Vundo/VirtuMonde is an adware trojan that downloads and displays popup advertisements, often seen as Winfixer. Please see the important note at the bottom regarding a vulnerability in Sun Java that may have been the source of this infection. It may also hijack the browser to unwanted advertising-related sites. If you know that you have the Vundo/VirtuMonde trojan and other programs have not been able to remove it, please take the following steps using the free tools below.
VundoFix v. 4 by Atribune

Please download VundoFix.exe from here:
http://www.atribune.org/ccount/click.php?id=4
and save it to your desktop.
Double-click VundoFix.exe to run it.
Checkmark the box "Run Vundo as task"
You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
When VundoFix re-opens, click the Scan for Vundo button
Once it has finished scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When it has completed, it will prompt that it will shut down your computer. Click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt into a New Topic.
We will also need to see a diagnostic log from the free tool HijackThis.

Create a Diagnostic log using HijackThis

Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest something like "C:\Program Files\HijackThis", but feel free to use any name. HijackThis writes its backups into the folder it runs from, so a permanent folder of its own ensures the backups needed for recovery are kept together and not lost.
See here for specific instructions and screen shots to help:
http://russelltexas.com/malware/createhjtfolder.htm
Download HijackThis here:
http://www.merijn.org/files/hijackthis.zip
or here:
http://castlecops.com/downloads-file-328.html
Unzip the file to the new folder you made and double-click HijackThis.exe to open the program. On the new users' quick-start page, choose *Do a system scan and save a log*.
When the scan finishes, you will get a popup to save the logfile. Please make a note of the location you are saving it to and click *Save*. This should save the file and open the log in Notepad. Copy the contents and post the results into your New Topic when you are ready to post for help.
Most of what it lists will be harmless or even essential, so don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.
...................................................................................
Note: For older variants prior to Nov. 30 2005, there is a free removal tool offered by Symantec here:
http://securityresponse.symantec.com/avcen...moval.tool.html
or here:
http://www.majorgeeks.com/Symantec_Trojan....Tool_d4430.html
Follow the removal directions on the download page. Run the tool twice, with a reboot in between, to be sure it got everything.
You may also need to take additional steps to clean off any remnants by following this FAQ:
http://gladiator-antivirus.com/forum/index...showtopic=10517
...................................................................................
Important Note: A possible vulnerability in Sun Java versions may be responsible for Vundo/Winfixer infections

Check your installed Sun Java versions

We have noticed that a large number of Winfixer/Vundo/VirtuMonde victims have an older version of Sun Java installed, visible under Add/Remove Programs in the Control Panel. Other older or newer versions may also be installed alongside it.
Please see this topic:
http://www.dslreports.com/forum/remark,14738046
Important Note: Autoupdate of Sun Java does not uninstall previous (vulnerable) versions of the program.
Therefore all users are encouraged to check in your Control Panel, under Add/Remove Programs, and uninstall any older versions of Sun Java.
To check whether you have the latest version, please go to this link to verify your version and get the updates needed:
http://www.java.com/en/download/windows_automatic.jsp
You'll need to use IE and allow ActiveX for this update. Follow the instructions on that page to verify your Java software.
Or you can get the manual download here:
http://www.java.com/en/download/manual.jsp
And in the future, remember to remove older versions of Java when you automatically update to a newer version, to avoid exploitation of the older versions left on your system.
Update: From the SANS Internet Storm Center Handler's Diary, posted January 13th 2006:
CERTs warn about java bug being exploited
http://isc.sans.org/diary.php?storyid=1039
QUOTE
According to the bulletins you need at least:
* Version 1.3.1_16 or later
* Version 1.4.2_09 or later
* Version (1.)5 update 4 or later (my note: we are now on update 6 in this version)
to be safe.
AND you still need to
manually uninstall old versions of Sun Java after updating!
QUOTE
Vince told us it's also necessary to remove the old Java environments, not just get the new ones, as an attacker can target the old environments when they are still present.
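As an added example (not part of the original post, and not a Sun or SANS tool), the following Python script applies the per-branch minimums quoted above (1.3.1_16, 1.4.2_09, 5.0 update 4) to the Java entries you see in Add/Remove Programs, and also flags safe-but-superseded runtimes, since the advice in the note above is to remove every older JRE, not only the ones below the minimum. The display-name strings in SAMPLE_ADD_REMOVE_ENTRIES are constructed for this example (the two name styles Sun used are assumed), and installed_java_from_registry reads the HKLM\SOFTWARE\JavaSoft\Java Runtime Environment key that Sun's installer is assumed to create; on any other platform it returns an empty list and the sample entries are audited instead.

```python
"""Audit installed Sun Java runtimes against the minimum safe updates.

Added example, not part of the original post. Encodes the per-branch
minimums from the quoted SANS ISC diary (1.3.1_16, 1.4.2_09, 5.0 update 4)
and the post's own advice to uninstall every older JRE, not only the ones
below the minimum.
"""
import re
from typing import Dict, List, Optional, Tuple

Branch = Tuple[int, int, int]
Version = Tuple[Branch, int]  # ((1, 4, 2), 9) means 1.4.2_09

# Minimum safe update level per release branch (from the quoted diary).
MIN_SAFE_UPDATE: Dict[Branch, int] = {
    (1, 3, 1): 16,
    (1, 4, 2): 9,
    (1, 5, 0): 4,   # marketed as "5.0 Update 4"
}

# Constructed sample of Add/Remove Programs display names (assumed formats).
SAMPLE_ADD_REMOVE_ENTRIES: List[str] = [
    "J2SE Runtime Environment 5.0 Update 6",
    "Java 2 Runtime Environment, SE v1.4.2_03",
    "Java 2 Runtime Environment, SE v1.4.2_09",
    "Java 2 Runtime Environment Standard Edition v1.3.1_16",
    "Java 2 Runtime Environment Standard Edition v1.3.1",
]

# "1.4.2_09" style (registry keys, older display names) and the
# "5.0 Update 6" style Sun used for display names from 5.0 on.
_CANONICAL = re.compile(r"1\.(\d)\.(\d)(?:_(\d+))?")
_DISPLAY = re.compile(r"(\d)\.(\d)\s+Update\s+(\d+)", re.IGNORECASE)


def parse_java_version(text: str) -> Optional[Version]:
    """Extract ((major, minor, micro), update) from a name; None if absent.
    A missing update number counts as update 0 (the original release)."""
    m = _CANONICAL.search(text)
    if m:
        branch = (1, int(m.group(1)), int(m.group(2)))
        return branch, int(m.group(3) or 0)
    m = _DISPLAY.search(text)
    if m:
        # "5.0 Update 6" is the marketing name for 1.5.0_06
        return (1, int(m.group(1)), int(m.group(2))), int(m.group(3))
    return None


def is_vulnerable(branch: Branch, update: int) -> bool:
    """Below the branch minimum, or on a branch older than any the
    bulletin covers (already out of support). Branches newer than the
    bulletin are outside its scope and are not flagged."""
    minimum = MIN_SAFE_UPDATE.get(branch)
    if minimum is not None:
        return update < minimum
    return branch < min(MIN_SAFE_UPDATE)


def audit_installed_java(display_names: List[str]) -> Dict[str, str]:
    """Map each entry to keep / update / uninstall / unknown.

    Only the newest parsable install may stay, and only if it meets its
    branch minimum; an old JRE at a "safe" level is still uninstalled
    because an attacker can target any runtime left on the system."""
    parsed = {name: parse_java_version(name) for name in display_names}
    known = [v for v in parsed.values() if v is not None]
    newest = max(known) if known else None
    verdicts: Dict[str, str] = {}
    for name, version in parsed.items():
        if version is None:
            verdicts[name] = "unknown"
        elif is_vulnerable(*version):
            verdicts[name] = "update" if version == newest else "uninstall"
        elif version != newest:
            verdicts[name] = "uninstall"
        else:
            verdicts[name] = "keep"
    return verdicts


def installed_java_from_registry() -> List[str]:
    """On Windows, list JRE version subkeys (e.g. "1.5.0_06") under
    HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment, the key Sun's
    installer is assumed to create. Returns [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    path = r"SOFTWARE\JavaSoft\Java Runtime Environment"
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
    except OSError:
        return []
    found: List[str] = []
    with key:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(key, index)
            except OSError:
                break
            if parse_java_version(name):  # skips family keys like "1.5"
                found.append(name)
            index += 1
    return found


if __name__ == "__main__":
    entries = installed_java_from_registry() or SAMPLE_ADD_REMOVE_ENTRIES
    for entry, verdict in audit_installed_java(entries).items():
        print(f"{verdict:9s} {entry}")
```

Run it on the affected machine and it prints one verdict per runtime: "keep" for the newest install when it meets its branch minimum, "update" when the newest is itself below the minimum, and "uninstall" for everything older. Note that 1.4.2_09 is flagged "uninstall" even though it meets its own minimum, because a newer runtime is present and the old one would still be a target; that is the point of the note about removing old environments.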