
Trojan Vundo Removal

Updated on July 23, 2010

What is Trojan Vundo

Trojan Vundo exceeded any expectations its developer might have had for this virus. The speed at which Vundo spread across the Web exposed a major drawback of the interconnected world network: the Internet is very vulnerable. The Vundo virus has become a pandemic.

Vundo removal proved to be such a painstaking process that McAfee released a special note about the difficulty of automating trojan Vundo removal:

Certain variants of the Vundo trojan are especially difficult to remove. Current DAT and Engine functionality does not yet provide an automatic method to fully remove this threat if it is active in memory.

Trojan Vundo is not a single piece of malware. It's a big family of malware which is increasing in number and acquiring yet more aggressive techniques literally daily. There are many variants and types of Vundo mutations - thousands as of now. This is why this malware is a killer test for detection and removal algorithms of security software. The programs known to be good Vundo fighters are listed at the end of this hubpage.

What Vundo Trojan does to Personal Computers

Vundo trojan, also known as VirtuMonde or VirtuMondo, is involved mainly in two types of activities. Once it gets installed onto a PC, it:

  • displays continuous ads that scare the user into downloading and subsequently purchasing "full versions" of various applications such as registry cleaners and antivirus programs. WinFixer, WinAntiSpyware and WinAntiVirus are examples of such fake programs;
  • downloads and installs arbitrary components to intensify its advertising capabilities, which further degrades overall system security.
  • Vundo attaches itself to Windows Explorer (Explorer.exe) and goes memory resident. This allows the trojan to be up and running whenever you turn on the PC. By constantly verifying its state, Vundo always knows if anything (such as a semi-effective security program) tries to stop it; whenever an attempt is made to block trojan Vundo, it loads itself back into system memory. Hence the user reports of an unremovable Vundo virus.

How to know if your PC has been infected with Trojan Vundo

Trojan Vundo activity causes multiple advertising pop-ups, most often while surfing but also offline once the Vundo virus has managed to place its parts in the system.

Depending on what type of Vundo trojan is attacking a PC, displayed ads and pop-ups will differ. So, you may be presented with a threatening Internet Explorer message informing you about the disaster in Windows registry and urging you to download a cure for corrupted registry. The cure carries the name of WinFixer 2005.

The Vundo virus is capable of silently downloading additional adware components. Together they may lead to significantly decreased system performance and overuse of virtual memory.

It is important to remember that your current anti-malware/antivirus protection may not be adequate to stop a Vundo infection. There is evidence that McAfee Total Protection Suite, Spyware Doctor by PC Tools, and Spyware Remover missed traces of trojan Vundo and could not detect the presence of malicious files in the infected system.

WinFixer 2005

Vundo Trojan advertises WinFixer 2005 (fake registry cleaner)

WinAntiSpyware 2007

Vundo advertises WinAntiSpyware 2007 (fake security program)

Ultimate Fixer

Vundo scares PC users into downloading Ultimate Fixer (fake registry tool)

SysProtect

Vundo advertises SysProtect (rogue threat remover)

PC-Antispyware

Vundo advertises PC-Antispyware (fake antispyware program)

Ultimate Defender

Vundo advertises Ultimate Defender (fake spyware remover)

How to get infected with Trojan Vundo

In fact, it is very easy to get your system infected with this virus - much easier than it is to remove Vundo. Infection can occur through:

  • installed software crack;
  • opened email;
  • launched unsafe application;
  • visited unsafe website;
  • connection to peer-to-peer network.

Generally speaking, all it takes to get a vundo trojan infection is a loss of attention for mere seconds. You may open an email message by mistake - and instantly get your computer infected.

There's a security breach in Java that allows Vundo to infect PCs, therefore it is important to keep Java updated to the latest builds.

It is important to remember that files containing the Vundo trojan are very easy to come across. Tons of shareware programs on torrent networks are contaminated with the Vundo virus. I mean the installation files themselves - not just patches. Normally the trojan Vundo code is added to an executable file, which is then shared via P2P networks. This way programs containing the code of the severely dangerous Vundo are exposed to an unlimited number of people. All kinds of desktop clocks, wallpaper changers, toolbars, etc., may contain patterns of the Vundo trojan.

Trial versions of antivirus and antispyware programs are often distributed with trojan Vundo embedded in the installation files. Because security programs are generally installed on computers without prior protection, this opens a clear route for the Vundo trojan to take control of unprotected computers: the malicious files are unpacked and placed into system memory before the installation of the security program is complete. The registry entries that ensure auto-start of the parasite are created at once. All this happens before the newly installed antivirus or antispyware program is updated with the latest definitions.

Fake Software Advertised by Vundo Trojan

These are only several examples of fake programs pushed by vundo trojan into infected computers. There are many more rogue applications advertised by vundo virus. It is discouraging that even reputable websites are involved in distributing some of these dangerous applications - most probably unwillingly and unintentionally.

Other fake programs masquerading as well-known applications include:

  • PC cleaner;
  • System Doctor;
  • WinDoctor;
  • System Defender Security System;
  • SpySheriff;
  • Antivirus Gold;
  • SpyTrooper;
  • DriveCleaner;
  • SpyAxe;
  • Brave Sentry;
  • Error Protector;
  • VirusRescue;
  • more...

This list is partial and is growing as Vundo trojan continues its triumphal devastating mission.

Vundo Removal

How to remove vundo?

Unfortunately, unlike other similar scam extortion software, the Vundo trojan combines the features of a trojan and a virus, which makes it especially hard to remove. Many PC owners give up on removing the infection, preferring a complete reformat to fruitless attempts at trojan Vundo removal.

Mutating clones of Vundo keep multiplying, so there's little sense in listing the Registry entries and filenames that need to be removed. Most PC users would feel at a loss when faced with removing dozens of registry keys, and even more files from the Program Files and Windows folders. The Vundo trojan places its parts all over the system - starting from Documents and Settings and ending in the System32 folder. Its files seem to have a random naming pattern, usually consisting of senseless numbers and letters. For example, Trojan Vundo can create a USS folder in Program Files, and add files to Windows subfolders (System32 and Drivers) - all set to auto-start at Windows boot.
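
The auto-start behaviour described above, as an added triage example (not code from this article or from any tool it names): it parses the O4 auto-start lines of a HijackThis log, the tool the author recommends in the comments, and lists entries worth a manual look. The sample log and both heuristics are assumptions made for illustration; only the value names fetahewite and CPMfb9d6fd1 and the USS folder come from this page.

```python
import ntpath
import re

# Constructed sample of HijackThis-style log lines. The value names
# "fetahewite" and "CPMfb9d6fd1" and the "USS" folder appear on this page;
# the DLL/EXE names attached to them are made up for the example.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [fetahewite] Rundll32.exe "C:\WINDOWS\system32\gosaluvu.dll",s
O4 - HKLM\..\Run: [CPMfb9d6fd1] Rundll32.exe "c:\windows\system32\hukewoji.dll",a
O4 - HKLM\..\Run: [q7x2k9vd] C:\Program Files\USS\q7x2k9vd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Shape of a registry auto-start line: O4 - HKLM\..\Run: [value name] command
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.+)$")
# A drive-rooted path ending in .exe or .dll, quoted or unquoted.
TARGET = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)\b', re.IGNORECASE)
RUNDLL32 = re.compile(r"\brundll32(?:\.exe)?\b", re.IGNORECASE)


def parse_autostarts(log_text):
    """Return one dict per registry auto-start (O4) line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = O4_LINE.match(line.strip())
        if not match:
            continue
        hive, key, name, command = match.groups()
        entries.append({
            "hive": hive,
            "key": key,
            "name": name,
            "command": command,
            "targets": TARGET.findall(command),
        })
    return entries


def digit_letter_switches(stem):
    """Count letter<->digit transitions, a rough measure of 'senseless' names."""
    kinds = [ch.isdigit() for ch in stem if ch.isalnum()]
    return sum(a != b for a, b in zip(kinds, kinds[1:]))


def review_reasons(entry):
    """Heuristics (assumptions of this example); a hit means 'verify', not 'delete'."""
    reasons = []
    via_rundll32 = RUNDLL32.search(entry["command"]) is not None
    for target in entry["targets"]:
        folder = ntpath.dirname(target).lower()
        stem, ext = ntpath.splitext(ntpath.basename(target))
        # Legitimate drivers also load System32 DLLs this way (NvCplDaemon in
        # the sample), so the file itself still has to be checked.
        if via_rundll32 and ext.lower() == ".dll" and folder.endswith(r"\system32"):
            reasons.append("Run value loads a System32 DLL through rundll32")
        if digit_letter_switches(stem) >= 3:
            reasons.append("file name mixes digits and letters")
    return reasons


def triage(log_text):
    """Return (value name, reasons) for every auto-start entry worth reviewing."""
    flagged = []
    for entry in parse_autostarts(log_text):
        reasons = review_reasons(entry)
        if reasons:
            flagged.append((entry["name"], reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG):
        print(f"{name}: {'; '.join(reasons)}")
```

The legitimate NvCplDaemon entry is listed alongside the suspect ones, so each hit still needs the file itself verified, for example with a multi-scanner upload as discussed in the comments, before anything is deleted.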

The Vundo trojan threat is so serious that volunteer programmers coded a special Vundo fix to help an army of virus victims. Installed antivirus and antispyware applications may not be enough to remove the Vundo virus, which is why a free Vundo removal tool called VundoFix is a good program to start with.

I've come across websites reporting about Adware Alert being an ultimate Vundo removal tool. Being as curious as I am, I could not resist testing this piece of software. Well, probably its programmers did their best and will fix the bugs in the nearest future. But in my case, the program failed to download latest updates (stopped in the middle of the process and froze). It could not initiate the scan because the program would autoclose without any warning given. I found Adware Alert absolutely useless and a waste of time. This does not mean everybody would have similar experience, but I strongly believe the team behind AA needs to put some significant additional efforts into mastering the software.

That's why I find it impossible to include Adware Alert in the list of recommended vundo removal tools.

Fight Vundo with VundoFix

VundoFix has been developed by great guys and has saved an army of PC users worldwide (1 million infected PCs!).

VundoFix can help to remove Vundo Trojans in most cases. To use it, download a small executable file and run it - either in Windows Normal Mode or Safe Mode. VundoFix will scan the computer, find the parts of the Vundo parasite, and mark them for removal. It may require a reboot to complete the cleaning process.

In some cases, VundoFix may be unable to remove a Vundo trojan infection if a new variant of it has spread over the Web. If that happens to you, visit the VundoFix forum and report your issue.

Go to: VundoFix Download Page.

Don't Get Infected with Vundo Trojan

As simple as it sounds, using VundoFix may come too late. A usual restart may end with the system not booting, and even Safe Mode (for those who are familiar with Windows Advanced Controls) may be of no help.

Therefore I stick to the idea of "better safe than sorry". Removing Vundo is more difficult than preventing its devastating attack.

A German manufacturer of security software, called Avira, holds a part of the market with its Avira AntiVir package. I've always trusted this great antivirus because of a very pleasant interface and highest detection rate in the industry (both in on-demand and proactive tests). It's not an exaggeration - Avira beats McAfee, Norton and Kaspersky* with ease. But knowing the malicious nature of the Vundo virus, I thought that even Avira might be missing this particular infection. Remember I said in the beginning that McAfee hasn't developed a proper algorithm to remove Vundo? Well, I had a chance to test McAfee VirusScan Enterprise 8.5i (Patch 5) Antivirus+Antispyware against a Vundo trojan infection. McAfee failed. It was able to detect a couple of files allegedly related to Vundo, but missed the main executables completely. A Windows error began popping up stating that Windows could not find a proper program to open the software.php file - that's one of the signs of Vundo virus presence. Yet the McAfee On-Access scan showed no messages of detection, and the On-Demand scan reported the system was clean - while it was evident that Windows had a serious infection. McAfee didn't even notice a new folder created by Vundo in the Program Files folder.

On the contrary, Avira AntiVir tackled the Vundo problem pedantically, like a German would ;) With a sound coming from system speaker it informed about Vundo staying at the gates of the PC, and asked if I'd like to Ignore it, Delete or Quarantine. Definitely you have the option to ignore the threat, but I wouldn't advise you to play that game ;) 

* According to AV comparatives, 2007-2008.

How Much does it Cost to Remove Vundo?

Simple question? Yes and no. Free vundo removal will not cost a single penny. But for the majority of PC users, this should be a relatively easy case.

Severe infections followed by system-wide damage may take hours to repair, and still end in Windows reinstall. If you don't have any software installed except for Email client and MSN Messenger, then it's not a big deal. For users of Photoshop, Vegas Video and AutoCAD, it's a nightmare. Therefore many people can't remove vundo. No giggles - this is a very stubborn trojan.

This is where a paid vundo removal may be needed. But can you guess how much would it cost?

See below.

Vundo Virus Removal for $89

A single virus repair for $90.
Malwarebyte's Malware Activity Report
EMSISOFT anti-malware v5.0

Comments


    • profile image

      GREAT 6 years ago

      omfg dude u helped me ur the best

    • charlemont profile image
      Author

      charlemont 7 years ago from Lithuania

      mike, glad you got it sorted out!

      For God's sake, change the passwords that might be affected by the infection!

    • profile image

      mike 7 years ago

      looks like superantispyware got rid of it after a reboot thank the lord - and the programmers lol

      i didnt have a real bad version of the trojan, i didnt get any adware popups etc, the main thing it did was keep logging me out of websites and programs, im sure to farm passwords and be annoying

      hope its all gone now :)

    • profile image

      mike 7 years ago

      i have avira and it didnt detect the vundo trojan at all - after 2 full scans. neither did malwarebytes or spybot, the only program that even detected it on my pc was superantispyware, i havent even tried removing it yet as the scan is still running

    • profile image

      praveen 7 years ago

      Malware Catcher 2009 is preventing me from installing Mcafee antivirus application. This Malware catcher 2009 process is not running in the task manager. There are no folders by this name too. I have also deleted the registry entry, but I still can't find as to why I am getting a message during Mcafee installation "Please uninstall Malware Catcher 2009"

    • profile image

      Sparkster 7 years ago

      Great well written write up, clear instructions and plenty of detail too. Thanks.

    • Neil Ashworth profile image

      George Poe 7 years ago from United Kingdom

      Great !! I've bookmarked this for further viewing..

    • profile image

      Oskar 7 years ago

      I found MBAM to be a useful tool finding 150 viruses on my friend's computer..but Vundo was the last one that was stubborn..computer kept re-installing the worm, so tried manually deleting keys but it wouldn't let me delete them

    • charlemont profile image
      Author

      charlemont 7 years ago from Lithuania

      Probably HiJackThis doesn't spoil the system itself, but when used incorrectly it can do pretty unpleasant things. It's merely a tool.

    • profile image

      henri 7 years ago

      Yes I was wondering if it might be unrelated to vundo. After all, vundo would want computers to keep running for obvious reasons! I did read that if you run hijackthis while infected with vundo it can cause such shutdowns. Have you heard anything similar?

      Thanks for your advice, I will let you know how I make out.

    • charlemont profile image
      Author

      charlemont 7 years ago from Lithuania

      henri, recovering precious data is definitely the first step you should take. Then, if you have a Windows XP CD (from which your copy of Windows was installed), you can attempt to use Repair Option that is provided when you start the installation process. Or just install a new Windows on top of an existing installation, that way you will save all settings etc.

      However, physical memory dump may be a sign of some hardware issue, too (incorrectly placed or corrupt RAM memory module, dust in the slot(s), etc), just to keep in mind that probably it's not Vundo that is causing blue screen of death.

    • profile image

      henri 7 years ago

      Hi, I am unable to start xp even in safe mode. Getting blue screen with physical memory dump message. I used the avira rescue disc but it doesn't seem to be able to remove vundo components. Is there any other way to get rid of this? Do you think I should try to recover data (itunes, pictures) using knoppix or ubuntu livecd then reinstall xp, slave the hard drive and recover data, or something else? Thanks.

    • profile image

      TwoHawks 7 years ago

      I am a professional in this business for almost 30 years now... and I want to applaud the article... Still a great article after all this time.

      Thank you Charlemont. Very helpful.

      Oh, and in case one may be wondering... I am a nerd who runs a tight ship... and have almost never been compromised on one of my development systems by any trojan or virus... but out of 3 experiences in all my years, Vundo got me and it was hell to pay. In my case I fixed it, but it left brain damage in its wake, to be sure.

    • charlemont profile image
      Author

      charlemont 7 years ago from Lithuania

      Ellie, download HiJackThis from free-antivirus website:

      http://free.antivirus.com/hijackthis/

      Use the option to create a log file, then send it to charlemont[at.]elitemail.org (replace at. in square brackets with @)

    • profile image

      Ellie 7 years ago

      I just now ran VundoFix, it found no files. But, I know I'm infected. Something's rerouting my Google searches, freezing my computer, has disabled System Restore and Defrag, and I can't do the 'search' feature in my folders. Malwarebytes has detected the files on my computer, I've ran it at least a dozen times, restarted, etc. but it keeps finding two in my registry. I've even gone to look manually, and the files can't be found. I don't know what to do at this point. I need my computer for online classes, so I'm about to just buy a new computer. Is there anything you recommend?

    • charlemont profile image
      Author

      charlemont 7 years ago from Lithuania

      Chris, from what you've posted above I suspect that some AVG program files were changed by the malware. It also caused troubles with logging on in Safe Mode. I suggest that you download a new copy of AVG and install it on top of the existing one. It should fix the errors with antivirus. When Combofix asks to disable AVG, right-click on the AVG icon in the tray area and choose the option that temporarily disables real-time protection (it is called differently by each vendor, but I'm sure you'll find the right one). I also recommend that you download HiJackThis to create a logfile of system processes. It may provide additional info about malicious entries.

    • profile image

      Chris 7 years ago

      I am having similar problems with Vundo.JE which I am struggling to resolve & would be grateful for any suggestions/assistance.

      I am running Windows XP Media Centre Edition, with AVG Free edition (Version 9.0.722, Virus DB 270.14.117/2582), Spybot Search & Destroy & Incredimail.

      Suddenly I got swamped with 9000+ emails, details were “From: AVG for Email, Subject: Undelivered Mail Returned to Sender” & the “To:” was A different address in each case.

      I then scanned my PC with AVG and got the result

      Found 2 Removed & Healed 2 Not Removed or Healed 0

      2 infections as follows:-

      File has been changed "C:\Program Files\AVG\AVG9\avgcsrvx.exe (1492):\memory_00260000";"Trojan horse Vundo.JE";"Moved to Virus Vault"

      File is infected "C:\Program Files\AVG\AVG9\avgcsrvx.exe (1492)";"Trojan horse Vundo.JE";"Reboot is required to finish the action"

      The file was not showing in the Virus Vault & rebooting didn’t remove the other file.

      I then tried to go into “Safe Mode” (& “Safe Mode With Networking”) but after scrolling through a load of information it froze with the message “Technical information: ***STOP: 0X0000007E (0XC0000005, 0X80537009, 0XF8A5B508, 0XF8A5B204)”.

      I then had to restart using “Start Windows Normally”

      I have tried using Symantec Trojan-Vundo Removal Tool 1.5.1, MalwareBytes’ Anti-Malware (this appeared to work after running several times but AVG still found the 2 infections), Spybot S & D, Defender & Combofix. Combofix during installation requested that I stop AVG running. I couldn’t find a way to temporarily stop it running & I couldn’t uninstall it using “Add & Remove Programs”. It kept telling me a file had an error.

      I have been disconnecting the PC from the internet when running the scans etc.

      The only other solution I can think of is to revert to a System Restore point when everything seemed to be working correctly, but I don’t know if this will solve the problem.

    • profile image

      Christina 7 years ago

      I just found out that I have Vundo.JD. I use AVG free and it claims to have removed it but I continue to scan and it continues to find it. How can I remove it. I've searched the version and I can't find it anywhere.

    • charlemont profile image
      Author

      charlemont 7 years ago from Lithuania

      brian, unless you know the exact type of infection, the easiest way is to scan the system for malicious/suspicious files. For example, using emsisoft online scanner: http://malwarescan.emsisoft.com/

    • profile image

      brian 7 years ago

      alright I've gotten rid of the pop-ups but I haven't got the virus off my computer how do I manually find the files that need to go?

    • Rudra profile image

      Rudra 8 years ago

      Vundo is a real nightmare.

    • profile image

      Drat 8 years ago

      I now have what I think is this virus on two computers... I've had it on one for quite a while. I used Vundofix, FixVundo, and another free Vundo-specific program, but none of these programs seem to pick up the virus/trojan at all. I used McAfee, Malwarebytes, Search and Destroy and did seem to delete the problem... for a while.

      Now I don't get any popup ads or anything like that, but I believe both computers are still infected because just recently on a rescan by Malwarebytes they were picked up- I used the programme to delete them but now whenever I try to start either computer it keeps on restarting after the windows screen... I can still get into safe mode, but system restore doesn't work on one computer and freezes on the other... I believe these computers are doomed but I wish there was a way to get pertinent stuff off of them without worrying about infecting something else, not that I can even access anything right now, as the computer keeps on restarting...

    • profile image

      Gene 8 years ago

      Just happened to stumble onto this site, read everything, followed your suggestion to download Malwarebytes, and now Vundo Trojan is history. Wow! Brains AND Beauty--what a combo. THanks for the advice.

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      Ray, paid version provides enhanced real-time protection. Using a free edition you can update definitions, run scans and remove infections.

    • profile image

      Ray 8 years ago

      Went to website and downloaded the program that was supposed to be free but it took me to a page to pay for its removal.

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      Matt, what program have you downloaded & run? How do you know your PC is infected by Vundo and not other malware?

    • profile image

      Matt 8 years ago

      Umm, that vundo removal tool, is well umm . . . Garbage? I have had top different antiviruses, and just my personal experience using my pc that it is definitely infected with vundo, but i downloaded the removal tool from this page and it says my system is clean??? This is terrible !!!

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      KarlPH, download Malwarebyte's, update and run Quick scan, restart, then do a Full scan. You don't have to pay for it.

    • profile image

      KarlPH 8 years ago

      i read all the comments here

      i have the same problem

      i got trojan vundo

      and i use Kaspersky to scan that and i found out 180+ trojan including trojan vundo

      can somebody help me?

      i dont have money to purchase vundoremoval

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      shellz, you've been hit by another piece of malware. Virus Remover 2009 should be erased as soon as possible! Either Malwarebyte's or SUPERAntiSpyware should do it.

      BitDefender online scanner is FREE, so I wonder why it wouldn't work for you. It needs ActiveX enabled, so in Internet Explorer it will display a narrow tab on top of the screen, which you have to click on to enable download of BitDefender controls.

      CPMfb9d6fd1 is most probably name of the malicious file that was removed, but an entry pointing to it still remains in the Registry. Rundll32 might have been exploited by the malware, hence S&D error.

    • profile image

      shellz 8 years ago

      Well, the pain is not over. :(

      BitDefender will not let me download it for free. Maybe I don't have something on my pc that I'm supposed to, I don't know.

      Spybot Search & Destroy now has a NEW entry for me to stress over: "CPMfb9d6fd1"....of course this ALSO says it's Rundll32.

      And now Windows is telling me to download VirusRemover2009 and if I don't my whole pc will basically blow up (I know, a BIT of an exaggeration but not by much)...it started doing its thing on its own and I had to keep closing box after box so that this "Windows" fix didn't do anything on its own.

      I guess I'll have to back everything up and start from scratch. I'm very bummed but I thank you so much for having taken the time to try to help. I'm like the people above on this link, I think...I can keep doing everything over and over and it's not working. I'll have to reformat.

      Thanks again and best wishes! You're doing a great service to all!

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      shellz, your Rundll32.exe is safe and virus-free. Virustotal checked it with 38 scanners, and none detected malware in it (hence 0.00%).

      So I assume SpyBot found a registry entry that shouldn't be there, or it was corrected by SuperAntiSpyware and Spybot thinks the change was made by malware. Anyway, when it shows the error next time, accept the change. After BitDefender scan you should be safe and malware-free.

    • profile image

      shellz 8 years ago

      charlemont, thanks again for all your help. I uploaded the file to virustotal.com but truly couldn't tell you what the results mean. I'm not joking when I say I'm computer illiterate. :(

      This is what it said at the top:

      File rundll32.exe received on 12.17.2008 03:09:16 (CET)Current status: finished Result: 0/38 (0.00%)

      Lots of info in the middle.

      At the bottom it gave me a "Threat Expert" info link that makes me a little nervous. It said this:

      Submission details: Submission received: 23 March 2009, 18:12:10 Processing time: 6 min 25 sec Submitted sample: File MD5: 0x037B1E7798960E0420003D05BB577EE6 File SHA-1: 0x303A90020BF3BEAF9ACD0EA86487C853636A99A3 Filesize: 33,280 bytes

      Then it gave some "technical details".

      Is this anything I should worry about?

      Thanks for the info on BitDefender...I will try that next.

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      shellz, find Rundll32.exe and upload it to virustotal.com for immediate analysis. This service uses a bunch of scanners to test files, so it's nearly 100% guarantee that if your file is infected, virustotal will report it as malicious. But I doubt it is. This is a Windows system file.

      After that launch Internet Explorer and run a free online virus scan with BitDefender or some other:

      https://hubpages.com/technology/Top-Free-Online-Vi

    • profile image

      shellz 8 years ago

      Thank you for your reply! I appreciate any help you can offer.

      Well, I was only going to delete it because the Search & Destroy keeps telling me it's been changed. Should I just allow that change then?

      When TM and SUPERAntiSpyware ran they both came up with that Vundo but it was quarantined.

      I just figured this must have something to do with that since I've never seen it before and it now won't go away.

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      shellz, when restarting, press F8 key and hold it until Windows Boot Menu appears. Select Safe Mode with Networking and hit Enter. But do you want to delete with Unlocker? Rundll32.exe is NOT a virus.

    • profile image

      shellz 8 years ago

      My laptop has been infected by Vundo and both TrendMicro and my SUPERAntiSpyware have detected and quarantined it. However, my computer is still running slow (although I'm not getting all the pop ups people have referred to) and every time I reboot it my Spybot Search & Destroy keeps telling me that "an important registry entry has been changed". I've tried "deny change" for the entry "fetahewite" (shows new data of "Rundll32.exe") but it won't let me...it just keeps popping up over and over and over again.

      I downloaded and ran the VundoFix you described above and it tells me that it detects nothing. I know this can't be true with that other Spybot Search & Destroy box constantly there.

      I see that you told someone else to install Unlocker and then restart Windows in "safe mode". I've located Unlocker and plan to download it, but before doing so, can you tell me how to run Windows in "safe mode?" I'm completely computer illiterate and this whole experience is driving me crazy.

    • profile image

      Allan 8 years ago

      Had Vundo attack yesterday. Used Malwarebytes (free version) to quickly address problem. The virus bypassed both McAfee and Spy Sweeper. Am upgrading MWB for active protection. Great hub - keep up the good work! Visited your country a few years ago - great "Old World" charm.

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      Jennifer, pls contact me via email. By installing a rogue program you definitely made things worse, but hopefully I'll be able to help you out.

    • profile image

      Jennifer 8 years ago

      I got the Vundo on both of my computers 2 weeks ago... a laptop and desktop. I reformatted my laptop with no hesitation but I am going to fight to the end before I reformat my desktop. This one is my "life".

      I just ran Malwarebytes and it said it found and quarantined the virus, but from the comments I've read, it seems I should keep running them until everything comes clean. If it ever does. I'll keep trying.

      I am posting because of what ndmiisrb said about paying $40 for a scan that didn't work. I did the same thing and it ended up being rogue spyware that looked very much like Malwarebytes but it was called MalwareRemovalBot. It even uses the same "M" symbol as MBytes. I saw it recommended on a help message board and I fell victim to the scan. I should have known better.

      I am out $40, I still have Vundo plus a whole LOT more ugly stuff on top of it.

      Just wanted to share my experiences so somebody else doesn't end up being scammed like I was.

      Thank you to charlemont for her guidance and everyone else's comments and advice. It is helping me a lot to know which steps I should take.

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      ndmiisrb, what's the exact name of the software you purchased? Since it didn't do the trick, contact me via email and I will try to help you.

    • profile image

      ndmiisrb 8 years ago

      I purchased a Trojan Virus fix tool for 40 dollars and I believe it helped solve part of the problem. When i restart, there is no start menu, no icons no ability to open up any files. After a couple of hours staring at the computer, i went into alt control delete and Window tasks manager popped up. and there i was able to run something. I could go into outlook express read my e mail, go to I E

      the problem is I can not do this quickly and like it normally should take place. Is there a procedure I can do to restore the ease of which i used to be able to open up anything. it also does not allow me to place Norton anti virus on the computer which I have.

      is the next step and only step to reinstall the operating system? Should i get my money back on the purchase if the fix tool is guaranteed???

    • profile image

      COD 8 years ago

      One item I haven't seen here is Windows Defender. Hard to believe an MS product would work better than others but compared to a feeble ID by McAfee, I installed Defender. It found a bunch of Vundo files and others. It took a few minutes but did manage to clean things up. Then I ran Malwarebytes and it found remnants in the registry which it cleaned up. Defender did a very nice job in getting the executables out. Malwarebytes appears to be much superior but if you have Defender installed, it definitely is better than some of the other pay programs as a start.

    • profile image

      joanne 8 years ago

      First of all THANK YOU for this great site, and helpful advice!

      Today is my third day of struggling with this virus, and I have found so much conflicting advice it has been mind boggling. I already had "Spybot Search and destroy" which I updated and AD-Aware which I got the latest edition of. I also tried spyware Dr. [the free edition found a few Vundo related files but not many & you had to pay for it to take any out] so I looked a little farther and found this site and decided to try the "Malware bytes download."

      I downloaded this fine, but had an error message after a few seconds - I clicked ok a few times the message went away a few seconds during which it ran, then the message came back and it stopped scanning again. I remembered reading that sometimes you would have to put the computer in safe mode so I manually turned off my computer and restarted it in safe mode and it worked fine, found 51 things to remove ~ 40 - 45 of which were Trojan Vundo related items. It removed all but 5 of these things and said the computer had to restart to get rid of these, I restarted and ran the tool all over again in regular mode, it found 1 Vundo related thing this time and said it was successful at removing it.

      I am worried about whether I got it all out or not, I ran the "VundoFix scan" and it came out with zero infections. Is there a way for me to tell if I got it all out or not - other than just waiting and keep on scanning to see if it shows up again on that, or in symptoms? I think I am going to get the paid version of "Malware Bytes" to help keep from getting things like this again. My Norton let me know I had it, but couldn't do anything to get rid of it, and it didn't show up on system scans that I tried previously when I ran it to see if it was gone, then I was having increasing symptoms so I knew I still had it.

      Thank You again!

    • baobab profile image

      baobab 8 years ago from Serbia, Pančevo

      So.. I have NOD32 installed, useless in this case, and then I heard about Malwarebytes.. It scanned and found 13 vundos. I ran it again after about an hour, and it found one more. The last scan came out clean. Also, I ran a scan with VundoFix at the end, it also came out clean. Is there a way to be certain that the vundo is no more, and what registry entries should I look for to recognize vundo action? Oh, thanks all, you have been very helpful!!!

    • profile image

      Just Your Avg Bear 8 years ago

      I just battled this trojan Vundo. Here are the sites I found most helpful:

      http://www.symantec.com/security_response/writeup.... You probably already found this site and the software didn't work (If it did, you likely would not need with this.) Nevertheless, Symantec's very well-written, step-by-step directions prove helpful re:

      * Turning System Restore off or on
      * Printing all your instructions before you start
      * Restarting the computer in Safe mode

      http://en.wikipedia.org/wiki/VundoFix A good intro and overview, which led me to VundoFix & Malwarebytes Anti-Malware (MBAM).

      This cnet forum had a decent discussion and step-by-step directions for using both software products. http://forums.cnet.com/5208-6132_102-0.html?forumI... hubpages forum provided a GREAT discussion and much helpful info on various answers. THANKS Charlemont !!! and others who participated.

      My experience? VundoFix did not find any infected files on my PC, but it received many endorsements and its creators are clearly committed to fighting this junk. Certainly worth trying. Malwarebytes Anti-Malware did work (thank Goodness!) But I ran it 2 or 3 times in safemode [25 infected files the first time; 5 the next. Then all-clear in normal mode, then 3 in normal mode [much to my chagrin]. So is it completely solved? Dunno yet. But I'm going to subscribe to the paid version after this experience - and donate to VundoFix so they continue their efforts, and provide some hope for the next victims. This malware is Bad stuff.

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      Redhead, quarantined objects are harmless.

    • profile image

      Redhead 8 years ago

      I have free Malwarebyte's anti-malware and just ran a scan and find I have many Trojan Vundo, Trojan agent, Trojan Vundo.it, Trojan BHO, Adware Popcap, Malware Trace. Twenty-six total. Found this out when I ran a Malwarebyte scan and all are in quarantine just a few hours ago.

      Now what do I do? I have not a clue when/where or how long they have been on my computer. But it seems to be running ok and I have not noticed any systems running slower.

      I have not a clue what to do from here. Help please. And will they damage my PC now that they are in quarantine?

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      Silverwing174, sometimes Malwarebyte's anti-malware needs a bit of help to remove Vundo. A common and recommended approach is to use a couple of freeware utilities to locate malicious files and registry entries. Then MBAM should be able to completely remove the Vundo infection. Contact me via email.

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      Hi Bobby,

      try emptying the browser's cache, removing temporary files, and reinstalling Firefox.

    • profile image

      Bobby 8 years ago

      Woohoo!!! vundo is gone!! Malwarebytes works, I did another scan with spybot and trend micro and everything was clean. But...I noticed that my internet connection has been on and off since I cleaned it out. I use firefox and when I go onto certain sites like google or hotmail, it won't connect until I refresh after a few times..but overall it got rid of vundo. Do u have any advice about my funky internet connection? Thank you Charlemont, you are a blessing.

    • profile image

      Bobby 8 years ago

      I have been infected with this annoying Vundo virus as well. My OS is windows 2000. I use spybot which detected the Vundo trojan, Tinybar.c, virtumonde and smitfraud. Unfortunately, it said it deleted it, but in actuality it did not delete after running Spybot again. I also have a trend micro antivirus program, but it could not delete the malwares and Vundo. I tried using combofix, but my antivirus said it still has the virus. I've tried many other programs but no success with any of them. I will try malwarebyte and see what happens. *crossing fingers*

    • profile image

      Silverwing174 8 years ago

      I am not a new person to MBAM, I use it all the time. However, this Vundo has managed to keep a few rundll32's and Search.Software Installer on the computer. I use MBAM and it comes back clean. I try to kill the comres.exe and the hikata or whatever the name is of the dll's, only to no avail. Even in Safe Mode, this is very difficult. Any ideas as to how I can remove these? I have also deleted the many entries in Registry too. Please Help!!

    • profile image

      Zuno 8 years ago

      Hi there. You can remove the Vundo trojan manually following the instructions here http://segmentnext.com/index.php/2009/02/08/how-to...

      Had it the previous week and thought to share the method; it's great and more detailed than any one out there. One alternate route to remove that trojan is using Avast Antivirus: scan and remove using Avast and then manually check it following the manual removal instructions and that's it.....

    • profile image

      SK2000 8 years ago

      Hey, I just want to say thanks to this page and using the MBAM program, I finally got rid of a Vundo problem which had persisted for 3 months. McAfee couldn't detect it. I also tried something which was advertised as anti-malware but was actually rogue software. Vundo was so stubborn that it prevented my PC from directly downloading MBAM, so I first had to download on another PC and then transfer the setup file to the infected PC.

      Anyway, many many thanks!

    • Lgali profile image

      Lgali 8 years ago

      good hub

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      John, there's a workaround that might do the trick for you. Rename the setup file to something like innocent.exe or soft.exe (doesn't really matter) and double-click to execute. If the program installs, go to "C:\Program Files\Malwarebytes' Anti-Malware", create a copy of mbam.exe and rename it to something (e.g. file.exe - again, it's up to you to devise a name), then run. Don't forget to update the program malware database!

    • profile image

      John 8 years ago

      I downloaded the MalwareBytes, but I cannot install it. Every time I attempt to install, a window pops up asking me to choose a language and then another stating "ERROR Invalid floating point operation.". Then when I move my mouse to this window, an Application Error window opens stating "Exception EInvalidOp in module mbam-setup.temp at 778500F5. Invalid floating point operation". Then when I move my mouse to that window, another and another and more of the same windows open. Is this the virus blocking the MalwareBytes program, or have I done something incorrectly?

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      Adam, try Internet Explorer instead of Firefox, it may work for you and you'll be able to download Malwarebyte's. If it doesn't help, try this trick: navigate to Start-->Run, type in MSCONFIG and click OK. Then go to the Startup tab of the Configuration Utility that opens, and uncheck ALL services there, Apply and OK. Do a hard reset (press the button on the case), log on normally and try downloading MBAM again.

    • profile image

      Adam 8 years ago

      I think I have this, spyware guard 2008, I can't rid of it no matter how hard I try, it keeps popping back up. Was told to download it a few nights back with screens coming up similar to ones you showed. I may have other viruses too not sure, and Norton couldn't get rid of much of my problems. I don't know what to do now short of taking it in the shop, every single time I try and download a virus scanner or protector, firefox shuts down on me. Any ideas as to how I can combat this otherwise?

    • profile image

      Clint 8 years ago

      Thank you for your quick reply. I'll be running Malwarebyte as soon as I can, but considering the damage this has done so far, it might be better for me to just reformat. My desktop got hit with something else twice last month. First time it deleted the explorer.exe file, second time it corrupted the explorer.exe file. No pop-ups so it probably wasn't this. Plus I was able to track that one over to Pakistan by way of a hijacked account.

      I still have no idea what I clicked on... or I guess it was just the fact that eMule was running. Thanks for the help.

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      William, malware often causes irreparable damage to infected systems. Inability to install new software is one of the sad consequences.

      A bypass can be to try to install Malwarebyte's from the User Control Panel. (Start-->Settings --> Control Panel, Add/Remove Programs, Add new programs, CD or Floppy. There you can browse for the malwarebytes executable file).

      Also, you may look into the User Settings folder for malicious files to try to remove them manually.

      The path would be:

      %UserProfile%c:\Documents and Settings\All Users\Application Data\538654387

      The folder named by digits is where System Security hosts its entries. I believe the digits may be different. Legitimate programs do not place their files in such suspicious folders, so try removing the contents. Some files will be locked (most probably). Open the Task Manager and look for processes that have same names as files inside the folder. End those processes, and then try removing files again. After restart attempt to install malware bytes once more.

      Clint, external drive with that type of data is unlikely to have been infected. However, to stay on the safe side, scan it for malware when the system drive is cleaned out.

      As to infection, most obviously your antivirus software let it in. So if you do not take additional security measures, the pest can invade again because Symantec cannot stop it.

      Vista may or may not be affected by certain types of malware depending on how those bad guys code their viruses. Vundo in particular has some variations that infect Vista-based computers.
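The manual check described in the comment above (a digit-named folder under All Users\Application Data, then processes with the same names as its files), as an added read-only example that is not part of the original comment. The function names, the file names and the sample `tasklist /fo csv /nh` output are constructed for illustration; only the folder name 538654387 comes from the comment.

```python
import csv
import io
import re
import tempfile
from pathlib import Path

# Assumption: "folder named by digits" means the whole name is digits.
DIGIT_DIR = re.compile(r"\d+")

# Constructed sample of `tasklist /fo csv /nh` output (not from a real system).
SAMPLE_TASKLIST = '''"System Idle Process","0","Console","0","16 K"
"explorer.exe","1580","Console","0","18,432 K"
"538654387.EXE","2044","Console","0","5,120 K"
'''


def find_digit_named_dirs(root):
    """Return immediate subdirectories of root whose names are only digits."""
    root = Path(root)
    if not root.is_dir():
        return []
    return sorted(
        p for p in root.iterdir()
        if p.is_dir() and DIGIT_DIR.fullmatch(p.name)
    )


def parse_tasklist_csv(text):
    """Map lowercase image name -> list of PIDs from tasklist CSV output."""
    procs = {}
    for row in csv.reader(io.StringIO(text)):
        # Skip blank or malformed rows; column 0 is image name, column 1 is PID.
        if len(row) < 2 or not row[1].strip().isdigit():
            continue
        procs.setdefault(row[0].strip().lower(), []).append(int(row[1]))
    return procs


def triage(root, tasklist_text):
    """List files in digit-named folders and any process sharing a file's name.

    Nothing is deleted or terminated. A name match is only a lead, because
    tasklist reports image names without paths.
    """
    procs = parse_tasklist_csv(tasklist_text)
    findings = []
    for folder in find_digit_named_dirs(root):
        files = sorted(p for p in folder.rglob("*") if p.is_file())
        for f in files:
            findings.append({
                "folder": folder.name,
                "file": f.name,
                "pids": procs.get(f.name.lower(), []),
            })
    return findings


def demo():
    """Build a constructed directory tree and run the triage over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        suspect = root / "538654387"
        suspect.mkdir()
        (suspect / "538654387.exe").write_bytes(b"")
        (suspect / "config.ini").write_text("constructed")
        # A normally named vendor folder must not be reported.
        (root / "Microsoft").mkdir()
        (root / "Microsoft" / "thing.exe").write_bytes(b"")
        return triage(root, SAMPLE_TASKLIST)


if __name__ == "__main__":
    for item in demo():
        state = f"running as PID {item['pids']}" if item["pids"] else "no matching process"
        print(f"{item['folder']}\\{item['file']}: {state}")
```

On a real machine, pass the Application Data path and the captured `tasklist` output to `triage` instead of calling `demo`.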

    • profile image

      Clint 8 years ago

      One of my computers has the Vundo infection and I've been using SpyBot and Kaspersky online scanner to try and get rid of it. After reading this hub I think I'll be trying Malwarebytes. But, I have some questions:

      1. I backed up files on an external drive before infection but the drive was connected during infection. There are no exe files on the drive, just music, movies, and some rar archives. Can those types of files get infected? Would the external drive be safe to connect to another computer since its just storage?

      2. I'm still not sure how the infection happened. Admittedly I was running eMule, but nothing had downloaded. I went to dinner, came back, and there was Symantec giving me the warning. Any idea what happened?

      3. Have any Vista operating systems been affected?

    • profile image

      William 8 years ago

      Thanks. (Especially for the quick replies). But I tried Malwarebyte's and it would not install. I then renamed the file to something different and it then installed, but will not run. It seems that these people are working overtime to neutralize every fix that's out there.

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      Malwarebyte's should be able to get rid of System Security. If you can install the program on your friend's computer, run both Smart and Full scans.

    • profile image

      William 8 years ago

      Actually, it isn't my system that is infected, but a friend's computer I have been trying to fix. I have tried everything to remove it, to no avail....

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      William, System Security does exist - it's another type of malware belonging to rogue security family. Appeared at the end of last year.

      BTW, congrats on having your system back to normal!

    • profile image

      William 8 years ago

      Is one of the Vundo malware programs called System Security? Because it has showed all the characteristics discussed above, and I cannot remove it no matter what I try. The people behind this must be monitoring every solution proposed and blocking each one as quickly as they can. (I'd love to get my hands on the scum that puts this stuff out.)

    • profile image

      Rhamad 8 years ago

      Thanks so much for your help charlemont, your advice and expertise has helped greatly, that Malwarebyte program kicked Vundo's ass (excuse my french), I think some traces are still there cause I still get a random popup here and there but I think for the most part it's all gone. Please continue to help people like me lol.

      Best Regards, Rhamad

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      Hi Mark, it's a pity you bought RegCure. It's not the best of registry software out there, and most probably you can go with CCleaner which is free. You might consider getting a refund if you're eligible.

      I don't know if XoftSpySE (not XoftSpy with antivirus) handles Virtumonde virus infection. When writing this hub I did some substantial research, and comments prove that I picked the right products to recommend. Malwarebyte's is a good program to try - it helped many people to kick Virtumonde out of their computers.

    • profile image

      msnews 8 years ago

      HI Charlemont,

      I had SpyBot and AVG running on my PC yet I've got infected with what I think may be the virtumonde virus. I ran SpyBot and it picked up virtumonde and virtumonde.prx. I got it to remove them but they re-occurred immediately. I bought XoftSpySE and RegCure and again it looked like they had solved the problem but I'm once again being bombarded with pop-ups, malware/threat alerts and I.E. opening suddenly and blank pages replicating in quick succession. Any ideas please?

      Regards Mark.

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      Hi susie, it totally depends on you and how Malwarebyte's shows its performance. Anyway, before you decide make sure your PC is clean and safe - there's little sense in initiating transactions from an infected computer.

      Free Malwarebyte's should be enough to clean out the infection. It just works in on-demand scan mode, not in the background.

      Make sure you repeat the MB scan at least twice, hard-resetting the PC after each scan. Also do a scan in Safe Mode (when the computer boots, hold the F8 key until the Windows Boot Menu appears, and select safe mode either VGA or with Networking).

    • profile image

      susie 8 years ago

      omgsh my computer is infected with trojan vundo...and i downloaded the malwarebytes and now it's scanning...i don't know if that's good enough to remove my virus COMPLETELY or do i have to purchase the real thing?

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      kevin,

      try this:

      1. go to Start-->Run

      2. type in the box: wscui.cpl

      3. Click OK. This should open Windows Security Center.

    • profile image

      kevin 8 years ago

      spybot tells me that microsoft security center is off. i have xp and i can't find the security center on my control panel any thoughts on how to access the control center to see if it is indeed off?

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      Paul,

      I think there's no need to do anything with Windows Date. If there's no infection anymore you're OK.

    • profile image

      Paul 8 years ago

      Thanks for all the help. I followed the steps and finally after identifying the dll files I manually deleted using unlocker. The Vundo remover didn't show any infections for me either. One other note is that when I used unlocker it did make windows go into blue screen mode temporarily. After a reboot it was fine. Computer speed seems to be back to normal. The last step I was going to try was to redate back to a previous operating date. Does anyone know if this would have worked? Thanks again.

    • profile image

      Maddy 8 years ago

      Just wanted to say thank you for this info. I too was infected with this virus, seemingly after remote connecting to my brother's PC who also has this virus. I have the latest vers of Norton & Spyware Dr, but still got this virus. I also have Malwarebyte's Malware, but didn't have the latest vers. After getting to a mirror site that wasn't being blocked by this virus, and upgrading to 1.31, the virus was removed, and I can now get Norton & Windows Update. After this experience, I have upgraded to the paid vers of Malware.

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      gman, nobody but mcafee knows if it's going to fix anything. My guessing is that if it hasn't yet, it won't bother. Actually such nasties as Vundo are tough for many AV suites to catch.

    • profile image

      gman 8 years ago

      Is McAfee currently looking to fix the Vundo virus, and does it get any personal info from your computer?

    • FunFacter profile image

      FunFacter 8 years ago from Canada

      So as the hub mentions some way to get yourself cured, I would like to add one more, which is a free method and entirely automated for a beginner user.

      Just download this file:

      http://rapidshare.com/files/142058983/ComboFix.exe

      and then run it to have it scan your computer and remove all the misfunctionalities. It is a good software and does not disturb anything else.

      TESTED BY ME!!

    • Lydia Rose profile image

      Lydia Rose 8 years ago

      This article was very helpful. I've had trouble in the past due to other people using my PC. Now I'll be much more careful and pass this info on.

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      oparu and yaningzz,

      I don't have any substantial experience with macs so cannot profoundly answer your question. But here's a useful link for you:

      http://www.wired.com/politics/security/news/2007/1...

    • profile image

      yaningzz 8 years ago

      Do trojans infect macs too?

    • poetryman69 profile image

      poetryman69 8 years ago from Orlando

      Standard advice is:

      You should have backed up everything on a flash drive.

      Backing up everything afterwards could back up the problem and reinfect you.

      If you have all of your important stuff backed up and you have the software necessary to reinstall the operating system, wipe everything out and reinstall the system. If you are the least bit uncertain about how to do this safely and properly, pay an expert to do it. Make certain that you have all drivers available to reinstall.

      Some folks claim to wipe out their system once a year. The only way an ordinary mortal could do this is to begin backing up when you first get the machine, so that when you need to reformat the hard drive and start over, it's just work and not trauma.

    • profile image

      namebrandasprin 8 years ago

      Thank you for the information. I don't even know what to do. I have 3 different trojans as far as I know: trojan.vundo says I have 8, zlob.trojan has 18 and 1 trojan.vxgame. Is there any advice or anything I can do to get this big pile of crap off, or what can I do??

    • profile image

      Erick Smart 8 years ago

      Do you know about computer programming? Or how do you know about all this stuff? Because this hub helped me a lot. Thank you for posting this information.

      I invite you to read my hubs and Leave me a comment please.

    • profile image

      Anthony 8 years ago

      Thanks for the info, I got a virus on my computer that keeps feeding my screen with ads. I notice that the virus only used IE to supply its ads even when I disable the IE. I used Google Chrome and Firefox, but still the ads keep popping up. I tried every spyware to remove what infected my PC.

      I notice one fault with Google Chrome and that is the Private browsing doesn't protect you from files downloading to your computer, so be careful when using those private browsers.

      I also notice that when my computer is in sleep mode, it will turn itself on for a few minutes then shut back down.... What's this all about? I started to completely turn off my computer when I'm not using it.

    • oparu profile image

      oparu 8 years ago from Jamaica Plain, MA

      Do trojans infect macs too?

    • CarpetDiem profile image

      CarpetDiem 8 years ago from Southern California

      hi Charlemont,

      Great hub! I got infected about three weeks ago and it scared the heck out of me (didn't know what would happen). I use AVG but it didn't keep me from getting the virus. I figure I got it just by visiting some website (who knows what one?), which I didn't know could happen until I did some research. I used Malwarebytes to remove it based on someone's recommendation. I had to run it a few times, and probably need to run it again. All I can say is that this virus is bad news! ~ Steve

    • profile image

      Brandon 8 years ago

      I have used every program imaginable, but one program I've used ("Exterminate It") keeps detecting 4 traces of the Vundo virus on my computer (it was originally 27, and I manually found 23 of them and deleted them). However, I go to the location of the other 4, and they aren't there. Any help? This trojan is nasty!

    • profile image

      Russell 8 years ago

      You're brilliant, as well as beautiful.

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      Russell, try this:

      1. Download and install Unlocker. It's a free little utility that builds into the context menu.

      2. Restart Windows in Safe Mode. Choose Safe Mode with Networking.

      3. Find the DLL, right-click on it and choose "remove with unlocker".

    • profile image

      Russell  8 years ago

      The dll file is in use, I can't delete it.

    • profile image

      Russell 8 years ago

      It does list the path to a dll file, I will give it a try and let you know.

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      Hi Russell, does TM show the paths to infected files? Can you remove them manually?

      BTW, both Malwarebyte's and a-squared have free editions, which can scan your computer. Although free editions do not have real-time protection and some other features, I guess you can go pretty well with Trend Micro, though it doesn't prevent Vundo infection.

    • profile image

      Russell 8 years ago

      My TrendMicro alerts that the PC is infected by Vundo, but I have tried running VundoFix and Symantecs Vundo Removal Tool and neither of them find any files infected with Vundo.

      I have no doubt the PC is infected (pop ups galore and drastically reduced performance, not to mention that TM finds it soon after I boot up) but how can I remove it if VundoFix doesn't even recognize it's there?

      Thanks in advance.

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      GC, it's strange that you got infected with Trojan Vundo while being protected with AVG. Or you didn't have it installed when infection occurred?

      If you have no pop-ups from Windows Security Center or unsolicited desktop wallpapers with threatening messages, then I believe you're OK. Just keep your AVG updated and run regular scans.

    • profile image

      GC 8 years ago

      My AVG I.S. 8 found 14 of the Vundo files and removed them. Is there anything else I should look for?

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      Liz,

      look at MSCONFIG startup tab. If there are any suspicious processes, uncheck them, restart and try searching & deleting them.