
Trojan.Vundo.B Removal Failed


Original Message
Name: llcamino
Date: April 28, 2005 at 16:13:47 Pacific
Subject: Trojan.Vundo.B Removal Failed
OS: XP
CPU/Ram: P4 512
Comment:

When running Norton Virus Real Time Protection, I get a message saying that a virus Trojan.Vundo.B has been found and that it cannot be cleaned or quarantined. It goes on to find well over 200 files. I haven't let it run all the way through, maybe this is the problem.

When I downloaded Trojan Vundo Removal Tool from Symantec, it runs and says it does not find a Trojan Vundo virus on the system. I have even disabled System Restore and run this file from Safe Mode.

So basically the Symantec file scan finds it, but the removal tool does not.

Do I need to let the virus scan run COMPLETELY? Or is there some other solution?

Thanks


Response Number 1
Name: cuffylad
Date: April 29, 2005 at 04:14:01 Pacific
Reply:

Hi
I also have the same problem, I have been looking all day at various sites and no one seems to have an answer for this! I do hope I'm wrong and someone can help as it seems a lot of people are having the same problem with this virus! (Please Help)
James


Response Number 2
Name: bofra
Date: April 29, 2005 at 06:32:37 Pacific
Reply:

with system restore off, start up in safe mode:
empty temp folder,

Using Regedit, search for or navigate to and delete the following subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\[Trojan file name]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}

scan again for files also do adaware scan,
try also toolbarcop and search for BHO plugins related and remove...:)



Response Number 3
Name: lindaO
Date: April 29, 2005 at 08:51:38 Pacific
Reply:

HELP we have also had the same problem since last night, we have now managed to delete most of the places this thing has put itself , however we are unable to delete it from the processor winlogin.exe and explorer.exe

Windows>msagent>chars>ADTASK.DLL
there are config files which are reversed names (i.e: ksatda.ini) and also backup files
Any help would be very very much appreciated


Response Number 4
Name: MattO
Date: April 29, 2005 at 12:49:27 Pacific
Reply:

Download Process Explorer, this will show you a list of all your processes running, once
open, open the "Search .dll" and type in the name of the virus (ours was called adtask.dll)
this will show you which processes are using the file (In our case explorer.exe and winlogin.exe)

Once you have completed this open a new text document using Notepad,

Type in the following:

del "C:\Location of the .dll"
pause

Then save the file as delete.txt, rename the ext to .bat and place in your startup folder (Start>All programs>Startup> then right click and explore).

Place the file in this folder and restart your computer, on restart the .bat file will run and delete the file before the process starts.

Afterwards, delete the keys out of your registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\[Trojan file name]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}

This should hopefully delete the file.
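
Added example (not part of the original posts): the three keys listed in Responses 2 and 4 tie one DLL to two loaders, a Winlogon\Notify subkey that makes winlogon.exe load it and a Browser Helper Object CLSID that makes explorer.exe load it. This Python sketch reads saved `reg query <key> /s` output and reports DLLs registered under both mechanisms; the sample text is constructed from names quoted in this thread, and its layout (value name, type, data separated by tabs or runs of spaces) is an assumption about the reg.exe version in use.

```python
import ntpath
import re

# Constructed sample: layout of `reg query ... /s` output, names taken from the thread.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    DllName    REG_EXPAND_SZ    crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\adtask
    DllName    REG_SZ    C:\WINDOWS\msagent\chars\ADTASK.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}\InprocServer32
    (Default)    REG_SZ    C:\WINDOWS\msagent\chars\ADTASK.DLL
"""

NOTIFY = "\\WINLOGON\\NOTIFY\\"
BHO = "\\BROWSER HELPER OBJECTS\\"
CLSID_ROOT = "HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES\\CLSID\\"

def parse_reg_query(text):
    """Return {KEY PATH (upper-cased): {value name (lower-cased): data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip().upper()
            keys[current] = {}
        elif line.strip() and current is not None:
            # name, type, data; maxsplit keeps spaces inside the data field
            parts = re.split(r"\t+| {2,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                keys[current][parts[0].lower()] = parts[2]
    return keys

def autoload_dlls(keys):
    """Map DLL basename -> set of mechanisms that load it at logon."""
    found = {}
    for key, values in keys.items():
        if NOTIFY in key and "dllname" in values:
            dll, how = values["dllname"], "winlogon-notify"
        elif BHO in key:
            # The BHO key only names a CLSID; the DLL path is the default
            # value of that CLSID's InprocServer32 subkey.
            clsid = key.rsplit("\\", 1)[1]
            server = keys.get(CLSID_ROOT + clsid + "\\INPROCSERVER32", {})
            dll, how = server.get("(default)"), "bho"
            if dll is None:
                continue
        else:
            continue
        found.setdefault(ntpath.basename(dll).lower(), set()).add(how)
    return found

def loaded_by_both(keys):
    """DLLs registered as both a Notify package and a BHO, as in this thread."""
    both = {"winlogon-notify", "bho"}
    return sorted(d for d, how in autoload_dlls(keys).items() if how == both)

if __name__ == "__main__":
    print(loaded_by_both(parse_reg_query(SAMPLE)))
```

A DLL that shows up under both mechanisms is the file name to look for in Process Explorer and the one whose Notify subkey and CLSID entries need removing.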


Response Number 5
Name: seanor
Date: April 30, 2005 at 03:19:58 Pacific
Reply:

Tried all the above and it does not find the .dll to delete at start up...

Could Not Find C:\WINDOWS\Help\vgasys.dll

Any other suggestions to get rid of this virus? It is the Trojan.Vundo.B.

Mine is attached as well to the winlogin.exe and explorer.exe.

HELP!!!



Response Number 6
Name: bonesbart
Date: April 30, 2005 at 06:34:17 Pacific
Reply:

go to symantec website they have a removal tool available


Response Number 7
Name: bonesbart
Date: April 30, 2005 at 07:08:38 Pacific
Reply:

u have to run the tool in safe mode if u dont it wont work


Response Number 8
Name: MattO
Date: April 30, 2005 at 09:41:57 Pacific
Reply:

Safe mode will not work as winlogin.exe is a critical process and still needs to be run in safe mode.


Response Number 9
Name: llcamino
Date: April 30, 2005 at 12:54:48 Pacific
Reply:

Yes, as I stated, the Symantec Removal Tool does not work, yet it continues to find the virus in Real Time Protection...very annoying.

I think I saw on Symantec's site that they only found this virus on April 27, when I found it on my system.

Do you think we will just need to wait for Symantec to get on the ball with this?

If I reinstall Windows will it be gone?? I'm about ready to do that. It's a lot faster and easier than some of the other solutions that don't seem to be working.


Response Number 10
Name: bonesbart
Date: April 30, 2005 at 13:36:07 Pacific
Reply:

it worked 4 me i ran safe mode from start - run - msconfig it restarted then i ran tool and it was gone


Response Number 11
Name: llcamino
Date: April 30, 2005 at 18:48:51 Pacific
Reply:

When I go to start-run-msconfig, what option do I choose for restart?

Do I run safe mode, then start-run-msconfig?


Response Number 12
Name: bonesbart
Date: May 1, 2005 at 01:02:13 Pacific
Reply:

when in msconfig go to- boot.ini -check safeboot option apply it then ok it then it will give you the option to restart click yes,it will reboot in safe then just run the removal tool,it will then get u to restart machine to finally remove it,once restarted go to msconfig uncheck safeboot and restart


Response Number 13
Name: llcamino
Date: May 1, 2005 at 13:22:34 Pacific
Reply:

I did exactly that and it said that the Trojan.Vundo removal tool said that it could not find the virus anywhere.

Any other suggestions?


Response Number 14
Name: bonesbart
Date: May 1, 2005 at 13:32:04 Pacific
Reply:

make sure u got right removal tool u say trojan.vundo it is trojan.vundo.b removal tool hope u got right 1


Response Number 15
Name: llcamino
Date: May 1, 2005 at 14:05:03 Pacific
Reply:


Thanks....I just checked right after I posted and found that Symantec finally put up a Trojan Vundo B tool. I guess I got the virus about the same time it was found by them, so they didn't have the tool out yet.

Ran in safe mode, everything's fine now...Thanks again for your help.


Response Number 16
Name: Squizz
Date: May 1, 2005 at 21:59:32 Pacific
Reply:

I also have this problem with the Trojan.Vundo.B virus.

I have followed through everyone's instructions for removing this but alas... still no joy.

I have got the correct Norton removal tool for this virus and have run it in safe mode as suggested. The tool says it will delete the offending file (C:\WINDOWS\Registration\odbcwave.dll) upon next reboot, when I reboot, the file is still there as it is always in use. It is being used by Winlogon.exe and Explorer.exe

When I suspend explorer.exe using process explorer I am unable to perform any more actions as obviously explorer.exe is suspended. Catch 22 unfortunately.

So I am unable to stop anything using this file to delete it. Please help!!!

Many Thanks
Paul


Response Number 17
Name: bonesbart
Date: May 2, 2005 at 02:51:46 Pacific
Reply:

i was disconnected from internet when i done mine try that and is it rebooting back into safe mode,sorry i am bit of a novice in this i got some of my info from majorgeeks.com try there,have you any anti virus software on your computer,you could always try and send them an e-mail if all else fails


Response Number 18
Name: langzhu
Date: May 3, 2005 at 04:17:24 Pacific
Reply:

To use the Symantec Trojan.Vundo.B removal tool you have to disable Norton auto-protect so that no warning shows on your desktop. Run the removal tool now and restart the PC. Run the removal tool again and hopefully it would be clean.

Before I disabled the auto-protect, the virus remained where it was on restart. So I thought it might be somehow linked to the Norton software which stopped you deleting the infected files. So I disabled the Norton and it worked.


Response Number 19
Name: chaosia
Date: May 3, 2005 at 04:47:43 Pacific
Reply:

just wanted to say i had tried all above and none worked but i now have it removed - used two things at once - process explorer and updated removal tool. Also turn off system restore and make sure you're not connected to the internet or a network.
open the tool but do not press start, then suspend explorer.exe and winlogon.exe. Now press start on the tool. Once found you have to cut the power as computer will not restart with winlogon.exe suspended.
turn on the comp again and run tool again to make sure it's gone.
Re-enable system restore


Response Number 20
Name: Squizz
Date: May 3, 2005 at 05:44:38 Pacific
Reply:

Thank you all for your input and help, very much appreciated.

I have managed to clean the Trojan from my computer by doing the following.

I booted my pc using the XP Home edition cd, entered into the recovery console, cd C:\WINDOWS\Registration and removed the offending file, in my case "odbcwave.dll". I then restarted my pc and ran another scan which was clean.

I went back to the symantec website and noticed that they had updated their removal tool. I downloaded this and ran it just to be safe and it found the Trojan again (My guess was it found the registry entries which still needed to be removed). The tool cleared all this up for me. Hey presto, clean machine!!!

Good luck to the rest of you who are suffering with this problem. I hope it works for you also. ;-)


Response Number 21
Name: Tom TNT
Date: May 3, 2005 at 09:16:31 Pacific
Reply:

Hey Chaps- just found this site whilst searching for a solution to possibly the most irritating computer problem I have ever had! I spent hours and hours trying to get rid of this blasted virus, using various techniques described here and no joy. Still, I will try again tonight with the tips here so fingers crossed!
I really don't want to run a system restore. Anyone know exactly how dangerous this is, or what it is doing? So far I have noticed no side effects at all.
Cheers!
Tom


Response Number 22
Name: vincelee40
Date: May 3, 2005 at 15:03:02 Pacific
Reply:

I would just like to thank the person responsible for "response 18".
I tried to remove the trojan.vundo.b many times with the Symantec removal tool with no success, however by the disable of norton auto-protect it was gone, thanks again!


Response Number 23
Name: Barnaby
Date: May 4, 2005 at 13:29:58 Pacific
Reply:

I found all the tips here useful, and had to:
- unplug the internet cable
- turn off the norton auto-protect
- run in safe mode
- turn off system restore
- run the removal tool
- remember to turn system restore on again

I did this several times, because I usually forgot something.

So far it is now clean though!

Thanks


Response Number 24
Name: Eve
Date: May 5, 2005 at 17:03:56 Pacific
Reply:

i have been trying to get rid of this since yesterday morning. i have done everything everyone says to do and the minute i turn norton back on its there again. the only thing i haven't done is suspend winlogon.exe and explorer exe. how do i do that. i need step by step please


Response Number 25
Name: vickychip
Date: May 7, 2005 at 14:45:55 Pacific
Reply:

Please could somebody help me i myself have got the virus Trojan.Vundo.B and can't get rid of it, i have norton antivirus 2005 and i also downloaded the tool remover from them i have started my computer in safe mode and done what it said but it still hasn't gone. it does find it and says 1 has been deleted and when i reboot the computer the other one will go but it don't, also i do turn system restore off but it still don't work, could somebody please help and also try to explain what to do step by step as i am not too clued up on computers. This virus is starting to affect the computer! Thank you....

VD


Response Number 26
Name: squizz
Date: May 11, 2005 at 03:36:15 Pacific
Reply:

Did you disable norton auto protect before you ran the removal tool?

If not, then you will need to do that.

Here is how to do it:-

In the bottom right hand of your screen, next to the clock, you have lots of little icons, right click on the Norton one and select "Disable Auto Protect".

Run the removal tool again and it should work.

Good luck Vicky!!


Response Number 27
Name: Martyn UK
Date: May 12, 2005 at 09:56:49 Pacific
Reply:

Please can anyone help me with this problem?

My PC is infected with the trojan.vundo.b virus.

Norton Antivirus 2005 displays this message which won't leave my screen:

Object name C:\windows\msagent\chars\webbas.dll
Virus name trojan.vundo.b
Action taken Unable to repair this file.

I have tried all of the above, including Symantec's fixvundo program running in safe mode with System Restore turned off but to no avail.

As you can see webbas.dll is the trojan but nothing I have tried seems to work.

Please help,


Martyn


Martyn Valentine


Response Number 28
Name: aliddell
Date: May 17, 2005 at 02:47:05 Pacific
Reply:

My problem is getting into safemode. I get into safemode, get my Win XP login page, login, then my desktop icons flash up and then disappear. I am left with a black screen with "safe mode" in each corner


Response Number 29
Name: polansky2005
Date: January 1, 2006 at 20:38:35 Pacific
Reply:

* I FOUND THIS ON ANOTHER FORUM *

download VirtumundoBeGone from:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

* Save it to your Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the desktop
* Follow the directions as indicated

please be advised that this program will generate a "BLUE SCREEN OF DEATH"... this is an expected/necessary part of the process, so don't be surprised when it happens.

just reboot if your system "jams"
*********************

it's now time to report back to us: VirtumundoBeGone generated a "log" file of its own, which it should have placed on your Desktop... please REPLY to this thread, and copy/paste the VirtumundoBeGone log back here.


* VirtumundoBeGone worked flawlessly and took only seconds plus a reboot. I was amazed because none of Symantec's suggestions helped remove the trojan.vundo virus on my computer. Good luck! *


Response Number 30
Name: polansky2005
Date: January 1, 2006 at 20:41:17 Pacific
Reply:

* This was the log created after the removal of the trojan if you are interested. *

[01/01/2006, 23:15:40] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Paul\Desktop\VirtumundoBeGone.exe" )
[01/01/2006, 23:15:44] - Detected System Information:
[01/01/2006, 23:15:44] - Windows Version: 5.1.2600, Service Pack 2
[01/01/2006, 23:15:44] - Current Username: Paul (Admin)
[01/01/2006, 23:15:44] - Windows is in NORMAL mode.
[01/01/2006, 23:15:44] - Searching for Browser Helper Objects:
[01/01/2006, 23:15:44] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/01/2006, 23:15:44] - BHO 2: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[01/01/2006, 23:15:44] - BHO 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/01/2006, 23:15:44] - BHO 4: {B313D637-F405-4052-AC37-E2119AB3C8F8} (MSEvents Object)
[01/01/2006, 23:15:44] - ALERT: Found MSEvents Object!
[01/01/2006, 23:15:44] - BHO 5: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[01/01/2006, 23:15:44] - Finished Searching Browser Helper Objects
[01/01/2006, 23:15:44] - *** Detected MSEvents Object
[01/01/2006, 23:15:44] - Trying to remove MSEvents Object...
[01/01/2006, 23:15:45] - Terminating Process: IEXPLORE.EXE
[01/01/2006, 23:15:45] - Terminating Process: RUNDLL32.EXE
[01/01/2006, 23:15:45] - Disabling Automatic Shell Restart
[01/01/2006, 23:15:45] - Terminating Process: EXPLORER.EXE
[01/01/2006, 23:15:45] - Suspending the NT Session Manager System Service
[01/01/2006, 23:15:46] - Terminating Windows NT Logon/Logoff Manager
[01/01/2006, 23:15:46] - Re-enabling Automatic Shell Restart
[01/01/2006, 23:15:46] - File to disable: C:\WINDOWS\system32\awtsq.dll
[01/01/2006, 23:15:46] - Renaming C:\WINDOWS\system32\awtsq.dll -> C:\WINDOWS\system32\awtsq.dll.vir
[01/01/2006, 23:15:46] - File successfully renamed!
[01/01/2006, 23:15:46] - Removing HKLM\...\Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8}
[01/01/2006, 23:15:46] - Removing HKCR\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}
[01/01/2006, 23:15:46] - Adding Kill Bit for ActiveX for GUID: {B313D637-F405-4052-AC37-E2119AB3C8F8}
[01/01/2006, 23:15:46] - Deleting ATLEvents/MSEvents Registry entries
[01/01/2006, 23:15:46] - Removing HKLM\...\Winlogon\Notify\awtsq
[01/01/2006, 23:15:46] - Searching for Browser Helper Objects:
[01/01/2006, 23:15:46] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/01/2006, 23:15:46] - BHO 2: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[01/01/2006, 23:15:46] - BHO 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/01/2006, 23:15:46] - BHO 4: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[01/01/2006, 23:15:46] - Finished Searching Browser Helper Objects
[01/01/2006, 23:15:46] - Finishing up...
[01/01/2006, 23:15:46] - A restart is needed.
[01/01/2006, 23:15:53] - Attempting to Restart via STOP error (Blue Screen!)
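
Added example (not part of the original post, and not VirtumundoBeGone's own code): a Python check that reads a log in the format shown above and confirms the cleanup from the log's own evidence. It compares the first and last Browser Helper Object scans, matches each vanished CLSID to a `Removing ...` line, and checks that the renamed DLL's Winlogon\Notify subkey was removed too. The embedded sample is a trimmed excerpt of the log above.

```python
import ntpath
import re

# Excerpt of the VirtumundoBeGone v1.5 log from the post above, trimmed to the
# lines this check reads (two BHO scans, one rename, three registry removals).
SAMPLE_LOG = r"""
[01/01/2006, 23:15:44] - Searching for Browser Helper Objects:
[01/01/2006, 23:15:44] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/01/2006, 23:15:44] - BHO 2: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[01/01/2006, 23:15:44] - BHO 4: {B313D637-F405-4052-AC37-E2119AB3C8F8} (MSEvents Object)
[01/01/2006, 23:15:46] - Renaming C:\WINDOWS\system32\awtsq.dll -> C:\WINDOWS\system32\awtsq.dll.vir
[01/01/2006, 23:15:46] - Removing HKLM\...\Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8}
[01/01/2006, 23:15:46] - Removing HKCR\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}
[01/01/2006, 23:15:46] - Removing HKLM\...\Winlogon\Notify\awtsq
[01/01/2006, 23:15:46] - Searching for Browser Helper Objects:
[01/01/2006, 23:15:46] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/01/2006, 23:15:46] - BHO 2: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
"""

LINE = re.compile(r"^\[[^\]]+\] - (.*)$")
BHO = re.compile(r"^BHO \d+: (\{[0-9A-Fa-f-]{36}\}) \((.*)\)$")
RENAME = re.compile(r"^Renaming (.+?) -> (.+)$")
REMOVE = re.compile(r"^Removing (.+)$")

def parse_log(text):
    """Return (BHO scans as CLSID->name dicts, renamed files, removed keys)."""
    scans, renamed, removed = [], [], []
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        msg = line.group(1).strip()
        bho, ren, rem = BHO.match(msg), RENAME.match(msg), REMOVE.match(msg)
        if msg.startswith("Searching for Browser Helper Objects"):
            scans.append({})          # each 'Searching' line starts a new scan
        elif bho and scans:
            scans[-1][bho.group(1).upper()] = bho.group(2)
        elif ren:
            renamed.append((ren.group(1), ren.group(2)))
        elif rem:
            removed.append(rem.group(1))
    return scans, renamed, removed

def verify_cleanup(text):
    """Compare the first and last BHO scans and cross-check the removal lines."""
    scans, renamed, removed = parse_log(text)
    if len(scans) < 2:
        raise ValueError("no post-removal BHO scan in log; cleanup unconfirmed")
    before, after = scans[0], scans[-1]
    gone = {c: n for c, n in before.items() if c not in after}
    keys = [k.upper() for k in removed]
    return {
        "removed_bhos": gone,
        # BHOs that vanished without a matching 'Removing ...' registry line
        "unexplained": [c for c in gone if not any(c in k for k in keys)],
        "new_bhos": {c: n for c, n in after.items() if c not in before},
        "renamed": renamed,
        # renamed DLLs whose Notify subkey (named after the DLL) was not removed
        "notify_left": [src for src, _ in renamed
                        if not any(k.endswith("\\NOTIFY\\" + ntpath.splitext(
                            ntpath.basename(src))[0].upper()) for k in keys)],
    }

if __name__ == "__main__":
    print(verify_cleanup(SAMPLE_LOG))
```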


Response Number 31
Name: Gregat
Date: January 7, 2006 at 07:24:54 Pacific
Reply:

Please could somebody help me i myself have got the virus Trojan.Vundo.B and can't get rid of it, i have norton antivirus 2005 and i also downloaded the tool remover from them i have started my computer in safe mode and done what it said but it still hasn't gone. I have done everything everyone says to do and the minute, and i disabled Norton Antivirus auto protect, when norton turn back on it's there again, also i do turn system restore off but it still don't work, could somebody please help and also try to explain what to do step by step as i am not too clued up on computers.

Thanks to everybody.

Let's talk


Response Number 32
Name: pmgerstner
Date: January 8, 2006 at 13:08:31 Pacific
Reply:

Here is the Quickest Fix that is free...I have Windows XP Pro and am using Norton A/V 2003 to detect the virus and removal failed. Fixvundo file from Norton failed. My 2 minute remedy to get it removed was locating the file that was infected (C:\windows\system32\wvuvw.dll)...
I then used a Windows ME bootdisk; I am sure any OS boot disk that boots to DOS will work.. I then at the DOS prompt typed in (DEL C:\windows\system32\wvuvw.dll) and rebooted the machine. Norton no longer detected the virus. I then used www.spywaresguide.com (Free scan to check my system); a registry key was found and the scan removed it. I ran Norton Anti-virus again and the system was clean....

