
That should get you to where you need to be.
Report Offensive Follow Up For Removal
Hello all,
I've joined the ranks of vundo/virtumonde victims. I tried to take advantage of Nancyjo's posted instructions, however, when i run vundofix, it never prompts me for the 2nd path... am i just not waiting long enough? I waited 45 mins. Also, can someone help me with step by step instructions on how to move HijackThis from the desktop into C drive? I dunno why I can't seem to accomplish this.:( I feel so stupid. I've wasted 3 days now- going on day 4. Please help anyone??? I need my computer for work and this is killing me! Thanks in advance! -kat
Report Offensive Follow Up For Removal
I got the damn Vundo virus last Wednesday and have been driving myself nuts trying to get rid of it. Thank you so much NANCYJO and COMPUTERPUNK... For the first time in days I was able to boot up without Norton going crazy.
Thank you again.
SweetMelissa
Report Offensive Follow Up For Removal
Thanks to all for your posts. I received it also on the 10/7/05. My file was ssqrpr.dll in the system32 folder. Norton of course was useless. Sophos did have more on their website (updated in March of 05).
I saw the problem start on 10/6/05, before the DLL even appeared on my computer. Evidently according to Norton, Sophos AV, and many other boards full of information it activates on your computer via a link you click on in an email. This installs something that downloads from one of 3 IP addresses which you can block in IE 6 (under the site option).
62.4.84.53
62.4.84.56
62.4.84.41
Which is then also used to send information about your internet activity to the creator. I am guessing that this info is then used to prompt you with ads such as the winfixer.
The reason I spotted it before the DLL even existed is because of a little program called WinPatrol. You might all want to get it (http://www.winpatrol.com). I first found it on a CD included in a pc magazine I get. It is free to use, and basically monitors a ton of changes to your Windows OS. Also, I am in no way tied to this program or its creator. They do ask for donations which gets you access to the Plus descriptions of programs running on your computer. The Plus database is really good with known "required" windows programs and many third party ones as well. I got suspicious when they didn't have anything on the Trojan, and that is what initiated my research.
Good luck to all!
Report Offensive Follow Up For Removal
Solution!
Hi, I got the Trojan.Vundo virus on my computer over the weekend. Ran the Symantec scan, and it detected the virus in the file C:\Windows\system32\pkjmm.dll
However, the Symantec Removal Tool could not detect it.
However, there is a solution that worked totally fine. Here's the link:
http://forums.techguy.org/history/t-404212.html
The solution is to download VundoFix (http://www.atribune.org/downloads/VundoFix.exe), which does away with the virus completely. However, it needs to be executed in a few manual steps along with HijackThis, so please follow the solution on the page.
Hope it helps all of you...
Report Offensive Follow Up For Removal
Hi all,
well i hope some of you are having some luck. this is day 4 of this damn thing. Spysweeper didnt work. Thanks to NancyJo I have rid my other computer of the vundo jkkjk.dll. However i am still having heaps of probs with my puter. I seem to have lost my network settings and cannot connect to the internet with the cleaned machine.
NAV is still saying that autoprotect is off, email scanning is showing error and automatic live update is turned off. Manually turning them on doesnt work.
I also get a System Monitor (main) warning every time i reboot.
The computer is also still a bit slow but certainly not as bad as it was.
I am stumped now, can anyone please please help before i throw the computer over the balcony.
thanx again to NancyJo and everyone out there who has the answers to this plague.
Leesa
Report Offensive Follow Up For Removal
I'm not able to start my computer in safe mode. window comes up asking if i want to restore my system to an earlier point (i think the window disappears so fast i can't read it) and then it's black with some writing on the top. what is going on?
help!
cari
Report Offensive Follow Up For Removal
Hello again,
I finally did it!! Day 4, and it's finally gone! Spysweeper worked for me at last. I think the trick was to run it in safe mode and I ran the diagnostic version. After it completed, I deleted the infected files from the quarantine file, and rebooted back into safe mode. I then ran it again, and it came up clean!! After that, I ran nav in the safe mode, it also came up clean. I rebooted into regular mode, and ran adaware se. I ran another hijackthis log, and the files I thought may be the culprits were gone!! I am back to full system speed, and no nav warning box, no winfix pop up, nada!!! Hope this helps someone else. :)
-kat
Report Offensive Follow Up For Removal
Okay it just gets worse. Vundo is gone but now the computer is completely screwed up. i have no antivirus, no printer, no internet, no network capabilities, no sound, no working usb ports, and the graphics are weird. What on earth has happened to all these things. The computer itself is running fast but I can't get into many of the things on the computer. I followed NancyJo's advice to the letter and when i rebooted this is what i am left with. Please help. By the way Cari, I had the same problem as you with safe mode. When you start up in safe mode and you have a black screen just ctrl+alt+del and the task manager will pop up. Click File - New Task (RUN) and then you can browse to anything on the C drive that you want.
cheers Leesa
Report Offensive Follow Up For Removal
leesa it sounds like i have the same problem as you only i used Spy Sweeper.
HI GUYS. I TRIED THE SPY SWEEPER AND I LET IT SCAN AND EVERYTHING AND IT FOUND SOME FILES INCLUDING THE VIRTUMONDE OR WHATEVER SO IT SAID FOR ME TO REBOOT MY COMPUTER FOR IT TO BE DELETED SO I DID.
so windows restarted and everything and it appears as though the virus is gone. buttttt my windows is really messed up. the taskbar and all the windows are the traditional grey boxes (not the xp style) and in the controlpanel/display menu there isn't even an option for the xp style. My internet connections are gone and when i try to set up a new network or connection it won't let me. when i try to go into the Help and Support menu it says it cannot because a System Service is Not running...whatever that means.
helppppppppppppppp
Report Offensive Follow Up For Removal
I had the virus for 3 days, but I was able to get rid of it using instructions on the Dell forums. It was a bit time consuming, but it worked. After I followed the instructions, I ran Norton again and it still found the virus, but this time it was able to delete it and it is now completely gone. Here is the link to the Dell forum if anyone needs it.
http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=43550
The symantec removal tool and Norton could not get rid of it, I also tried several other methods that I can't even remember now. This is the only thing that worked for me.
Good Luck!!
Report Offensive Follow Up For Removal
jermz823, i ended up doing a system recovery. Turn computer off and then on, at the blue screen press F10 - this will take you to the system recovery program. You want to select non destructive system recovery - it will reinstall your original software without erasing most of the other software and data that you have on the c drive. Follow the prompts and then restart your computer. You will then have to go through setup to relaunch XP. Doing this I have basically taken my computer back to what it was like when i bought it, except I have the extra programs that i have loaded over the years. Warning: i did lose my updated NAV, my networking config, and microsoft outlook. It just means i will need to spend the rest of the night updating the software. At least the machine is stable and bug free.
good luck all
Report Offensive Follow Up For Removal
Response # 48 worked for me! it's a lot easier than most other I've attempted doing and they were just a waste of time. The name of my file name was OPNKI.dll
Thanks Nancyjo!!!!
Report Offensive Follow Up For Removal
Oh, please, could somebody explain to me a bit better the recommendation of nancyjo. I've not been able to understand all the instructions.
Please, help me!!
Please, I've not been able to delete this virus Trojan.Vundo. I need some idea, please!!
Report Offensive Follow Up For Removal
I followed Nancyjo's instructions (response 48) to the letter (along with some help from computerpunk..response 114) and so-far-so-good.
The evil Vundo appears to be gone and my computer is back to normal (knock on wood)
THANK YOU NANCYJO and COMPUTERPUNK!!!!
you guys rock and NAV sucks!!!
Report Offensive Follow Up For Removal
Thank you, thank you Nancyjo!! I managed to get rid of it. At first I had a bit of a problem with number 6 but I did the same thing that Nancyjo did and it worked!!!
THANKS!!!
mearva
Report Offensive Follow Up For Removal
I had it too. HAD is the operative word here. Started with a Winfixer pop up problem and seemed to morph into a Trojan.Vundo problem with the virus warning from Norton(?) that wouldn't go away. One of my dll files was infected the same as everyone else. I have a Spy Sweeper license and worked with Spy Sweeper support to get a solution. They had me load a beta version of Spy Sweeper which appears to have fixed everything. The actual application removed by Spy Sweeper was "Virtumonde".
Report Offensive Follow Up For Removal
I must be the biggest loser, because I can't even find the vundofix.exe file on the atribune.org/downloads page. There is nothing there to double click on. What am I missing? I am trying to follow Nancy Jo's directions since nothing else has worked for me...but I can't even get past number 1...can someone please help me???? Thanks
Report Offensive Follow Up For Removal
OK, same here as far as Vundo infection while prompted for Winfixer dnld. The difference is the file infected on the machine I'm working on is the C:\WINDOWS\system32\geeda.dll. Same results on individual removal tool and NAV (Norton Internet Security product) not running. Same with non-removeable NAV virus alert pop up. But another difference is that there was NO problem until Norton's product was upgraded to 2005 version. Before doing the upgrade, a manual liveupdate was run. No problems indicated. Then the upgrade from Norton's site was done. Again from Norton's site the prompt for Winfixer dnld popped up. Naturally you expect Norton to be a trusted site. So OK on the dnld. From that point on, the system went south and the problems increased until the typically reported slow down of the system as all others reported. Here is my question. Did the virus originate from Norton's site? Or was it possible somehow their site was hijacked and you get to a spoof site that gives you the virus while you think you are still on Norton's secure site?
After two days and near midnight our time I called Symantec's tech support. Talked to some guy in India who could only tell me that they were aware of the "new" virus and were working on a fix for it and an update to liveupdate. He told me to wait 12 hours and check their website for the updates and fix. Now, can I really trust Symantec's site? The usual fixes everyone here tried was tried by me with no luck. So now I sit on my hands until Norton figures out how to fix this virus. Personally I think it is possible that in my case the virus originated from Norton's server. Before update, no problems, live updated as scheduled, and a manual done just in case before the update to 2005 version from Symantec's site. Circumstantial evidence points to their servers getting hit and they could have broadcast to others. Just my humble opinion based on actions before and after the visit to Symantec's site.
BTW never could get their tech support people to give me an idea where this thing came from. So here I sit. Rats!
Report Offensive Follow Up For Removal
I fixed it using the link from NotNormal (THANKS!) and NancyJo's instructions. I am so not the computer type and I have shocked my husband! Thank you thank you! My husband had spent all day Sunday trying to fix it, and couldn't. I insisted last night to let me try before taking it in to Best Buy. Thanks everybody!!
Report Offensive Follow Up For Removal
In browsing a lot of the other boards, a lot of people had their HiJackThis logs posted. One thing in common with all of them, is they were running the ITunes service that is installed with iPod installations. It might be possible that it came through this service. Was there anyone that had this Trojan/Virus, but did not have the iPod software installed? Or does everyone here also run iTunes?
Report Offensive Follow Up For Removal
thank goodness, i just got rid of this crap, i used the spy sweeper program , i put the computer on safe mode, ran spy sweeper and wala, its gone for now. computer running back to normal.
question- after the spy sweeper trial expires in 14 days, should i purchase the program and if i dont will the trojan reappear.
Report Offensive Follow Up For Removal
download the free trial version of webroots SPYSWEEPER program. It works ... i tried it.
Report Offensive Follow Up For Removal
Webroot Spy Sweeper is the ticket and has got the *hit off my machine. These guys will be getting my money after the fully free trial. Nice and I hope the *ick that released this rubbish rots.
Report Offensive Follow Up For Removal
Try the free 14 day trial of Spy Sweeper. I tried everything and this worked!!! I will be purchasing this software for sure!
Report Offensive Follow Up For Removal
I used response #109 and it worked! Thank you! I've been working on this for days!
Report Offensive Follow Up For Removal
Many thanks to the person behind response 109.
Although the trial version of Spy Sweeper had expired on install and I had to pay for the full version for it to work, it was well worth it to be rid of the virus. Cheers & thanks.
Report Offensive Follow Up For Removal
I tried three methods of removing this virus last night - nancyjo's in response 48, Spysweeper, and the removal tool from Symantec's site. Nothing worked!
Nancyjo's worked but when I reboot it then put the virus in another system file, so it seems to duplicate itself upon startup.
Spysweeper detected the file and after I remove it it is still there.
Symantec removal tool says the virus is not resident on this computer.
PLEASE HELP!
Report Offensive Follow Up For Removal
SPYSWEEPER DID IT FOR ME!
I had a buddy at work trying to repair his Vundo virus all week! i made fun of him about it.. til i caught it last night on my laptop!
i too tried the NAV tool and it did not fix!
i then read the thread to try spysweeper.
wonderful!
though, on my first sweep.. it didnt seem to detect the Vundo virus.. and the application had an error when i was removing some adware/spyware i had on my laptop.. once i rebooted, the NVA pop-up disappeared! and hasnt shown up since! i did another sweep and cleaned out all my other adware/spyware and she is running like a dream now! not lagging behind right now..
TRY SPYSWEEPER IF YOU HAVENT YET!!
free trial.. www.spysweeper.com
thanks to those who post on this site!
i thought i was doomed!
Report Offensive Follow Up For Removal
In response to the I-Tunes question, I do use it, but have always turned down updates for the I-Pod option, yet I also have been blessed with this trojan and offers to download Winfixer. I'm going to try the plethora of options now. Wish me luck. Do you think that the people who invent viruses visit computer forums and get all excited they've caused utter havoc for hundreds, if not thousands of folks? I imagine these message boards are like the Hustler magazine of virus inventors. Jerks.
Report Offensive Follow Up For Removal
Follow this link:
http://www.techguylive.com/
This is for all of those (like me) who have limited computer skills. It works guaranteed! But it cost $25 bucks. Worth it if you ask me.
Report Offensive Follow Up For Removal
OK folks, I think I got it.
I have the NAV screen that would not go away telling me I have the Trojan.Vundo.C:\WINDOWS\APPPATCH\LOGINFO.DLL
Was unable to remove until I booted using my XP installation CD, then I chose Repair mode.
This will place you in a command prompt mode and allow you to move to the directory that Norton is screaming about, and delete the file, or files in question.
I am not sure if all of these files were even visible through the GUI, but here is the list of things I deleted:
LOGINFO.DLL
OFNIGOL.BAK1
OFNIGOL.BAK2
OFNIGOL.INI
(Note the backwards filenames...)
After re-boot, Norton did not scream about the virus any more, so I ran Spyware Blaster, Adaware, Bazooka, Spybot S&D, and Norton one more time before rebooting again.
Looks like problem has been eradicated!
Report Offensive Follow Up For Removal
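The backwards-filename pattern noted in the post above (LOGINFO.DLL sitting beside OFNIGOL.BAK1, OFNIGOL.BAK2 and OFNIGOL.INI) can be checked for mechanically. This is an added example, not part of the original thread; the function names and the sample listing are constructed for illustration, and the only pattern assumed is the one that post reports.

```python
import os
from collections import defaultdict

# Companion extensions reported in the post above
# (OFNIGOL.BAK1, OFNIGOL.BAK2, OFNIGOL.INI beside LOGINFO.DLL).
COMPANION_EXTS = {".bak1", ".bak2", ".ini"}

# Constructed sample listing: the four names from the post plus
# unrelated filler entries that must not be flagged.
SAMPLE_LISTING = [
    "LOGINFO.DLL", "OFNIGOL.BAK1", "OFNIGOL.BAK2", "OFNIGOL.INI",
    "AcGenral.dll", "sysmain.sdb", "setup.ini", "setup.dll",
]


def find_reversed_companions(filenames):
    """Return {dll_name: [companion names]} for every DLL in the listing
    whose stem, spelled backwards, is the stem of a .bak1/.bak2/.ini file.

    Matching is case-insensitive, as on a Windows filesystem. A hit is a
    lead for closer inspection, not proof of infection.
    """
    by_stem = defaultdict(list)
    for name in filenames:
        stem, ext = os.path.splitext(name)
        if ext.lower() in COMPANION_EXTS:
            by_stem[stem.lower()].append(name)

    hits = {}
    for name in filenames:
        stem, ext = os.path.splitext(name)
        if ext.lower() != ".dll":
            continue
        mirrored = stem.lower()[::-1]
        if mirrored == stem.lower():
            # A palindromic stem would match its own ordinary
            # config file (abba.dll / abba.ini), so skip it.
            continue
        if mirrored in by_stem:
            hits[name] = sorted(by_stem[mirrored])
    return hits


def scan_directory(path):
    """Apply the check to the regular files directly inside `path`."""
    names = [entry.name for entry in os.scandir(path) if entry.is_file()]
    return find_reversed_companions(names)


if __name__ == "__main__":
    for dll, companions in find_reversed_companions(SAMPLE_LISTING).items():
        print(f"{dll}: reversed-name companions {companions}")
```

As that post says, some of these files may not be visible through the GUI on a running system, so a listing taken from the recovery console or another boot environment is the more reliable input.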
Can anyone comment -
Is this trojan.vundo specific to IE? Wonder if Microsoft's Spyware can block it entering through the ports, provided all of the Internet controls are locked down.
Is it also specific to Internet Explorer? I use Firefox (or an Apple when I'm hypersensitive about viruses.)
Regards.
Report Offensive Follow Up For Removal
Same issues going on here. My computer is new, WINXP, SP2, pentium 4,
HT technology, and I have Norton Internet Security suite installed, and
the vundo removal tool says it is not found on my computer and the AV
software says it is there, and the NAV window box will NOT close for
me, either- even after hitting the ok button a trillion times. My
culprit file is in here:
C:\windows\AppPatch\bakinfo.dll
It will NOT delete no matter what way I try!
I have tried deleting it in safe mode, I have tried spysweeper, which shows 47 items and then shows them deleted and then when I sweep it
again- all 47 are BACK again!
Please, can someone help me? My computer is booting up using 100% CPU,
(not all the time but a lot) and this computer has gigs of memory and
hard drive capacity and never moved beyond 5% until recently when this
VUNDO issue started.
TY in advance for any suggestions.
Andrea Connors
Connors21@cox.net
Report Offensive Follow Up For Removal
Just as an update to my earlier post...
It has been nearly 2 hours and much surfing the net, opening programs etc. since the last re-boot and there are no signs of the issue any longer. It seems that once you remove the offending DLL file using the repair mode of the O/S installation CD, the problem is gone.
Report Offensive Follow Up For Removal
I am having the same issue with my computer it lists it as C:/WINDOWS/Drivers/Intel/logad.dll, same thing as everyone else, mine just showed up this morning and i've tried everything, funny thing is, what it is called has been on the computer since September 2nd.
Report Offensive Follow Up For Removal
Spysweeper worked for me! I wish I could send a big hug along with my $30.
It was detected as adware "virtumonde" and deleted by spysweeper. It did crash and blue screen on me, but deleted the file on the restart.
For me, the problem was:
C://Windows/Drivers/fax.dll
It ate right through a paid Norton subscription, Zonealarm, and Spybot. Pretty nasty.
I also had the "Winfixer" pop up ad mentioned in a previous post.
Best of luck to all of you battling this creation of people with nothing to do. FYI: Norton, if you can detect it, you have to be able to fix it or keep it from running. You lost one subscriber tonight.
Report Offensive Follow Up For Removal
help! i followed #48, nancyjo, and it was going along just fine until i got to the hijackthis part. i did see hijackthis mentioned on the screen, but nothing opened. i tried to reenter a second time (the reverse file name) and i got a fatal error, and system shut down.
i turned off puter and left it as i had to go, but since i didn't get to the hijackthis fix, i am afraid to start up puter again. is it safe to start in safe mode?
crossing fingers here that my computer guru friend gets to return my phone call and save the day
thanks
btw i had the popups, and the winfxr mess also, and slow response.
Report Offensive Follow Up For Removal
in order for spy sweeper to work on some computers, you must first put your computer on safe mode, follow these instructions.
1. first download spy sweeper onto your computer, then restart
2. as soon as your computer starts press F8, on the screen there will be an option to put the computer on safe mode.
2. press safe mode
3. if you get a black screen, please press alt control del at the same time
4. task manager will appear, where it says browse, hit the browse button, then look for spy sweeper, it should be on your desktop. spy sweeper will ask you to convert to a diagnostic spy sweeper, click yes and proceed to scan your computer, it should take less than half an hour
Report Offensive Follow Up For Removal
Ran into this little bugger on a client's computer. I have yet to do anything to try and eliminate it, but I did have an idea that I haven't seen here yet. Use the Win XP system disk to boot up and get to the system restore part where you end up in the DOS mode and try to erase that way. Not sure if it will work but I am going to give it a try Friday evening.
I think Symantec created this little @#$%^(& and all other viruses, that is my conspiracy theory, lol.
Report Offensive Follow Up For Removal
thanks to the folks who recommended this website -- it's the only thing that worked for me. i'm finally Trojan.Vundo-free.
http://forums.techguy.org/t404827&highlight=trojan.vundo.html
Report Offensive Follow Up For Removal
All,
NAV might have developed a solution and released it w/o fanfare. I just updated NAV. I then ran a full scan. Trojan.Vundo was found and quarantined. I deleted the quarantined file and all seems well. I hope this works and saves others the pain y'all have been through. Thanks to all for the education.
Report Offensive Follow Up For Removal
got the virus yesterday and read thru this whole thing to find a soln. i used response 48 and i think it worked. i used spysweeper at first but the virus was still there when i restarted the comp. so i followed the directions on 48 but skipped #3 and #5 and the part where it says to put the name backwards didn't go thru and i didn't have hijackThis. But, when i restarted the computer that darn virus was gone! i ran my stupid norton virus and spysweeper again- and GONE! by the way my file was C:\windows\web\mfcdisk.dll
Good luck to everyone- hope this helps!
Report Offensive Follow Up For Removal
Go to http://www.techguylive.com/
Spy Sweeper didn't work for me.
Go to techguylive.com
It's the best $25 bucks you'll ever pay
to get rid of this nasty Trojan Vundo.
They do it all for you. They log into your
desktop and you watch them go through all
the steps. I tried for hours to do it myself. It took the techguy a little over
an hour to do everything that has to be done but it's well worth the $25.
Good luck everyone!
I'm so glad I found this site.
Maggss
Report Offensive Follow Up For Removal
Thanks to response # 109, I downloaded the trial version of SpySweeper and then followed directions. Happy to report that Trojan.vundo is now GONE! NAV recognized the virus but couldn't fix or quarantine the bugger. And the Symantec 'FixIt' tool wasn't up to the job either. There should be capital punishment for the cowardly a-holes who have nothing better to do than create viruses that harm innocent bystanders.
PaulD
Report Offensive Follow Up For Removal
Many thanks to response #109. After trying Symantec's removal tool which couldn't find the virus that NAV was screaming about, I downloaded the SpySweeper trial version and followed the directions in response #109. Virus gone! As well as some other annoying 'stuff'. Thanks also to everyone who contributed, it was nice to know that I wasn't alone with this problem.
Report Offensive Follow Up For Removal
I followed directions in msg 109 as well. The sweep turned up not only virtumonde, but trojan-downloader-conhook, and close to 100 items and traces not picked up by Norton . Not sure if the trojan virus is related. In any case, the computer appears to running back at normal speed now. Oh, also, when I restarted after running SpySweeper, there was a flash of a blue screen that said 2 dll files had been cleaned out by the program.
I'd like to thank every person who has contributed to this thread. The spirit of cooperation gives me the goosebumps. THANK YOU from turning panic and frustration last night when the symantec patch for it didn't work, to a sigh of relief.
Thanks again.
Report Offensive Follow Up For Removal
Ran process from #49 and managed to crash computer plus forgot to download Hijack This first. On restart, still had NAV alert but new filename associated with Trojan.Vundo.
Ran SpySweeper (14-day free trial); it took 3:18 and on restart it gave me BSOD, but seemed to eradicate the file. To confirm I reran it in Safe Mode and it swept me clean and virus gone.
Spy Sweeper Link:
http://www.webroot.com/consumer?rc=266&ac=653&wt.srch=1&wt.mc_id=653
Thanks and good luck.
Report Offensive Follow Up For Removal
I declared victory over mine tonight, gebyw.dll was the offending file. I used a free program called Process Explorer (http://www.sysinternals.com/Utilities/ProcessExplorer.html) obtained from instructions on McAfee's site.
http://vil.nai.com/vil/content/v_127690.htm.
Known by McAfee simply as the Vundo Virus.
I also downloaded and installed the 30 day free trial version of Kaspersky Anti-Virus personal.
Process Explorer was used to suspend the Explorer.exe, Winlogon.exe and rundll32.exe processes.
Simply right click on each and select suspend.
I could not find the rundll32.exe on mine so I just suspended the other two.
I then ran a full scan using the Kaspersky Anti-Virus. It found the files and after I selected delete on reboot, the screen went blue.
I rebooted (had to press the power button) and it was all gone!!!
McAfee's instructions indicated these errors were to be expected.
Actually a very simple process, compared to some I've read about.
Read McAfee's instructions, it is by far the most simple instructions I've read on removing this $%^&* thing.
Process Explorer along with a good virus program will defeat it.
Report Offensive Follow Up For Removal
I have experienced most of what everyone is reporting and my file was iifef.dll.
Followed #109 as the latest responses have reported. Had to run spy sweeper three times with a reboot between each- the first what a powerdown to continue what appeared to be a locked spy sweeper application. Briefly saw the blue screen of death at first and the second run found virtumondo.exe again.
The third run has not found it, only cookies and no more NAV alerts.
Thank you all for sharing your troubles and your successes.
kat
Report Offensive Follow Up For Removal
I also have this trojan.vundo virus, and the warning screen from norton that won't go away. I don't know how to find out the specific name of the infected file. I have tried downloading the "tools" from Symantec to get rid of this virus and they didn't work. How do you find the name of the specific file(s) that are infected?
Report Offensive Follow Up For Removal
I just got rid of the vundo virus. I used spysweeper, as suggested, while system restore was turned off. Then the "fatal blue screen" appeared after I said I wanted to restart my computer. However, all I had to do was turn off the computer with the power button for a few minutes, then turn it back on again, and all is well again.
Report Offensive Follow Up For Removal
I am curious if there is anyone who was running any other antivirus program besides Norton that was infected with this trojan?
It appears to me, that all of us who were infected are using Norton. To be specific, I am using:
Norton Internet Security 2005
Really curious if anyone using Trend Micro or Kaspersky Lab's antivirus programs were breached like Norton's was.
Thanks,
Nick
Report Offensive Follow Up For Removal
My son's computer was running Norton 2004 and still got it. The program Norton has to remove it did not work. McAfee's instructions found by searching for "Vundo" in the virus section, were very simple and they did work to remove it. Norton is coming off all my computers. The 30 day trial version of Kaspersky also found two other viruses that Norton did not find.
Report Offensive Follow Up For Removal
I used the latest release of spysweeper 4.5 to remove the virus. I had their earlier versions but they didn't do the trick. Run the sweep a second time after restarting the computer first since you may get the same norton message after the first one. Live Update version as of 10/12 doesn't get rid of the virus. Symantec really sucked on taking care of its customers on this one. Thanks all for recommendations and suggestions.
Report Offensive Follow Up For Removal
Better late than never.
Trojan.Vundo Removal Tool
Last Updated on: October 17, 2005 09:09:45 AM PDT
Report Offensive Follow Up For Removal
I am so glad I found this website! I contacted NAV tech support last night and was told to call their tech support (which would have cost approx 40 - 70 USD). Thankfully I found this website BEFORE I called them. I tried NancyJo's fix - but got stuck on #6. Then I did the SpySweeper - I have no more virus (yet, anyway). Thanks.
Report Offensive Follow Up For Removal
SpySweeper finally removed mine. Nothing else worked. The virus was attached to an email sent by my brother, except that my brother did not send the email. Sneaky!!!
Report Offensive Follow Up For Removal
YAY...spy sweeper worked for me!! the symantec patch wouldn't load and i was at wits end until i found this place. i figured i would try spy sweeper first as it looked to be the easiest. 2 regular mode scans and 1 safe mode scan and i am fresh and clean. it also found the trojan mentioned in a previous post that norton, spybot and ad aware overlooked. i am so happy i bought the full subscription and will use all my tools!!!
Report Offensive Follow Up For Removal

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.