Sunday, May 4, 2008

Win32.Vundo adware manual removal

Intro

This is yet another piece of adware that spies on your computer and should be removed!
The AOL Active Virus Shield license has expired and sadly AOL isn't continuing the service. So it's left to me to defend my system against the world of viruses, trojans and adware, or in short all other malware.

Win32.Vundo, as experts call it, shows the following symptoms.

Symptoms

  • Often get popups

  • Microsoft Internet Explorer: a "Work Offline / Cancel" window appears even when you are not browsing


  • Strange tabs opening in Firefox with URLs like
    http://82.98.235.210/go//?cmp=nm_firefox_rn&uid=565E335C0FAF11DD8105F67908CFFFFF&rid=ggthnks&guid=3CF72C3808684EFABBDA369C4C32ABAF&affid=67908&lid=http&url=http:%2F%2Fwww.kitiyo.com%2F



Apparently this virus is spyware: it reports the sites you are visiting to that suspicious IP address (note the url= parameter at the end of the address above).
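As an added example (not part of the original post), the PowerShell function below takes one of the pop-up URLs quoted above, splits out the tracking fields and decodes the url= parameter, which is the site the victim was visiting. The function name and the LooksLikeVundo check are my own assumptions; the sample URL is the one from the symptoms list, so the result can be compared against it.

```powershell
# Added example, not from the original post. ConvertFrom-VundoUrl and the
# LooksLikeVundo heuristic are the editor's own; the sample URL is the one
# quoted in the post's symptoms list.

function ConvertFrom-VundoUrl {
    param([Parameter(Mandatory)][string]$Url)
    $uri = [uri]$Url
    $fields = @{}
    # Query string is "?a=b&c=d"; strip the "?" and decode each pair.
    foreach ($pair in $uri.Query.TrimStart('?').Split('&')) {
        if (-not $pair) { continue }
        $kv    = $pair -split '=', 2
        $name  = [uri]::UnescapeDataString($kv[0])
        $value = if ($kv.Count -gt 1) { [uri]::UnescapeDataString($kv[1]) } else { '' }
        $fields[$name] = $value
    }
    [pscustomobject]@{
        Host           = $uri.Host
        Campaign       = $fields['cmp']
        AffiliateId    = $fields['affid']
        Uid            = $fields['uid']
        Guid           = $fields['guid']
        VisitedSite    = $fields['url']   # the page the user was actually on
        # Heuristic (assumption): the /go/ path plus affid and uid fields match
        # every URL quoted on this page; use it to grep proxy logs, not as proof.
        LooksLikeVundo = ($uri.AbsolutePath -like '/go*') -and
                         $fields.ContainsKey('affid') -and $fields.ContainsKey('uid')
    }
}

# Sample taken from the symptoms list above.
$sample = 'http://82.98.235.210/go//?cmp=nm_firefox_rn&uid=565E335C0FAF11DD8105F67908CFFFFF&rid=ggthnks&guid=3CF72C3808684EFABBDA369C4C32ABAF&affid=67908&lid=http&url=http:%2F%2Fwww.kitiyo.com%2F'
ConvertFrom-VundoUrl $sample | Format-List
```

Running it against the sample prints VisitedSite as http://www.kitiyo.com/ and AffiliateId 67908, which is what makes the "it tells them where you browse" claim concrete and gives a field to search for in web proxy logs.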

Removal
The virus resides in the well-known folder %SystemRoot%\system32 (for example C:\windows\System32). There are so many files in this folder that the makers find it easier to hide their files there.

As usual you will need the help of regedit to get rid of the virus.
Run regedit and go to the usual location:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Check for any anomalies in the names, like a weird combination of letters that doesn't mean anything. The virus names itself randomly, for example jmmjqusl.dll, a combination of 8 letters. Look for an entry of the form RunDll32.exe XXXXXXXX.dll,X.
That's where the virus is, and XXXXXXXX is its name.

  • Now navigate to the System32 folder and rename the virus DLL to something else, say DELETEME.

  • Reboot your system.

  • Now a popup should appear saying Rundll32: Cannot find XXXXXXXX.dll

  • Now go to regedit as before and delete the entry.

  • Repeat the same for RunOnce in regedit:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce


Now you must be free.
:)

Delete this registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider
if it contains an entry pointing to one of the malware DLLs. I don't know what it stands for, but it is better deleted.
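As an added example (not from the original post), here is a read-only PowerShell script that does the inspection part of the procedure above: it walks the Run and RunOnce keys, picks out every value of the RunDll32.exe XXXXXXXX.dll,X shape, resolves the DLL against System32, checks whether the file exists and flags names that look like the 8-letter random names described above, and finally dumps the IProxyProvider key if it is present. The function names and the "eight lowercase letters" heuristic are my own assumptions based on the jmmjqusl.dll example; the script deletes nothing, so the rename/reboot/delete steps are still done by hand as the post describes.

```powershell
# Added example, not part of the original post. Function names and the
# 8-lowercase-letter heuristic are the editor's assumptions, based on the
# jmmjqusl.dll example in the post. The script only reports; it deletes nothing.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$system32 = Join-Path $env:SystemRoot 'system32'

function Test-RandomDllName {
    param([string]$BaseName)
    # Vundo names in the post are 8 meaningless lowercase letters (jmmjqusl).
    return $BaseName -match '^[a-z]{8}$'
}

function Get-RundllAutostart {
    param([string[]]$Keys = $runKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            # PSPath, PSParentPath, ... are provider metadata, not registry values
            if ($prop.Name -like 'PS*') { continue }
            $cmd = [string]$prop.Value
            # Shape the post describes: RunDll32.exe XXXXXXXX.dll,X (path may be quoted)
            if ($cmd -match '(?i)rundll32(\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\S+)') {
                $dll    = $Matches[2]
                $export = $Matches[3]
                # A bare file name is loaded from System32, as the post notes.
                if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $system32 $dll }
                $exists = Test-Path -LiteralPath $dll
                [pscustomobject]@{
                    Key        = $key
                    ValueName  = $prop.Name
                    Command    = $cmd
                    Dll        = $dll
                    Export     = $export
                    Exists     = $exists
                    RandomName = Test-RandomDllName ([IO.Path]::GetFileNameWithoutExtension($dll))
                    Created    = if ($exists) { (Get-Item -LiteralPath $dll).CreationTime } else { $null }
                }
            }
        }
    }
}

function Get-IProxyProviderKey {
    # The post says this key may point at one of the malware DLLs.
    $key = 'HKLM:\SOFTWARE\Microsoft\IProxyProvider'
    if (Test-Path $key) {
        Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
    }
}

$hits = Get-RundllAutostart
$hits | Format-Table ValueName, Dll, Export, Exists, RandomName, Created -AutoSize
foreach ($h in ($hits | Where-Object { $_.RandomName })) {
    Write-Warning ("Suspicious autostart: {0}\{1} -> {2}" -f $h.Key, $h.ValueName, $h.Dll)
}
$proxy = Get-IProxyProviderKey
if ($proxy) { Write-Warning 'IProxyProvider key is present:'; $proxy | Format-List }
```

The Created column is there because a DLL in System32 created days ago rather than with the OS install is worth a second look even when its name does not trip the 8-letter rule; an entry whose DLL no longer exists (Exists = False) is the "Cannot find XXXXXXXX.dll" state from the steps above and can simply be deleted from the key.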

Waiting for more viruses ...

Someone do something about 82.98.235.210


7 comments:

Anonymous said...

Thank you, was stuffed without this

Cristian said...

Thanks!
I had similar symptoms (I found your post by searching that strange IP that appeared sometimes in Firefox linking to a visited website)
It was found before by Spybot S&D but no changes noticed.

thank you!
cheers from Chile.

tuxcayc.

Legend said...

ADDITION: You will need to use safe mode for deleting files in the System32 directory, otherwise a "File in use" error will be the result.

The website seems to have changed to http://89.188.16.37 and the affiliate id for the hacker is given. It may even be a hacker that is making money from porn site referrals by sending hits to that site on his id number to claim the traffic revenue.

Cheers
Legend

Shawn said...

Thanks a lot!!!! I followed Symantec's trojan removal instructions which were useless. Your method really helped me out!

Moose said...

Thank you so very much for the information. McAfee and Symantec were useless in getting rid of this trojan.

I had to do it manually, and your information was one of the few that was helpful in this regard.

Anonymous said...

Hi, my bogus dll file is gone from the system32 folder..... but when I delete the reg entry, it instantly reappears. Any ideas on what is making it reappear?

buyesufole
Rundll32.exe "C:\WINDOWS\system32\dukiwava.dll",s

Anonymous said...

Hi all,

I noticed the following key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\0c5eea16
containing data passed on the http query:
Version=affid=172472&resid=pkll
and the popup url was:
http://83.149.115.159/go//?cmp=nm_firefox_rn&uid=EFF2E8CED06A11DDB4A4172472CFFFFF&rid=pkll&guid=A9F50073583D4FC3B3E3DCFE36A7AC59&affid=172472&lid=http&url=http:%2F%2Fa4.g.akamai.net%2F7%2F4%2F43496%2Fv1%2Fmulticastsmb.download.akamai.com%2F43496%2FchairVideo12.flv&v=1176&m=1oo1

Probably a good thing to remove this too...

--mihai