internetinspiration logo
Home Internet Guides Privacy & Security Must have software Internet Shopping Earn Money Fun & Games Freebies

Privacy & Security
Winfixer - Vundo trojan
Information and removal

Since September 2005 Wnifixer has been plaguing internet users suggesting they have critical system errors, and they should buy Winfixer to repair them, Its sister sysprotect began appearing on 11th April 2006. To remove SysProtect see here

The program is installed by a trojan, which has been given the name of Vundo or Virtumundo. The trojan has been modified on several occasions and can be installed with other difficult to remove malware like Aurora and Look2me.

The Vundo trojan has a few variants, each one has caused different problems. Security software has difficulty successfully removing it. One recent version came complete with a rootkit to make its files and processes invisible.

Visible signs of infection are -
  • A warning bubble from the system tray (near the clock) suggesting you have system critical errors, clicking on the warning will take you to the Winfixer website.

  • Pop up advertisements for Winfixer 2005 or Winfixer 2006. The pop ups cannot be closed and clicking anywhere on the pop up, including the close 'X' will take you to their website and initiate the download.

  • False warnings of an infection of the Blackworm virus generated from the the system tray.

  • Fake Windows security warnings promoting Winantivirus Pro 2006 and Winantispyware. These products are made by the same company as Winfixer, WinSoftware Corporation, the warnings are generated by

  • A false box, generated in the style of Windows, from 'Microsoft Internet Explorer' warning of errors in the registry or file system and recommending Winfixer to check your computer for free

  • Hijacking of search enquiries, which are redirected to

  • Advertising pop ups.

  • Your PC may close down if the anti-spyware scanner Ad-aware is run.

  • This application should not be confused with the legitimate program Winfix from

    Users of Hijack This, will see one of the following O2 - BHOentries.
  • ADOUsefulNet Object
  • ATLDistrib Object
  • DosSpecFolder Object
  • DPCUpdater Object
  • InfoDocReader Object
  • MFCOptimizeClass Object
  • MSEvents Object
  • (no name)
  • RawExecAction Object
  • WTLHelper Object

  • In most of the above cases there will also be a O20 - Winlogon Notify:item with a file path to the same .dll file as shown in the O2 entry.

    Note- recent variants can hide their presence from HijackThis, to resolve this, rename Hijackthis.exeto something else, HJT.exefor example. This will allow the 02and 20entries to be seen.

    In addition, there is a variant that installs a rookit to hide its processes and registry keys. No evidence of infection will be seen in a Hijack this scan. However, this infection can be seen by running the Hijack this start up list in Safe Mode, It will show the following entry
    DP1112: \??\C:\WINDOWS\system32\Drivers\DP.sys (autostart)
    under Enumerating Windows NT/2000/XP services.

    References to C:\WINDOWS\qaz4.txtwill also be seen in the results of Rootkit revealeror Backlight

    As is becoming common in recent widespread Malware infections, the security industry is having problems incorporating an automatic fix in their software to successfully remove infections. So forum volunteers are coming to the rescue by writing small programs to delete these parasites.

    Manual removal procedure

    You will need -

    Download Vundofixfrom Hereto your desktop ready for use.
    Credit where it is due - This removal file was developed by, and provided courtesy of
    If you would like to make a donation for using this removal utility, please make it direct to Atribune.

    Ace Utilities. A comprehensive system cleaner. A free trial version is available from Here.
    Cautionary note: This collection of cleaning tool includes Remove Duplicate files, Remove Empty foldersand Auto-Start manager. these options should not be attempted unless you are fully able to understand and investigate the output. Acting on a misinterpretation of the results could result in damage to your System.

    Removal proceedure

    1)Double click on the Vundofix.exeicon on your desktop to open the program.

    2) Click to put a checkmark in the Run VundoFix as a taskbox, which will open this window. Click OK.

    When VundoFix reopens, click Scan for Vundo

    When the scan is complete, click Remove Vundo

    Click yesat the prompt to confirm you want to remove the files.

    When VundoFix has finished, you will get a message saying your computer will now be shut down, click OK

    3) Restart your computer.

    4) Open Ace Utilities and perform the following scans.

    Depending on your usual clean up routine there could be a lot of issues to remove.

    Click clean up, select remove Junk Files. Scan and delete everything found. Close the remove junk files box.

    Select Clean system registry. Click optionsand select Thorough. Scan and delete everything found. Close the Clean system registry box.

    Select Delete History, click the Windows taband select the following-
    Empty the Windows Prefetch Folder.
    Delete empty folders on the Windows Temp folder.
    Erase Folder streams in the Windows registry.

    Click Execute Now

    Click the internet Explorer/MSNtab and select the following-
    Delete cookies
    Delete locked URL cache file.
    Clear typed URL's of Address bar
    Clear Browser History
    Delete Cache (Files in temporary Internet folder)

    Click Execute Now.

    You can of course select any of the other options you wish to clean.

    Your computer will now be free of the Winfixer/Vundo infection.

    Winfixer may have installed additional malware and I recommend you scanning your computer with Ewidow (XP and 2000 only). A free trial which reverts to a free version and a Free online scan is available.
    For other operating systems, use an updated A squared A free version and free online scan is available.

    To prevent future infections, check for, and install any critical Windows updates, and install the latest version of Java from here. Sun Java
    This information is provided free of charge/subscription/registration and without warranty. All the usual disclaimer jargon applies.
    However, if this page has helped resolve your problems without having the expense of taking your PC to a repair shop or the hassle of reformatting, you may like to support our efforts with a small donation towards the maintenance ,further development of this site and the research to create more pages like this for future malware, even £1, $1, €1 can help make sure we are still here should you ever need us again.
Privacy & Security




hackers, crackers & firewalls





BHO's & Hijackers

Drive by downloads


Scams & Hoaxes

Hijack this-
automatic analysis

Free pest scan

Unwanted processes

How to-Tutorials

Clean up/repair after malware infection

Prevent malware installing

Install Hijackthis

Start in Safe mode

Show hidden files/folders

enable/disable Active X controls

Disable Messenger service pop-ups

Use the Host file

Roguefix -
Removal tool for Rogue spyware removers & Fake Warnings
removal tool

Kill E2Give

Kill MySearch

Kill Sdbot-ADD / lockx.exe

Kill seeve.exe / mediamotors pop ups

Kill Winfixer2005

Kill SysProtect


New Winfixer infection displays fake Blackworm warning

The real cost of Free security software

About us Contact us FAQ Links Privacy Statement Site Map Webmasters
Click here to add this page to your favorites
©Internet Inspiration, 2003.      All registered trademarks are observed and respected.
If you receive advertising pop ups whilst viewing this site, you are infected with an ad-serving parasite, because we don't use pop ups. See our Privacy & security section for help with detection and removal.