How To Remove: Vundo / Winfixer / Msevents "Self Help"
LDTate
post Feb 7 2006, 06:33 PM
Post #1


Guide Lines by D-Trojanator

Hello and welcome to the WhatTheTech Forum.

For use on Windows 2000 / XP systems ONLY!!


Use at your own risk: WhatTheTech forum does not take responsibility for any outcome of following these directions. Every computer is different, so we cannot guarantee the outcome. If you are apprehensive, please post a log from HijackThis in the designated forum and let us take a look and guide you to a clean system.



Self Help Removing: Winfixer / Msevents


Keep in mind this infection can be accompanied by other infections as well. We strongly suggest you register after running this fix and posting a HijackThis log for one of the pros to check over.

Note: The entries shown below may have different file names. You will, though, have an O2 entry that may contain the word "MSEvents", "ATLDistrib Object" or "ADOUsefulNet Object", and an O20 entry that has the same file name.


Samples:

Newer Vundo infections can also look like this, with a matching O2 / O20:

O2 - BHO: (no name) - {FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F} - C:\WINDOWS\system32\ljjiifd.dll
O20 - Winlogon Notify: ljjiifd - C:\WINDOWS\SYSTEM32\ljjiifd.dll

Another new one is NO O2s and NO O20s.

In this case, rename HijackThis.exe.

Open the HijackThis Folder. Find the file HijackThis.exe, Right Click on the file and Select Rename. Rename Hijackthis.exe to Spyware.exe.

O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\mllmk.dll
O20 - Winlogon Notify : mllmk - C:\WINDOWS\system32\mllmk.dll

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\efeby.dll
O20 - Winlogon Notify: efeby - C:\WINDOWS\system32\efeby.dll

O2 - BHO: ADOUsefulNet Object - {22E85F2A-4A67-4835-B2C3-C575FE4EC322} - C:\WINDOWS\system32\pmnnk.dll
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll


Download HijackThis:
Follow the posted instructions:

1. Please print out these instructions as they will be needed later when Internet access is not available.

2. Save these instructions in Word or Notepad to the desktop.

Open the folder where you saved HijackThis. Double-click HijackThis.exe. Do a system scan and save a log file.
Print the log file out.

Locate the infected O2 and O20 listings in the log to be sure you have this infection.



Please download VundoFix.exe by Atribune, to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please register HERE

Please do not post your logs in someone else's thread. Start a new thread by clicking on New Topic.

The "Topic Title" should contain the name of the infection that you are having a problem with.

Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Tell us if you're having any problems, and please be specific. Let us know what you've already done to fix it.

This post has been edited by LDTate: Aug 27 2007, 03:00 PM
LDTate
post Jun 15 2007, 05:43 PM
Post #2


After Vundo is removed, delete the C:\VundoFix Backups folder, since it contains the backups of the malware-related files that were deleted.
LDTate
post Jul 15 2007, 09:49 AM
Post #3


Newer Vundo infections can also look like this, with a matching O2 / O20:

O2 - BHO: (no name) - {FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F} - C:\WINDOWS\system32\ljjiifd.dll

O20 - Winlogon Notify: ljjiifd - C:\WINDOWS\SYSTEM32\ljjiifd.dll


Another one is NO O2s and NO O20s.

In this case, rename HijackThis.exe.
Example:
Open the HijackThis Folder. Find the file HijackThis.exe, Right Click on the file and Select Rename. Rename Hijackthis.exe to Spyware.exe.
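
The matching O2 / O20 check described in the guide and repeated in the post above, as an added example that is not part of the original posts: it scans HijackThis log text for a DLL that appears both as a BHO (O2) and as a Winlogon Notify entry (O20). The function names are assumptions, and the sample log is constructed from four lines quoted in this thread plus two invented benign-looking lines.

```python
import ntpath
import re

# "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# "O20 - Winlogon Notify: <key> - <dll path>" (a space before the colon is tolerated)
O20_RE = re.compile(r"^O20 - Winlogon Notify\s*: (?P<key>.*?) - (?P<path>.+)$")

# Constructed sample: four lines copied from the guide, two benign-looking
# lines (Example Helper, examplenotify) invented for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F} - C:\WINDOWS\system32\ljjiifd.dll
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\mllmk.dll
O20 - Winlogon Notify: examplenotify - C:\WINDOWS\system32\examplenotify.dll
O20 - Winlogon Notify: ljjiifd - C:\WINDOWS\SYSTEM32\ljjiifd.dll
O20 - Winlogon Notify : mllmk - C:\WINDOWS\system32\mllmk.dll
"""

def dll_name(path):
    """Lower-cased file name of a Windows path, so SYSTEM32 and system32 compare equal."""
    return ntpath.basename(path.strip()).lower()

def find_o2_o20_pairs(log_text):
    """Return one finding per DLL listed both as a BHO (O2) and as a Winlogon Notify (O20)."""
    bhos, notifies = {}, {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos[dll_name(m["path"])] = m
            continue
        m = O20_RE.match(line)
        if m:
            notifies[dll_name(m["path"])] = m
    return [
        {"dll": dll, "bho_name": bhos[dll]["name"], "clsid": bhos[dll]["clsid"],
         "notify_key": notifies[dll]["key"]}
        for dll in sorted(bhos.keys() & notifies.keys())
    ]

if __name__ == "__main__":
    for finding in find_o2_o20_pairs(SAMPLE_LOG):
        print("matching O2/O20 pair:", finding)
```

An empty result does not rule the infection out: as the thread notes, some variants show no O2 or O20 entries until HijackThis.exe is renamed.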
LDTate
post Sep 1 2007, 08:01 AM
Post #4


This topic has been left open to allow specific questions and comments related ONLY to this guide.

It's NOT for posting HJT logs, links to your logs, or any other general malware help. Replies not following these rules will be deleted. Thanks for your cooperation.