Sunday, May 4, 2008

Win32.Vundo adware manual removal


This is yet another adware that spies on your computer and should be removed!
The AOL Active Virus Shield license has expired and sadly AOL isn't continuing the service. So it's left to me to defend my system against the world of viruses, trojans and adware, or in short all other malware.

Win32.Vundo, as experts call it, shows these symptoms:

  • Frequent popups

  • Microsoft Internet Explorer: a Work Offline / Cancel window appears even when you are not browsing

  • Strange tabs in Firefox like

Apparently this virus is a spy: it sends information on the sites you visit to a suspicious IP address.

The virus resides in the famous folder %SYSTEM_ROOT%\system32 (for example C:\windows\System32). There are so many files in this folder that the makers find it easy to hide their files among them.

As usual you will need the help of regedit to get rid of the virus.
Run regedit and go to the usual location


Check for any anomalies in names, like a weird combination of letters that doesn't mean anything. The virus names itself randomly, for example jmmjqusl.dll, a combination of 8 letters. Look for an entry of the form RunDll32.exe XXXXXXXX.dll,X.
That is where the virus is, and XXXXXXXX is its name.

  • Now navigate to the System32 folder and rename the virus DLL to something like DELETEME.

  • Reboot your system.

  • Now a popup should appear saying Rundll32: Cannot find XXXXXXXX.dll

  • Now go to regedit as before and delete the entry.

  • Repeat the same for RunOnce in regedit.

Now you should be free of it.
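
The check the steps above do by eye (scan the autostart values for a Rundll32 entry that loads an eight-letter random DLL with a one-letter export) can be scripted. The block below is an added example, not code from the original post. It assumes the usual Run and RunOnce keys under Software\Microsoft\Windows\CurrentVersion in HKCU and HKLM (the post names RunOnce and implies Run, but the exact path it used is not on the page), and it assumes that legitimate Rundll32 autostarts name a real export rather than a single letter. On Windows it reads the live keys with winreg; elsewhere it runs over a constructed set of sample values whose random-looking names are taken from the post and its comments.

```python
"""Triage of Run / RunOnce values for the Rundll32 pattern described in the post.

Added example, not from the original post.  Registry paths are the standard
Run/RunOnce keys (assumed; the post does not spell out the path it used).
"""
import ntpath
import re
import sys

# Constructed sample values in the shape of Run-key data.  jmmjqusl and dukiwava
# are the names quoted on the page; ctfmon and NvCpl are ordinary autostart
# entries used here as negatives.
SAMPLE_RUN_VALUES = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "NvCplDaemon": r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    "jmmjqusl": r"RunDll32.exe jmmjqusl.dll,s",
    "dukiwava": r'Rundll32.exe "C:\WINDOWS\system32\dukiwava.dll",s',
}

# rundll32[.exe] <dll path>,<export>  -- the dll path may be quoted or bare and
# rundll32 itself may be given with a full path.
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)"?\s*,\s*(\S*)',
    re.IGNORECASE,
)

# The post's naming pattern: exactly eight lowercase letters before ".dll".
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")


def parse_rundll32(value):
    """Return (dll_basename, export) if `value` launches a DLL via Rundll32, else None."""
    m = RUNDLL_RE.match(value)
    if not m:
        return None
    dll_path, export = m.group(1).strip(), m.group(2)
    return ntpath.basename(dll_path), export


def vundo_reasons(dll_name, export):
    """List which of the post's two indicators match this Rundll32 target."""
    reasons = []
    stem, ext = ntpath.splitext(dll_name)
    if ext.lower() == ".dll" and RANDOM_STEM_RE.match(stem):
        reasons.append("8-letter lowercase dll name")
    if len(export) == 1:
        reasons.append("single-letter export")
    return reasons


def triage(run_values):
    """Map each suspicious value name to its dll, export and the indicators that fired.

    Only entries matching both indicators are reported, so a Rundll32 autostart
    with a recognisable dll name and a named export is left alone.
    """
    findings = {}
    for name, data in run_values.items():
        parsed = parse_rundll32(data)
        if parsed is None:
            continue
        dll, export = parsed
        reasons = vundo_reasons(dll, export)
        if len(reasons) == 2:
            findings[name] = {"dll": dll, "export": export, "reasons": reasons}
    return findings


def read_live_run_keys():
    """Read HKCU/HKLM Run and RunOnce (Windows only) into one {label: data} dict."""
    import winreg  # only importable on Windows

    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    values = {}
    for hive_name, hive in hives.items():
        for sub in ("Run", "RunOnce"):
            path = ntpath.join(r"Software\Microsoft\Windows\CurrentVersion", sub)
            try:
                key = winreg.OpenKey(hive, path)
            except OSError:
                continue  # key absent or not readable; skip it
            with key:
                i = 0
                while True:
                    try:
                        vname, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break  # no more values
                    values["%s\\%s\\%s" % (hive_name, sub, vname)] = str(data)
                    i += 1
    return values


if __name__ == "__main__":
    source = read_live_run_keys() if sys.platform == "win32" else SAMPLE_RUN_VALUES
    for vname, info in triage(source).items():
        print("%s -> %s,%s (%s)" % (vname, info["dll"], info["export"], "; ".join(info["reasons"])))
```

The two indicators are deliberately conjunctive: on their own, an eight-letter lowercase DLL name or a one-letter export each turns up in benign software, so a hit is a lead to confirm (check the file's signature and whether the rename-and-reboot test from the post reproduces the Cannot find error), not a verdict. Variants that use a different name length will not match RANDOM_STEM_RE and need the pattern loosened.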

Delete this registry folder
if it contains an entry pointing to one of the malware DLLs. I don't know what it stands for, but it's better deleted.

Waiting for more viruses ...

Someone do something about



Anonymous said...

Thank you, was stuffed without this

tuxcayc said...

I had similar symptoms (I found your post by searching for that strange IP that appeared sometimes in Firefox linking to a visited website).
It was found before by Spybot S&D but no changes were noticed.

thank you!
Cheers from Chile.


Anonymous said...

ADDITION: You will need to use safe mode for deleting files in the System32 directory, otherwise a "File in use" error will be the result.

The website seems to have changed to and the affiliate id for the hacker is given. It may even be a hacker that is making money from porn site referrals by sending hits to that site on his id number to claim the traffic revenue.


Anonymous said...

Thanks a lot!!!! I followed Symantec's trojan removal instructions which were useless. Your method really helped me out!

Unknown said...

Thank you so very much for the information. McAfee and Symantec were useless in getting rid of this trojan.

I had to do it manually, and your information was one of the few that was helpful in this regard.

Anonymous said...

Hi, my bogus dll file is gone from the system32 folder..... but when I delete the reg entry, it instantly reappears. Any ideas on what is making it reappear?

Rundll32.exe "C:\WINDOWS\system32\dukiwava.dll",s

Anonymous said...

Hi all,

I noticed the following key
containing data passed on http query:
and the popup url was:

Probably a good thing to remove this too...