Trojan.Vundo

April 7, 2006
aka: WinFixer virus

Trojan.Vundo is a component of the Adware.VirtuMonde adware program that downloads and displays pop-up advertisements. It is known to be installed by visiting a Web site link contained in a spammed email. This trojan has been found on several computers at Virginia Tech.

Symptoms

Infected computers also contain the WinFixer software, which pops up a message on your computer. This message claims that many viruses and security risks are present on your computer and solicits payment from you to clean them up.

Removal

  1. Download VundoFix.exe and save it to your desktop.
  2. Double-click VundoFix.exe to run it.
  3. Place a check in the checkbox labeled Run VundoFix as a task. You will receive a message stating that VundoFix will close and re-open in a minute or less. Click OK.
  4. When VundoFix reopens, click the Scan for Vundo button.
  5. Once it's done scanning, click the Remove Vundo button.
  6. You will receive a prompt asking if you want to remove the files. Click the YES button.
  7. Once you click yes, your desktop will go blank as it starts removing Vundo.
  8. When completed, it will prompt that it will shut down your computer. Click the OK button.
  9. When the computer has shut down, turn your computer back on.

The WinFixer/Vundo infection should now be cleaned from your computer. If you are still having a problem, please proceed to the next tool. This next tool should only be used if the instructions in Step 2 did not remove the infection.

  1. Download VirtumundoBeGone and save it to your desktop.
  2. Reboot your computer in Safe Mode with Networking.
  3. Then double-click the VirtumundoBeGone.exe file you just downloaded and follow the instructions.
  4. Exit when it has finished.

Symantec has released further information and removal instructions for this trojan:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.html.