Winfixer - Vundo trojan
Information and removal
Since September 2005 Winfixer has been plaguing internet users, suggesting they have critical system errors and that they should buy Winfixer to repair them. Its sister, SysProtect, began appearing on 11th April 2006. To remove SysProtect see here.
The program is installed by a trojan, which has been given the name of Vundo or Virtumundo. The trojan has been modified on several occasions and can be installed with other difficult-to-remove malware like Aurora and Look2me.
The Vundo trojan has a few variants, each one has caused different problems. Security software has difficulty successfully removing it. One recent version came complete with a rootkit to make its files and processes invisible.
Visible signs of infection are -
- A warning bubble from the system tray (near the clock) suggesting you have system critical errors, clicking on the warning will take you to the Winfixer website.
- Pop up advertisements for Winfixer 2005 or Winfixer 2006. The pop ups cannot be closed and clicking anywhere on the pop up, including the close 'X' will take you to their website winfixer.com and initiate the download.
- False warnings of an infection of the Blackworm virus generated from the system tray.
- Fake Windows security warnings promoting Winantivirus Pro 2006 and Winantispyware. These products are made by the same company as Winfixer, WinSoftware Corporation; the warnings are generated by amaena.com.
- A false box, generated in the style of Windows, from 'Microsoft Internet Explorer' warning of errors in the registry or file system and recommending Winfixer to check your computer for free
- Hijacking of search enquiries, which are redirected to MorWillSearch.com
- Advertising pop ups.
- Your PC may close down if the anti-spyware scanner Ad-aware is run.
This application should not be confused with the legitimate program Winfix from winfix.com.
Users of HijackThis will see one of the following O2 - BHO entries.
- ADOUsefulNet Object
- ATLDistrib Object
- DosSpecFolder Object
- DPCUpdater Object
- InfoDocReader Object
- MFCOptimizeClass Object
- MSEvents Object
- (no name)
- RawExecAction Object
- WTLHelper Object
In most of the above cases there will also be an O20 - Winlogon Notify: item with a file path to the same .dll file as shown in the O2 entry.
Note - recent variants can hide their presence from HijackThis. To resolve this, rename Hijackthis.exe to something else, HJT.exe for example. This will allow the O2 and O20 entries to be seen.
In addition, there is a variant that installs a rootkit to hide its processes and registry keys. No evidence of infection will be seen in a HijackThis scan. However, this infection can be seen by running the HijackThis startup list in Safe Mode. It will show the following entry
DP1112: \??\C:\WINDOWS\system32\Drivers\DP.sys (autostart)
under Enumerating Windows NT/2000/XP services.
References to C:\WINDOWS\qaz4.txt will also be seen in the results of RootkitRevealer or BlackLight.
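As an added example, not part of the original page, the Python script below scans a HijackThis log for the O2 BHO names listed above and reports whether an O20 Winlogon Notify entry loads the same DLL, and also flags the DP.sys autostart line from the startup list. The log lines, CLSIDs and DLL name in it are constructed placeholders.

```python
import re

# BHO object names the page lists for Vundo-infected HijackThis logs.
VUNDO_BHO_NAMES = {
    "ADOUsefulNet Object", "ATLDistrib Object", "DosSpecFolder Object",
    "DPCUpdater Object", "InfoDocReader Object", "MFCOptimizeClass Object",
    "MSEvents Object", "(no name)", "RawExecAction Object", "WTLHelper Object",
}

# HijackThis log line shapes this parser understands:
#   O2 - BHO: <name> - {CLSID} - <dll path>
#   O20 - Winlogon Notify: <key> - <dll path>
#   <service>: \??\<driver path> (autostart)   (startup list, services section)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.*?) - (?P<path>.+)$")
DPSYS_RE = re.compile(r"\\Drivers\\DP\.sys \(autostart\)$", re.IGNORECASE)

def parse_log(text):
    """Collect O2 BHO entries, O20 Winlogon Notify entries and the DP.sys flag."""
    bhos, notifies, dp_driver = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if (m := O2_RE.match(line)):
            bhos.append({"name": m["name"], "path": m["path"].lower()})
        elif (m := O20_RE.match(line)):
            notifies.append({"key": m["key"], "path": m["path"].lower()})
        elif DPSYS_RE.search(line):
            dp_driver = True
    return bhos, notifies, dp_driver

def find_vundo_indicators(text):
    """Flag listed BHO names and note whether an O20 entry loads the same DLL."""
    bhos, notifies, dp_driver = parse_log(text)
    notify_paths = {n["path"] for n in notifies}
    suspects = [
        {"name": b["name"], "path": b["path"], "winlogon_notify": b["path"] in notify_paths}
        for b in bhos if b["name"] in VUNDO_BHO_NAMES
    ]
    return {"suspect_bhos": suspects, "dp_sys_autostart": dp_driver}

# Constructed sample log (not a real capture); CLSIDs and the DLL name are placeholders.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\toolbar.dll
O2 - BHO: MSEvents Object - {00000000-0000-0000-0000-000000000002} - C:\\WINDOWS\\system32\\placeholder.dll
O20 - Winlogon Notify: placeholder - C:\\WINDOWS\\system32\\placeholder.dll
"""

if __name__ == "__main__":
    print(find_vundo_indicators(SAMPLE_LOG))
```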
As is becoming common in recent widespread Malware infections, the security industry is having problems incorporating an automatic fix in their software to successfully remove infections. So forum volunteers are coming to the rescue by writing small programs to delete these parasites.
Manual removal procedure
You will need -
Download VundoFix from here to your desktop ready for use.
Credit where it is due - This removal file was developed by, and provided courtesy of www.atribune.org.
If you would like to make a donation for using this removal utility, please make it direct to Atribune.
Ace Utilities. A comprehensive system cleaner. A free trial version is available from here.
Cautionary note: This collection of cleaning tools includes Remove Duplicate Files, Remove Empty Folders and Auto-Start Manager. These options should not be attempted unless you are fully able to understand and investigate the output. Acting on a misinterpretation of the results could result in damage to your system.
Removal procedure
1) Double click on the VundoFix.exe icon on your desktop to open the program.
2) Click to put a checkmark in the Run VundoFix as a task box, which will open this window. Click OK.
When VundoFix reopens, click Scan for Vundo.
When the scan is complete, click Remove Vundo.
Click Yes at the prompt to confirm you want to remove the files.
When VundoFix has finished, you will get a message saying your computer will now be shut down. Click OK.
3) Restart your computer.
4) Open Ace Utilities and perform the following scans.
Depending on your usual clean up routine there could be a lot of issues to remove.
Click Clean Up, select Remove Junk Files. Scan and delete everything found. Close the Remove Junk Files box.
Select Clean System Registry. Click Options and select Thorough. Scan and delete everything found. Close the Clean System Registry box.
Select Delete History, click the Windows tab and select the following -
Empty the Windows Prefetch Folder.
Delete empty folders on the Windows Temp folder.
Erase Folder streams in the Windows registry.
Click Execute Now
Click the Internet Explorer/MSN tab and select the following -
Delete cookies
Delete locked URL cache file.
Clear typed URLs of Address bar
Clear Browser History
Delete Cache (Files in temporary Internet folder)
Click Execute Now.
You can of course select any of the other options you wish to clean.
Your computer will now be free of the Winfixer/Vundo infection.
Winfixer may have installed additional malware and I recommend scanning your computer with Ewido (XP and 2000 only). A free trial which reverts to a free version, and a free online scan, are available.
For other operating systems, use an updated a-squared. A free version and a free online scan are available.
To prevent future infections, check for and install any critical Windows updates, and install the latest version of Java from here: Sun Java.
This information is provided free of charge/subscription/registration and without warranty. All the usual disclaimer jargon applies.
However, if this page has helped resolve your problems without having the expense of taking your PC to a repair shop or the hassle of reformatting, you may like to support our efforts with a small donation towards the maintenance and further development of this site and the research to create more pages like this for future malware. Even £1, $1 or €1 can help make sure we are still here should you ever need us again.