Новости компании

Vundo trojan removal

How to remove the Vundo Trojan (also known as Virtumonde, Virtumondo, Virtumundo, Monder, Monderb, MS Juan) in 3 minutes using the OSAM Autorun Manager (Переносимая версия, 3.63mb or Установочный пакет, 8.84mb) [FREEWARE].
Comments and discussion are here.

Please note! These steps are only for the Windows XP / 2003 / 2000 users.

1. First you should click on the “Settings” button in the top menu:

OSAM Menu - Settings

And then change the value for “Disable objects using the driver” option to “Always“, as it is shown below:

OSAM Settings - Driver Mode: Always

2. Now look through the list of the objects and find the randomly-named .DLL files under the following registry keys:

  Internet Explorer section:
        HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

    Winlogon section:
        HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

    Explorer section:
        HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Randomly-named .DLL files means something like that: nnnkLcCU.dll, opNdccDV.dll, hgGxyXQH.dll, yfcfqtfd.dll, cbxvttsR.dll, pmnkLCSk.dll. And these files should be located in the WINDOWS\system32 directory.

Use the OSAM Online Malware Scanner function, if you have problems with finding the right ones (if the file is unknown - just rescan it in some minutes):

OSAM: Scan using Online Malware Scanner

Some versions of the trojan could be also located under the following registry keys:

    AppInit DLLs section:
        HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows

    Logon section:
        HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    LSA Providers section:
        HKLM\SYSTEM\CurrentControlSet\Control\Lsa

    Explorer section:
        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

    Common section:
        %SystemRoot%\Tasks (.job-files with random name, like: utbvmvde.job, ehjhbzqf.job, dnwzjlks.job)

3. Disable the trojan entries by removing the checkmarks in the checkboxes next to these randomly-named .DLL files. You should disable all of the malware entries before the next step. If something will be left behind, it could restore all the rest entries after the system reboot.

4. Once you have finished with the disabling the items, press the “Apply” button:

OSAM: Apply Button

You will see the list of the disabling items (press the “Close” button) and then the following message will be displayed:

OSAM: Reboot now

Press the “Reboot now” button.

Once your computer will be rebooted, the Vundo Trojan will be disinfected.

1. Start the OSAM again - you will see the report about deleted entries.
2. Press the “Settings” button to change the value for “Disable objects using the driver” option back to “For undeletable objects only“.
3. Also you can use the “Jump to file” function to delete the inactive trojan files:

OSAM: Jump to file

4. And then use the “Delete from storage” function to delete the disabled items from the list of the objects:

OSAM: Delete from storage

If you still need help or have any questions - you are welcome to our forum. To register on forum please follow this instruction.
Comments and discussion are here.

Step-by-step Vundo removal video instruction:


Comments and discussion are here