This section provides a tutorial example of detecting and removing trojan Vundo. The process described here only partially removes the trojan Vundo.
Based on what my friend told me, once a while, Internet Explorer will starts
a new window. That new window will run something for a few seconds causing CPU usage
to go near 100%, then close itself.
When I ran HijackThis, it reported this line:
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA}
- C:\WINDOWS\system32\yjsallam.dll
Starting from HijackThis report, I did the following to try to remove this Internet add-on program.
1. Looked at C:\WINDOWS\system32, and found the following suspicious files:
2. Looked at IE > Internet Options > Programs > Manage Addon, found the yjsallam.dll entry, and disabled it.
3. Zipped all 3 suspicious files into a zip file, bho_200610.zip, and tried to delete them:
>del C:\WINDOWS\system32\fcissfvg.dll
(deleted)
>del C:\WINDOWS\system32\lyssmlnb.dll
(deleted)
>del C:\WINDOWS\system32\yjsallam.dll
(not deleted because it is in use)
4. Closed all Internet Explorer windows and File Explorer windows, and ran HijackThis:
Find and check the yjsallam.dll in the log
Click the "Fix checked" button
5. Ran HijackThis again:
Go to Config >> Misc Tools >> Delete a file on reboot
Select file: C:\WINDOWS\system32\yjsallam.dll
Click Yes to reboot the system
6. Verified the following places:
HijackThis report: clean
C:\WINDOWS\system32 directory: clean
Internet Explorer add-on list: clean
The result seemed to be ok. But I knew that this was just a partial removal.
The virus was still on my friend's computer. It is hidden somewhere
and will create another trojan DLL file named with 8 random letters some time later on. Since I don't have any
software tool to find and remove the root of the virus, I told my friend to check C:\WINDOWS\system32 directory
regularly. If there are any new DLL files, dated after today, with 8-letter names, just call me for help.
Read other sections in this chapter on how to do a full removal of trojan Vundo.
