• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

[HOWTO] Remove Vundo from your PC

calcal

OSNN One Post Wonder
#1
hello please help me, i ran a avira scan last night and i got two detections,

1. tr\vundo.gen it is located in C:\documents and settings\owner\temp\tmpbc.tmp
2. tr\patched.cl also in the same directory.
3. when i try to open my external hardrive it gives me the error code "C:\recycled\ntldr.com is not valid win32 application" which is a result of the vundo i believe.
*but i can open it when i right click - explore*

after the Trojan was triggered avira caught it and warned me i had the vundo trojen, i clicked delete on the pop up, i tried to go into my c drive to see if i could get it but when i clicked on it nothing happened and same with my external, after i realized my hard drives where locked i panicked and promptly wiped out my hard drive. which might have not been the best thing to do.

i had tried vundofix twice and both times did not get any detections, but when ever i run and avira scan it detects it and i select "delete" on the pop up. i have un-plugged my computer form the internet whether that helps or not and am currently running a full in-depth scan with nod32 on all my drives including my external hard drive, with no threats detected yet. the scan finished it scanned 367,938 files and 0 infected files and it is still giveing me the error code when i try to open my external hardrive.

i am currently doing a full Avira scan in safe mode

*i am more concerned about my external hard drive it has everything on it*

can someone help me please.
 
Last edited:

tdinc

█▄█ ▀█▄ █
Political User
#2
Re: please help me, i got trojens and maybe a virus

First I would unplug that External HD

second, if you can backup on a DVD, any personal files I would do that.

now you can go about this at many angles. you can start by doing a quick sweep for the trojan.


I follow this process by Mathew Rizos which works perfectly and will remove the Vundo/winfixer trojan

How to remove Vundo using free software - My Vundo Removal Kit.
Removing Vundo for free can be a little tough since there are so many Vundo variants and every free program has a different detection database and heuretics algorithm.

When I encounter Vundo and a client does not want to pay for any software I "break out" my free Vundo removal kit. This kit is currently comprised of:

-MalwareBytes AntiMalware (malwarebytes.org)
-SuperAntiSpware (superantispyware.com)
-VundoFix (from atribune.org)
-UnDLL (from eset.com)

To start the Vundo removal process:
1. Backup any personal data to CD, DVD or flash drive.
2. Download and install MalwareBytes Anti-Malware.
3. Load MalwareBytes Anti-Malware and click the update tab and then click update to receive the latest updates.
4. Download and install SuperAntiSpyware.
5. Load SuperAntiSpyware. SuperAntiSpyware will ask you if you want to check for new rules and definitions. Choose yes.
6. Close SuperAntiSpyware.
7. Download VundoFix.
8. Download UnDLL.
9. Reboot your PC in Safe Mode.
10. While in safe mode load MalwareBytes Anti-Malware and perform a full scan.
11. When the scan is complete click show results.
12. Remove any checked items.
13. Reboot if MalwareBytes asks you to.
14. Enter Safemode again.
15. Load SuperAntiSpyware.
16. Click Preferences and click the scanning control tab.
17. Check on "Terminate memory threats before quarantining".
18. Close preferences and click the "Scan your computer " button.
19. Select "Perform Complete scan" and click next
20. Let the scan complete and remove anything it finds.
21. Next, we'll finish up the Vundo detection and removal process by using VundoFix
22. Open VundoFix and click the "Scan for Vundo" button.
23. If any Vundo infections still remain click the "Fix Vundo" button.
24. At this point Vundo has most likely been neutralized.
25. Reboot your pc.
26. You should be Vundo Free now.
27. Download and install the latest copy of the Java Runtime Environment and keep it updated. (Remove all the other Runtime builds)


If you think any Vundo Trojans have been missed in c:windows or c:windowssystem32 then you scan submit those files to virustotal.com for analysis. If the file you submit comes back as a possible infection then you may forcibly remove it using UnDLL. If you're still getting popup ads then you may want to run a HiJackThis log
 

calcal

OSNN One Post Wonder
#4
hello thank you for the response i will try it, but one question is it possible for me to have vundo or some other virus/Trojan on my external hard drive itself?

and :p im new to the forum i don't really know how to rename the thread

to back up my files is it okay to move to my computer then more the files the another hard drive or will that possibly spread the virus to another hard drive? also what if i plug my external into another computer will it infect that computer?

:p im going to have to be very selective on what i back up, have 500+ gigs on external :p
 

calcal

OSNN One Post Wonder
#6
okay, thank you... im really afraid of my external :p

also if i apply these steps provided by tdinc to my external hard drive will it clean it?
because iv tried vundofix and i cant get it to scan my external hard drive
 

calcal

OSNN One Post Wonder
#7
than you to you all i removed the vundo, and also i got rid of the error thing when i open my hard rive i used ComboFix its very good :D
 

sonyvega

I'am weightless ;)
#8
I found better solution. You have to click on "My Computer". Next click on "Explore". At this moment we have access to harddrive. Later click on "tools" and "Folders Options". Click on "view" and you have to fore tittle "hyde protect system pliks (recommended)" and you have to mark "show me hyde and protect pliks and folders". You have to confirm this changes. On harddrive you should find folder "recycled" and plik "autorun.inf". You must delete it. Later restart computer and thats it:) (I think you understand what I mean:p I dont speak vey good english xP)
 
#10
for the first time ever
I broke down and paid $ for an anti-virus program
got the ONLY one that detected Vundu in its trial version
(this was in early Jan)
StopZilla
got rid of all traces of vundu
and btw - I got it merely by visiting a site
I did NOT access any links or downloads
 
#13
stopzilla is garbage. plenty of freeware as mentioned above that does the job better.
as I said - NONE of the other programs found VUNDU
much less deleted it - this was a month ago - maybe others can now = and it is NOT garbage - it worked for me
grisoft and avast and several others did not
and yes - StopZilla has many bad reviews over the years
but I risked my 30 day money back guarantee (from my credit card bank) and spent the money - which I normally use freeware - but not this time

I am not pushing the program - just sharing what worked for me
 
#15
as I said - NONE of the other programs found VUNDU
much less deleted it - this was a month ago - maybe others can now = and it is NOT garbage - it worked for me
grisoft and avast and several others did not
and yes - StopZilla has many bad reviews over the years
but I risked my 30 day money back guarantee (from my credit card bank) and spent the money - which I normally use freeware - but not this time

I am not pushing the program - just sharing what worked for me
Stopzilla is still garbage. He is dead on. Uninstall, ask for refund.

Safe mode, a pair of eyes, hijackthis, spybot and adaware are the only tools you need for any of the vundu variety (spoofing DLLs and sticking silly, obvious hooks into the system - usually via rundll32, LOL these writers are getting dumber by the second)

If you still have it, please post hijackthis log and screens of full spybot (updated) and adaware from Windows Safe Mode.

At one point last week I loaded a girlfriend's lappie in safe mode, took a look at the RUN key in registry, and set about renaming the DLLs listed in it. bye bye vundu. Stumbled across it whilst browsing tunes at a party last Sunday eve.

The trick with this one - is you should go after it manually - no program stays current enough to track all the iterations of this trojan - it's every 13 year old's dream program - they piggyback it with whatever nefarious goals they have in their insignificant lives.
 

Dark Atheist

Moderator
Staff member
Political User
#18
dont go to your porn sites ;) also it not just porn sites you have to watch out for any site and be hijacked and hosting drive by downloads
 

tdinc

█▄█ ▀█▄ █
Political User
#19
dont go to your porn sites ;) also it not just porn sites you have to watch out for any site and be hijacked and hosting drive by downloads

3D is right, thats why i stress to use Spywareblaster to block the drive by rouge hosts and malware active x
 

Punkrulz

Somewhat eXPerienced
#20
Hey guys,

I'm having a huge predicament here. Windows XP SP3. I know there is an instance of Vundo on this laptop that I'm using. I was able to successfully able to download SuperAntispyware (My initial go-to for removal of anything), however when it found 2 instances of Vundo, while it was scanning I would get a BSOD and it would say "Page_Fault_In_Nonpaged_Area".

Whenever I attempted to download Vundofix, or even google Vundo, both IE and Firefox close themselves down. Same with searching for Malwarebytes, but I can search for anything that wouldn't be related to fixing it. This happens in both normal mode and safe mode. I don't see any out of the ordinary processes under safemode, which I'm sure is because it tied itself into a normal process.

If I use a thumb drive to download the stuff from one computer and place it on the laptop, will Vundo infect my thumb drive?
 

Members online

Latest posts

Latest profile posts

Hello, is there anybody in there? Just nod if you can hear me ...
Xie
What a long strange trip it's been. =)

Forum statistics

Threads
61,961
Messages
673,239
Members
89,013
Latest member
Pdawgintown