Lately the Vundo spyware has become widely known, and I myself contracted it. Here is what happens when you contract it. After some work I managed to remove it.
When you open up Firefox or IE, additional popups bring you to random advertisement sites. Then a system popup asks you to install a "system error fix"; if you click yes, you will install a virus.
Not all antivirus products can detect this. Here is how it works. Firstly, it is a .dll file and manifests as an IE add-on. Just go to IE Tools and click Manage Add-ons. This Vundo has a characteristic: it comes up with a random word made up of 8 characters, plus .dll as the extension.
Then, every time you open a net-connected browser, this .dll will generate another .dll file composed of 8 characters, and every time you open and close the browser a new .dll file is generated. All are of the generic Vundo trojan variety.
1) open up the system32 folder in details view and arrange by date created (newest foremost)
2) note all the .dll files with 8 random characters; you can only delete them in safe mode
3) run msconfig to restart in safe mode
4) go to the system32 folder and remove all these .dll files
5) start in normal Windows and open up IE
6) go to Tools > Manage Add-ons and see the spyware; you will see a .dll
7) download and use VirtumundoBeGone and see the log file; note the BHO classid
8) restart, insert the Windows CD and select Windows Recovery Console. You need to use WRC because the mother virus .dll cannot be deleted even in safe mode; this is because the .dll file is assigned to winlogon.exe, which is essential for explorer to run
9) before (8), hack the registry with regedit and turn the SecurityLevel of WRC from 0 to 1; if not, you must have the administrator password
10) in the cmd, type cd c:\windows\system32
11) del (xxxxxxxx).dll
12) restart
13) run VirtumundoBeGone and HijackThis and note/fix all areas
14) note the classids again, open regedit and search for all suspected classids
15) delete the entries
16) virus is solved
If you do not know any step just google for it.
Just my 2 cents.
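Added example, not part of Fire Star's post: a small Python triage script that applies two of the checks from the steps above to constructed data so it runs offline. The first check is steps 1 and 2 (recently created DLLs whose names are exactly 8 letters); the second is steps 7 and 14 (read the BHO CLSIDs from a registry export and look up which DLL each one loads). The sample files, the temp directory standing in for system32, the .reg export text and the CLSIDs in it are all constructed; the Browser Helper Objects and CLSID\{...}\InprocServer32 registry locations are the real ones IE uses. The letters-only filename pattern is an assumption drawn from the post's description.

```python
"""Offline Vundo triage demo: flag 8-letter DLLs created recently and cross-check
registered BHO CLSIDs against the DLL paths they point at (constructed sample data)."""
import ntpath
import os
import re
import tempfile
import time

# Child DLL name as the post describes it: exactly 8 letters plus ".dll" (assumed).
# Legitimate 8-character names such as kernel32.dll contain digits and do not match.
SUSPECT_NAME = re.compile(r"^[a-z]{8}\.dll$", re.IGNORECASE)

# Real registry locations: each subkey of "Browser Helper Objects" is a BHO CLSID,
# and CLSID\{...}\InprocServer32's default value is the DLL path that implements it.
BHO_SUBKEY = re.compile(r"\\Browser Helper Objects\\(\{[0-9A-F-]{36}\})\]$", re.IGNORECASE)
INPROC_SUBKEY = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32\]$", re.IGNORECASE)

# Constructed regedit export: two BHOs, one backed by a suspect-looking DLL.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\system32\\qwertyui.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\Example Toolbar\\toolbar.dll"
"""


def find_suspect_dlls(directory, max_age_seconds=7 * 24 * 3600, now=None):
    """Steps 1-2: names of DLLs in `directory` matching the 8-letter pattern and
    newer than `max_age_seconds`, newest first. Uses mtime so the demo can set
    timestamps; on a live Windows box sort by creation time as the post says."""
    now = time.time() if now is None else now
    hits = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and SUSPECT_NAME.match(name):
            age = now - os.path.getmtime(path)
            if age <= max_age_seconds:
                hits.append((age, name))
    return [name for _, name in sorted(hits)]


def parse_bho_registry(reg_text):
    """Steps 7 and 14: from a regedit export return {BHO CLSID: dll path or None}."""
    bhos, inproc, current = set(), {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = BHO_SUBKEY.search(line)
        if m:
            bhos.add(m.group(1).upper())
            current = None
            continue
        m = INPROC_SUBKEY.search(line)
        if m:
            current = m.group(1).upper()
            continue
        if line.startswith("["):
            current = None  # some other key: stop attributing values
        elif current and line.startswith('@="') and line.endswith('"'):
            # .reg files escape every backslash as "\\"; undo that
            inproc[current] = line[3:-1].replace("\\\\", "\\")
    return {clsid: inproc.get(clsid) for clsid in sorted(bhos)}


def suspect_bhos(bho_map):
    """CLSIDs whose backing DLL file name looks like a Vundo DLL."""
    return sorted(clsid for clsid, path in bho_map.items()
                  if path and SUSPECT_NAME.match(ntpath.basename(path)))


def build_sample_dir(now=None):
    """Create a temp directory of constructed files standing in for system32."""
    now = time.time() if now is None else now
    directory = tempfile.mkdtemp(prefix="vundo_demo_")
    samples = {
        "qwertyui.dll": now - 3600,            # fresh 8-letter DLL: suspect
        "abcdefgh.dll": now - 2 * 3600,        # older child DLL: suspect
        "kernel32.dll": now - 3600,            # 8 chars but has digits: not matched
        "zzzzzzzz.dll": now - 60 * 24 * 3600,  # matches pattern but 60 days old: skipped
    }
    for name, stamp in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(b"MZ")  # constructed placeholder content, not a real DLL
        os.utime(path, (stamp, stamp))
    return directory


def triage(directory, reg_text, now=None):
    """Run both checks and return one report dict."""
    bho_map = parse_bho_registry(reg_text)
    return {
        "recent_suspect_dlls": find_suspect_dlls(directory, now=now),
        "bhos": bho_map,
        "suspect_bhos": suspect_bhos(bho_map),
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_dir(), SAMPLE_REG).items():
        print(key, value)
```

On a real machine you would point `find_suspect_dlls` at `C:\WINDOWS\system32` and feed `parse_bho_registry` the output of exporting the two keys with regedit; the two lists together give you the CLSIDs and file names to record before any removal step.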
I was infected by this before. Nice guide, though I didn't try it out.
Originally posted by Fire Star: Then a system popup asks you to install a "system error fix"; if you click yes, you will install a virus.
Actually... if you click "no" or close the window straight away... it will also install itself.
I will need to mention that this is in general what Vundo will do to you.
New Vundo does a couple of nice things to you. If you are lucky, you will probably be able to boot up Windows.
Identifying Vundo is pretty easy for trained people, but removing it isn't.
Anyway, HijackThis does not detect the mother Vundo trojan, only the children Vundo. Thus I recommend VirtumundoBeGone for detection, as the mother trojan manifests as a BHO rather than an active object.
Also it is a good idea to consult totalvirus.com to identify the type of virus.
HijackThis doesn't detect it because it's meant to be hidden from it.
http://wiki.castlecops.com/Vundo_Rootkit_Detection_and_Removal_Procedure