Thursday, September 9, 2010

Remove Vundo/Virtumonde the Semi-Manual Way

Vundo/Virtumonde is an adware program that downloads and displays popup advertisements, often seen as Winfixer. It may also hijack the browser to unwanted advertising-related sites. Please see the important note at the bottom regarding a vulnerability in Sun Java that may have been the source of this infection. If you know that you have the Vundo/Virtumonde trojan and other programs have not been able to remove it, please take the following steps using the free tools below.
    VundoFix by Atribune
Please download VundoFix.exe from here:
»www.atribune.org/ccount/click.php?id=4
and save it to your desktop
•Double-click VundoFix.exe to run it.
•Click the Scan for Vundo button.
•Once it's done scanning, click the Remove Vundo button.
•You will receive a prompt asking if you want to remove the files, click YES.
•Once you click yes, your desktop will go blank as it starts removing Vundo.
•When completed, it will prompt that it will reboot your computer, click OK.
•Please post the contents of C:\vundofix.txt and a new HijackThis log.
•Please post the contents of C:\vundofix.txt into a New Topic in the Security Cleanup Forum.
Go to this link:
»Security Cleanup
Start your own thread by pressing the *New Topic* button. Do not interrupt other similar threads with your problem. Include the vundofix.txt contents and a fresh HijackThis log (instructions below). Please put in the Title of your topic: Vundo Removal.
We will also need to see a diagnostic log from the free tool HijackThis
    Create a Diagnostic log using HijackThis
• Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. This is to ensure it makes the necessary backups for recovery if needed.
See here for specific instructions and screen shots to help:
»russelltexas.com/malware/createhjtfolder.htm
•Download HijackThis here
»www.trendsecure.com/portal/en-US···this.php
• Unzip the file to the new folder you made and double-click on HijackThis.exe to open the program. On the new users quickstart page, choose *Do a system scan and save a log*.
• When the scan finishes, you will get a popup to Save the logfile. Please make note of the location you will be saving it to and click *save*. This should save the file and open the log in Notepad. Copy the contents and post the results into your New Topic when you are ready to post for help.
Most of what it lists will be harmless or even essential, so don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.
...................................................................................
Important Note: Possible Vulnerability in Sun Java versions may be responsible for Vundo/Winfixer infections
Check your installed Sun Java versions
We have noticed that a large number of Winfixer/Vundo/Virtumonde victims have an older version of Sun Java installed in Add/Remove Programs in the Control Panel. Other older or newer versions may also be installed.
Please see this topic:
»Potential Vulnerability with Sun Java auto update
Important Note: Autoupdate of Sun Java does not uninstall previous (vulnerable) versions of the program.
Therefore all users are encouraged to please check in your Control Panel, under Add/Remove programs and uninstall any older versions of Sun Java.
To check whether your version is the latest, please go to this link to verify your version and get the updates needed:
»www.java.com/en/download/windows···atic.jsp
You'll need to use IE and allow ActiveX for this update. Follow the instructions on that page to verify your Java software.
Or you can get the manual download here:
»www.java.com/en/download/manual.jsp
And in the future, remember to remove older versions of Java when you automatically update to a newer version to avoid exploitation of older versions left on your system.
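As an added check that is not part of the original post, the PowerShell snippet below reads the same Add/Remove Programs (Uninstall) registry keys the Control Panel uses, lists every Java entry found, and flags all but the newest so leftover older versions are easy to spot before you uninstall them. It is read-only and removes nothing; the registry paths are the standard Uninstall keys, and the version comparison is a heuristic because Sun's DisplayVersion format has varied between releases.

```powershell
# Added example: list installed Java versions from the Add/Remove Programs registry keys
# and flag every entry older than the newest one. Read-only; it uninstalls nothing.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$java = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $_.DisplayName -match '^(Java|J2SE)' -and
        $_.DisplayName -notmatch 'Auto Updater'
    } |
    ForEach-Object {
        # DisplayVersion is usually dotted (e.g. 6.0.200); some builds use 1.6.0_20.
        # Normalise the underscore and fall back to 0.0 if it still cannot be parsed.
        $v = [version]'0.0'
        [void][version]::TryParse(($_.DisplayVersion -replace '_', '.'), [ref]$v)
        [pscustomobject]@{
            Name      = $_.DisplayName
            Version   = $v
            RawVer    = $_.DisplayVersion
            Uninstall = $_.UninstallString   # shown for reference only
        }
    } |
    Sort-Object Version -Descending)

if ($java.Count -eq 0) {
    Write-Host 'No Java entries found in Add/Remove Programs.'
    return
}

$newest = $java[0].Version
foreach ($j in $java) {
    $flag = if ($j.Version -lt $newest) { 'OLD - remove via Add/Remove Programs' } else { 'newest' }
    '{0,-45} {1,-12} {2}' -f $j.Name, $j.RawVer, $flag
}
```

Run it in an elevated PowerShell window; any entry marked OLD is one the auto-updater left behind and should be uninstalled through the Control Panel as the note above describes.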
Update: From the SANS Internet Storm Center Handler's Diary, posted January 13th 2006:
CERTs warn about java bug being exploited
»isc.sans.org/diary.php?storyid=1039

AND you still need to manually uninstall old versions of Sun Java after updating!

13 comments:

  1. Very very good guide. Are you a computer genius or are you a computer genius?

  2. Had a vundo a few months ago, wish i'd had this guide back then.

  3. I will definitely try this out if I run into that problem

  4. lol been playin with computers for far too long is all

  5. Good information there... Thanks a lot

  6. Hey bro, showing some love ;) Show me some love back plx ;)

    I'll do it daily.

  7. hey thanks for the info bro


    daily lurvs

  8. Thanks for the tut bro! I'll have to check it out :)

  9. Great post, will be looking into this a lot more!

    Stewart Higgins
    Intranet Expert
    Intranet Software
