
What is Vundo?
(also known as Vundo.dldr)
Vundo is the downloader component of an adware program. It downloads and
displays pop-up advertisements and eventually hijacks Internet
Explorer. It is usually installed through a web link in e-mail, but
can also be picked up from a pop-up ad on the Internet. The most
common web distribution is through an adware program called
Winfix.
How do I know I have Vundo?
If a customer has pop-ups associated with Winfix, it is almost
certain that they have Vundo. Most up-to-date antivirus products will
detect the files (for example awvvs.BAK), but will not be able to
delete them. Attempting to delete these files manually will most
likely produce the following message: Cannot delete the following
file: (File Name). Access is denied.
What does Vundo do?
Vundo contains the following payload items:
1. HTML code, written specifically to exploit IE through the IFRAME
remote buffer vulnerability.
2. A downloader executable.
3. An adware module that creates and associates DLL files.
Once the program is executed, an EXE file with a random file name is
created and referenced from dozens of registry strings. These
associations, saved under C:\Windows, tie the file to every program
and folder it has linked to Internet Explorer. The Trojan then
attaches itself to certain Windows startup registry values. For
example:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
"*WinLogon" = "[Trojan full path file name] rentime:[random number]"
Note the asterisk in front of the value name: Windows runs a RunOnce
entry whose name begins with * even in Safe Mode, so this entry
survives a Safe Mode boot. And this is just the tip of the iceberg.
Vundo then creates other registry keys that guarantee normal user
activity (logging on, opening Explorer) relaunches it. It then tries
to call out to a website to download more components.
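As an added example (not part of the original article, and not a Symantec or Sysinternals tool), the following Python script applies the indicators above to a regedit export of the Run and RunOnce keys: it flags a RunOnce value whose name starts with an asterisk, the "rentime:" marker in the command line, and a command that loads a DLL straight from system32. The reg export command in the docstring and the sample export text are assumptions constructed for the example; on a real machine, export the key and pass the file as the first argument.

```python
"""Flag Vundo-style autostart entries in a regedit export of the Run/RunOnce keys.

Added example, not from the original article.  Assumes the technician has run
    reg export HKCU\Software\Microsoft\Windows\CurrentVersion cv.reg
on the affected XP machine (a hypothetical workflow); the sample export below
is constructed inline so the script runs offline.
"""
import re
from typing import Dict, List

# Regedit escapes backslashes and quotes inside string data as \\ and \".
_UNESCAPE = re.compile(r'\\(["\\])')
# A .dll referenced straight from system32 is how the adware module is started.
_SYSTEM32_DLL = re.compile(r'\\system32\\[^\\\s",]+\.dll\b', re.I)

# Constructed sample: two legitimate Run values plus the Vundo RunOnce entry.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*WinLogon"="C:\\WINDOWS\\system32\\awvvs.dll rentime:8241"
'''


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: string data}} for REG_SZ values only."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, sep, data = line.partition("=")
            # hex:, dword: and hex continuation lines are not string data; skip them
            if sep and data.startswith('"') and data.endswith('"'):
                keys[current][name.strip('"')] = _UNESCAPE.sub(r"\1", data[1:-1])
    return keys


def find_suspicious_autostarts(keys: Dict[str, Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply the three Vundo indicators from the article to every Run/RunOnce value."""
    findings: List[Dict[str, object]] = []
    for key, values in keys.items():
        lowered = key.lower()
        if not lowered.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            continue
        is_runonce = lowered.endswith("runonce")
        for name, data in values.items():
            reasons = []
            if is_runonce and name.startswith("*"):
                reasons.append("RunOnce value name starts with '*': Windows runs it even in Safe Mode")
            if "rentime:" in data.lower():
                reasons.append("'rentime:' marker in the command line")
            if _SYSTEM32_DLL.search(data):
                reasons.append("loads a DLL straight from system32 (compare the name with the AV report)")
            if reasons:
                findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


def load_reg_file(path: str) -> str:
    """Read a .reg file; regedit writes UTF-16 with a BOM, older tools write ANSI."""
    with open(path, "rb") as fh:
        blob = fh.read()
    if blob.startswith((b"\xff\xfe", b"\xfe\xff")):
        return blob.decode("utf-16")
    return blob.decode("latin-1")


if __name__ == "__main__":
    import sys
    text = load_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for hit in find_suspicious_autostarts(parse_reg_export(text)):
        print(f"{hit['key']}\n  {hit['name']!r} = {hit['data']!r}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

The DLL check is advisory only, since legitimate vendors also start DLLs through rundll32; the asterisk and rentime: indicators are the ones that point at Vundo directly. Whatever file name the script reports is the one to write down for the Recovery Console steps later in this article.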
Why is Vundo so tough to get rid of?
The main problem with Vundo is that it injects its DLL into the
address space of several running processes. Because most of these
processes are required for Windows to run, simply running a removal
tool or antivirus scan will not get rid of it: the DLL stays loaded,
so its files are locked and deletions fail. Killing those processes
manually will usually produce an NT Authority shutdown error and
cause the system to shut down, or will hard-lock the system. This is
why Vundo's threat level has recently been raised. Almost all
up-to-date antivirus software will detect it, but will not remove it.
At first it had a low distribution rating, a low damage rating and a
low wild rating. The damage and wild ratings have now been raised to
medium. This is why, at first, the antivirus companies did not focus
heavily on this Trojan. It was mostly just an annoyance. But this is
what we do in HelpDesk.
Use the following updated procedures to remove Vundo and its
components.
Step One: Turn off System Restore. (DO NOT SKIP) The latest variant
of Vundo places a copy of itself in the System Restore folder; if
System Restore is left on, the infection can be restored after cleanup.
In XP:
1. Click the Start button.
2. Right-click My Computer, and then click Properties.
3. On the System Restore tab, put the check in Turn off System
Restore.
4. Click Yes, then OK.
In ME:
1. Click Start > Settings > Control Panel.
2. Double-click the System icon. (If the System icon is not
visible, click View all Control Panel options on the left to
display it).
3. On the Performance tab, click File System.
4. On the Troubleshooting tab check Disable System Restore.
5. Click OK. Then Yes to restart the computer.
Step Two:
Look for Winfix in Add/Remove Programs and
Program Files
1. Click Start, Control Panel. (In 98 and ME, Start, Settings,
Control Panel).
2. Double-click Add/Remove Programs icon.
3. Look for Winfix. If there, click remove, or change/remove,
depending on the OS.
4. Once deleted, or if it is unable to delete it, navigate to
the C:\Program Files directory and delete the Winfix Folder, if
there. Do not reboot.
Step Three:
Download the necessary tools
NOTE: If you cannot get online in Normal mode, boot to Safe Mode with
Networking (XP only) to download the tools. First we need the removal
tool from Symantec. It is located here:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.b.removal.tool.html
Then we need the Process Explorer tool. It is located here:
http://www.sysinternals.com/Utilities/ProcessExplorer.html
Save both of them to the Desktop.
Step Four:
Boot to Safe Mode
Restart the computer. Tap F8 at the Dell screen. Choose Safe
Mode from the menu. DO NOT choose Safe Mode with Networking,
unless you cannot get to Normal mode to download the tools as
stated in step three.
Step Five:
Removal process
1. Open the Symantec Vundo Removal Tool. DO NOT click Start!
Move the window to the upper left corner of the screen so it is
not blocked by the next tool.
2. Open the Process Explorer tool. Right-click each of the following
processes and choose Suspend (not Kill):
Explorer.exe
Winlogon.exe
rundll32.exe (may not be listed)
3. Once Explorer is suspended, you will not be able to open any
programs, because Explorer is required to do so. This is why we
opened the Vundo Removal Tool first.
4. Click the Start button on the Vundo Removal Tool. The tool
should detect and remove the main Vundo components.
Step Six:
Clean up
Run an antivirus scan again. If any files are discovered, try to
delete the found files manually. If you get an Access Denied error,
follow this process:
1. Write down the file name and the directory it lives in.
2. Boot to the Recovery Console (boot from the Windows XP CD and
press R when prompted). NOTE: If 98, boot to Command prompt only by
tapping F8 and choosing that. If ME, boot to the ME CD and choose
Start computer without CD-ROM support.
3. Once at the prompt, type cd\ and press <enter>. This should
put us at a C:\ prompt.
4. Navigate to the directory of the file that cannot be deleted.
For example, if the file is in the system32 folder, type cd
windows\system32 and press <enter>.
5. Once in the directory, we need to remove the attributes on the
file. We will use awvvs.dll as an example. EXAMPLE: To remove all
attributes on awvvs.dll, at the prompt type
attrib -r -a -s -h awvvs.dll and press <enter>. If the Recovery
Console's attrib rejects the combined command (it supports fewer
switches than the 98/ME attrib), clear the attributes one at a time:
attrib -h awvvs.dll, then attrib -s awvvs.dll, then attrib -r awvvs.dll.
Type dir awvvs.dll to confirm the attributes are gone.
6. Next rename the file, again using awvvs.dll as the example.
EXAMPLE: To rename awvvs.dll, at the prompt type
ren awvvs.dll awvvs.old and press <enter>.
7. Once it is renamed, type del awvvs.old and press <enter>.
8. At the next prompt, type exit. Take out the CD and let the system
reboot. NOTE: If 98 or ME, press CTRL+ALT+DEL. Take out the CD.
Step Seven:
Turn on System Restore and create a fresh
restore point.
Follow Step One of this article in reverse to turn System Restore
back on. Once it is on, click Start, Programs, Accessories, System
Tools, System Restore. Select Create a Restore Point and click Next.
Have the customer name it something they will remember. Click Next.
This seven step process should remove Vundo from the system.