Recovering from vundo

RedfordRedford Monorailcatfjord Join Date: 2002-04-28 Member: 528Members, NS1 Playtester
UPDATE YOUR JAVA

So, I just spent the last three days recovering from some of the most brutal spyware known to mankind. Vundo is known for creating and distributing files with .dll extensions and then creating files with a mirrored name that then create random popups and re-create random parts of itself. In effect, it is hell. I would like to thank the fine people at the spybot forum for helping remove this bug. Oh, and I have a stomach flu.

What is the moral of all this?

UPDATE YOUR JAVA. SERIOUSLY. YOU DO NOT WANT TO GO THROUGH WHAT I DID.

DO IT YOU *******S.

Comments

  • AbraAbra Would you kindly Join Date: 2003-08-17 Member: 19870Members
  • Renegade.Renegade. Join Date: 2003-01-15 Member: 12313Members, Constellation
    Weird, I just got the same thing yesterday. Spent the entire morning in DOS finding all and deleting all the files it created in my system folder. I was shocked because, from what I remember, I've only been using Firefox the last couple of weeks. Also, I've been running jre1.6 for a while now... so exactly what version is the problem.. and how? (Java is pretty secure as is.)
  • [WHO]Them[WHO]Them You can call me Dave Join Date: 2002-12-11 Member: 10593Members, Constellation
    http://www.java.com/en/download/
  • douchebagatrondouchebagatron Custom member title Join Date: 2003-12-20 Member: 24581Members, Constellation, Reinforced - Shadow
    edited May 2007
    i might have this problem, i'm not sure. for the past week or 2 i've had popups and occasional viruses randomly on my computer. i only use firefox, spybot and adaware don't detect anything and my virusscan always comes up clean when scanning, but occasionally pops up with an infection. and i have the most up to date java.
  • cshank4cshank4 Join Date: 2003-02-11 Member: 13425Members
    This is why we don't run java. Ever.
  • RedfordRedford Monorailcatfjord Join Date: 2002-04-28 Member: 528Members, NS1 Playtester
    Since it seems in demand...


    -- HOW DO I KNOW IF I HAVE VUNDO? --

    Vundo is spyware distributed by a company that makes a privacy checking program. They distribute it in order to "force" users to hide or "remove" private data from the internet like your location and IP, which are easily seen if you know how to do it. They frequently deal in deals with other vendors who also distribute ineffective and malware-ridden antivirus programs - which also do not remove vundo. It's worth noting they also have deals with more benign hosts, even yahoo.

    You will know if you have vundo if your computer keeps trying to open IE or firefox windows (it seems to choose at random what browser it uses if you have more than one). These websites are sometimes benign, but typically download viral files, more spyware, and cookies and bookmarks to your computer. Vundo itself, though hard to remove, is actually harmless. What is more dangerous are the popups that vundo opens - which can infect your computer with viruses and spyware that can completely destroy it if you do not have a virus defense.

    The easiest way, however, is to simply run spybot search and destroy. Vundo will be shown as a "smitfraud toolbar".


    -- WHAT DOES VUNDO DO? --

    Vundo propagates by creating randomly named .dll files in your system32 folder, and files which have a mirror name of those .dll files, but random extensions. It will screw with all antispyware programs, including hijackthis and spybot in an attempt to make it more difficult to remove. If any part of vundo is not removed, it can regenerate other files, and the popups will continue. Sometimes deleting parts of vundo will also cause other parts (resident on your computer, but hiding) to show up and start doing their job as well. The random extension files serve to regenerate the .dll files, and the .dll files do the dirty work. Since they are running processes, they are all highly resistant to removal since they run on startup, but this means the most important components of Vundo are visible on a hijackthis scan. The spyware itself disguises itself from hijackthis for this reason - by searching for its name and then causing the program to emit false scans and disabling the creation of log files.


    -- HOW DO I STOP VUNDO? --

    This is by no means a comprehensive guide. DO NOT ATTEMPT ANYTHING HERE WITHOUT CONSULTING A SPYWARE REMOVAL EXPERT. If you believe you have Vundo on your computer, please go to the website of spybot and go to the malware removal forum (http://forums.spybot.info/forumdisplay.php?f=22). They will be able to diagnose your problem and then walk through a solution in a step-by-step fashion.

    In a general sense, the components of Vundo will be 1. Randomly named .dll files. 2. Random extension files which will be a mirror of the .dll file's name. These will always be in the system32 folder, hiding out with your normal files. Sometimes it generates files with completely different names which look like help files, for example, in order to hide better. If you run hijackthis, all the random .dll files will be revealed. There will also be a hook from one file to windows update in order to hijack it and attempt some last line of defense. There are also utilities (notably, vundofix) which can be used to hunt down and delete vundo files. If you know the names of the files, you may also delete them using this even if it doesn't directly detect them. You can also learn the file names and then delete them in DOS, where vundo has no power at all.


    It is important that vundo is eventually removed. If it opens a popup with a virus which you have no protection from, it could destroy your system.
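
The file pattern described in the post above (a randomly named .dll plus a companion with the "mirror" name and a different extension) can be searched for in a directory listing. This is an added example, not part of the original post or of any tool it mentions; it assumes "mirror name" means the file stem spelled backwards, and the sample listing is constructed. A match is only a lead to hand to a removal expert, not proof of infection.

```python
import os
import sys
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample listing (not real indicators).
SAMPLE_LISTING = [
    "kernel32.dll", "user32.dll", "notepad.exe",
    "awtqqnm.dll", "mnqqtwa.ini", "mnqqtwa.bak1",
    "abcd.dll", "dcba.dll",   # two DLLs mirroring each other: not the pattern
]

def find_mirrored_pairs(filenames, min_stem_len=4):
    """Return sorted (dll, companion) pairs where the companion's stem is
    the DLL's stem reversed and the companion is not itself a .dll.
    Assumption: 'mirror name' in the post means the reversed stem."""
    by_stem = defaultdict(list)
    for name in filenames:
        path = PureWindowsPath(name)
        by_stem[path.stem.lower()].append(path.name)

    pairs = []
    for name in filenames:
        path = PureWindowsPath(name)
        if path.suffix.lower() != ".dll":
            continue
        stem = path.stem.lower()
        mirrored = stem[::-1]
        # Short stems and palindromes match by accident; skip them.
        if len(stem) < min_stem_len or mirrored == stem:
            continue
        for other in by_stem.get(mirrored, []):
            if PureWindowsPath(other).suffix.lower() != ".dll":
                pairs.append((path.name, other))
    return sorted(pairs)

if __name__ == "__main__":
    # With a directory argument, scan it; otherwise use the sample listing.
    listing = os.listdir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    for dll, companion in find_mirrored_pairs(listing):
        print(f"review: {dll} <-> {companion}")
```
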
  • GwahirGwahir Join Date: 2002-04-24 Member: 513Members, Constellation
    Incredible. Anyone know what kind of legislative tools have been made against companies like this?
  • lolfighterlolfighter Snark, Dire Join Date: 2003-04-20 Member: 15693Members
    Legislation? What, to help the little man? When we can give the rich a tax break instead?
  • douchebagatrondouchebagatron Custom member title Join Date: 2003-12-20 Member: 24581Members, Constellation, Reinforced - Shadow
    i just used vundofix (http://www.atribune.org/content/view/24/2/) and that took right care of it in a few minutes.
  • LikuLiku I, am the Somberlain. Join Date: 2003-01-10 Member: 12128Members
    I almost got Vundo today... I encountered a pop-up in IE (which I never use); but because of this topic I read the Wikipedia entry on it:

    http://en.wikipedia.org/wiki/Vundo

    I unplugged and ALT+F4'd IE, now I'm scanning like a mad-man with Spybot and Ad-Aware.
  • That_Annoying_KidThat_Annoying_Kid Sire of Titles Join Date: 2003-03-01 Member: 14175Members, Constellation
    java == updated

    good looking out commieford