From: <[email protected]>
| I fought the Vundo successfully but it was not easy. Malwarebytes did
| not work. Hijackthis did not work. Manual registry deletion did not
| work. These registry keys kept coming back.
| I would see new dlls running under explorer.exe each time I booted
| up. These were named randomly with alternating consonants and vowels:
| timorasu.dll might be one example. When I looked in the windows/
| system32 directory, these dlls did not exist, therefore could not be
| deleted.
| To make a long story short, you need to be thorough and work through
| it. I used the tools from sysinternals.com: autoruns and process
| explorer.
| Autoruns will show you everything that starts up when you boot up the
| computer. It will be a long list and you need to go through
| everything.
| The part that made it easier for me is that the Vundo stuff did not
| have any company name listed. The majority of start-up items show up
| as Microsoft and then there are the other normal ones like Adobe,
| etc. Some normal programs showed up without a company name (WinRAR is
| an example), however, be suspicious of all of them.
| Through detective work, I found one startup item named cits.exe in
| windows/system32. Now this name is very similar to a legitimate
| program called cits_.exe, so it is likely the virus will use a
| different name on a different computer to try to blend in with other
| legitimate executables. To be safe, I just renamed this file to
| cits.txt so that, in case it was a useful thing, I could restore it.
| However, this turned out to be the root cause of the problems. When
| this did not run, I could go in and delete the registry entries with
| the bad dll names. They did not come back again. I could run
| hijackthis.
| Importantly, when my bad .exe file was started, hijackthis showed an
| 020 entry. When the .exe file did not start, this 020 entry was gone.
| With the 020 entry gone, I could use hijackthis and Malwarebytes and
| the system was cleaned thoroughly. And the cleaning stuck.
| So you need to find the root cause of the problem. Then it can be
| fixed. Good luck.
The Vundo uses self-preservation techniques to protect the Winlogon/notify and BHO
Registry loading points.
However, one can easily boot into the Recovery Console and delete or rename the DLL file.
Then boot in Normal Mode and remove the Registry load points.
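The triage both posts describe by hand (walk the load points, look for entries whose file is missing from disk or has no company name) can be scripted. The following is an added example written for this thread, not code from either poster or from Sysinternals; it assumes an elevated PowerShell prompt on the affected machine and only reads the registry, it deletes nothing.

```powershell
# Added example, not from the thread. Read-only triage of the load points the
# posts mention (Run keys, Winlogon\Notify, Browser Helper Objects). An entry
# is flagged when the file it points at is missing on disk or carries no
# CompanyName in its version resource, the two Vundo tells described above.
# Run from an elevated PowerShell prompt on the suspect machine.

function Resolve-ImagePath {
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Value.Trim())
    # Strip surrounding quotes or trailing arguments
    if ($p.StartsWith('"')) { $p = $p.Split('"')[1] } else { $p = ($p -split '\s+')[0] }
    # A bare DLL name (e.g. timorasu.dll) is resolved from System32
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot "System32\$p" }
    return $p
}

function Test-LoadPoint {
    param([string]$Source, [string]$Name, [string]$Value)
    $path = Resolve-ImagePath $Value
    if (-not $path) { return }
    $exists  = Test-Path -LiteralPath $path
    $company = if ($exists) { (Get-Item -LiteralPath $path).VersionInfo.CompanyName } else { $null }
    [pscustomobject]@{
        Source  = $Source; Name = $Name; Path = $path; OnDisk = $exists; Company = $company
        Suspect = (-not $exists) -or [string]::IsNullOrWhiteSpace($company)
    }
}

$results = @()
# 1. Run / RunOnce values in both hives
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = Get-Item "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub" -ErrorAction SilentlyContinue
        if ($key) { foreach ($n in $key.GetValueNames()) { $results += Test-LoadPoint "$hive\$sub" $n $key.GetValue($n) } }
    }
}
# 2. Winlogon\Notify packages: each subkey names its DLL in the DLLName value
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify' -ErrorAction SilentlyContinue |
    ForEach-Object { $results += Test-LoadPoint 'Winlogon\Notify' $_.PSChildName $_.GetValue('DLLName') }
# 3. Browser Helper Objects: CLSID subkey -> InprocServer32 default value
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $srv = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$($_.PSChildName)\InprocServer32" -ErrorAction SilentlyContinue
        $results += Test-LoadPoint 'BHO' $_.PSChildName $srv.'(default)'
    }

$results | Where-Object Suspect | Format-Table Source, Name, Path, OnDisk, Company -AutoSize
```

A file reported as not on disk may simply be hidden from the running system, which is exactly what the first poster saw, so treat OnDisk = False as a reason to inspect the path offline (for example from the Recovery Console, as the reply suggests) rather than as proof the file is gone.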