kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Everybody Lies
-Dr. House

jasimp commented: Great show, awesome doctor +6
kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

If you use my own method (posted 3-Sep-07) and reachable by searching on the mis-spelt term "Virtunonde", it's all detailed step by step.

The other method, the one used by Crunchie in this forum, is well documented if you just follow one of the threads. I'd much rather you did the work; your HJT files are abnormally long and unless there's another knight on the forum prepared to give the time, you should do this yourself - coming back to us where you might have a point of clarification, of course.

I'll take a crack at it if you don't mind.

OK, here's the process of getting rid of virtumondo via vundofix.

Please download VundoFix.exe to your desktop.

* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt.

Also after running …

Suspishio commented: The virtue of patience or the antidote to boredom! +2
kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Nice Find! Now Combofix is working again so I'd like you to run it just to make sure everything is gone. Just to let you know it restarts your computer so don't freak out.

Please download Combofix.exe from here to your desktop. Double click it to run it, and when prompted type 1 and enter. Now DO NOT touch the mouse or keyboard until the scan is done completely. It should finish shortly after it restarts the computer. After it's done it will open up notepad; copy and paste the contents here in your next post.

Combofix and Deckard's system scanner are similar, but combofix deletes problem files automatically and dss does not. It also has the ability to delete files.

Also you have entries in your hosts file that were created by this trojan, so you should use hjt to fix that. To do this run hjt and select "open misc tools section" and then click on "Open hosts file manager".
Now select the bogus entries by clicking on them and then click delete line. (The ones you should delete will be pretty obvious...if you've never seen the site that's listed, delete the line.)

Thalnax commented: Great work. +1
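
The hosts-file cleanup described in the post above, as an added example that is not part of the original thread: a Python sketch that lists the hosts entries a person would want to review before deleting anything. The sample file content, the `DEFAULT_NAMES` set and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts content for illustration (not from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test    # updater pointed at loopback
203.0.113.7     www.example-bank.test login.example-bank.test
not-an-ip       broken.example.test
"""

DEFAULT_NAMES = {"localhost"}  # assumption: the only names a stock file maps


def parse_hosts(text):
    """Yield (line_no, ip_or_None, names) for every mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2:
            continue  # blank, comment-only, or address without a name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None
        yield line_no, ip, fields[1:]


def review_hosts(text):
    """Return (line_no, kind, names) for each entry a person should look at."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        extra = [n for n in names if n.lower() not in DEFAULT_NAMES]
        if ip is None:
            findings.append((line_no, "malformed", names))
        elif ip.is_loopback and not extra:
            continue  # stock localhost mapping
        elif ip.is_loopback or ip.is_unspecified:
            findings.append((line_no, "blocked", extra or names))
        else:
            findings.append((line_no, "redirected", names))
    return findings


if __name__ == "__main__":
    for line_no, kind, names in review_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind:10} {' '.join(names)}")
```

On Windows the file to read is `C:\Windows\System32\drivers\etc\hosts`; pass its text to `review_hosts` and judge each reported line by hand, as the post describes.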
kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

First of all Norton is the worst firewall protection available. Get McAfee or something better. Norton takes up more memory than any other thing and its protection is third rate. AVG is fine; let it run and then delete everything it finds. There is a norton removal tool that you can get by googling norton removal tool. That should help the process lag.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Looks good. You can mark this thread as solved then. (There's a link in the top left corner above your name.)

Corporal commented: Very helpful +1
kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Xxpenetrator is right. lsass.dll (not to be confused with lsass.exe) is the adware Purityscan. And the other is a nasty toolbar.

Let's start by doing the following. Run HJT and place a checkmark next to the following.
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nso78.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\lsass.dll
Click fix checked.

Now reboot to safe mode by tapping F8 during startup and selecting safe mode.

Using My Computer, find and delete the following files.
C:\Windows\System32\lsass.dll
C:\WINDOWS\system32\nso78.dll

Reboot back to normal mode.
Post a new HJT log here.
Still having pop-ups?

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Yup and also do the following.

Please download and install ewido anti-spyware tool

  • Close all other Applications Select language click Ok
  • Click I Agree
  • Click next
  • Click Install
  • Click Finish
  • Wait Ewido will open main screen automatically.
  • Wait again a few minutes and Ewido Should Auto update itself. If it doesn't click update at top of screen.
  • This is very important to get updates
  • When updating has finished. Close Ewido.

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

  • Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear use arrow up to highlight
  • Select the first option, to run Windows in Safe Mode hit enter.
  • For additional help in booting into Safe Mode, see the following site: HERE

    You MUST manage to get into Safe Mode for the fix to work.

Make sure to close all open windows/programs/folders. Have nothing else open while ewido performs its scan!

  • Open Ewido
  • Click on scanner at the top of the Ewido screen
  • Click on Settings
  • Under How to Act click on Recommended Action choose Quarantine
  • Under How to scan all boxes should be selected
  • Under Possibly unwanted software all boxes should be …
DMR commented: Good work- we appreciate your help! +10