Help removing trojan Vundo

scorplett · 13-01-2006 2:03am #1

I have McAfee and scan is showing the trojan 'Vundo' and that the virus scan tool cannot clean, quarantine or delete the file. Followed instructions on McAfee's site to download process explorer and using this, suspending explore, winlogon and rundl32... I went into the process explorer and could not find rundl32. tried to proceed anyhow but my system keeps freezing??? Any ideas on how to get rid of this thing???

Ruu_Old · 13-01-2006 2:28am

Vundo Removal Tool

scorplett · 13-01-2006 2:55am

Ruu wrote:

Vundo Removal Tool

I downloadwd and run that symantec programme and to my unlearned eyes seemed to work but moments later McAfee alerted me again to the same virus infection in the same filepath????

Ruu_Old · 13-01-2006 2:59am

did you remember to turn off System Restore before running the tool?

scorplett · 13-01-2006 3:23am

How do I do that???
BTW I hadn't even re-booted before the virus detect came up again

Ruu_Old · 13-01-2006 3:49am

scorplett wrote:

How do I do that???
BTW I hadn't even re-booted before the virus detect came up again

Right click on my computer then click Properties, then System Restore. Tick the box to turn it off on all drives.

scorplett · 13-01-2006 2:13pm

Did that and still no joy. It also seems that I am getting winlogin fatal errors???

scorplett · 13-01-2006 11:59pm

help please.... its really starting to drive me bonkers
:eek: :eek: :eek:

scorplett · 14-01-2006 1:39am

Ok, I just re ran the symantec tool in windows safe mode and with my network and internet connections turned off and system restore turned off. The removal tool returned with 'trojan vundo was not found on your computer'. I rebooted in normal windows mode and McAfee is still telling me I'm infected... Does this mean that the trjan is on the network? Or the host computer??

Zoned · 14-01-2006 5:44pm

Try this.....

Certain variants of the Vundo trojan are especially difficult to remove. Current DAT and Engine functionality does not yet provide an automatic method to fully remove this threat if it is active in memory. However, a combination of manual and DAT/Engine removal methods does allow for successful removal of this threat.

Instructions

Download Process Explorer (procexp.exe) from Sysinternals
Reboot the infected machine
Launch the VirusScan On-Demand Scanner (ODS), or the command-line scanner, but don't initiate the scan yet
Run Process Explorer and suspend the Explorer.exe, Winlogon.exe, and rundll32.exe processes (right-click on these process names and choose suspend)
Scan & clean with the current DAT files and engine (the Window launched in step 3 above) [there will be clean failures, that is expected]
Physically power the machine off and back on.(a hard reset is required as Windows will not shutdown without Winlogon.exe running, and resuming that process will revert the changes made by the scanner).
These steps will removal all relevant registry entries and identified Vundo components.

scorplett · 15-01-2006 12:19am

Finally got rid of that blasted thing... I just happened to do a scan on the root flder that contained the trojan (system32) it came up and I was able to clean in with McAfee's virus scan tool... simple... But I still have a problem with restoring winlogon, I'll post a new thread on that one if nothing follows this thread..
Thanks for all the suggestions people... Nice one:D

Help removing trojan Vundo

Comments