Privacy & Security Winfixer - Vundo trojan
Information and removal
Since September 2005 Winfixer has been plaguing internet users, suggesting they have critical system errors and that they should buy Winfixer to repair them.
Its sister product SysProtect began appearing on 11th April 2006. To remove SysProtect see here.
The program is installed by a trojan, which has been given the name Vundo or Virtumundo. The trojan has been modified on several occasions and can be installed alongside other difficult-to-remove malware such as Aurora and Look2me.
The Vundo trojan has a few variants, each of which has caused different problems, and security software has difficulty removing it successfully. One recent version came complete with a rootkit to make its files and processes invisible.
Visible signs of infection are -
A warning bubble from the system tray (near the clock) suggesting you have critical system errors; clicking on the warning will take you to the Winfixer website.
Pop-up advertisements for Winfixer 2005 or Winfixer 2006. The pop-ups cannot be closed, and clicking anywhere on the pop-up, including the close 'X', will take you to their website winfixer.com and initiate the download.
False warnings of an infection by the Blackworm virus generated from the system tray.
Fake Windows security warnings promoting Winantivirus Pro 2006 and Winantispyware. These products are made by the same company as Winfixer, WinSoftware Corporation; the warnings are generated by amaena.com.
A false dialog box, styled like a Windows message from 'Microsoft Internet Explorer', warning of errors in the registry or file system and recommending Winfixer to check your computer for free.
Hijacking of search queries, which are redirected to MorWillSearch.com.
Advertising pop-ups.
Your PC may shut down if the anti-spyware scanner Ad-aware is run.
This application should not be confused with the legitimate program Winfix from winfix.com.
Users of HijackThis will see one of the following O2 - BHO entries:
ADOUsefulNet Object
ATLDistrib Object
DosSpecFolder Object
DPCUpdater Object
InfoDocReader Object
MFCOptimizeClass Object
MSEvents Object
(no name)
RawExecAction Object
WTLHelper Object
In most of the above cases there will also be an O20 - Winlogon Notify: item with a file path to the same .dll file as shown in the O2 entry.
Note - recent variants can hide their presence from HijackThis. To resolve this, rename HijackThis.exe to something else, HJT.exe for example. This will allow the O2 and O20 entries to be seen.
In addition, there is a variant that installs a rootkit to hide its processes and registry keys. No evidence of infection will be seen in a HijackThis scan.
However, this infection can be seen by running the HijackThis startup list in Safe Mode. It will show the following entry under Enumerating Windows NT/2000/XP services:
DP1112: \??\C:\WINDOWS\system32\Drivers\DP.sys (autostart)
References to C:\WINDOWS\qaz4.txt will also be seen in the results of RootkitRevealer or BlackLight.
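The two HijackThis checks above (an O2 BHO with one of the listed names, and an O2 DLL path that also appears in an O20 Winlogon Notify entry) are easy to apply by hand to a single log, but a small script makes the cross-reference reliable. The following Python triage script is an added example, not part of the original page or of HijackThis itself; the sample log, its CLSIDs and the DLL file names are constructed for illustration and do not correspond to any real infection.

```python
"""Triage a HijackThis log for the Vundo O2/O20 pattern described above.
Added example; the sample log below is constructed, not a real infection."""
import re
from collections import defaultdict

# BHO display names listed above for Vundo variants. "(no name)" on its own is a
# weak signal, since some legitimate BHOs also lack a display name; the shared
# DLL between an O2 and an O20 entry is the stronger indicator.
VUNDO_BHO_NAMES = {
    "ADOUsefulNet Object", "ATLDistrib Object", "DosSpecFolder Object",
    "DPCUpdater Object", "InfoDocReader Object", "MFCOptimizeClass Object",
    "MSEvents Object", "(no name)", "RawExecAction Object", "WTLHelper Object",
}

# HijackThis line formats:  O2 - BHO: <name> - {CLSID} - <dll path>
#                           O20 - Winlogon Notify: <key> - <dll path>
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<path>.+)$")

# Constructed sample log (placeholder CLSIDs and file names): one legitimate-looking
# BHO, two suspect ones, and two Winlogon Notify entries.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
O2 - BHO: Example PDF Link Helper - {11111111-1111-1111-1111-111111111111} - C:\\Program Files\\ExampleVendor\\ExampleHelper.dll
O2 - BHO: MSEvents Object - {22222222-2222-2222-2222-222222222222} - C:\\WINDOWS\\system32\\vtstb.dll
O2 - BHO: (no name) - {33333333-3333-3333-3333-333333333333} - C:\\WINDOWS\\system32\\ddcyx.dll
O20 - Winlogon Notify: vtstb - C:\\WINDOWS\\system32\\vtstb.dll
O20 - Winlogon Notify: ScCertProp - wlnotify.dll (file missing)
"""


def normalise_path(path):
    """Drop HijackThis annotations such as '(file missing)' and ignore case."""
    return re.sub(r"\s*\([^)]*\)\s*$", "", path).strip().lower()


def parse_log(text):
    """Return (bho_entries, notify_entries) parsed from a HijackThis log."""
    bhos, notify = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = O20_RE.match(line)
        if m:
            notify.append(m.groupdict())
    return bhos, notify


def find_suspects(text):
    """Flag O2 entries by known name and/or by sharing a DLL with an O20 entry."""
    bhos, notify = parse_log(text)
    notify_keys_by_dll = defaultdict(list)
    for n in notify:
        notify_keys_by_dll[normalise_path(n["path"])].append(n["key"])
    suspects = []
    for b in bhos:
        reasons = []
        if b["name"] in VUNDO_BHO_NAMES:
            reasons.append("BHO name is on the Vundo list")
        keys = notify_keys_by_dll.get(normalise_path(b["path"]))
        if keys:
            reasons.append("same DLL also registered as Winlogon Notify: " + ", ".join(keys))
        if reasons:
            suspects.append({**b, "reasons": reasons})
    return suspects


if __name__ == "__main__":
    for s in find_suspects(SAMPLE_LOG):
        print(f"{s['name']} {s['clsid']} {s['path']}")
        for r in s["reasons"]:
            print("   -", r)
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; on a machine where the variant hides from HijackThis, the log will only contain the O2/O20 lines after the executable has been renamed as described above.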
As is becoming common with recent widespread malware infections, the security industry is having problems incorporating an automatic fix into their software that successfully removes the infection, so forum volunteers are coming to the rescue by writing small programs to delete these parasites.
Manual removal procedure
You will need -
VundoFix. Download VundoFix from here to your desktop, ready for use.
Credit where it is due - this removal file was developed by, and provided courtesy of, www.atribune.org. If you would like to make a donation for using this removal utility, please make it directly to Atribune.
Ace Utilities, a comprehensive system cleaner. A free trial version is available from here.
Cautionary note: this collection of cleaning tools includes Remove Duplicate Files, Remove Empty Folders and Auto-Start Manager. These options should not be attempted unless you are fully able to understand and investigate the output. Acting on a misinterpretation of the results could damage your system.
Removal procedure
1) Double click on the VundoFix.exe icon on your desktop to open the program.
2) Click to put a checkmark in the Run VundoFix as a task box, which will open this window. Click OK.
When VundoFix reopens, click Scan for Vundo.
When the scan is complete, click Remove Vundo.
Click Yes at the prompt to confirm you want to remove the files.
When VundoFix has finished, you will get a message saying your computer will now be shut down. Click OK.
3) Restart your computer.
4) Open Ace Utilities and perform the following scans. Depending on your usual clean-up routine, there could be a lot of issues to remove.
Click Clean Up, select Remove Junk Files. Scan and delete everything found. Close the Remove Junk Files box.
Select Clean System Registry. Click Options and select Thorough. Scan and delete everything found. Close the Clean System Registry box.
Select Delete History, click the Windows tab and select the following: Empty the Windows Prefetch folder; Delete empty folders in the Windows Temp folder; Erase folder streams in the Windows registry.
Click Execute Now.
Click the Internet Explorer/MSN tab and select the following: Delete cookies; Delete locked URL cache file; Clear typed URLs of Address bar; Clear Browser History; Delete Cache (files in the Temporary Internet folder).
Click Execute Now.
You can of course select any of the other options you wish to clean.
Your computer will now be free of the Winfixer/Vundo infection.
Winfixer may have installed additional malware, and I recommend scanning your computer with Ewido (XP and 2000 only). A free trial which reverts to a free version, and a free online scan, are available.
For other operating systems, use an updated a-squared; a free version and a free online scan are available.
To prevent future infections, check for and install any critical Windows updates, and install the latest version of Java from here: Sun Java.
This information is provided free of charge/subscription/registration and without
warranty. All the usual disclaimer jargon applies.
However, if this page has helped resolve your problems without the expense of taking your PC to a repair shop or the hassle of reformatting, you may like to support our efforts with a small donation towards the maintenance and further development of this site and the research to create more pages like this for future malware. Even £1, $1 or €1 can help make sure we are still here should you ever need us again.