Vundo.B Trojan Removal





Vundo.B is a Trojan that installs adware components; once a machine is infected it displays a constant stream of popups and slows the computer to a crawl. If you have Norton Antivirus you won't see the popups, but every 1 to 2 seconds you get a warning from Norton saying it stopped the Trojan but cannot clean, move, or delete it. The reason is that the Trojan DLL is loaded inside system processes (winlogon.exe and the Explorer shell), so the file is in use and cannot be deleted while Windows is running normally. The steps below unload it, remove its registry entries, and delete the file on reboot.

First, you're going to need to get three tools:

1. Process Explorer (Download Here)
2. Pocket Killbox (Download Here)
3. CCleaner (Download Here)

NOTE: It's a good idea to download these to the desktop so that they are easy to get to. Once you have them downloaded, install CCleaner. Process Explorer and Killbox don't need to be installed. Now, follow these instructions. (Read through all of the instructions first, and print them out if you can, because you will need to reboot your computer during cleanup and will not have a normal desktop for part of it.)

Step 1:
Wait for the security alert that says you are infected and copy down the whole name (path) of the file it says is infected. In this example, the infected file is c:\windows\system32\ddccd.dll. **WRITE THIS DOWN!** Every later step refers back to this file name.

Step 2 (This step will require you to reboot your computer, so make sure you've printed these instructions):
You need to set your computer up to always boot into safemode during this removal process. If you know how to do this, go to Step 3. If you don't, follow the set of instructions below, then continue to Step 3.

How to boot up into Safe Mode
(Start > Run > type msconfig > select the BOOT.INI tab > check /SAFEBOOT > Apply > OK, then let the computer reboot)
or
watch the video on how to start in Safe Mode.

Step 3:
After you set your computer to always boot into Safe Mode, you should have followed the prompt to reboot your system. If so, you should be in Safe Mode now. (If not, reboot your computer now and try Step 2 again.)

First thing is to open all of the following programs and processes:
- Process Explorer
- Pocket Killbox
- Open Windows Explorer or My Computer (something to give you the ability to browse through your computer)
- Registry Editor (go to Start then Run then type regedit and hit enter )

You should have 4 windows open now. It might be a good idea to have a corner of each of them showing, so you can see a bit of each of the 4 windows, so take the time to reposition or resize your windows.

Step 4:
Once all the programs in Step 3 are open, go to Process Explorer and find the explorer.exe process in the list. Right-click it and choose "Kill Process". (This kills your Windows shell, which is why you opened everything needed in this tutorial in Step 3: the Trojan DLL is loaded into the shell, and Explorer must be gone before the file can be removed.)

**You can still switch back and forth between programs by holding ALT and tapping the TAB key**

Step 5:
Go to the Registry Editor (regedit) and delete the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\[Trojan file name]
Note: [Trojan file name] is the name of the DLL minus the ".dll" part. In my case, the folder was called DDCCD. This key is what makes winlogon.exe load the DLL at every logon, so it has to go before the file can be deleted.

For those of you who haven't done this before, this means clicking the plus (+) symbol next to each of the names, HKEY_LOCAL_MACHINE, then SOFTWARE, then Microsoft, etc., until you see your Trojan file name. Before deleting, click the key and confirm that its DLLName value names your Trojan DLL; the other keys under Notify belong to Windows and must be left alone. Once you have confirmed it, delete the whole folder with the Trojan file name. You can delete it by right-clicking and choosing Delete, highlighting it and pressing the Delete key, or highlighting it and choosing Edit on the menu at the top and then Delete.

Step 6:
Go back to Process Explorer and find the process called "winlogon.exe". Double-click it to open another window with eight tabs along the top. Click the "Threads" tab. In this tab you will see names listed under "Start Address". About four of them (there may be more or fewer; either way, follow the directions) will carry the name of your Trojan DLL file. One by one, click each Trojan DLL thread in the list, then click the Kill button. Kill only the threads whose start address is in the Trojan DLL: winlogon.exe is a critical system process, and killing one of its own threads can crash Windows and force a reboot, which would send you back to Step 3. When all of the Trojan threads are gone, click the OK button at the bottom to close that window and go back to the Registry Editor.

Step 7:
Now, the next key hides in the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\ part of the registry. To find the specific key, go to the top "My Computer" icon in the list, then go to EDIT on the menu bar, then click "Find" and search for the trojan name. In my case, I will search for ddccd.

Step 8:
It may take a while to scan, but it should find a key in the registry tree mentioned above. It will open the folder so you can see which one it found. In my case, it found the key "{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}". Before deleting it, expand the key and check its InprocServer32 subkey: the default value should be the full path of your Trojan DLL. If it points at some other file, press F3 to find the next match instead. Write down that name, then delete the tree, i.e. the folder with that long name.

Step 9:
You have to delete one more registry key that is hiding in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ . Go there and look for the same name (file tree) as the one you just deleted, in my case I'm looking for "{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}". Find it and delete it.

Step 10:
Go to your Pocket Killbox and type into the "Full Path of File to Delete" box:
c:\windows\system32\[Your trojan DLL file here]
In my case, I typed: c:\windows\system32\ddccd.dll

Next, click "Delete on Reboot" and check the "End Explorer Shell While Killing File".

Click the red circle with a white X to kill the file and follow the prompts to continue with the kill.

Step 11:
It may take a minute or so for your system to finally reboot, so be patient, and when it does it will be in SafeMode again (this is good).

Step 12:
When your computer completely reboots, open up Process Explorer again and double click on the WinLogon.exe file to go back to Threads. If you do not see your trojan dll file in there, then congratulations, you're almost clean!

Step 13:
Just one more step. Before you reboot into normal Windows, search your computer for the DLL file name (Start > Search, or Windows Explorer's search). Vundo sometimes copies itself into other folders, so a second check is necessary. Sometimes it hides in C:\!Submit, but the location may be different for you, so search the whole drive. After you delete any copies, or have verified it is no longer on your system, go on to the next step.

Step 14:
Go back to Start , click run , type msconfig , and go to the Boot.ini tab and uncheck the safeboot mode option. Your computer will now reboot back to normal Windows.

Step 15:
The last thing you will want to do is clean out all of the temporary folders on your computer. This can be done by running CCleaner. Double-click its icon, click Analyze, let the search run, then click Run Cleaner. After the clean is completed, reboot your computer.

Congratulations, you removed Vundo and you are finished!
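The fifteen steps above are one procedure: find the DLL, remove its Winlogon Notify key, its CLSID and Browser Helper Object registrations, confirm it is no longer loaded, and delete the file on reboot. The script below is an added example written for this page, not a tool from the original tutorial, that does the same checks for a DLL name you give it. It assumes the Windows XP-era registry layout the steps describe (Winlogon\Notify, Classes\CLSID, Browser Helper Objects), an elevated PowerShell prompt in Safe Mode, and a hypothetical DLL name such as ddccd.dll. Without -Remove it only reports what it finds, so you can compare its output with what you see in regedit and Process Explorer before deleting anything.

```powershell
# Added example for this page (not part of the original tutorial).
# Usage:  .\Find-Vundo.ps1 -DllName ddccd.dll            (report only)
#         .\Find-Vundo.ps1 -DllName ddccd.dll -Remove    (delete keys, schedule file deletion)
# Assumes the XP-era persistence points described in Steps 5-10 and an elevated
# session in Safe Mode. ddccd.dll and Find-Vundo.ps1 are hypothetical names.
param(
    [Parameter(Mandatory = $true)]
    [string]$DllName,
    [string]$DllPath = "$env:SystemRoot\system32\$DllName",
    [switch]$Remove
)

$base      = [IO.Path]::GetFileNameWithoutExtension($DllName)
$notify    = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\$base"
$clsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID'
$bhoRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$found     = @()   # registry keys confirmed to belong to the Trojan

# Step 5: the Winlogon notification package keyed by the DLL base name.
if (Test-Path $notify) {
    $dllValue = (Get-ItemProperty -Path $notify).DLLName
    Write-Host "Winlogon Notify package: $notify (DLLName = $dllValue)"
    $found += $notify
}

# Steps 7-9: every COM class whose InprocServer32 points at the DLL,
# and the matching Browser Helper Object registration if there is one.
Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $server = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
    if ($server -and ($server.'(default)' -like "*\$DllName")) {
        Write-Host "CLSID registration: $($_.PSChildName) -> $($server.'(default)')"
        $found += $_.PSPath
        $bho = Join-Path $bhoRoot $_.PSChildName
        if (Test-Path $bho) {
            Write-Host "BHO registration: $bho"
            $found += $bho
        }
    }
}

# Steps 6 and 12: is the DLL still mapped into winlogon.exe or explorer.exe?
# A DLL that is still loaded cannot be deleted until the process lets go of it.
$stillLoaded = $false
Get-Process -Name winlogon, explorer -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    $proc.Modules | Where-Object { $_.ModuleName -ieq $DllName } | ForEach-Object {
        Write-Host "Still loaded in $($proc.ProcessName) (PID $($proc.Id)): $($_.FileName)"
        $stillLoaded = $true
    }
}

# Step 13: report the file itself, wherever the caller says it lives.
if (Test-Path $DllPath) { Write-Host "File present: $DllPath" }

if (-not $Remove) {
    Write-Host "Report only. Re-run with -Remove to delete the keys above and schedule the file for deletion."
    return
}

# Steps 5, 8, 9: delete the confirmed registry keys.
foreach ($key in $found) {
    Remove-Item -Path $key -Recurse -Force
    Write-Host "Deleted $key"
}

# Step 10: deferred deletion. MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT (4) and a
# null destination asks Windows to delete the file during the next boot, before
# winlogon or Explorer can load it again; this is the documented Windows mechanism
# for removing a file that is in use.
if (Test-Path $DllPath) {
    Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
    if ([Win32.Native]::MoveFileEx($DllPath, $null, 4)) {
        Write-Host "Scheduled $DllPath for deletion at next reboot."
        if ($stillLoaded) { Write-Host "The DLL is still loaded; reboot now so the deletion runs before it is reloaded." }
    } else {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed with Win32 error $err"
    }
}
```

The CLSID check deliberately matches on the InprocServer32 path rather than on the key name found by regedit's Find, because a text search for "ddccd" can also hit unrelated keys; only a class whose server is the Trojan DLL is deleted. After the reboot, run the script again without -Remove: an empty report is the same confirmation Steps 12 and 13 ask you to make by hand.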


Computer Operations (Sandburg Halls)
3400 N. Maryland Ave. Milwaukee, WI 53211
Room C280
1-414-229-4606

