Partial Removal of Trojan Vundo

This section provides a tutorial example of detecting and removing trojan Vundo. The process described here only partially removes the trojan Vundo.

Based on what my friend told me, once a while, Internet Explorer will starts a new window. That new window will run something for a few seconds causing CPU usage to go near 100%, then close itself.

When I ran HijackThis, it reported this line:

O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} 
   - C:\WINDOWS\system32\yjsallam.dll

Starting from HijackThis report, I did the following to try to remove this Internet add-on program.

1. Looked at C:\WINDOWS\system32, and found the following suspicious files:

>dir C:\WINDOWS\system32
10/02/2006  10:42 PM            86,068 fcissfvg.dll
10/03/2006  10:31 PM            86,036 lyssmlnb.dll
10/12/2006  09:52 PM            98,324 yjsallam.dll

2. Looked at IE > Internet Options > Programs > Manage Addon, found the yjsallam.dll entry, and disabled it.

3. Zipped all 3 suspicious files into a zip file, bho_200610.zip, and tried to delete them:

>del C:\WINDOWS\system32\fcissfvg.dll
   (deleted)

>del C:\WINDOWS\system32\lyssmlnb.dll
   (deleted)

>del C:\WINDOWS\system32\yjsallam.dll
   (not deleted because it is in use)

4. Closed all Internet Explorer windows and File Explorer windows, and ran HijackThis:

Find and check the yjsallam.dll in the log
Click the "Fix checked" button

5. Ran HijackThis again:

Go to Config >> Misc Tools >> Delete a file on reboot
Select file: C:\WINDOWS\system32\yjsallam.dll
Click Yes to reboot the system

6. Verified the following places:

HijackThis report: clean
C:\WINDOWS\system32 directory: clean
Internet Explorer add-on list: clean

The result seemed to be ok. But I knew that this was just a partial removal. The virus was still on my friend's computer. It is hidden somewhere and will create another trojan DLL file named with 8 random letters some time later on. Since I don't have any software tool to find and remove the root of the virus, I told my friend to check C:\WINDOWS\system32 directory regularly. If there are any new DLL files, dated after today, with 8-letter names, just call me for help.

Read other sections in this chapter on how to do a full removal of trojan Vundo.

Table of Contents

 About This Book

 Introduction to Microsoft Windows

 Introduction to Windows Explorer

 Introduction to Internet Explorer

 "Paint" Program and Computer Graphics

 GIMP - GNU Image Manipulation Program

 JPEG Image File Format Quality and Size

 GIF Image File Format and Transparent Background

 "WinZip" - ZIP File Compression Tool

 "WinRAR" - RAR and ZIP File Compression Tool

 FTP Server, Client and Commands

 "FileZilla" - Free FTP Client and Server

 Web Server Log Files and Analysis Tool - "Analog"

 Spyware Adware Detection and Removal

 IE Addon Program Listing and Removal

Vundo (VirtuMonde/VirtuMundo) - vtsts.dll Removal

 What Is Trojan Vundo?

Partial Removal of Trojan Vundo

 Detecting Trojan Vundo with McAfee VirusScan

 McAfee VirusScan and

 Instructions on Full Removal of Trojan Vundo

 Removing xxxxxxxx.dll Files Generated by Vundo

 What Is Vundo Related vtsts.dll?

 Finding and Removing vtsts.dll Manually

 Removing Trojan Vundo with FixVundo.exe from Symantec

 Removing Trojan Vundo with VundoFix.exe from Atribune.org

 Trojan and Malware "Puper" Description and Removal

 VSToolbar (VSAdd-in.dll) - Description and Removal

 Spybot - Spyware Blocker, Detection and Removal

 Setting Up and Using Crossover Cable Network

 Home Network Gateway - DSL Modem/Wireless Router

 Windows Task Manager - The System Performance Tool

 "tasklist" Command Line Tool to List Process Information

 "msconfig" - System Configuration Tool

 Configuring and Managing System Services

 Windows Registry Key and Value Management Tools

 Startup Programs Removal for Better System Performance

 Winsock - Windows Sockets API

 Java on Windows

 Glossary of Terms

 Outdated Tutorials

 References

 PDF Printing Version