Vundo/VirtuMonde is an adware program that downloads and displays popup advertisements, often seen as Winfixer. Please see important note at the bottom regarding a vulnerabilty in Sun Java that may have be the source of this infection. It may also hijack the browser to unwanted advertising related sites. If you know that you have the Vundo/Virutumonde trojan and other programs have not been able to remove it, please take the following steps using the free tools below.

VundoFix by Atribune

Please download VundoFix.exe from here:
»www.atribune.org/ccount/click.php?id=4

and save it to your desktop

•Double-click VundoFix.exe to run it.
•Click the Scan for Vundo button.
•Once it's done scanning, click the Remove Vundo button.
•You will receive a prompt asking if you want to remove the files,
click YES
•Once you click yes, your desktop will go blank as it starts removing
Vundo.
•When completed, it will prompt that it will reboot your computer,
click OK.
•Please post the contents of C:\vundofix.txt and a new
HiJackThis log.

•Please post the contents of C:\vundofix.txt into a New Topic in the Security Cleanup Forum
Go to this link:
»Security Cleanup
Start your own thread by pressing the *New Topic* button. Do not interrupt other similar threads with your problem. Include the vundofix.txt contents and a fresh HijackThis log (instructions below) Please put in the Title of your topic: Vundo Removal.

We will also need to see a diagnostic log from the free tool HijackThis

Create a Diagnostic log using HijackThis

• Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. This is to ensure it makes the necessary backups for recovery if needed.
See here for specific instructions and screen shots to help:
»russelltexas.com/malware/createhjtfolder.htm

•Download HijackThis here
»www.trendsecure.com/portal/en-US···this.php

• Unzip the file to the new folder you made and doubleclick on HijackThis.exe to open the program. On the newusers quickstart page, Choose *Do a system scan and save a log*

• When the scan finishes, you will get a popup to Save the logfile. Please make note of the location you will be saving it to and click *save*. This should save the file and open the log in Notepad. Copy the contents and post the results into your New Topic when you are ready to post for help.

Most of what it lists will be harmless or even essential, don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.

...................................................................................

Important Note: Possible Vulnerability in Sun Java versions may be responsible for Vundo/Winfixer infections
Check your installed Sun Java versions
We have noticed a large number of Winfixer/ Vundo / Virutmonde Victims have an older version of Sun Java installed in Add/Remove Programs in the Control Panel. Other older or newer versions may also be installed
Please see this topic:
»Potential Vulnerability with Sun Java auto update

Important Note: Autoupdate of Sun Java does not uninstall previous (vulnerable) versions of the program.
Therefore all users are encouraged to please check in your Control Panel, under Add/Remove programs and uninstall any older versions of Sun Java.

To check your version to see if it is the latest version, Please go to this link to verify your version to get the updates needed:
»www.java.com/en/download/windows···atic.jsp

You'll need to use IE and allow ActiveX for this update. Follow the instructions on that page to verify Your Java software

Or you can get the manual download here:
»www.java.com/en/download/manual.jsp

And in the future, remember to remove older versions of Java when you automatically update to a newer version to avoid exploitation of older versions left on your system.

Update: From the SANS Handler's Diary at the Internet Storm Center posted Handler's Diary January 13th 2006
CERTs warn about java bug being exploited
»isc.sans.org/diary.php?storyid=1039

quote:

---

According to the bulletins you need at least:

* Version 1.3.1_16 or later
* Version 1.4.2_09 or later
* Version (1.)5 update 4 or later {insert My Note: We are now on update 6 in this version)

to be safe.

---

AND you still need to manually uninstall old verisons of Sun Java after updating!

quote:

---

Vince told it's also necessary to remove the old java environments, not just get the new ones as an attacker can target the old environments when they are still present.

---

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by CalamityJane edited by lilhurricane
last modified: 2009-12-21 02:04:40