[HOWTO] Remove Vundo from your PC

Discussion in 'Windows Desktop Systems' started by calcal, Jan 21, 2009.

  1. calcal

    calcal OSNN One Post Wonder

    Messages:
    6
    hello please help me, i ran an avira scan last night and i got two detections,

    1. tr\vundo.gen it is located in C:\documents and settings\owner\temp\tmpbc.tmp
    2. tr\patched.cl also in the same directory.
    3. when i try to open my external hard drive it gives me the error code "C:\recycled\ntldr.com is not valid win32 application" which is a result of the vundo i believe.
    *but i can open it when i right click - explore*

    after the Trojan was triggered avira caught it and warned me i had the vundo trojan, i clicked delete on the pop up, i tried to go into my c drive to see if i could get it but when i clicked on it nothing happened and same with my external, after i realized my hard drives were locked i panicked and promptly wiped out my hard drive. which might have not been the best thing to do.

    i had tried vundofix twice and both times did not get any detections, but whenever i run an avira scan it detects it and i select "delete" on the pop up. i have un-plugged my computer from the internet whether that helps or not and am currently running a full in-depth scan with nod32 on all my drives including my external hard drive, with no threats detected yet. the scan finished it scanned 367,938 files and 0 infected files and it is still giving me the error code when i try to open my external hard drive.

    i am currently doing a full Avira scan in safe mode

    *i am more concerned about my external hard drive it has everything on it*

    can someone help me please.
     
    Last edited: Jan 21, 2009
  2. tdinc

    tdinc █▄█ ▀█▄ █ Political User

    Messages:
    3,507
    Location:
    Sterling Heights, MICHIGAN
    Re: please help me, i got trojens and maybe a virus

    First I would unplug that External HD

    second, if you can backup on a DVD, any personal files I would do that.

    now you can go about this at many angles. you can start by doing a quick sweep for the trojan.


    I follow this process by Mathew Rizos which works perfectly and will remove the Vundo/winfixer trojan

     
  3. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    Thread stuck, renamed.
     
  4. calcal

    calcal OSNN One Post Wonder

    Messages:
    6
    hello thank you for the response i will try it, but one question is it possible for me to have vundo or some other virus/Trojan on my external hard drive itself?

    and :p im new to the forum i don't really know how to rename the thread

    to back up my files is it okay to move to my computer then move the files to another hard drive or will that possibly spread the virus to another hard drive? also what if i plug my external into another computer will it infect that computer?

    :p im going to have to be very selective on what i back up, have 500+ gigs on external :p
     
  5. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    it is possible it got to your external drive.

    I renamed it so that its easier for people to find when searching google :)
     
  6. calcal

    calcal OSNN One Post Wonder

    Messages:
    6
    okay, thank you... im really afraid of my external :p

    also if i apply these steps provided by tdinc to my external hard drive will it clean it?
    because i've tried vundofix and i can't get it to scan my external hard drive
     
  7. calcal

    calcal OSNN One Post Wonder

    Messages:
    6
    thank you to you all i removed the vundo, and also i got rid of the error thing when i open my hard drive i used ComboFix its very good :D
     
  8. sonyvega

    sonyvega I'am weightless ;)

    Messages:
    1
    Location:
    Poland
    I found better solution. You have to click on "My Computer". Next click on "Explore". At this moment we have access to harddrive. Later click on "tools" and "Folders Options". Click on "view" and you have to fore tittle "hyde protect system pliks (recommended)" and you have to mark "show me hyde and protect pliks and folders". You have to confirm this changes. On harddrive you should find folder "recycled" and plik "autorun.inf". You must delete it. Later restart computer and that's it:) (I think you understand what I mean:p I don't speak very good English xP)
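
Added example, not part of any post in this thread: a small Python parser that reads an `autorun.inf` as text and lists which program the drive's double-click action would start, which is what produces an error naming `recycled\ntldr.com` when the drive is opened. The `SAMPLE` file contents are constructed for illustration, and the extension and folder lists are assumptions.

```python
import re

# [autorun] keys whose value is a command Explorer runs for the drive,
# file types that run directly, and hidden folders that hold no launchers.
EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
RUNNABLE = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")
HIDDEN_DIRS = ("recycled", "recycler", "$recycle.bin")

def parse_autorun(text):
    """Return {lowercased key: value} for the [autorun] section only."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_target(value):
    """Program part of a command line, honouring a leading double quote."""
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split(None, 1)[0] if value else ""

def findings(text):
    """List (key, target, reasons) for each entry that launches a program."""
    out = []
    for key, value in parse_autorun(text).items():
        if not EXEC_KEY.match(key):
            continue  # icon=, label= and similar keys do not run anything
        target = launch_target(value)
        parts = [p.lower() for p in re.split(r"[\\/]", target) if p]
        reasons = []
        if any(p in HIDDEN_DIRS for p in parts[:-1]):
            reasons.append("target inside a hidden system folder")
        if target.lower().endswith(RUNNABLE):
            reasons.append("directly runnable file type")
        out.append((key, target, reasons))
    return out

# Constructed sample, modelled on the thread's "recycled\ntldr.com" error.
SAMPLE = r"""[AutoRun]
open=RECYCLED\ntldr.com
shell\open\command=RECYCLED\ntldr.com
icon=folder.ico
"""
print(findings(SAMPLE))
```

Read the file from a machine where AutoRun is disabled, or by path from a command prompt, rather than by double-clicking the drive.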
     
  9. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    replace hyde with hide, pliks with files and you're golden :)
     
  10. greggustin

    greggustin OSNN Addict

    Messages:
    166
    for the first time ever
    I broke down and paid $ for an anti-virus program
    got the ONLY one that detected Vundu in its trial version
    (this was in early Jan)
    StopZilla
    got rid of all traces of vundu
    and btw - I got it merely by visiting a site
    I did NOT access any links or downloads
     
  11. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    stopzilla is 32bit only. Needs to be 64bit as well to be any good, there's no excuse these days not to be.
     
  12. tdinc

    tdinc █▄█ ▀█▄ █ Political User

    Messages:
    3,507
    Location:
    Sterling Heights, MICHIGAN
    stopzilla is garbage. plenty of freeware as mentioned above that does the job better.
     
  13. greggustin

    greggustin OSNN Addict

    Messages:
    166
    as I said - NONE of the other programs found VUNDU
    much less deleted it - this was a month ago - maybe others can now = and it is NOT garbage - it worked for me
    grisoft and avast and several others did not
    and yes - StopZilla has many bad reviews over the years
    but I risked my 30 day money back guarantee (from my credit card bank) and spent the money - which I normally use freeware - but not this time

    I am not pushing the program - just sharing what worked for me
     
  14. zuno

    zuno OSNN One Post Wonder

    Messages:
    1
  15. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    Stopzilla is still garbage. He is dead on. Uninstall, ask for refund.

    Safe mode, a pair of eyes, hijackthis, spybot and adaware are the only tools you need for any of the vundu variety (spoofing DLLs and sticking silly, obvious hooks into the system - usually via rundll32, LOL these writers are getting dumber by the second)

    If you still have it, please post hijackthis log and screens of full spybot (updated) and adaware from Windows Safe Mode.

    At one point last week I loaded a girlfriend's lappie in safe mode, took a look at the RUN key in registry, and set about renaming the DLLs listed in it. bye bye vundu. Stumbled across it whilst browsing tunes at a party last Sunday eve.

    The trick with this one - is you should go after it manually - no program stays current enough to track all the iterations of this trojan - it's every 13 year old's dream program - they piggyback it with whatever nefarious goals they have in their insignificant lives.
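
Added example, not part of any post in this thread: a Python helper that takes the text printed by `reg query` for a Run key and pulls out every DLL that is started through rundll32, giving the list of files to inspect by hand. The sample output, value names and DLL paths are constructed, and the parser assumes the name / type / data column layout that `reg query` prints.

```python
import re

# One value line of `reg query` output: name, type, data (tab or 4-space gaps).
VALUE_LINE = re.compile(
    r"^\s+(.+?)(?:\t| {4})(REG_(?:EXPAND_)?SZ)(?:\t| {4})(.*)$")
# [path\]rundll32[.exe], then "dll with spaces" or bare dll, then ,EntryPoint
RUNDLL = re.compile(
    r'^"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?:"([^"]+)"|([^,\s]+))\s*(?:,\s*(\S+))?', re.I)


def run_entries(reg_output):
    """Yield (value name, command line) for each string value in the output."""
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            yield m.group(1), m.group(3).strip()


def rundll_loads(reg_output):
    """Return [(value name, dll path, entry point)] for rundll32 launchers."""
    hits = []
    for name, command in run_entries(reg_output):
        m = RUNDLL.match(command)
        if m:
            hits.append((name, m.group(1) or m.group(2), m.group(3) or ""))
    return hits


# Constructed sample output; names and paths are placeholders.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    "C:\Program Files\Vendor\tray.exe" /min
    a1b2c3    REG_SZ    rundll32.exe "C:\WINDOWS\system32\example1.dll",a
    d4e5f6    REG_SZ    C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\Temp\example2.dll,DllMain
"""

for name, dll, entry in rundll_loads(SAMPLE):
    print(f"{name}: {dll} (entry point: {entry or 'none given'})")
```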
     
  16. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    nuke the pc :p
     
  17. Johnny

    Johnny .. Commodore .. Political User

    Messages:
    5,015
    Location:
    Happy Valley
    don't go to porn sites ...
     
  18. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    don't go to your porn sites ;) also it's not just porn sites you have to watch out for, any site can be hijacked and hosting drive-by downloads
     
  19. tdinc

    tdinc █▄█ ▀█▄ █ Political User

    Messages:
    3,507
    Location:
    Sterling Heights, MICHIGAN

    3D is right, that's why i stress to use Spywareblaster to block the drive-by rogue hosts and malware ActiveX
     
  20. Punkrulz

    Punkrulz Somewhat eXPerienced

    Messages:
    790
    Location:
    Woodbury, NJ
    Hey guys,

    I'm having a huge predicament here. Windows XP SP3. I know there is an instance of Vundo on this laptop that I'm using. I was able to successfully download SuperAntispyware (My initial go-to for removal of anything), however when it found 2 instances of Vundo, while it was scanning I would get a BSOD and it would say "Page_Fault_In_Nonpaged_Area".

    Whenever I attempted to download Vundofix, or even google Vundo, both IE and Firefox close themselves down. Same with searching for Malwarebytes, but I can search for anything that wouldn't be related to fixing it. This happens in both normal mode and safe mode. I don't see any out of the ordinary processes under safemode, which I'm sure is because it tied itself into a normal process.

    If I use a thumb drive to download the stuff from one computer and place it on the laptop, will Vundo infect my thumb drive?