Question:
Vundo!grb trojan. Anyone know how to get rid of this with freeware or anything? Thanks.
Martin M
2009-03-26 06:12:49 UTC
Keep getting popups and my computer is running slow. Ever since I downloaded IE 8, I have had nothing but trouble. Not sure if it's related.
Four answers:
Computer Doc
2009-03-26 06:22:05 UTC
To get rid of Vundo, do the following.

To start the Vundo removal process:

1. Backup any personal data to CD, DVD or flash drive.

2. Download and install MalwareBytes Anti-Malware.

3. Load MalwareBytes Anti-Malware and click the update tab and then click update to receive the latest updates.

4. Download and install SuperAntiSpyware.

5. Load SuperAntiSpyware. SuperAntiSpyware will ask you if you want to check for new rules and definitions. Choose yes.

6. Close SuperAntiSpyware.

7. Download VundoFix.

8. Download UnDLL.

9. Reboot your PC in Safe Mode.

10. While in safe mode load MalwareBytes Anti-Malware and perform a full scan.

11. When the scan is complete click show results.

12. Remove any checked items.

13. Reboot if MalwareBytes asks you to.

14. Enter Safe Mode again.

15. Load SuperAntiSpyware.

16. Click Preferences and click the scanning control tab.

17. Check on "Terminate memory threats before quarantining".

18. Close Preferences and click the "Scan your computer" button.

19. Select "Perform Complete Scan" and click Next.

20. Let the scan complete and remove anything it finds.

21. Next, we'll finish up the Vundo detection and removal process by using VundoFix.

22. Open VundoFix and click the "Scan for Vundo" button.

23. If any Vundo infections still remain click the "Fix Vundo" button.

24. At this point Vundo has most likely been neutralized.

25. Reboot your PC.

26. You should be Vundo-free now.

27. Download and install the latest copy of the Java Runtime Environment and keep it updated.
mygeekguru
2009-03-26 06:25:41 UTC
Please download Malwarebytes Anti-Malware software at:

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button

If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.

* Make sure you are connected to the Internet.

* Double-click on mbam-setup.exe to install the application.

* When the installation begins, follow the prompts and do not make any changes to default settings.

* When installation has finished, make sure you leave both of these checked:

  o Update Malwarebytes' Anti-Malware

  o Launch Malwarebytes' Anti-Malware

* Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

* If an update is found, the program will automatically update itself.

* Press the OK button to close that box and continue.

* If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD, and then copy it to the infected machine.

On the Scanner tab:

* Make sure the "Perform Quick Scan" option is selected.

* Then click on the Scan button.

* If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.

* The scan will begin and "Scan in progress" will show at the top. It may take some time to complete, so please be patient.

* When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".

* Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

* Click on the Show Results button to see a list of any malware that was found.

* Make sure that everything is checked, and click Remove Selected.

* When removal is completed, a log report will open in Notepad.

* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

Hope this helps!

-Mark
Thomas Toy
2009-03-28 01:14:02 UTC
There are three things that you need to have to fix it:

(1) Spybot

(2) Process Explorer (PE)

(3) HijackThis

Make sure you disconnect the PC/laptop from the network (if it's Ethernet, unplug the cable; if it's Wi-Fi, disable the wireless card). Do this before cleaning and after downloading the above files.

The way Vundo works is it adds HKLM../Run registry entries to your Windows startup. Also, it adds BHOs (Browser Helper Objects) to Internet Explorer. Also, it adds CLSIDs to your registry. What this means is that when your PC/laptop is started, rundll32.exe is called (don't delete this .exe file; it's a Windows system file) in conjunction with DLL files (which are Vundo). What rundll32.exe does is it "injects" the infected DLL files into Windows processes, such as the Windows shell (explorer.exe) or the logon client (winlogon.exe). This means that if you want to delete the infection, you can't, because it's "hiding" behind a system application, which cannot be stopped because it has SYSTEM authority.

You're probably thinking, "why don't I just end these processes using the Windows Task Manager?" Well, if you end winlogon.exe, you will get a Blue Screen and will have to reboot. If you end Explorer, you halt your shell, which means you can't do anything unless you reboot. This is a recent trend of malware/trojans/viruses/worms: they add DLL files, usually to the system32 folder, then add registry keys to your startup so that rundll32.exe loads these DLL files (rundll32.exe = run DLL as an application = application extension).

What you need to do is use HijackThis to locate the O4 entries (these are the HKLM../Run entries) that point to Vundo. Usually, HijackThis will tell you where the .DLL files are. You need to open the Misc Tools section of HijackThis and click "Delete file on reboot". Navigate to the location of the DLL files (as pointed to by the HijackThis O4 entries) and select them for deletion on reboot. Some of these DLL files are "super hidden", which means that you will not see them when navigating to the file. You will need to type the name of the path and the file in order to delete it on reboot. There should be 3-4 files that need to be deleted on reboot.

Then, go back and scan again using HijackThis. You will notice that you have "HKLM../RunOnce" lines. These were created by HijackThis. Do not delete these. Only delete the original "HKLM../Run" keys that point to the System32/*.dll file. Select these and click "Fix checked".

There also will be an O20/O21 entry in the HijackThis scan. These entries will point to the same DLL files as the O4 cases. Select these entries and click the "Fix checked" button.

Now, for the Spybot part:

(1) Download and run Process Explorer (from Sysinternals; it can be downloaded from Microsoft's website).

(2) Click the line that has "explorer.exe".

(3) Start Spybot (but don't scan yet).

(4) Go back to PE, select "explorer.exe", right-click, "Suspend". This will pause/suspend explorer.exe and will let you delete the DLL files (caused by Vundo) that are "hooked" onto explorer.exe.

(5) Start the Spybot scan. 3/4 of the way through, it will detect Vundo.

(6) Select "fix selected items" in Spybot.

(7) Go back to PE, right-click on explorer.exe, select "RESUME".

(8) Now select winlogon.exe, right-click, select "SUSPEND".

(9) Rescan using Spybot. Fix selected items as needed.

Now, you won't be able to "RESUME" winlogon.exe, so you need to force your PC to turn off. Hold the power button for > 5 seconds, and your PC will turn off. Wait about 15 seconds, then turn it on again.

You should see a couple of error messages at login saying that it can't find the DLL files. (That's good; Vundo is gone.)

Go back to HijackThis, scan, and if the O2 (BHO), O4 (HKLM../Run), O20 and O21 entries are back, select them and click the "Fix checked" button. This should finish the job.

Last, I would download CCleaner, install it, and run it. It will clear out all the temporary/cache locations.

Reboot the PC, and you should be good to go.

Hopefully you learned something here about DLL injection and why it's so hard to remove (because it's hooked onto a Windows process).

Good luck!

Best Regards,

Thomas B Toy
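As an added example (not code from any of the answers above), here is a small Python checker for the persistence pattern Thomas describes: it reads HijackThis-style O2/O4/O20/O21 lines (the log format is an assumption) and flags any DLL that an HKLM Run entry starts through rundll32.exe, or that appears both as an autostart and as a BHO, Winlogon Notify or SSODL hook. The log lines are constructed, and the file names and CLSIDs are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis-style log format (format assumed; not a real
# log). The random-looking names and CLSIDs are placeholders.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\WINDOWS\system32\khfdgac.dll
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\ExampleVendor\Helper.dll
O4 - HKLM\..\Run: [khfdgac] rundll32.exe C:\WINDOWS\system32\khfdgac.dll,a
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunOnce: [HijackThis] C:\HijackThis.exe
O20 - Winlogon Notify: khfdgac - C:\WINDOWS\system32\khfdgac.dll
O21 - SSODL: qrsaabc - {66666666-7777-8888-9999-000000000000} - C:\WINDOWS\system32\qrsaabc.dll
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
DLL_RE = re.compile(r"[A-Za-z]:\\[^,]+?\.dll", re.IGNORECASE)
# Sections that load a DLL into a system process: the "hooks" the answer describes
HOOK_SECTIONS = {"O2": "BHO", "O20": "Winlogon Notify", "O21": "SSODL"}

def parse_log(text):
    """Map each DLL path (lower-cased) to the sections referencing it, noting rundll32 Run launches."""
    entries = defaultdict(lambda: {"sections": set(), "rundll32_run": False})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O4" and "runonce" in body.lower():
            continue  # RunOnce lines are tool-created delete-on-reboot jobs; leave them alone
        for dll in DLL_RE.findall(body):
            rec = entries[dll.lower()]
            rec["sections"].add(section)
            if section == "O4" and "rundll32" in body.lower():
                rec["rundll32_run"] = True
    return entries

def suspicious_dlls(text):
    """Return [(dll_path, [reasons])] for DLLs matching the Vundo persistence pattern."""
    findings = []
    for dll, rec in sorted(parse_log(text).items()):
        reasons = []
        if rec["rundll32_run"]:
            reasons.append("started from HKLM Run via rundll32.exe")
        hooks = sorted(s for s in rec["sections"] if s in HOOK_SECTIONS)
        if "O4" in rec["sections"] and hooks:
            reasons.append("also hooked as " + ", ".join(HOOK_SECTIONS[s] for s in hooks))
        if reasons:
            findings.append((dll, reasons))
    return findings
```

Calling suspicious_dlls(SAMPLE_LOG) reports only khfdgac.dll, since it is both launched by rundll32 from the Run key and registered as a BHO and Winlogon Notify hook; the lone SSODL entry and the vendor BHO are left alone.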
sir cnqaus
2009-03-26 06:42:30 UTC
Once you get through all of the above (some necessary), install AVAST.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.