BleepingComputer.com: How To Remove Winfixer / Virtumonde / Msevents / Trojan.vundo.b

<div align="center"><b>How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo.<br>Credits: Atribune for VundoFix</b></div><br><font color="#0000FF"><br>
<b> What this program does: </b> </font><br>
<br>The Vundo family of Trojans is one of the most common infections we find on user’s PC’s. The infection can cause popups which usually advertise rogue antispyware programs. Some common rogue antispyware programs that are advertised are WinFixer, SysProtect and winantispyware for example. Users are normally targeted by false positives, and warning of infection – an example of this could be popups alerting users they are infected with a blackworm virus. The most common method of infection is through outdated versions of the Sun Java platform; older versions are being exploited so it is important to firstly make sure that your Java software is fully up to date. Thankfully, the infection is relatively easy to remove, and a specialised tool has been created to remove the vundo trojan from infected computers. The following guide will explain how to use the tool, and hopefully rid your system of this malware.<br><br>
<b><font color="#0000FF">Tools needed for this fix</font></b><font color="#0000FF">:
</font>
<ul><li><a href="http://www.atribune.org/ccount/click.php?id=4" target="_blank"><b>Vundo Fix</b></a></li><li><a href="http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe" target="_blank"><b>VirtumundoBegone</b></a> (if VundoFix does not work)</li></ul>
<br />
<b>Note</b>: This infection is normally detectable by users receiving popups when
they use the internet. Your antivirus program might also notify you via an alert
that you have a Vundo Trojan on your computer. If you happen to have Hijackthis
installed on your computer, you will be able to verify whether you have the Vundo
infection, as there will be a matching O2, and O20 entry, with the same randomly
named .dll file. In older infections the O2 entry normally contained the word
"MSEvents". Please note you normally do not need Hijackthis installed to remove
this infection, and the above details may only make sense to experts in this field,
so don't panic.<br>
<br>
<b><font color="#0000FF">Symptons from a Hijackthis log</font></b><font color="#0000FF">:</font><br>
<br>
Below is an example of a Vundo infection, though there are many different filenames.<br>
<br>
<b>O2 - BHO: (no name) - {EFCB1D95-FFF6-47BB-B6C9-61A523F04322} - C:\WINDOWS\system32\vturr.dll<br>
O20 - Winlogon Notify: vturr - C:\WINDOWS\system32\vturr.dll</b><br>
<br>
<b><font color="#0000FF">Revision History:</font></b> <br>
<em>01/09/07 - Updated guide to reflect updates to the tools.</em><br>
<br>
<hr>
<br /><br />
<b><font color="#0000FF">Removal Steps:</font></b>
<ol>
<li> Please print these instructions as they will be needed later when Internet
access is not available.<br>
<br>
</li>
<li> Save these instructions in word or notepad to the desktop where they can
be easily found.<br>
<br>
</li>
<li>Download <a href="http://www.atribune.org/ccount/click.php?id=4" target="_blank"><b>Vundo
Fix</b></a> and save it to your desktop.<br>
<br>
</li>
<li>When it has completed downloading, double-click<i> </i><strong>VundoFix.exe</strong><i>
</i> to run it.<br>
<br>
</li>
<li> Click the<strong> Scan for Vundo</strong> button.<br>
<br>
</li>
<li> Once it's done scanning, click the <b>Remove Vundo </b> button.<br>
<br>
</li>
<li>You will now receive a prompt asking if you want to remove the files, click
the <b>YES</b> button. Once you click yes, your desktop will go blank as it
starts removing Vundo.<br>
<br>
</li>
<li>When completed, it will prompt that it will shutdown your computer, click
the <b>OK</b> button.<br>
<br>
</li>
<li> When the computer has shutdown, turn your computer back on.</li>
</ol>
The WinFixer and Vundo infection should now be removed from your computer. <br />
<br /><strong>If you are still having a problem then please perform the following
steps.<br>
</strong><br>
<i>This step should only be used if the instructions in the previous steps did
not remove the infection</i>:
<ol>
<li> Download <a href="http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe" target="_blank"><b>VirtumundoBegone</b></a>
and save it to your desktop. <br>
<br>
</li>
<li>Now reboot into <a href="http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/" target="_blank">Safe
Mode</a>. <br>
<br>
<ol>
<li>This can be done tapping the F8 key as soon as you start your computer
<br>
<br>
</li>
<li>You will be brought to a menu where you can choose to boot into safe
mode. <br>
<br>
</li>
<li>Select safe mode with networking using your arrow keys on the keyboard
and then press enter.<br>
<br>
</li>
<li>When you computer reaches the desktop make sure you log in as the same
user which you had performed the previous steps,<br>
<br>
</li>
</ol>
</li>
<li>Once you are logged into safe mode, double-click <strong>VirtumundoBeGone.exe</strong>
file you just downloaded and follow the instructions.<br>
<br>
</li>
<li>Exit when it has finished, and reboot back to normal mode.</li>
</ol>
The WinFixer and Vundo infection should now be removed from your computer. <b><font color="#FFFFFF">Conclusion
</font></b><br>
<br>
If after attempting the instructions in this guide the infection is still present,
then it is advised that you post your HijackThis log so one of our experts can
help you remove the infection. It may be that you have a new variant that the
tools cannot yet remove, or you have a stubborn infection. Instructions on how
to post a HijackThis log can be found here:
<br /><br /><a href="http://www.bleepingcomputer.com/forums/topic34773.html"><font color="#0000FF"><strong>Preparation
Guide For Use Before Posting A Hijackthis Log</strong></font></a>

<br />
<br />
<hr />
<div align="center"><br>
<font color="#0000FF"><strong>This is a self-help guide. Use at your own risk.</strong></font><br />
<font color="#0000FF"><strong><br>
BleepingComputer.com can not be held responsible for problems that may occur
by using this information. If you would like help with any of these fixes, you
can post a HijackThis log in our <a href="http://www.bleepingcomputer.com/forums/forum22.html" target="_new"><font color="#FF0000">HijackThis
Logs and Analysis forum</font></a>.<br>
<br>
If you have any questions about this self-help guide then please post those
questions in our <a href="http://www.bleepingcomputer.com/forums/forum25.html" target="_new"><font color="red">AntiVirus,
Firewall and Privacy Products and Protection Methods forum</font></a> and someone
will help you. </strong></font><strong> </strong></div>

This guide has been updated to reflect the new version of VundoFix.

It has been reported that Vundo is now using a Root Kit to hide itself. If after running VundoFix you are still infected, please post a HijackThis log in the HijackThis Logs and Analysis forum. When posting the log make sure you include in the title Winfixer/Vundo using Rootkit

VundoFix can now remove the Rootkit that was previously hiding it. I have updated the instructions for this new version.