Wednesday, December 30, 2009

How to fix Vundo Virus on your Computer

from Mike Nagy, IT Consultant at Computer Works of Toledo

Malware is a broad term that refers to software designed to infiltrate or damage a computer system without the owner's consent. Popular forms of malware include spyware, adware, fraudware, viruses, worms and trojans. These programs are responsible for a significant decrease in user productivity due to their impact on PC performance and time spent on attempted self-repair. More catastrophic results include unauthorized access to company information by outside hackers, deletion of critical information and even operating system corruption leading to complete system failure. The solution is to proactively scan for and remove malware programs on a regular basis by a qualified PC administrator using utilities designed for the task.

If your proactive efforts have not been successful at preventing infection, it is often very difficult to completely remove infections like the Vundo virus or one of its myriad variants (now classified as “Fraud Ware”). If you have physical access to the computer, then performing a “Clean Scan” process is the most reliable method of removing the Vundo Virus; however, we often find ourselves attacking these types of infections on remote computers, and the instructions below provide a reliable method of virus removal for at least 80% of affected computers. This process can take between 2 to 6 hours, depending on the level of infection, with the average computer taking about 3 ½ to 4 hours.

1. Establish the Remote session using GoToAssist (G2A), GoToAssist Express (G2A-x), Log-Me-In or a similar utility.
• Make sure to upgrade the remote session to “Run As A Service” or set up the “Unattended Support” option if available


2. Verify the computer has a valid Antivirus program installed, and that it has the latest virus Definitions.
• If no valid Antivirus program is installed, the current Antivirus product has been disabled, or the current Antivirus product is expired, then download a current trial or free Antivirus program such as AVG 8.x Free or ClamWin, both available from http://www.filehippo.com


3. Download, install and update the most recent version of the following programs:
• SpyBot Search and Destroy (Spybot) http://www.filehippo.com/download_spybot_search_destroy/
• MalwareBytes’ Anti-Malware (aka: MBAM) http://www.malwarebytes.org/mbam.php
• Super Antispyware - http://www.superantispyware.com/
• A reliable Registry Cleaning Utility. I recommend one or both of the following:
i. Crap Cleaner (CCleaner) - http://www.filehippo.com/download_ccleaner/
ii. EasyCleaner - http://personal.inet.fi/business/toniarts/ecleane.htm

4. Disable System Restore:
• Right Click on the “My Computer” Icon
• Select “Properties”
• Select the “System Restore” Tab
• Check the box “Turn Off System Restore”
• Approve the prompt message, and Click “OK” to close the Properties Window


5. Perform Registry and Application Cleanup (the instructions provided here are for CCleaner. You can also perform similar operations using EasyCleaner)
• Select the ”Cleaner” button (Left Margin Bar)
i. Select the “Analyze” button (at the bottom) to catalog Temp files, the browser cache, and cookies
ii. Select the “Run Cleaner” button (bottom right)
• Select the “Tools” Menu (Left Margin Bar)
• Select the “Uninstall” Menu Button
i. Uninstall ALL toolbars (e.g. Yahoo Toolbar, Google Toolbar, MSN Tools, etc.)
ii. Uninstall All “Browser Helper” applications (e.g. Yahoo Browser Protection, WebX, Dell Redirector, etc.)
iii. Uninstall ALL Messenger programs (e.g. AOL, MSN, Yahoo Messenger, etc.)
iv. Uninstall Google Desktop and Microsoft Desktop Search (Indexer)
v. Uninstall all “search tools” or “search assistant” applications
• Select the “Startup” Menu Button
i. Delete all “deactivated” startup items
ii. Disable any item that is suspect (e.g. XP_Antispyware_2008.exe, ZEDO.exe, etc.)
• Select the “Registry” Button (Left Margin Bar)
i. Select the “Scan for Issues” button (at the bottom)
ii. Select the “Fix Selected issues…” button (bottom right) – approve all prompts, but do not save the current registry values
iii. Repeat the above registry cleaning as needed until all invalid registry entries are removed – this may take 6 or more times


6. Restart the PC in Safe Mode (With Networking)
• Use the Remote Utility to “restart in safe mode” if it is available.
• If not, force the PC into Safe Mode at the next startup
i. Click “Start”
ii. Select “Run…”
iii. Type “msconfig” in the Run Command prompt and select “Ok” or press the [enter] key
iv. Select the “Start in Safe Mode with Networking” radio button
v. Click Apply
vi. Click “OK”, then select “Restart the Computer” when prompted


7. Once the computer is at the desktop in Safe Mode, run Malwarebytes’ Anti-Malware (MBAM) and perform a “quick scan” (this scan usually takes 20 to 25 minutes) *** This scan can be performed at the same time as the Antispyware scan below, if the computer has sufficient hardware resources

8. Open Super Antispyware and perform a “Quick Scan” (this scan usually takes 20 to 25 minutes) *** This scan can be performed at the same time as the MBAM scan above, if the computer has sufficient hardware resources

9. Open Spybot, and select the “Check For Problems” button (this scan may take up to 1 ½ hours) *** This scan can be performed at the same time as the Antivirus scan below, if the computer has sufficient hardware resources
• Select “Fix All Problems” then approve any prompts from this program

10. Set up Spybot to automatically run on the next PC startup
• Click on the “Mode” Toolbar Menu
• Select “Advanced Mode” and approve the prompt
• Select the “Settings” Menu button
• Highlight the “Settings” sub-menu
• Scroll down to the “Scan Priority” sub-menu
i. Select the “Highest” radio button
• Scroll down to the “Automation” sub-menu
i. Select the “Run Spybot on the Next System Startup” radio button
ii. Select the “Run Scan when program starts” check box
iii. Select the “Fix all problems” check box
• Select the “Spybot S&D” Menu Button
• Close Spybot

11. Open the Antivirus program and perform a “Full System Scan” (this is typically a “console mode” scanner in Safe Mode and may take up to 2 hours) *** This scan can be performed at the same time as the Spybot scan above, if the computer has sufficient hardware resources


12. Repeat Registry Cleanup (Step # 5 above using CCleaner or Easy Cleaner)


13. Restart the Computer in Normal Operation Mode (Reset the MSCONFIG boot option if this method was used to force a restart in Safe Mode)

14. Upon login, Spybot should automatically start to run and check for problems.
• If Spybot does not startup automatically, then immediately repeat/verify step 13 above.
• Once Spybot completes the scan and fixes any problems, review the “fixed” items to ensure there is no evidence of persistent virus activity, then close Spybot

15. Run the Antivirus program. Once the Antivirus program completes, review the log to ensure there is no persistent virus activity, then close the Antivirus program


16. Open Internet Explorer and verify the Home Page and security options, and that there are no installed Toolbars

17. Verify the client's data is intact and programs are working normally.
• Re-install any programs which do not work normally
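As an added example (not part of the original post), the following PowerShell script gives a read-only inventory of the autostart and browser add-on registry locations that steps 5 and 16 ask you to review, flagging entries whose target file is missing or which run from a temp or profile folder. It assumes Windows PowerShell run as Administrator; the registry paths are standard Windows locations, and the "REVIEW" heuristics are my own rule of thumb, not Spybot's or MBAM's.

```powershell
# Added example, not from the original post: read-only inventory of the autostart
# and browser add-on registry locations that steps 5 and 16 ask you to review.
# Assumes Windows PowerShell run as Administrator; nothing is changed or deleted.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Toolbars and "browser helpers" register here by CLSID (HKLM only in this example)
$bhoKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$toolbarKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'

function Get-TargetPath([string]$command) {
    # Expand %vars%, then drop quotes and arguments so only the executable path remains
    $cmd = [Environment]::ExpandEnvironmentVariables($command).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -and (Test-Path -LiteralPath $cmd)) { return $cmd }   # unquoted path, no arguments
    return ($cmd -split '\s+')[0]
}

function Test-Suspect([string]$path) {
    # Heuristics in the spirit of the post: a missing target is a "deactivated" item,
    # and an executable living in a temp or profile folder deserves a closer look
    if (-not $path) { return 'empty command' }
    if (-not (Test-Path -LiteralPath $path)) { return 'target missing' }
    if ($path -match '\\Temp\\|\\Local Settings\\|\\AppData\\') { return 'runs from temp/profile folder' }
    return $null
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # PowerShell's own metadata properties
        $flag = Test-Suspect (Get-TargetPath "$($p.Value)")
        "{0}\{1} = {2}{3}" -f $key, $p.Name, $p.Value, $(if ($flag) { "   <-- REVIEW: $flag" } else { '' })
    }
}

# Collect CLSIDs of BHOs (subkeys) and IE toolbars (value names), then resolve each to its DLL
$clsids = @()
if (Test-Path $bhoKey)     { $clsids += @(Get-ChildItem $bhoKey | ForEach-Object { $_.PSChildName }) }
if (Test-Path $toolbarKey) { $clsids += @((Get-ItemProperty $toolbarKey).PSObject.Properties |
                                 Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]+\}$' } | ForEach-Object { $_.Name }) }
foreach ($clsid in $clsids) {
    $srv  = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
    $dll  = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { $null }
    $flag = if ($dll) { Test-Suspect (Get-TargetPath "$dll") } else { 'no InprocServer32 entry' }
    "BHO/Toolbar {0} -> {1}{2}" -f $clsid, $dll, $(if ($flag) { "   <-- REVIEW: $flag" } else { '' })
}
```

Entries that name a bare executable with no folder (resolved through PATH at startup) will be reported as "target missing" and need a manual look; run the script once before step 5 and again after step 16 and compare the two listings.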

NOTES:
If no persistent virus activity is encountered:
• Perform a final registry cleanup for EACH user login on the computer (using CCleaner or Easy Cleaner)


If persistent virus activity is encountered:
• The computer cannot be “cleaned by normal means” and should have the Hard Disk Drive formatted and the Operating system reinstalled. If a format and OS reinstallation are still not an option, then a “Clean System Scan” must be performed, or the system should be removed from service or replaced.

