How to Manually Remove the Vundo Trojan?

Vundo is a widely spread trojan that displays large numbers of unsolicited pop-up advertisements. The spyware also silently downloads and runs arbitrary, potentially harmful files from the internet, mostly adware components. Vundo is distributed by email in messages containing links to insecure websites that exploit certain security vulnerabilities in the Internet Explorer web browser. Once the user clicks such a link, Internet Explorer installs the Trojan on the computer without the user’s knowledge. Vundo severely reduces the amount of available virtual memory and slows down the PC; it also secretly runs itself at every Windows startup.


Step 1: Use the Windows File Search Tool to Find the Vundo Path
1) Go to Start > Search > All Files or Folders.
2) In the “All or part of the file name” section, type in the “Vundo” file name(s).
3) For better results, select “Look in: Local Hard Drives” or “Look in: My Computer”, then click the “Search” button.
4) When Windows finishes the search, hover over the “In Folder” column of the “Vundo” result, highlight the file and copy/paste the path into the address bar. Keep the file’s path on your clipboard, because you’ll need it to delete Vundo in the following manual removal steps.

Step 2: Use Registry Editor to Remove Vundo Registry Values

1) To open the Registry Editor, go to Start > Run > type “regedit” and then press “OK”.
2) Locate and delete the entry or entries whose data value (in the rightmost column) is the spyware file(s) detected earlier.
3) To delete a “Vundo” value, right-click on it and select the “Delete” option.
4) Locate and delete the following “Vundo” registry entries:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Active State 02F96FB7-8AF6-439B-B7BA-2F952F9E4800
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents 8109AF33-6949-4833-8881-43DCC232B7B2 2316230A-C89C-4BCC-95C2-66659AC7A775 RunOnce*[filename]
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Active State
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce*WinLogon
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8109AF33-6949-4833-8881-43DCC232B7B2}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2316230A-C89C-4BCC-95C2-66659AC7A775}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce*[filename]
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce*WinLogon

Step 3: Use the Windows Command Prompt to Unregister Vundo DLL Files
1) To open the Windows Command Prompt, go to Start > Run > type “cmd” and click “OK”.
2) Type “cd” to change the current directory, press the space bar, enter the full path to where you believe the Vundo DLL file is located, and press the “Enter” key. If you don’t know where the Vundo DLL files are located, use the “dir” command to display the directory’s contents.
3) To unregister the “Vundo” DLL file, type the exact directory path + “regsvr32 /u” + [DLL_NAME] (for example, C:\VundoSpy-folder> regsvr32 /u Vundo.dll) and press “Enter”. A message will pop up saying you have successfully unregistered the file.
4) Search for and unregister the “Vundo” DLL file: vzbb.dll

Step 4: Detect and Delete Other Vundo Files
1) To open the Windows Command Prompt, go to Start > Run > type “cmd” and then press “OK”.
2) Type in “dir /A name_of_the_folder” (for example, dir /A C:\Vundospy-folder), which displays the folder’s contents, including hidden files.
3) To change the directory, type in “cd name_of_the_folder”.
4) Once you have found the file you’re looking for, type in “del name_of_the_file”.
5) To delete a file inside a folder, type in “del name_of_the_file”.
6) To delete the entire folder, type in “rmdir /S name_of_the_folder”.
7) In Task Manager, select the “Vundo” processes and click “End Process” to kill them.
8) Remove the “Vundo” process file: vzbb.dll.
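A read-only PowerShell audit of the Step 2 registry locations and the vzbb.dll references from Steps 3 and 4, added here as an example and not part of the original article; it assumes Windows PowerShell 2.0 or later in an elevated session, and it treats the article’s “Active State” entry as a registry value, which is an assumption.

```powershell
# Added example, not from the original article: a read-only audit of the registry
# locations listed in Step 2 plus the Run/RunOnce keys. It reports; it deletes nothing.
# Assumes Windows PowerShell 2.0 or later in an elevated session so HKLM is readable.
function Find-VundoArtifacts {
    # CLSIDs taken from the article's Browser Helper Objects entries
    $clsids = '{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}',
              '{8109AF33-6949-4833-8881-43DCC232B7B2}',
              '{2316230A-C89C-4BCC-95C2-66659AC7A775}'
    $found = @()
    # 1. Browser Helper Objects: the subkey name is the CLSID, and
    #    HKCR\CLSID\<id>\InprocServer32 names the DLL Internet Explorer loads
    #    (the file Step 3's "regsvr32 /u" unregisters).
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($id in $clsids) {
        if (Test-Path "$bho\$id") {
            $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$id\InprocServer32"
            $dll = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { '<no InprocServer32>' }
            $found += New-Object PSObject -Property @{ Where = "BHO $id"; What = $dll }
        }
    }
    # 2. Run / RunOnce values: flag data that references the article's vzbb.dll,
    #    and the RunOnce value named WinLogon that the article lists.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $hit = ("$($p.Value)" -match 'vzbb\.dll') -or
                   ($key -like '*\RunOnce' -and $p.Name -eq 'WinLogon')
            if ($hit) {
                $found += New-Object PSObject -Property @{ Where = "$key\$($p.Name)"; What = $p.Value }
            }
        }
    }
    # 3. The "Active State" entry under HKCU Internet Explorer\Main from the article.
    #    Assumption: it is read here as a value of that key; the article does not say
    #    whether it is a value or a subkey.
    $main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $ie = Get-ItemProperty $main -ErrorAction SilentlyContinue
    if ($ie -and $ie.PSObject.Properties['Active State']) {
        $found += New-Object PSObject -Property @{ Where = "$main\Active State"; What = $ie.'Active State' }
    }
    return $found
}
Find-VundoArtifacts | Format-Table Where, What -AutoSize
```

An empty table means none of the listed indicators is present; any row names the exact key or value to review before applying the Step 2 deletions.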

Courtesy of NETMAG Pakistan