How to remove the Vundo Trojan using the OSAM
Julia
Malware Analyst


Joined: 08 Nov 2007
Posts: 121

Posted: Mon Aug 25, 2008 12:03 pm

How to remove the Vundo Trojan (also known as Virtumonde, Virtumondo, Virtumundo, Monder, Monderb, MS Juan) using the OSAM Autorun Manager.


Please note! These steps are only for Windows XP / 2003 / 2000 users.

1. First you should click on the "Settings" button in the top menu:
    Image
And then change the value for "Disable objects using the driver" option to "Always", as it is shown below:
    Image

2. Now look through the list of the objects and find the randomly-named .DLL files under the following registry keys:
    Internet Explorer section:
      HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

    Winlogon section:
      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

    Explorer section:
      HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Randomly-named .DLL files means something like this: nnnkLcCU.dll, opNdccDV.dll, hgGxyXQH.dll, yfcfqtfd.dll, cbxvttsR.dll, pmnkLCSk.dll. These files should be located in the WINDOWS\system32 directory.

Use the OSAM Online Malware Scanner function if you have problems finding the right ones (if the file is unknown, just rescan it in a few minutes):
    Image
    Some versions of the trojan could also be located under the following registry keys:

      AppInit DLLs section:
        HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows

      Logon section:
        HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      LSA Providers section:
        HKLM\SYSTEM\CurrentControlSet\Control\Lsa

      Explorer section:
        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

      Common section:
        %SystemRoot%\Tasks (.job-files with random name, like: utbvmvde.job, ehjhbzqf.job, dnwzjlks.job)

3. Disable the trojan entries by removing the checkmarks in the checkboxes next to these randomly-named .DLL files.
You should disable all of the malware entries before the next step. If something is left behind, it could restore all the remaining entries after the system reboot.

4. Once you have finished disabling the items, press the "Apply" button:

    Image

You will see the list of the disabled items (press the "Close" button) and then the following message will be displayed:
    Image

Press the "Reboot now" button.

Once your computer has rebooted, the Vundo Trojan will be disinfected.
________________

1. Start the OSAM again - you will see the report about deleted entries.
2. Press the "Settings" button to change the value for "Disable objects using the driver" option back to "For undeletable objects only".
3. Also you can use the "Jump to file" function to delete the inactive trojan files:

Image

4. And then use the "Delete from storage" function to delete the disabled items from the list of the objects:

Image


If you still need help or have any questions - you are welcome to our forum.


Last edited by Julia on Fri Aug 29, 2008 10:43 pm; edited 1 time in total
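
A triage sketch of step 2 of the post above, added here as an example; it is not OSAM's logic and not code from the original thread. It assumes the autorun list has been exported as (location, resolved file path) pairs, and its "random name" test (eight letters with a run of five or more non-vowels) is a heuristic inferred only from the sample names in the post, so hits are candidates to check, not verdicts.

```python
import ntpath
import re

# Autorun locations listed in the post; compared case-insensitively.
WATCHED = [k.lower() for k in (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks",
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
)]

def looks_random(stem):
    """Assumed heuristic: exactly 8 letters containing a run of 5+ non-vowels."""
    return bool(re.fullmatch(r"[A-Za-z]{8}", stem)
                and re.search(r"[^aeiouAEIOU]{5,}", stem))

def is_candidate(location, path):
    """True if an autorun entry fits the pattern described in the post."""
    stem, ext = ntpath.splitext(ntpath.basename(path))
    folder, ext = ntpath.dirname(path).lower(), ext.lower()
    if not looks_random(stem):
        return False
    if ext == ".job":  # scheduled task file in the Tasks folder
        return folder.endswith("\\tasks")
    loc = location.lower()
    watched = any(loc == k or loc.startswith(k + "\\") for k in WATCHED)
    return watched and ext == ".dll" and folder.endswith("\\system32")

def candidates(entries):
    """File names of the entries worth checking by hand or with a scanner."""
    return [ntpath.basename(p) for loc, p in entries if is_candidate(loc, p)]

# Constructed sample export: (autorun location, resolved file path).
SAMPLE = [
    (WATCHED[0] + r"\{00000000-0000-0000-0000-000000000001}",
     r"C:\WINDOWS\system32\nnnkLcCU.dll"),
    (WATCHED[1] + r"\opNdccDV", r"C:\WINDOWS\system32\opNdccDV.dll"),
    (WATCHED[8], r"C:\WINDOWS\system32\webcheck.dll"),           # real-word name
    (WATCHED[5] + "Once", r"C:\WINDOWS\system32\yfcfqtfd.dll"),  # key not listed
    (r"%SystemRoot%\Tasks", r"C:\WINDOWS\Tasks\utbvmvde.job"),
]

if __name__ == "__main__":
    for name in candidates(SAMPLE):
        print("review:", name)
```
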
jacobse



Joined: 28 Aug 2008
Posts: 1

Posted: Fri Aug 29, 2008 1:28 am

Worked like a charm.

Thank you so much!
davecoop



Joined: 30 Aug 2008
Posts: 1

Posted: Sat Aug 30, 2008 9:18 pm

Just wanted to thank you guys!
James



Joined: 01 Sep 2008
Posts: 1

Posted: Mon Sep 01, 2008 1:21 am

I tried to clean this using many other spyware tools, but yours worked the first time, exactly as you said.
Congratulations on a great product. I'm a believer...this is the real stuff, thank you!
Nathan



Joined: 05 Sep 2008
Posts: 1

Posted: Fri Sep 05, 2008 4:48 am

I just wanted to write and say that this product truly works!!

I spent a day trying to get rid of a nasty infection of Vundo/Virtumonde with several other antivirus & spyware removers (some name-brand ones too). And while they would sometimes catch part of the infection, it would come right back the next time the computer started.

But, after downloading OSAM and using it for the first time, I was able to delete a key component of the virus!! No more Vundo...Thank you so much!!
Queeva



Joined: 01 Dec 2008
Posts: 1

Posted: Mon Dec 01, 2008 9:13 am

I need help so much, and yours seems to be best but I keep getting this error when I go to download the program?

You tried to access the address http://www2.online-solutions.ru/en/download_file.php?p=131096, which is currently unavailable. Please make sure that the Web address (URL) is correctly spelled and punctuated, then try reloading the page.
Make sure your Internet connection is active and check whether other applications that rely on the same connection are working.
Technical Support
Malware Analyst


Joined: 07 Nov 2007
Posts: 901
Location: St. Petersburg, Russia

Posted: Mon Dec 01, 2008 6:17 pm

Queeva wrote:
I need help so much, and yours seems to be best but I keep getting this error when I go to download the program?

You tried to access the address http://www2.online-solutions.ru/en/download_file.php?p=131096, which is currently unavailable. Please make sure that the Web address (URL) is correctly spelled and punctuated, then try reloading the page.
Make sure your Internet connection is active and check whether other applications that rely on the same connection are working.

Hello Queeva. Our file server was down from 18:10 30-Nov-2008 until 13:15 01-Dec-2008. But now everything is all right and our software is available for download.

Thank you for your report!

_________________
Technical Support
http://www.online-solutions.ru/en/
John Dough



Joined: 03 Dec 2008
Posts: 1

Posted: Wed Dec 03, 2008 5:35 pm

Will this work on Vista Home Premium 32-bit?
klanx



Joined: 15 Dec 2008
Posts: 1

Posted: Mon Dec 15, 2008 3:24 pm

Worked first time, awesome! Thanks guys!

Easy to use and understand, and problem solved when everything else didn't or was going to take time.

Brilliant!
LeaG



Joined: 24 Dec 2008
Posts: 1

Posted: Wed Dec 24, 2008 10:01 pm

Greetings!

I recently downloaded the OSAM: Autorun Manager to try and fix a Virtumonde.sci, Virtumonde, and Virtumonde.generic trojans that were popping up on my spybot search and destroy scans.

I followed the instructions on the Vundo Trojan Removal site but a few things happened.

For starters, it didn't pick up any malicious files that were displayed as red. I knew from some previous scans with other software which files were flagged as trojans, but those files only came up as unknown files, even after multiple scans with OSAM.

So I continued following the instructions by unchecking the box next to each file and finished up as instructed.

However when I rescanned with Spybot, I got the same Virtumonde.sci, Virtumonde, and Virtumonde.generic files to pop up again on the scan. However, after another reboot and another scan after that one, the files no longer showed up.

I'm a bit of a paranoid type, so I'm not sure if it's really fixed or if something is trying to trick me. Is there anything else I should do to be 100% sure?
Chappy62



Joined: 12 Jan 2009
Posts: 1

Posted: Mon Jan 12, 2009 6:35 pm

I just finally got rid of that pesky virus and it only took me about 10 minutes using your great product. I had tried other VundoFix and with no luck could I get rid of this virus.

Thanks so much for the great step by step instruction on removing this awful thing. I hope others use your product for getting rid of the unwanted headache!!

Many Thanks!
Chappy62
alshidaa



Joined: 11 Jun 2010
Posts: 1

Posted: Wed Jun 16, 2010 8:22 am

There is a trojan virus that keeps redirecting my page to a different site? I recently had a virus in my computer and I got rid of most of the virus. The only thing that is left now is that there is a trojan that keeps redirecting my google pages to different sites. Please, can anyone tell me how to get rid of this trojan because even through the AVG that I downloaded, it still doesn't find the trojan and my computer is running really slow. Thanks.


Last edited by alshidaa on Fri Jun 18, 2010 2:41 pm; edited 1 time in total
Dashke



Joined: 09 Sep 2009
Posts: 49
Location: Serbia, Belgrade

Posted: Wed Jun 16, 2010 8:57 am

alshidaa wrote:
There is a trojan virus that keeps redirecting my page to a different site? I recently had a virus in my computer and I got rid of most of the virus. The only thing that is left now is that there is a trojan that keeps redirecting my google pages to different sites. Please, can anyone tell me how to get rid of this trojan because even through the AVG that I downloaded, it still doesn't find the trojan and my computer is running really slow. Thanks.

Use OSHE to delete the leftovers of the virus.

All times are GMT + 3 Hours