Hi, i hope there is somebody that can help.
I'm having a lot of trouble with a Vundo Trojan. Symantec catches it when i log into Windows, but it doesn't seem to remove it. I've tried running full scan, 10 layers deep, in safe mode to no avail. I also tried the latest version of the VundoFix.exe from Symantec, which didn't work. My latest attempts at removal have been running another VundoFix by Arribune, version 6.3.23. This does find some rouge dll and ini files but the vundo keeps coming back.

I've also checked for all the registry keys that Symantec think might need delete but didn't find any. It does occasional put a new key in the software/windows/current version/run sections in the registry.

The main symptom is that i get loads of IE windows popping up with adverts, some of them with the WinAntiVirus 2007 ads in them. I think i may have more than one problem going on.

Thank you for your time reading this post.


oh yeah - here is my hijackthis log from a moment ago

Logfile of HijackThis v1.99.1
Scan saved at 08:48:04, on 21/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Plaxo\\PlaxoHelper.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Documents and Settings\Neil Anthony\Desktop\VundoFix.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Neil Anthony\My Documents\Setup-Install Files\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE" /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\snbglrov.dll",realset
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\\PlaxoHelper.exe -a
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

10 Years
Discussion Span
Last Post by NellyPledge

It is maybe coming back because it is hiding in your system restore area?

My system restore area was already disabled before this started. Is there a way to delete the system restore area totally?



It's coming back because it's hookstrapped to a startup process, usually winlogon. Sounds bad but there is no need to do a system restore. You are lucky a google news alert sent me this. I just encountered this and it has to be the most difficult boot hookstrapped trojan I have ever experienced. Normally I can sterilize a system within 30 to 45 minutes manually. Every time I cleaned this up, a hookstrap would reinstall it at next boot. Major pain. I positively identified the precise day and time infection occured and tried to surgically excise all trace of it using about 15 different security and malware tools. Finally cleaned it up and then found a tool that could have saved a lot of headache. It is specifically written for a vundo infestation. I asked the client for $100 in service fees and the guy was so happy he gave me $150. Most tech shops would have told him all he can do is restore and/or reinstall the OS.

Download the tool:
I attached it but you need to rename it to a .exe extension.
Good instructions:
(Response #48)

If you can get around your browser hijack (where you try to visit one website and it redirects you to a different one) you can temporarily fix that by disabling the browser helper object (BHO). Go Tools -> Internet Options -> Programs (tab) -> Manage Add-Ons. This will list all BHOs. Click where it says "Publisher" (it doesn't look like it, but it is a button so you can sort the list). Use the "Disable" radio button at the bottom to disable any that do not have a publisher name. I would tell you exactly what name to disable, but vundo tends to have different BHO names for different infestations.



Here's what's partly responsible for the hookstrap in your instance. Others infection cases may vary and there are no doubt other files are involved with the infection beyond this dll.

O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\snbglrov.dll",realset


nelly, point your vundofix at that O4 file vundofixer put up. Paste the pathname in the window [add more files..]


Thanks for you help everybody, i got it fixed. The vundo kept changing it's name and leaving a new file in the system32 directory that couldn't be deleted. It also changed the startup programs to include it's new version. I wish i read the post a little earlier as that tip for the 'add more files' would have helped. In the end i used VirtumundoBeGone.exe in safe mode which flagged it as .vir and then it could be deleted.

I'm 99% sure it's gone now. Fingers crossed.

Thanks for your time.


This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.