Trojan.vundo (out of date)

[Ruby]

How to remove the Trojan.Vundo.B
Credits: Attribune for developing the canned fix

What this program does:
This program will produce popups and redirect web traffic to Search42.com.

Tools Needed for this fix:

* HijackThis
* Killbox
* Process Explorer
* FixVundo.reg

Related Tutorials:

* How to use HijackThis to remove Browser Hijackers & Spyware

Symptoms in a HijackThis Log will look like the below lines:

This infection will always have at least one DLL that is called an MSEvents Object as shown below. This same DLL will also appear as a O20 Winlogon Notify entry as shown below. These DLLs will have random names but you can spot them based on the information just given.

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\sstqq.dll
O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll

Code:

Removal Instructions:

1
Remember that Hijackthis must be run in an own folder.
C:\Program Files\HJT\HijackThis.exe of C:\HJT\HijackThis.exe
Only if Hijackthis runs in an own folder it will create backups!

Please change this: C:\Documents and Settings\Owner\Desktop\HijackThis.exe

2
Please download Process Explorer by Systernals and extract it to your desktop. Do not run this now as we will use it later.

3
Download KillBox and extract it to your desktop. Do not run this now as we will use it later.

4
Download FixVundo.reg and save it to your desktop. Do not run this now as we will use it later.

5
Reboot your computer into   Safe Mode.

6
Double-click on procexp.exe which is the Process Explorer that we downloaded earlier.

7
In the top section of the Process Explorer screen double-click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

8
Once you see this screen click on each instance of the sstqq.dll found when analyzing the log and click on the kill button. If you see any files listed that are the same name but end with .bak or .ini or are the name in reverse, you can kill those as well.

9
After you have killed all of the instances of the DLL under winlogon click on the OK button.

10
Now double-click on explorer.exe, select the Threads tab, and again click once on each instance of the DLL you determined to be part of the infection. Once they are highlighted click on the Kill button like you did in step 7. If you have disabled the BHO (O2) in some manner, you will not find this dll listed in this step and can move on.

11
When this is done, click on the OK button again.

12
Now run HijackThis again, close all windows, and press the Scan button.

13
Place a check next to each of the entries that you determined were bad from the log that you printed earlier. 

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\sstqq.dll
O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll

14
Once all the entries are checked, press the Fix button and then exit HijackThis.

15
Now double-click on the FixVundo.reg file that you downloaded earlier and allow it to merge the information.

16
Double-click on Killbox.exe that you downloaded and extracted earlier. Select the delete on reboot option. Then enter the full path to the DLL that is part of this infection into the Full path of file to delete field. 

      C:\WINDOWS\system32\sstqq.dll

17
Click the red circle with the white X and select Yes to the delete prompt and then Yes to reboot now.

18
Your computer should now be free of the Trojan.Vundo.B 
It is likely, though, that this infection was installed with other malware. 

19
Run HijackThis once more.
Have it save a new Logfile.
.

-> Please post the new HJT-Logfile.

With Many Thanks to Bleepingcomputer for this great help.

For more information have a look -> here and -> here

[BipBip]

For vundo infection:

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\vundo.dll
O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\vundo.dll

Please download VundoFix.exe ( http://www.atribune.org/downloads/VundoFix.exe ) to your desktop.
Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.
After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
You will first be presented with a warning.
It should look like this

VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....

At this point press enter one time.

Next you will see:

Please Type in the filepath as instructed by the forum staff
and then press enter:

At this point please type the following file path (make sure to enter it exactly as below!):
C:\Filepath\file.dll
(ex:C:\WINDOWS\system32\vundo.dll)
Press Enter to continue with the fix.

Next you will see:

[QUOTE]
Please type in the second filepath as instructed by the forum
staff then press enter:
At this point please type the following file path (make sure to enter it exactly as below!):
C:\Filepath\file.* (file dll invers, without extention)
(ex:C:\WINDOWS\system32\odnuv.*)

Press Enter to continue with the fix.
The fix will run then HijackThis will open, if it does not open automatically please open it manually.
In HiJackThis, please place a check next to the following items and click FIX CHECKED:
enter hjt items here
After you have fixed these items, close Hijackthis.
Press enter to exit the program then manually reboot your computer.
Once your machine reboots please continue with the instructions below.

Download and install CleanUp! ( http://www.stevengould.org/downloads.../CleanUp40.exe )

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Paste a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

[Ruby]

Hi BipBip

is that good too: How to remove the Trojan.Vundo.B ? Thank you so much for your help

[BipBip]

Hi,
Sorry but my English is always bad
Yes your cleaning seems to be good too but vundofix clean the registry and stop some other process used by vundo.dll (winlogon, explorer and smss) and vundo protect himself by creating invers files which are not .dll ( .ini , .bak , .bak1,..) that vundofix kill. It's why it's so difficult to kill vundo only with Hijackthis.
Hoping that you understand my explanations in this bad English.

Have nice day.

[Ruby]

Download the VundoFix.exe (from Atribune) and save it to your desktop.

• Double-click VundoFix.exe to run it.
• Click the Button Scan for Vundo.
• Once it's done scanning, click the Button Remove Vundo.
• You will receive a prompt asking if you want to remove the files, click the YES Button.
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will shutdown your computer, click the OK button.
• When the computer has shutdown, turn your computer back on.
• Copy the content of C:\vundofix.txt in this Thread. Run HijackThis once more, have it save a new Logfile.
• Please include both logfiles into your following answer.

Thanks to Zebulon for the good news ;-).

[Ruby]

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to run it.
• Put a check next to Run VundoFix as a task.
• You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
• When VundoFix re-opens, click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will shutdown your computer, click OK.
• Turn your computer back on.
• Please post the contents of C:\vundofix.txt and a new HiJackThis log.

With Many Thanks to Atribune and Q001

[Ruby]

Please download VundoFix.exe to your desktop.

* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens,Click Scan for Vundo button.
* Once the scan is complete, Right Click inside the listbox (white box) and click add more files
* Copy&Paste the 4 entries below into the top 2 boxes

C:\WINDOWS\system32\abcde.dll
C:\WINDOWS\system32\edcba.*
(abcde is the random part.)

* Click Add Files and Click Close Window
* Click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.[/list]



(Instructions of Atribune and Many Thanks to Derek)

[Ruby]

The latest news about Atribune's VundoFix:

More new Vundo!
Written by Administrator (Atribune)
Wednesday, 16 August 2006

So here I was testing some dll's and changes I made to Vundofix.exe and out of nowhere appear these exe's with names that are 8 characters long and random. After doing some analysis I found that it was adding the Winanti and Sysprotect sites as well as others to the Internet Explorer trusted zone.

Vundofix 6 has been updated and uploaded to remove these exe's as well as the entries in the trusted zone of Internet Explorer.

The updated instructions for the VundoFix:

VundoFix.exe is a removal tool developed to remove Virtumonde infections. To use the tool follow the instrctions below.

Please download VundoFix.exe to your desktop.

* Double-click VundoFix.exe to run it.
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
Scan for Vundo button." when VundoFix appears at reboot.