How To Remove Winfixer / Virtumonde / Msevents / Trojan.vundo.b

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > Spyware and Malware Removal Guides and Reading Room

How to use the self-help guides

This forum contains self-help guides on removing common malware and viruses. These guides can be advanced so please use them at your own risk.

If after following the self-help guide, or you can not find an appropriate guide, then you can receive step-by-step instructions directly from one of our experts by following the instructions in this topic: Preparation Guide For Use Before Posting A Hijackthis Log

How To Remove Winfixer / Virtumonde / Msevents / Trojan.vundo.b

Options

D-Trojanator View Member Profile	May 13 2005, 10:09 AM Post #1
Forum Addict Group: Moderator Posts: 10,039 Joined: 28-October 05 From: London Member No.: 38,920	How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo. Credits: Atribune for VundoFix What this program does: The Vundo family of Trojans is one of the most common infections we find on userâ€™s PCâ€™s. The infection can cause popups which usually advertise rogue antispyware programs. Some common rogue antispyware programs that are advertised are WinFixer, SysProtect and winantispyware for example. Users are normally targeted by false positives, and warning of infection â€“ an example of this could be popups alerting users they are infected with a blackworm virus. The most common method of infection is through outdated versions of the Sun Java platform; older versions are being exploited so it is important to firstly make sure that your Java software is fully up to date. Thankfully, the infection is relatively easy to remove, and a specialised tool has been created to remove the vundo trojan from infected computers. The following guide will explain how to use the tool, and hopefully rid your system of this malware. Tools needed for this fix: Vundo Fix VirtumundoBegone (if VundoFix does not work) Note: This infection is normally detectable by users receiving popups when they use the internet. Your antivirus program might also notify you via an alert that you have a Vundo Trojan on your computer. If you happen to have Hijackthis installed on your computer, you will be able to verify whether you have the Vundo infection, as there will be a matching O2, and O20 entry, with the same randomly named .dll file. In older infections the O2 entry normally contained the word "MSEvents". Please note you normally do not need Hijackthis installed to remove this infection, and the above details may only make sense to experts in this field, so don't panic. Symptons from a Hijackthis log: Below is an example of a Vundo infection, though there are many different filenames. O2 - BHO: (no name) - {EFCB1D95-FFF6-47BB-B6C9-61A523F04322} - C:\WINDOWS\system32\vturr.dll O20 - Winlogon Notify: vturr - C:\WINDOWS\system32\vturr.dll Revision History: 01/09/07 - Updated guide to reflect updates to the tools. Removal Steps: Please print these instructions as they will be needed later when Internet access is not available. Save these instructions in word or notepad to the desktop where they can be easily found. Download Vundo Fix and save it to your desktop. When it has completed downloading, double-click VundoFix.exe to run it. Click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will now receive a prompt asking if you want to remove the files, click the YES button. Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will shutdown your computer, click the OK button. When the computer has shutdown, turn your computer back on. The WinFixer and Vundo infection should now be removed from your computer. If you are still having a problem then please perform the following steps. This step should only be used if the instructions in the previous steps did not remove the infection: Download VirtumundoBegone and save it to your desktop. Now reboot into Safe Mode. This can be done tapping the F8 key as soon as you start your computer You will be brought to a menu where you can choose to boot into safe mode. Select safe mode with networking using your arrow keys on the keyboard and then press enter. When you computer reaches the desktop make sure you log in as the same user which you had performed the previous steps, Once you are logged into safe mode, double-click VirtumundoBeGone.exe file you just downloaded and follow the instructions. Exit when it has finished, and reboot back to normal mode. The WinFixer and Vundo infection should now be removed from your computer. Conclusion If after attempting the instructions in this guide the infection is still present, then it is advised that you post your HijackThis log so one of our experts can help you remove the infection. It may be that you have a new variant that the tools cannot yet remove, or you have a stubborn infection. Instructions on how to post a HijackThis log can be found here: Preparation Guide For Use Before Posting A Hijackthis Log This is a self-help guide. Use at your own risk. BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum. If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you. -------------------- Although my help is free, if I have saved you some money or helped in any way, please consider a donation:

Grinler View Member Profile	Jan 19 2006, 07:57 PM Post #2
Bleep Bleep! Group: Admin Posts: 27,962 Joined: 24-January 04 From: USA Member No.: 3	This guide has been updated to reflect the new version of VundoFix. -------------------- Lawrence

Grinler View Member Profile	Jan 26 2006, 03:30 PM Post #3
Bleep Bleep! Group: Admin Posts: 27,962 Joined: 24-January 04 From: USA Member No.: 3	It has been reported that Vundo is now using a Root Kit to hide itself. If after running VundoFix you are still infected, please post a HijackThis log in the HijackThis Logs and Analysis forum. When posting the log make sure you include in the title Winfixer/Vundo using Rootkit -------------------- Lawrence

Grinler View Member Profile	Jan 28 2006, 07:26 PM Post #4
Bleep Bleep! Group: Admin Posts: 27,962 Joined: 24-January 04 From: USA Member No.: 3	VundoFix can now remove the Rootkit that was previously hiding it. I have updated the instructions for this new version. -------------------- Lawrence

« Next Oldest · Spyware and Malware Removal Guides and Reading Room · Next Newest »

16 User(s) are reading this topic (16 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 11th May 2008 - 06:34 PM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database