Revision as of 12:41, 30 August 2007
The Vundo Trojan is a trojan horse that may cause popups advertising rogue antispyware programs. It infects victims' computers by exploiting a vulnerability in Sun Java 1.4 and earlier versions. Many of the popups advertise a program called Sysprotect.
Typical dialog
Below is an image of the dialog box that appears upon infection.
The English language version of the message reads:
"NOTICE: If your computer has errors in the registry database or file system, it could cause unpredictable or erratic behavior, freezes and crashes. Fixing these errors can increase your computer's performance and prevent data loss.
Would you like to install SysProtect for free? (Recommended)"
On Windows systems in a language other than English, users may see a "localised" message in their native language.
Removing outdated versions of Sun Java prevents this infection. A tool called VundoFix is commonly used for removing this infection.
Symptoms
Infected machines show a slight or large increase in memory use, at set times and/or at random throughout the day. Pop-ups tell the user that the system is infected and that performance is deteriorating, and that a program (usually WinAntiVirusPro or SysProtect) must be downloaded to fix this; the advertised program is itself a virus. ULWindowSeek or ULWindowURL pop-ups are another symptom of this virus. The pop-ups normally appear through Internet Explorer, but will also appear in the default browser if it is open. The process runs as a hidden service that is started when the operating system loads.
Many hidden files appear with a Vundo infection. Some virus removal programs remove these hidden files but not the actual DLL file (the DLL is not reliably named gebyx.dll or pmnlj.dll; the files have random names), which leaves Windows stuck with a "System File Missing" yellow balloon pop-up (on Windows XP) that reappears at random intervals of 1-8 seconds, along with error messages saying the same thing when Windows loads. Some infected users have also had BSODs and Stop errors on Windows while running certain games and applications that connect to the internet; the Stop errors stem from kernel system files loaded by Windows.
In some cases Vundo has altered the administrative rights of the machine's owner, preventing them from downloading potentially effective anti-spyware programs.
Removal
Many tools and programs have been written to remove Vundo, although the trojan's authors often release new versions that render these removal programs ineffective. Vundo creates a DLL file in the Windows system directory and writes registry entries that cause Windows to inject the file into winlogon.exe. One tool that can temporarily remove Vundo is Symantec's Trojan.Vundo Removal Tool [1], although it does not always detect the infection. The only relatively reliable solution is to clear the Prefetch folder and run AVG in Safe Mode.
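As an added defender-side example (not part of the original article or of any removal tool it names): a small Python audit that parses a .reg export of the Winlogon notification-package key and flags registered DLLs that are not in a known-good baseline, one way to surface the "registry entries ... inject the file into winlogon.exe" persistence described above. It assumes the entries are Winlogon\Notify registrations, which the article does not state; the sample export, the "pmnlj" subkey and the baseline set are constructed for illustration.

```python
import re

# Constructed sample of a .reg export of the Winlogon\Notify key (standard XP
# key path and "DllName" value name); the "pmnlj" subkey and path are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DllName"="wlnotify.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnlj]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\pmnlj.dll"
'''

# Assumed baseline: notification DLLs recorded from a clean reference machine.
KNOWN_GOOD = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}

NOTIFY_KEY = r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\([^\]]+)\]$"
KEY_RE = re.compile(NOTIFY_KEY, re.IGNORECASE)
DLL_RE = re.compile(r'^"DllName"="(.*)"$')

def looks_random(stem):
    """Heuristic for the random file names the article describes: few vowels."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 5:
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.25

def audit_notify_export(reg_text):
    """Return one finding per Notify subkey whose DLL is not in the baseline."""
    findings, subkey = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            subkey = key.group(1)
            continue
        dll = DLL_RE.match(line)
        if dll and subkey:
            path = dll.group(1).replace("\\\\", "\\")  # .reg escapes backslashes
            name = re.split(r"[\\/]", path)[-1].lower()
            if name not in KNOWN_GOOD:
                reason = "random-looking name" if looks_random(name.rsplit(".", 1)[0]) else "not in baseline"
                findings.append({"subkey": subkey, "dll": path, "reason": reason})
    return findings
```

Run `audit_notify_export` over a real export (`reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg`) after replacing the baseline with one taken from a clean machine of the same build.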
See also
- Spy Sweeper - Webroot program that removes Vundo and Vundo variants
- CyberDefender - Provides free removal of Vundo and its variants
- HijackThis - Can detect some Vundo variants
- VundoFix - Tool for removing Vundo infections
- SysProtectRemover - Tool for removing SysProtect specifically, by the maker of VundoFix