Monday, March 29, 2010

Vundo Virus Removal Tools for Windows

If you are having any of the symptoms listed below, be sure to download and run the virus removal tools described at the end of this post. The Vundo virus has spread to computers worldwide, often without the user's knowledge until the symptoms appear.

There are many different varieties of the Vundo trojan, and its symptoms vary widely, ranging from the relatively benign to the severe. Almost all varieties of Vundo feature some sort of pop-up advertising, and they root themselves into the system to make themselves difficult to delete.

Computers infected exhibit some or all of the following symptoms:

  • Vundo will cause the infected web browser to pop up advertisements, many of which claim a need for software to fix system "deterioration".
  • The desktop background may be changed to the image of an installation window saying there is adware on the computer.
  • The screensaver may be changed to the Blue Screen of Death.
  • In the Display Properties Control Panel, the background and screensaver tabs are missing because their "Hide" values in the Registry were changed to 1.
  • Both the background and screensaver are in the System32 folder; however, the screensaver cannot be deleted.
  • Windows Automatic Updates (and other web-based services) may also be disabled and it is not possible to turn them back on.
  • Infected DLLs (with randomized names such as "__c00369AB.dat" and "slmnvnk.dll") will be present in the Windows\System32 folder, and references to the DLLs will be found in the user's startup entries (viewable in MSConfig), in the registry, and as browser add-ons in Internet Explorer.
  • Vundo may attempt to prevent the user from removing it or otherwise impede its operation, such as by disabling the task manager, registry editor, and msconfig, thereby preventing the system from booting into safe mode.
  • Some firewalls or antivirus software may also be disabled by the virus, leaving the system even more vulnerable. In particular, it disables Norton AntiVirus and in turn uses it to spread the infection. Norton will show prompts to enable the phishing filter, all by itself. Upon pressing OK, it will try to connect to real-av.org and download more malware.
  • Popular anti-malware programs such as Spybot - Search & Destroy or Malwarebytes' Anti-Malware may be deleted or immediately closed upon loading. Renaming the program executable can work around this. Malwarebytes' Anti-Malware's executable may be deleted as soon as it is installed (depending on your infection). Installing the program on another computer and copying the executable into the infected computer's Malwarebytes' Anti-Malware directory usually works too.
  • Web access may also be negatively affected. Vundo may cause many websites to be inaccessible.
  • Google search links may be redirected to rogue antispyware sites, which can be avoided by copying and pasting addresses instead of clicking them.
  • Vundo may cause webpages to fail to load after a session of browsing and present a blank page in the browser instead of the webpage. When this happens, programs may also fail to start and it may become impossible to use Windows shutdown.
  • The hard drive may start to be constantly accessed by the winlogon process, thus periodic freezes may be experienced.
  • Warnings about SuperMWindow not shutting down.[3]
  • Explorer.exe may constantly crash resulting in an endless loop of crashing then restarting.
  • Creates a critical virus driver in C:\Windows\system32\drivers\ (ati0dgxx.sys).
  • The virus can "eat" away at available hard drive space; free space can fluctuate by as much as +3 to -3 GB, evidence of Vundo's attempt at "hiding" when it is being antagonized.
  • Vundo can impede download progress.
  • Windows Automatic Updates service may become disabled.
  • Entering safe mode after attempting to use HijackThis results in a true blue screen of death, which cannot be recovered from without either restoring the deleted safe mode registry keys, or a reinstall of Windows.
  • Sometimes gives a "Run a DLL as an APP" error when some of the randomly named DLLs have been deleted.
  • Will rewrite the randomly named DLLs while any of them remain on the machine.
  • Changes \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce entries to start itself when Windows starts.
  • Installs adware that is pornographic 25% of the time.

Fake Antivirus Popup (Vundo) removal

Note: if you can't execute any of these applications in normal Windows, boot into Safe Mode with Networking and start with Malwarebytes Anti-Malware. Then boot back into normal Windows and try again.

1. Download and run ATF-Cleaner. It will clear the temp folders.

2. Download and run SuperAntiSpyware (don't forget to update the definitions).

3. Download and run Malwarebytes Anti-Malware (don't forget to update the definitions).

4. Download and run ComboFix.

Notes:

  • If you can't execute SuperAntiSpyware or Anti-Malware in normal Windows, boot into Safe Mode with Networking and start with Anti-Malware (update it if you can). Then boot back into normal Windows and try again.

  • If you can't update the programs, run them as is, reboot, then attempt to update and rerun them with the updates. Don't skip running them again with updates; you'll regret it.

  • The default settings/options for these programs are fine. Just make sure you update the definitions on 1 & 2. Also run the complete scan; don't shortcut it, as it will cost you in the end.

  • I usually kill the installed antivirus program while ComboFix runs. It will speed up the scan.

  • If IE is still acting strange, try one or both of these: go to Tools/Internet Options/Connections/LAN Settings and make sure "Use a proxy server" is turned off. Go to Tools/Internet Options/Advanced and reset Internet Explorer settings and advanced settings.

  • Expect the whole process to take the system away from the user for at least 4 hours, depending on the amount of data on the system. Don't take shortcuts or you may have to start over again.
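Several of the symptoms listed above live in the registry: rundll32 entries under Run/RunOnce that load a randomly named file from System32, the "Hide" values for the Display Properties tabs set to 1, Task Manager and regedit disabled, and (from the IE note above) a proxy that has been switched on behind the user's back. The script below is an added example written for this page, not a tool from the post or from any of the products named in it. It triages a registry export offline, which is useful when the infected machine itself cannot be trusted to run regedit. The sample `.reg` text is constructed: the two loader file names are the ones quoted in the symptom list, and every other value is made-up filler. It also assumes that the "Hide" values mentioned above are the NoDispBackgroundPage and NoDispScrSavPage policy values under Policies\System.

```python
"""Offline triage of a Windows registry export (.reg text) for Vundo-style
indicators: rundll32 persistence under Run/RunOnce, tampered Policies\\System
values, and a forced Internet Explorer proxy. Example code for this page."""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample in regedit's .reg export format. The two loader names
# (slmnvnk.dll, __c00369AB.dat) are the ones quoted in the post; the other
# entries, paths and the proxy address are made-up filler.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsDefender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"slmnvnk"="rundll32.exe C:\\WINDOWS\\system32\\slmnvnk.dll,s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"__c00369AB"="rundll32.exe C:\\WINDOWS\\system32\\__c00369AB.dat,DllMain"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"NoDispScrSavPage"=dword:00000001
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:8080"
"""

# Policy values a Vundo-style infection sets to 1 (assumed mapping of the
# post's "Hide" values): the two that hide Display Properties tabs, plus the
# ones that disable Task Manager and the Registry Editor.
TAMPER_POLICIES = {
    "NoDispBackgroundPage": "Display Properties 'Background' tab hidden",
    "NoDispScrSavPage": "Display Properties 'Screen Saver' tab hidden",
    "DisableTaskMgr": "Task Manager disabled",
    "DisableRegistryTools": "Registry Editor disabled",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse .reg text into {key_path: {value_name: value}}.
    Quoted strings (with \\\\ and \\" escapes) become str, dword values int;
    anything else (hex blobs etc.) is kept as the raw text."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
        else:
            keys[current][name] = data
    return keys


def triage(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for the three indicator classes."""
    findings: List[Tuple[str, str]] = []
    for path, values in keys.items():
        lower = path.lower()
        tail = lower.rsplit("\\", 1)[-1]
        if tail in ("run", "runonce") and "currentversion" in lower:
            for name, data in values.items():
                if not isinstance(data, str) or "rundll32" not in data.lower():
                    continue
                # rundll32 takes "<module>,<entry>"; pull the module path out.
                parts = data.split(None, 1)
                module = parts[1].split(",", 1)[0].strip().strip('"') if len(parts) > 1 else ""
                ext = module.rsplit(".", 1)[-1].lower() if "." in module else ""
                reason = "rundll32 persistence in %s" % tail
                if ext != "dll":
                    reason += " (loads a .%s file as a DLL)" % ext
                findings.append(("persistence", "%s\\%s -> %s: %s" % (path, name, module, reason)))
        elif tail == "system" and "policies" in lower:
            for name, desc in TAMPER_POLICIES.items():
                if values.get(name) == 1:
                    findings.append(("policy_tamper", "%s = 1 (%s)" % (name, desc)))
        elif tail == "internet settings" and values.get("ProxyEnable") == 1:
            server = values.get("ProxyServer", "<unset>")
            findings.append(("proxy", "ProxyEnable=1, ProxyServer=%s" % server))
    return findings


if __name__ == "__main__":
    # regedit writes exports as UTF-16 with a BOM; with no argument, use the sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for category, detail in triage(parse_reg(text)):
        print("[%s] %s" % (category, detail))
```

Run it with no arguments to see the six findings from the constructed sample, or pass the path of a `.reg` file exported from the affected machine. A rundll32 entry that loads a file from System32 is not proof of infection on its own, but an entry whose module is not even a `.dll` (the `.dat` loader above) or whose name looks randomly generated is exactly the kind of thing the symptom list says to look for in MSConfig and the registry, and the policy and proxy findings tell you which settings still need to be put back after the scanners have run.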

From the Internet Experts @ BuilderConsulting.com

913-814-8844 Office
