Thursday, January 26, 2006

How To Remove Winfixer

How To Remove Winfixer / Virtumonde / Msevents / Trojan.vundo.
Credits: Attribune for VundoFix

What this program does:

Trojan.Vundo is a component of an adware program that downloads and displays pop-up advertisements. It is known to be installed by visiting a Web site link contained in a spammed email.

Tools needed for this fix:

Note: The entries shown below may have different file names on your machine. You will, though, have an O2 entry that may contain the word "MSEvents" and an O20 entry with the same file name as the O2 entry. For example, each of the following two sets has an O2 and an O20 entry with the same file name.

O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\System32\ddaya.dll
O20 - Winlogon Notify: ddaya - C:\WINDOWS\System32\ddaya.dll

O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\mljjk.dll
O20 - Winlogon Notify: mljjk - C:\WINDOWS\system32\mljjk.dll
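To automate the matching described in the note above, here is an added example (not part of the original guide and not VundoFix code) that parses HijackThis-style log lines and reports every O2 BHO whose DLL file name also appears in an O20 Winlogon Notify entry. The log lines are constructed for the example, modelled on the two pairs shown.

```python
import re

# Constructed sample HijackThis lines (not a real log): two Vundo-style
# O2/O20 pairs mixed in with ordinary entries that should not be flagged.
SAMPLE_LOG = """\
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\\WINDOWS\\System32\\ddaya.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: ddaya - C:\\WINDOWS\\System32\\ddaya.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\\WINDOWS\\system32\\mljjk.dll
O20 - Winlogon Notify: mljjk - C:\\WINDOWS\\system32\\mljjk.dll
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# O20 lines: "O20 - Winlogon Notify: <registry key name> - <path or bare dll>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def _basename(path):
    """Lower-cased file name, whether the entry gives a full path or a bare DLL."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_vundo_pairs(log_text):
    """Return (filename, o2_line, o20_line) for every DLL that is registered
    both as a BHO (O2) and as a Winlogon Notify handler (O20)."""
    bho, notify = {}, {}
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            bho.setdefault(_basename(m.group("path")), line)
            continue
        m = O20_RE.match(line)
        if m:
            notify.setdefault(_basename(m.group("path")), line)
    return [(fn, bho[fn], notify[fn]) for fn in sorted(bho) if fn in notify]


if __name__ == "__main__":
    for fn, o2, o20 in find_vundo_pairs(SAMPLE_LOG):
        print(f"Suspect O2/O20 pair for {fn}:\n  {o2}\n  {o20}")
```

Run it against a saved HijackThis log by replacing SAMPLE_LOG with the file's contents; a reported pair is the pattern the note describes, not proof by itself, so confirm the file before removing anything.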

Preparation Steps:

Please do both of the following before we start:

1. Please print these instructions as they will be needed later when Internet access is not available.

2. Save these instructions in word or notepad to the desktop where they can be easily found.

At the moment you may feel like you are battling with your computer to keep it running smoothly, but doing the following things will help to get it back to how it was more quickly.

Removal Steps:

Step 1: Download VundoFix.exe and save it to your desktop.
  • Double-click VundoFix.exe to run it.

  • Click the Scan for Vundo button.

  • Once it's done scanning, click the Remove Vundo button.

  • You will receive a prompt asking if you want to remove the files, click the YES button.

  • Once you click yes, your desktop will go blank as it starts removing Vundo.

  • When completed, it will prompt that it will shut down your computer, click the OK button.

  • When the computer has shut down, turn your computer back on.

  • The Winfixer/Vundo infection should now be cleaned from your computer. If you are still having a problem then please proceed to Step 2.
Step 2: This step should only be used if the instructions in Step 1 did not remove the infection.

Download VirtumundoBegone and save it to your desktop.


Reboot your computer into Safe Mode

Then double click VirtumundoBeGone.exe you just downloaded and follow the instructions.

Exit when it has finished

If after attempting the instructions in this guide the infection is still present, then it is advised that you post your HijackThis log so one of the experts can help you remove the infection. You can post your HijackThis log at this forum:

HijackThis Analysis and Spyware Removal


Anonymous said...

I needed to get a real vundo infection for testing purposes. It took me less than fifteen minutes of googling, downloading and installing a piece of software that contained embedded code of Trojan Vundo. It's no surprise McAfee VirusScan showed no signs of infection - yet errors started popping up, one of them being a software.php file which Windows was unable to open (that's natural - I don't have a Win32 PHP parser installed). Just curious what Vundo can do if it executes PHP code? Also, the parasite quickly created a folder in Program Files, settled in a restore point, placed autorun entries in the registry, etc. No wonder this is a hard-to-remove trojan.

Johnny Kessel said...

Hey Vundo

I believe that PHP file is used to pitch the install because the initial Vundo infection usually is a drive-by from a jacked video codec, and then it proceeds to beat the user to death with popups insisting he/she downloads the actual WinAntivirus 200X or 200X WinAntispyware software for $50 to "clean their system". Crazy stuff, but last year these guys supposedly grossed $800M doing this crap.