Windows Tutorials - Herong's Tutorial Examples - v5.62, by Dr. Herong Yang
Partial Removal of Trojan Vundo
This section provides a tutorial example of detecting and removing trojan Vundo. The process described here only partially removes the trojan Vundo.
Based on what my friend told me, once a while, Internet Explorer will starts a new window. That new window will run something for a few seconds causing CPU usage to go near 100%, then close itself.
When I ran HijackThis, it reported this line:
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\yjsallam.dll
Starting from HijackThis report, I did the following to try to remove this Internet add-on program.
1. Looked at C:\WINDOWS\system32, and found the following suspicious files:
>dir C:\WINDOWS\system32 10/02/2006 10:42 PM 86,068 fcissfvg.dll 10/03/2006 10:31 PM 86,036 lyssmlnb.dll 10/12/2006 09:52 PM 98,324 yjsallam.dll
2. Looked at IE > Internet Options > Programs > Manage Addon, found the yjsallam.dll entry, and disabled it.
3. Zipped all 3 suspicious files into a zip file, bho_200610.zip, and tried to delete them:
>del C:\WINDOWS\system32\fcissfvg.dll (deleted) >del C:\WINDOWS\system32\lyssmlnb.dll (deleted) >del C:\WINDOWS\system32\yjsallam.dll (not deleted because it is in use)
4. Closed all Internet Explorer windows and File Explorer windows, and ran HijackThis:
Find and check the yjsallam.dll in the log Click the "Fix checked" button
5. Ran HijackThis again:
Go to Config >> Misc Tools >> Delete a file on reboot Select file: C:\WINDOWS\system32\yjsallam.dll Click Yes to reboot the system
6. Verified the following places:
HijackThis report: clean C:\WINDOWS\system32 directory: clean Internet Explorer add-on list: clean
The result seemed to be ok. But I knew that this was just a partial removal. The virus was still on my friend's computer. It is hidden somewhere and will create another trojan DLL file named with 8 random letters some time later on. Since I don't have any software tool to find and remove the root of the virus, I told my friend to check C:\WINDOWS\system32 directory regularly. If there are any new DLL files, dated after today, with 8-letter names, just call me for help.
Read other sections in this chapter on how to do a full removal of trojan Vundo.
Table of Contents
Introduction to Microsoft Windows
Introduction to Windows Explorer
Introduction to Internet Explorer
"Paint" Program and Computer Graphics
GIMP - GNU Image Manipulation Program
JPEG Image File Format Quality and Size
GIF Image File Format and Transparent Background
"WinZip" - ZIP File Compression Tool
"WinRAR" - RAR and ZIP File Compression Tool
FTP Server, Client and Commands
"FileZilla" - Free FTP Client and Server
Web Server Log Files and Analysis Tool - "Analog"
Spyware Adware Detection and Removal
IE Addon Program Listing and Removal
►Vundo (VirtuMonde/VirtuMundo) - vtsts.dll Removal
►Partial Removal of Trojan Vundo
Detecting Trojan Vundo with McAfee VirusScan
Instructions on Full Removal of Trojan Vundo
Removing xxxxxxxx.dll Files Generated by Vundo
What Is Vundo Related vtsts.dll
Finding and Removing vtsts.dll Manually
Removing Trojan Vundo with FixVundo.exe from Symantec
Removing Trojan Vundo with VundoFix.exe from Atribune.org
Trojan and Malware "Puper" Description and Removal
VSToolbar (VSAdd-in.dll) - Description and Removal
Spybot - Spyware Blocker, Detection and Removal
Setting Up and Using Crossover Cable Network
Home Network Gateway - DSL Modem/Wireless Router
Windows Task Manager - The System Performance Tool
"tasklist" Command Line Tool to List Process Information
"msconfig" - System Configuration Tool
Configuring and Managing System Services
Windows Registry Key and Value Management Tools