
Thread: Winfixer|Virtumonde|Msevents|Trojan.vundo

  1. #1
    Supermod (retired) Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.042

    Winfixer|Virtumonde|Msevents|Trojan.vundo

    How to remove the Trojan.Vundo.B
    Credits: Attribune for developing the canned fix

    What this program does:
    This program will produce popups and redirect web traffic to Search42.com.

    Tools Needed for this fix:

    * HijackThis
    * Killbox
    * Process Explorer
    * FixVundo.reg

    Related Tutorials:

    * How to use HijackThis to remove Browser Hijackers & Spyware

    Symptoms in a HijackThis Log will look like the below lines:

    This infection will always have at least one DLL that is called an MSEvents Object as shown below. This same DLL will also appear as a O20 Winlogon Notify entry as shown below. These DLLs will have random names but you can spot them based on the information just given.

    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\sstqq.dll
    O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll
    Removal Instructions:

    1. Remember that HijackThis must be run in its own folder.
       C:\Program Files\HJT\HijackThis.exe or C:\HJT\HijackThis.exe
       Only if HijackThis runs in its own folder will it create backups!
       Please change this: C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    2. Please download Process Explorer by Sysinternals and extract it to your desktop. Do not run this now as we will use it later.

    3. Download KillBox and extract it to your desktop. Do not run this now as we will use it later.

    4. Download FixVundo.reg and save it to your desktop. Do not run this now as we will use it later.

    5. Reboot your computer into Safe Mode.

    6. Double-click on procexp.exe, which is the Process Explorer that we downloaded earlier.

    7. In the top section of the Process Explorer screen double-click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    8. Once you see this screen, click on each instance of the sstqq.dll found when analyzing the log and click on the Kill button. If you see any files listed that have the same name but end with .bak or .ini, or are the name in reverse, you can kill those as well.

    9. After you have killed all of the instances of the DLL under winlogon, click on the OK button.

    10. Now double-click on explorer.exe, select the Threads tab, and again click once on each instance of the DLL you determined to be part of the infection. Once they are highlighted, click on the Kill button like you did in step 7. If you have disabled the BHO (O2) in some manner, you will not find this DLL listed in this step and can move on.

    11. When this is done, click on the OK button again.

    12. Now run HijackThis again, close all windows, and press the Scan button.

    13. Place a check next to each of the entries that you determined were bad from the log that you printed earlier.

        O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\sstqq.dll
        O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll

    14. Once all the entries are checked, press the Fix button and then exit HijackThis.

    15. Now double-click on the FixVundo.reg file that you downloaded earlier and allow it to merge the information.

    16. Double-click on Killbox.exe that you downloaded and extracted earlier. Select the "delete on reboot" option. Then enter the full path to the DLL that is part of this infection into the "Full path of file to delete" field.

        C:\WINDOWS\system32\sstqq.dll

    17. Click the red circle with the white X, select Yes to the delete prompt, and then Yes to reboot now.

    18. Your computer should now be free of the Trojan.Vundo.B.
        It is likely, though, that this infection was installed with other malware.

    19. Run HijackThis once more.
        Have it save a new logfile.
        -> Please post the new HJT logfile.

    With Many Thanks to Bleepingcomputer for this great help.
    For more information have a look -> here and -> here
    Last edited by Ruby (12.12.2005 at 03:02)
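As an added illustration (not part of Ruby's post and not HijackThis code), the script below applies the spotting rule from the post to HijackThis log lines: it flags an O2 BHO named "MSEvents Object" and any DLL that appears both as an O2 BHO and as an O20 Winlogon Notify entry, and lists the companion files step 8 says to look for (.bak, .ini, reversed name). The sample log is constructed; apart from the two sstqq.dll lines quoted in the post, the "Example" entries and the all-zero CLSID are placeholders.

```python
import os
import re
from collections import defaultdict

# Constructed sample log: the two sstqq.dll lines are quoted in the post; the
# "Example" entries and the all-zero CLSID are placeholders standing in for benign entries.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll",
    r"O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\sstqq.dll",
    r"O20 - Winlogon Notify: ExampleNotify - C:\WINDOWS\system32\examplenotify.dll",
    r"O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll",
])

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

def _basename(path):
    # Log lines carry Windows paths; normalise the separator so this runs on any OS.
    return path.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()

def find_vundo_indicators(log_text):
    """Map each suspicious DLL basename to the reasons it matches the post's pattern."""
    bho = defaultdict(list)   # basename -> [(name, clsid, path)]
    notify = {}               # basename -> (notify key, path)
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            bho[_basename(m["path"])].append((m["name"], m["clsid"], m["path"]))
        elif m := O20_RE.match(line):
            notify[_basename(m["path"])] = (m["key"], m["path"])
    findings = defaultdict(list)
    for base, entries in bho.items():
        for name, clsid, _path in entries:
            if name.strip().lower() == "msevents object":
                findings[base].append(f"O2 BHO is named 'MSEvents Object' ({clsid})")
        if base in notify:
            findings[base].append(f"same DLL is also an O20 Winlogon Notify entry '{notify[base][0]}'")
    return dict(findings)

def companion_names(dll_basename):
    """Sibling files step 8 says to check for: same stem with .bak, .ini, and the reversed name."""
    stem, ext = os.path.splitext(dll_basename)
    return [stem + ".bak", stem + ".ini", stem[::-1] + ext]

if __name__ == "__main__":
    for dll, reasons in find_vundo_indicators(SAMPLE_LOG).items():
        print(f"{dll}: " + "; ".join(reasons))
        print("  also look for:", ", ".join(companion_names(dll)))
```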

  2. #2
    Supermod (retired) Ruby

    Re: Winfixer|Virtumonde|Msevents|Trojan.vundo

    Atribune's Updated Instructions for the VundoFix:

    VundoFix.exe is a removal tool developed to remove Virtumonde infections.
    To use the tool follow the instructions below.


    Please download the VundoFix.exe to your desktop.


    • Double-click the VundoFix.exe to run it.
    • When VundoFix re-opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
