Removing xxxxxxxx.dll Files Generated by Vundo

<< Vundo (VirtuMonde/VirtuMundo) - vtsts.dll Removal

<< Windows Tutorials - Herong's Tutorial Examples

This section provides a tutorial example of how to remove DLL files generated by trojan Vundo.

Of course, my friend called me a couple of weeks after I helped him on analyzing his adware infected Windows system. If you read previous sections of this chapter, you know that I was only able to identify that the infection was a Trojan Vundo. I was able to remove only some DLL files named with 8 random letters. His infection was not fully removed.

So I visited his Windows system again. After spending a couple of hours, I believe I did a full removal of a Trojan Vundo from his Windows system. Here are my notes that may help you if your Windows system gets a similar infection.

Symptom: My friend told me that the same behavior was still happening. Once a while, Internet Explorer will start a new window. That new window will run something for a few seconds causing CPU usage to go near 100%, then close itself.

HijackThis Findings: Running HijackThis and comparing the report with the report from my last visit, I saw new "O2 - BHO" line like this:

O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B}
   - C:\WINDOWS\system32\gidijvia.dll

File System Checking: Using File Explorer, I saw two suspicious DLL files:

>dir C:\WINDOWS\system32\*.dll
10/29/2006  09:34 PM            60,436 swcskmxu.dll
10/31/2006  09:59 PM            60,436 gidijvia.dll

IE Addon Checking: Looking at IE > Internet Options > Programs > Manage Addon, I found the gidijvia.dll entry.

Analysis: Trojan Vundo is hiding somewhere on the system. It keeps creating new DLL files. But these DLL files are having different file sizes, comparing to those I captured from my last visit:

10/02/2006  10:42 PM            86,068 fcissfvg.dll
10/03/2006  10:31 PM            86,036 lyssmlnb.dll
10/12/2006  09:52 PM            98,324 yjsallam.dll

My guess is that this Trajon Vundo is periodically going back to its base Website to get updates and produce different versions of DLL files.

Action: I repeated my partial removal process to remove these DLL files:

1. Zipped all 2 suspicious files into a zip file, bho_200611.zip, and tried to delete them:

>del C:\WINDOWS\system32\swcskmxu.dll
   (deleted)

>del C:\WINDOWS\system32\gidijvia.dll
   (not deleted because it is in use)

2. Closed all Internet Explorer windows and File Explorer windows, and ran HijackThis:

Find and check the gidijvia.dll in the log
Click the "Fix checked" button

3. Ran HijackThis again:

Go to Config >> Misc Tools >> Delete a file on reboot
Select file: C:\WINDOWS\system32\gidijvia.dll
Click Yes to reboot the system

4. Verified the following places:

HijackThis report: clean
C:\WINDOWS\system32 directory: clean
Internet Explorer add-on list: clean

Sections in This Chapter

What Is Trojan Vundo?

Partial Removal of Trojan Vundo

Detecting Trojan Vundo with McAfee VirusScan

McAfee VirusScan and

Instructions on Full Removal of Trojan Vundo

Removing xxxxxxxx.dll Files Generated by Vundo

What Is Vundo Related vtsts.dll?

Finding and Removing vtsts.dll Manually

Removing Trojan Vundo with FixVundo.exe from Symantec

Removing Trojan Vundo with VundoFix.exe from Atribune.org