As the title suggests, I need some help with the removal of some malware that I think is Vundo.
I'm using Avast Home AV, which catches random .DLLs that it calls Vundo@dll; sadly Avast can't get to the source.
I've tried Spybot, Ad-Aware, ComboFix and a few others that I forget, and even used HijackThis, but to no avail.
Please find the HJT log below.
Any advice would be gratefully received.
Scan saved at 10:53:46 PM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
1. Double-click VundoFix.exe to run it.
2. When VundoFix re-opens, click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES.
* Once you click Yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
A log will be produced which you can post in your next response.
4. If VundoFix responds with a "No infected files were found" message, right-click the list box (white box) in the main VundoFix window.
* Select Add More Files? from the menu that comes up. This will open a new VundoFix window.
* You must examine your HJT log and copy and paste the complete file path present in your O2 BHO and O20 Winlogon Notify entries into the first field of the list box.
Using our first HJT example above, this would be: C:\WINDOWS\system32\mljjj.dll
* In the second field, copy and paste the same path but the filename should be spelled in reverse and an asterisk (wildcard symbol) should replace the file extension:
Using our first HJT example, this would be: C:\WINDOWS\system32\jjjlm.*
Note: You must substitute the filename found in your own HJT log for the filename used in the example
* Click the Add Files button.
* Click the Close Window button.
* Click the Remove Vundo button.
5. You will receive a prompt asking if you want to remove the files, click Yes
6. Once you click Yes, your desktop will go blank as it starts removing Vundo.
7. When completed, it will prompt that it will shutdown your computer, click OK.
8. Restart your computer
9. A log called vundofix.txt will be created in your C:\ directory
10. Inspect C:\vundofix.txt with Notepad to be sure the fix completed properly
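As an added example (not part of Freewhlin's post and not code from the VundoFix tool), the script below does the path work in step 4 for you: it pulls the file paths out of the O2 BHO and O20 Winlogon Notify lines of a HijackThis log, builds the reversed-filename wildcard for the second VundoFix field, and flags the classic Vundo pairing, a nameless BHO whose DLL also shows up as a Winlogon Notify entry. The log lines inside it are constructed to mirror the mljjj.dll example above, not copied from the logs posted in this thread; the GUIDs are placeholders.

```python
import ntpath  # handles Windows paths correctly even when run on Linux

# Constructed HijackThis-style lines mirroring the thread's mljjj.dll example.
# Not copied from the logs in this thread; the GUIDs are placeholders.
SAMPLE_HJT_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\\WINDOWS\\system32\\mljjj.dll
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000002} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O20 - Winlogon Notify: mljjj - C:\\WINDOWS\\system32\\mljjj.dll
"""


def extract_entries(log_text):
    """Map each DLL path found in O2 BHO / O20 Winlogon Notify lines to the entry kinds that referenced it."""
    entries = {}
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("O2 - BHO:"):
            kind = "BHO (no name)" if "(no name)" in line else "BHO"
        elif line.startswith("O20 - Winlogon Notify:"):
            kind = "Winlogon Notify"
        else:
            continue  # O4 Run entries and the rest are not what step 4 asks for
        # HJT separates fields with " - "; the file path is always the last field.
        path = line.rsplit(" - ", 1)[-1].strip()
        if not path or path == "(no file)":
            continue  # HJT prints "(no file)" when the registered DLL is already gone
        entries.setdefault(path, []).append(kind)
    return entries


def reversed_pattern(path):
    """Second VundoFix field: same folder, filename spelled backwards, extension replaced by '*'."""
    folder, name = ntpath.split(path)
    stem, _ext = ntpath.splitext(name)
    return ntpath.join(folder, stem[::-1] + ".*")


def vundofix_entries(log_text):
    """Pair every candidate path with its wildcard and mark the ones that look like the Vundo pairing."""
    results = []
    for path, kinds in extract_entries(log_text).items():
        suspect = "BHO (no name)" in kinds or (
            "Winlogon Notify" in kinds and any(k.startswith("BHO") for k in kinds)
        )
        results.append({
            "path": path,
            "pattern": reversed_pattern(path),
            "kinds": kinds,
            "suspect": suspect,
        })
    return results


if __name__ == "__main__":
    for entry in vundofix_entries(SAMPLE_HJT_LOG):
        flag = "SUSPECT" if entry["suspect"] else "named/legit-looking"
        print(f"{flag}: {entry['path']}  ({', '.join(entry['kinds'])})")
        print(f"    field 2 -> {entry['pattern']}")
```

Only the flagged entry is what you paste into the two VundoFix fields; a named BHO from a known product (the Adobe helper in the sample) or a Winlogon Notify entry that belongs to a driver is not something you want VundoFix to delete, so still eyeball the list against your own log before clicking Remove Vundo.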
Sorry Freewhlin, I skipped your advice and went straight to the wiki page and used VirtumundoBeGone.
It got rid of the BHO and .DLL; all appears normal.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:11 AM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
I believe I safely got rid of Vundo using Virtumundo, but I still have some infected files in my chest. Is it OK to delete them? There are 8 infected files.
There is no rush to delete anything from the chest, which is a protected area where they can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and, if they are still detected as viruses, delete them.