Ok, I found something I wouldn’t wish on my worst enemy…

In an earlier blog post, I wrote about inadvertently picking up some kind of trojan that was spamming me with irrelevant pop-ups and dragging down my laptop's performance. I had run Spybot over and over again, and it kept finding a trojan called VUNDO.
Let me tell you guys, this thing is a pain in the neck!!! It's surprising how many people get this stupid thing and have posted in desperation asking how to remove VUNDO. It was really aggravating to see companies reply to those posts trying to peddle their malware detectors while offering no helpful suggestions.
It really does help me put my job as a software engineer in perspective.

“Help the customer first…”

So here’s help for those who may get this trojan on their system.

First of all, with the variant I got, no spyware removal software could delete it. This little baby creates a randomly named .dll file in your system32 folder; but to add to the frustration, it runs inside the explorer.exe process. If you try to manually delete the .dll file, Windows says it is in use. So any software that says it removed the trojan is only half right: it deletes the registry key, but the .dll, still loaded in explorer.exe, just puts the key back again. So if you want it done right, do it yourself.

Here are two applications I found that are just wonderful for removing this trojan.

Process Explorer:

This application is great! It basically showed me which files are in use by which processes, and it confirmed that this .dll file really was locked by explorer.exe. But not only that, it let me suspend the explorer.exe process without crashing my Windows session, so that I could do the next step:

Autoruns:

This beauty of an application let me browse all the startup registry keys; it's like msconfig on steroids. This was extremely handy because I could see every key that referenced that .dll file as its source, and I just deleted them. With the keys gone, all I had to do was reboot my laptop, go into the system32 folder, and delete the .dll file, which was no longer being held by the explorer.exe process.
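For anyone who wants to answer the same two questions from a PowerShell prompt before reaching for Process Explorer and Autoruns, here is an added, read-only script that is not part of the original post. It assumes a placeholder DLL name (substitute the random name Spybot reported) and only reports findings; the suspend, delete-keys, reboot, delete-file steps are still done by hand as described above.

```powershell
# Added example (not from the original post): report which processes have the
# Vundo DLL loaded and which autorun registry values reference it.
# $DllName is a placeholder; replace it with the randomly named file in System32.
param([string]$DllName = 'RANDOMNAME.dll')

$dllPath = Join-Path (Join-Path $env:SystemRoot 'System32') $DllName

# 1. Which processes currently have the DLL mapped? (what Process Explorer showed)
function Find-ModuleHolders {
    param([string]$Path)
    foreach ($p in Get-Process) {
        try {
            if ($p.Modules | Where-Object { $_.FileName -ieq $Path }) {
                [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName }
            }
        } catch { }   # access denied on protected/other-bitness processes is normal; skip them
    }
}

# 2. Which autorun registry values reference the DLL? (what Autoruns showed)
#    Values under each root and all of its subkeys are searched for the file name.
function Find-RegistryReferences {
    param([string[]]$Roots, [string]$Needle)
    $pattern = [regex]::Escape($Needle)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            foreach ($valueName in $k.GetValueNames()) {
                $data = [string]$k.GetValue($valueName)
                if ($data -imatch $pattern) {
                    [pscustomobject]@{ Key = $k.Name; ValueName = $valueName; Data = $data }
                }
            }
        }
    }
}

# Common DLL-loading autorun locations; CLSID is included because Browser Helper
# Objects and other COM registrations point at their DLL via InprocServer32 (slow to scan).
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',            # AppInit_DLLs
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\SOFTWARE\Classes\CLSID'
)

"Processes holding $dllPath :"
Find-ModuleHolders -Path $dllPath | Format-Table -AutoSize
"Registry values referencing $DllName (review, then remove as described in the post):"
Find-RegistryReferences -Roots $roots -Needle $DllName | Format-Table -AutoSize
```

Run it from an elevated prompt so that explorer.exe's module list and the HKLM keys are readable; if the DLL shows up under explorer.exe, that is exactly the lock the post describes.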

So now I have no problems and no VUNDO…booyah.


Ryan Slosser

My name is Ryan. I work in development here at Plixer. I mostly deal with hardware deployment. I enjoy kayaking and fishing during the summer and skiing in the winter. People can count on me and I always give 100% unless I'm donating blood.
