Vundo Virus. Heeeelp!

johnmonek

Dear Community,
One of my laptops is infected with the Vundo.gen!Y virus. Neither McAfee
nor Windows OnCare safety scanner were able to remove it. I attained
information on deleting the Vundo virus manually in the registry.
Unfortunately, of the 11 registry values to delete, I was only able to delete
two.
Please help me. Thanks and have a great and wonderful New Year.
Sincerely,
John Monek
(e-mail address removed)
 
David H. Lipman

From: "johnmonek" <[email protected]>

| Dear Community,
| One of my laptops is infected with the Vundo.gen!Y virus. Neither McAfee
| nor Windows OnCare safety scanner were able to remove it. I attained
| information on deleting the Vundo virus manually in the registry.
| Unfortunately, of the 11 registry values to delete, I was only able to delete
| two.
| Please help me. Thanks and have a great and wonderful New Year.
| Sincerely,
| John Monek
| (e-mail address removed)

Vundo is NOT a virus, it is a Trojan.

Start by using Malwarebytes Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
 
Mick Murphy

As David suggested: Malwarebytes.
Also install "Spybot search & destroy"
Once installed, and updated, reboot, go into Safe Mode, and scan while there.
All info below.

http://www.spybot.info/en/index.html

Spybot Search & Destroy 1.6 is a very good, FREE Anti-Spyware Program.
Download, install, update, and immunize your System with it.
Then SCAN with it.
Update it, and scan your System once a fortnight.

http://www.malwarebytes.org/mbam.php

Malwarebytes is as the name says, a Malware Remover!
For the Free version scroll down their page to either download from
Download.com, or Major Geeks.com

Download, install, and update.

Important re: Safe Mode
If you happen to find a problem that you can’t uninstall / delete, reboot
the computer, and go into Safe Mode.
To get into Safe mode, tap F8 right at Power On / Startup, and use UP arrow
key to get to Safe Mode from list of options, then hit ENTER.
RESCAN your computer with your Anti-Virus, Malwarebytes and Spybot S & D
while in Safe Mode.

If unable to install above Programs in Normal Mode:
Sometimes Trojans, Viruses, Malware, etc stop you installing and/or updating
Programs to remove them.
If that happens, reboot into Safe Mode with Networking (from F8 list of
Startup Options), and install, update and scan from there.
 
David H. Lipman

From: "Alias" <[email protected]>


| Don't download *anything* this troll suggests.

| Alias

Even if his plagiarized crap worked, it doesn't even target the Vundo trojan.
 
David H. Lipman

From: "Randem" <[email protected]>

| How would you even know! You would have to be able to comprehend to discuss
| this...

Since I have been studying malware for almost 20 years now, I know more than you think and
can discuss the subject matter very well.

This includes the fact that the web page you propose does nothing to pinpoint the loading
points of the Vundo trojan.
 
Randem

It doesn't have to. I guess your 20 years trumps my over 30 years... It
solves the problem for 95% of the viruses unless you think that is useless...
 
Mick Murphy

Stop SPAMMING Idiot..

Mad Mick
--
My Address: PO Box 2131
City: Milton
State: QLD
PostalCode: 4064
Country: AU

Sunny land
 
DG

johnmonek said:
Dear Community,
One of my laptops is infected with the Vundo.gen!Y virus. Neither McAfee
nor Windows OnCare safety scanner were able to remove it.

John -
I fought a variant of the Vundo trojan myself for 2 days. Went from annoying
pop-ups to where it would load a blank desktop with my main profile and then
started restarting Windows about a minute after logon. I tried McAfee, Norton
and various fixes to no avail. I finally read on a thread about
SUPERantispyware (superantispyware.com) and their FREE download got rid of
it. Good luck to you.
 
tunenut

I fought the Vundo successfully but it was not easy. Malwarebytes did
not work. Hijackthis did not work. Manual registry deletion did not
work. These registry keys kept coming back.

I would see new dlls running under explorer.exe each time I booted
up. These were named randomly with alternating consonants and vowels:
timorasu.dll might be one example. When I looked in the windows/
system32 directory, these dlls did not exist, therefore could not be
deleted.

To make a long story short, you need to be thorough and work through
it. I used the tools from sysinternals.com: autoruns and process
explorer.

Autoruns will show you everything that starts up when you boot up the
computer. It will be a long list and you need to go through
everything.

The part that made it easier for me is that the Vundo stuff did not
have any company name listed. The majority of start-up items show up
as Microsoft and then there are the other normal ones like Adobe,
etc. Some normal programs showed up without a company name (Winrar is
an example), however, be suspicious of all of them.

Through detective work, I found one startup item named cits.exe in
windows/system32. Now this name is very similar to a legitimate
program called cits_.exe....so it is likely the virus will use a
different name on a different computer to try to blend in with other
legitimate executables. To be safe, I just renamed this file to
cits.txt, just in case it was a useful thing, I could restore it.
However, this turned out to be the root cause of the problems. When
this did not run, I could go in and delete the registry entries with
the bad dll names. They did not come back again. I could run
hijackthis.

Importantly, when my bad .exe file was started, hijackthis showed an
020 entry. When the .exe file did not start this 020 entry was gone.
With the 020 entry gone, I could use hijackthis and Malwarebytes and
the system was cleaned thoroughly. And the cleaning stuck.

So you need to find the root cause of the problem. Then it can be
fixed. Good luck.
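The triage the post describes (walk the Autoruns list, distrust entries with no company name, watch for DLLs with made-up alternating consonant-vowel names that are not on disk, and pay attention to the Winlogon\Notify and Browser Helper Object loading points) can be scripted over an Autoruns CSV export. The block below is an added example written for this thread; it is not code from the poster, from Sysinternals, or from any of the tools named here. It assumes the CSV columns are named "Entry Location", "Entry", "Company" and "Image Path" as in the Autoruns export (check your version), and every sample row, path and the `{CLSID-PLACEHOLDER}` value is constructed for illustration.

```python
"""Triage an Autoruns CSV export for the Vundo-style traits described in the
thread: no company name, image file missing on disk, random consonant-vowel
filename, and entries sitting in the Winlogon\\Notify or BHO loading points.

Added example, not the poster's or Sysinternals' code. Column names are an
assumption modelled on the Autoruns CSV export; the sample rows are made up.
"""
import csv
import io
import os
import re
from typing import Callable, Dict, List, Tuple

VOWELS = set("aeiou")

# Loading points the thread singles out (assumption: substring match against
# the "Entry Location" column).
SENSITIVE_LOCATIONS = (r"Winlogon\Notify", r"Browser Helper Objects")

# Constructed sample export. None of these paths or names are real indicators;
# only the patterns (no company, missing file, consonant-vowel name) matter.
SAMPLE_CSV = """Entry Location,Entry,Enabled,Category,Description,Company,Image Path
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,ctfmon,enabled,Logon,CTF Loader,Microsoft Corporation,c:\\windows\\system32\\ctfmon.exe
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,WinRAR,enabled,Logon,,,c:\\program files\\winrar\\winrar.exe
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,cits,enabled,Logon,,,c:\\windows\\system32\\cits.exe
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify,timorasu,enabled,Winlogon,,,c:\\windows\\system32\\timorasu.dll
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects,{CLSID-PLACEHOLDER},enabled,BHO,,,c:\\windows\\system32\\pokuvade.dll
"""

# Files that "exist" in the constructed scenario; the two random DLLs do not,
# matching the post's observation that they could not be found in system32.
PRESENT = {
    "c:\\windows\\system32\\ctfmon.exe",
    "c:\\program files\\winrar\\winrar.exe",
    "c:\\windows\\system32\\cits.exe",
}


def sample_exists(path: str) -> bool:
    """Stand-in for os.path.exists so the example runs offline on any OS."""
    return path.lower() in PRESENT


def basename_any(path: str) -> str:
    """Last path component, accepting Windows or POSIX separators."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1]


def looks_random_cv(path: str) -> bool:
    """True when the file stem is 6+ letters strictly alternating consonant and
    vowel (e.g. 'timorasu'), the naming pattern the post describes. Ordinary
    names such as 'explorer' or 'ctfmon' contain consonant clusters and fail."""
    stem = os.path.splitext(basename_any(path))[0].lower()
    if len(stem) < 6 or not stem.isalpha():
        return False
    is_vowel = [c in VOWELS for c in stem]
    return all(is_vowel[i] != is_vowel[i + 1] for i in range(len(stem) - 1))


def parse_autoruns_csv(text: str) -> List[Dict[str, str]]:
    """Rows as dicts keyed by the header line."""
    return list(csv.DictReader(io.StringIO(text)))


def score_entry(entry: Dict[str, str],
                exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Suspicious traits of one row; an empty list means nothing was noted."""
    reasons = []
    image = entry.get("Image Path", "")
    location = entry.get("Entry Location", "")
    if not entry.get("Company", "").strip():
        reasons.append("no company name")
    if image and not exists(image):
        reasons.append("image file not found on disk")
    if looks_random_cv(image):
        reasons.append("random consonant-vowel name")
    if any(loc.lower() in location.lower() for loc in SENSITIVE_LOCATIONS):
        reasons.append("Winlogon/Notify or BHO loading point")
    return reasons


def triage(text: str, exists: Callable[[str], bool] = os.path.exists,
           min_score: int = 2) -> List[Tuple[str, List[str]]]:
    """Entries with at least min_score traits, most suspicious first. A single
    trait is common (WinRAR has no company name, as the post notes), so the
    default threshold keeps the list short."""
    hits = []
    for row in parse_autoruns_csv(text):
        reasons = score_entry(row, exists)
        if len(reasons) >= min_score:
            hits.append((row.get("Entry", ""), reasons))
    hits.sort(key=lambda h: -len(h[1]))  # stable: CSV order breaks ties
    return hits


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_CSV, sample_exists):
        print(f"{name}: {', '.join(reasons)}")
```

On a real machine, export the list with `autorunsc -c` (or File > Save in the Autoruns GUI), read it with the encoding your version writes, and call `triage()` with the default `os.path.exists`. Note that the `cits.exe` from the story would only score one trait (no company name) and so falls under the default threshold; run with `min_score=1` to see it, which is exactly why the poster says to stay suspicious of every entry without a company name rather than trusting a filter.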
 
David H. Lipman

From: <[email protected]>

| I fought the Vundo successfully but it was not easy. Malwarebytes did
| not work. Hijackthis did not work. Manual registry deletion did not
| work. These registry keys kept coming back.

| I would see new dlls running under explorer.exe each time I booted
| up. These were named randomly with alternating consonants and vowels:
| timorasu.dll might be one example. When I looked in the windows/
| system32 directory, these dlls did not exist, therefore could not be
| deleted.

| To make a long story short, you need to be thorough and work through
| it. I used the tools from sysinternals.com: autoruns and process
| explorer.

| Autoruns will show you everything that starts up when you boot up the
| computer. It will be a long list and you need to go through
| everything.

| The part that made it easier for me is that the Vundo stuff did not
| have any company name listed. The majority of start-up items show up
| as Microsoft and then there are the other normal ones like Adobe,
| etc. Some normal programs showed up without a company name (Winrar is
| an example), however, be suspicious of all of them.

| Through detective work, I found one startup item named cits.exe in
| windows/system32. Now this name is very similar to a legitimate
| program called cits_.exe....so it is likely the virus will use a
| different name on a different computer to try to blend in with other
| legitimate executables. To be safe, I just renamed this file to
| cits.txt, just in case it was a useful thing, I could restore it.
| However, this turned out to be the root cause of the problems. When
| this did not run, I could go in and delete the registry entries with
| the bad dll names. They did not come back again. I could run
| hijackthis.

| Importantly, when my bad .exe file was started, hijackthis showed an
| 020 entry. When the .exe file did not start this 020 entry was gone.
| With the 020 entry gone, I could use hijackthis and Malwarebytes and
| the system was cleaned thoroughly. And the cleaning stuck.

| So you need to find the root cause of the problem. Then it can be
| fixed. Good luck.

The Vundo uses self preservation techniques to protect the Winlogon/notify and BHO
Registry loading points.

However, one can easily boot into the Recovery Console and delete or rename the DLL file.
Then boot in Normal Mode and remove the Registry load points.
 
