Virtumonde/Vundo Removal Instructions
Trojan Vundo is a component of an adware program (such as Winfixer) that downloads and displays pop-up advertisements.
Entries to look for in the HJT log that will identify the infection:
O2 - BHO: MSEvents Object - {39D2FC9B-041C-470E-AE72-F8C001247626} - C:\WINDOWS\REGIST~1\pcdb.dll
O20 - Winlogon Notify: pcdb - C:\WINDOWS\REGIST~1\pcdb.dll
O2 - BHO: MSEvents Object - {AF7FCAFB-9FDB-4F5E-BAC6-68BDEE61D6C6} - C:\WINNT\addins\asip.dll
O20 - Winlogon Notify: asip - C:\WINNT\addins\asip.dll
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\med.dll
O20 - Winlogon Notify: med - C:\WINDOWS\SYSTEM32\med.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\******.dll
O2 - BHO: ATLDistrib Object - {659E147E-BD03-4605-988C-AA6D7EA497CA} - C:\WINDOWS\system32\****.dll
O20 - Winlogon Notify: **** - C:\WINDOWS\SYSTEM32\****.dll
O2 - BHO: MFCOptimizeClass Object - {A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9} - C:\WINDOWS\System32\ssqrs.dll
O2 - BHO: WTLHelper Object - {75DC57F8-D831-4AB8-86B7-4F826F4A0873} - C:\WINDOWS\system32\jkkjk.dll
O2 - BHO: ADOUsefulNet Object - {EFF1B7BE-A875-450E-AD69-E93457DCEE6A} - C:\WINDOWS\System32\opnop.dll
O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINDOWS\system32\vtstq.dll
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\fccdd.dll
With each O2 entry, there will be a corresponding O20 entry in the Winlogon Notify section. The file in the C:\WINDOWS\system32 folder will be a randomly named .dll file.
The Fix
+++++++++++++++++++++++++++++++++++++++++
Please download VundoFix.exe to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
- Please post the contents of C:\vundofix.txt and a set of logs from Deckard's System Scanner in a new thread in the HijackThis Log Help Forum if you need further assistance.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
You should now be free of Virtumonde/Vundo and the popups it was generating. If you require help with the removal of Virtumonde/Vundo or to check your HJT log, then please start your own thread in the HijackThis Log Help Forum and a trained Analyst will review your log.
WARNING:
Use of the information in this fix is at YOUR own risk. If you are unsure about a step or the use of a tool, then post your log in the HijackThis section and an Analyst will assist you.