Vundo is a widely spreaded trojan that shows large amount of unsolicited pop-up advertisements. The spyware also silently downloads from internet and runs arbitrary potentially harmful files, mostly adware components. Vundo is distributed by email in messages containing links to insecure websites, which exploits certain security vulnerabilities of the internet explorer web browser. Once the user click on such link the internet explorer automatically installs the Trojan in computer without user’s knowledge. Vundo severely decreases the amount of virtual memory available and results in performance slowdown of PC, it also secretly runs itself on every windows start up.
VUNDO MANUAL REMOVAL INSTRUCTIONS:
Step 1: Use Windows File Search Tool to Find Vundo Path
1) Go to start > Search > All Files or Folder.
2) In the ” All or part of the file name ” section, type in “Vundo” file name(s).
3) To get better results, select ” Look in: “Local Hard Drives” or Look in: “My Computer” and then click “Search Button”.
4)When Windows Finishes your search, hover over the “In Folder” of “Vundo”, highlight the file and copy/paste the path into the address bar. Save the file’s path on your clip board because you,ll need the file path to delete Vundo in the following manual removal steps.
Step 2: Use Registry Editor to Remove Vundo Registry Values
1) To open the registry editor, go to Start > Run > type “regedit” and then press “OK”.
2) Locate and Delete the entry or entries whose date value ( in the rightmost column) is the spyware file(s) detected earlier.
3) To delete “Vundo” value, right-click on it and select the “Delete” option.
4) Locate and delete “Vundo” registry entries:
-HKEY_CURRENT_USERSoftwareMicrosoftInterneExplorerMainActive State 02F96FB7-8Af6-439B-B7BA-2F952F9E4800
-HKEY_LOCAL_MACHINE SOFTWAREClassesATLEvents.ATLEvents. 1
-HKEY_LOCAL_MACHINE SOFTWAREClassesATLEvents.ATLEvents 8109AF33-6949-4833-8881-43DCC232B7B2 231 6230A-C89C-4BCC-95C2-66659AC7A775
-HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersion
RunOnce*[filename]
-HKEY_CURRENT_USER SoftwareMicrosoftInternetExplorerMainActive State
-HKEY_CURRENT_USER SoftwareMicrosoftWindowsCurrentVersionRun Once*WinLogon
-HKEY_LOCAL_MACHINE SOFTWAREMicrosoftWindows CurrentVersionExplorerBrowser
Helper Objects{8109AF33-6949-4833-8881-43DCC232B7B2}
-HKEY_LOCAL_MACHINE SOFTWAREMicrosoftWindows CurrentVersionExplorerBrowser
Helper Objects{2316230A-C89C-4BCC-95C2-66659AC7A775}
-HKEY_LOCAL_MACHINE SOFTWAREMicrosoftWindows CurrentVersionExplorerBrowser
Helper Objects{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}
-HKEY_LOCAL_MACHINE SOFTWARE ClassesCLSID{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}
-HKEY_LOCAL_MACHINE SOFTWAREClassesATLEvents.ATLEvents. 1
-HKEY_LOCAL_MACHINE SOFTWAREClassesATLEvents.ATLEvents
-HKEY_CLASSES_ROOTCLSID{8109AF33-6949-4833-8881-43DCC232B7B2}
-HKEY_CLASSES_ROOTCLSID{2316230A-C89C-4BCC-95C2-66659AC7A775}
-HKEY_LOCAL_MACHINE SoftwareMicrosoftWindows CurrentVersionRunOnce*[filename]
-HKEY_CURRENT_USER SoftwareMicrosoftWindows CurrentVersionRunOnce*WinLogon
Step3 : Use Windows Command Promp to Unregister Vundo DLL Files
1) To open the Windows Command Promp, go to Start > Run > type “cmd” and click “OK”.
2) Type “cd” in order to change the current directory, press the “space” button, enter the full path to where you believe the Vundo DLL file is located and press “Enter” button on your keyboard. If you don’t know where Vundo DLL files are located, use the “dir” command to display the directorys contents.
3) To unregister “Vundo” DLL file, type the exact directory path + “regsvr32/u” + [DLL_NAME]
( forexample, C:VundoSpy-folder> regsvr32 /u Vundo.dll) and press “Enter”. A message will pop up saying you have successfully unregistered the file.
4) Search and Unregister “Vundo” DLL files : vzbb.dll
Step 4: Detect and Delete other Vundo Files
1) To open the Windows Command Promp, go to Start > Run > type “cmd” and then press “OK”.
2) Type in “dir /A name_of_the_folder” ( forexample, C:Vundospy-folder), which will display the folder’s content even the hidden files.
3) To change the directory, type in “cd name_of_the_folder”.
4) Once you have the file you’re looking for type in “del name_of_the_file”.
5) To delete a file in folder, type in “del name_of_the_file”.
6) To delete the entire folder, type in “rmdir /S name_of_the_folder”.
7) Select the “Vundo” processes and click on the “End Process” to kill it in Task Manager.
Remove the “Vundo Process files : vzbb.dll.
Courtesy of NETMAG Pakistan
I have Malwarebytes – excellent product overall!
But it won’t get rid of Vundo after a half dozen scans and re-boots.
Ran the searchs you mentioned above… no trace.
Did not detect Vundo until Malware updated on 3/26/2009. Wondered if there are false detects?
Any other advice would be just grand!
Mine and rattlesnake’s computer were infected by Vundo trojen on same day cos we were on lan having a lan party
I First Removed the trojen using Avast antivirus and then removed the remaining registries Manually too. The Thing is manual removal is for the case if ur antivirus anti malware dont detect it that is your case and you cant find these files manually too so i would suggest Give Avast a try… It will surely detect and remove most of the files and then find the remaining files if any and remove them manually from your registry also.
Flaw in Malware Bytes latest download (3/28/2009)
Maleware bytes detects popcaploader in the registry. By gollie, I use regedit, see these two and can’t read, change the name, chane permission or touch them.
Malware falsely reports that it has removed these registry items. Tried this with a computer reboot 8 times now. Malware Bytes does not do what it claims.
Memory Processes Infected: 0
(the rest all zeros too)
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Malwarebytes’ Anti-Malware 1.35
Database version: 1912
Windows 5.1.2600 Service Pack 2
(If I upgrade to Windows SP3 – Asus Motherboard firmware problem prevents firefox or IE from connecting to the internet. I can ping internet sites via cmd window, but can’t use any explorer or see Internet via network connections. Uninstalled SP 3 back to 2 and it works fine. ASUS Motherboard problem is unsupported. Beware of ASUS motherboards!)
Malware Bytes – just wont remove malware – but report it is removed – then reboots, scans again and it is still really there.
I went to the malware site and ran the complete diagnostic, installed console – and safe mode.
It is still there. Went ot CCleaner – ran massive updates – no effect.
Maleware Bytes Reports:
Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Maleware Bytes need to look at this misleading report.