What is Trojan.Vundo?
- Type: Virus
- Category: Trojans and viruses
- Discovered: 24 October 2008
- Removal tools: Malwarebytes' Anti-Malware, Spyware Doctor
1. Introduction
Trojan.Vundo is a Trojan that infects computers through exploits targeting older versions of Java. It is also known as VirtuMonde, VirtuMondo or Vundo. Once a PC has been taken over by this Trojan, the user sees a flood of pop-up windows from rogue anti-spyware software (such as WinAntiVirus Pro, Winfixer and SysProtect). Do not download or install any of these rogue security programs: they exist to deceive the user. The fake anti-spyware programs alert the user that the system is infected in order to persuade them to buy the full version of the program to remove the threats it claims to have found. Do not buy any of those programs!
VirtuMonde can also appear as a genuine-looking Windows balloon notice in the taskbar notification area, popping up every few minutes and becoming very frustrating. These balloon warnings tell the user that the PC is in danger and offer a rogue virus/spyware scanner, which will then claim that the system is infected.
Trojan.Vundo creates many hidden files on the system, as well as files with random names. The Vundo files may hide under different names on each infected computer, which is why removing a Vundo infection manually is so difficult.
The VirtuMonde virus can also be bundled with insecure applications, suspicious executable files or even screensavers.
2. Trojan.Vundo removal tools:
- Malwarebytes' Anti-Malware
- Spyware Doctor
3. HijackThis entries:
O2 Entries:*
O2 - BHO: (no name) - {10b50180-1dd2-11b2-8c6a-f7825a53f0e2} - C:\WINDOWS\fohsbwtk.dll
O2 - BHO: (no name) - {FD03C949-1F23-41EA-B53A-C31EE0154454} - C:\WINDOWS\system32\fccdefg.dll
O2 - BHO: CATLEvents Object - {CA5DDFAC-93D0-46B0-973E-D25832A0D119} - C:\DOCUME~1\[username]\LOCALS~1\Temp\cg.dat
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp**.tmp.dll
O2 - BHO: CIEPl Object - {F3727275-224F-4AB0-8642-7D461EFB82D8} - C:\WINDOWS\system32\okmuh.dll
O2 - BHO: PsapiAnalyzer Object - {320F26E1-8F10-4143-B433-B2DB14896D1F} - c:\WINDOWS\system\cmdnet.dll
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\system32\ddaya.dll
O2 - BHO: InfoDocReader Object - {A5B00A5B-073E-4246-AFF0-CCAE0D5BF6D1} - C:\WINDOWS\system32\tusqo.dll
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\system32\pmnnl.dll
O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINDOWS\system32\vturq.dll
O2 - BHO: WTLHelper Object - {BD6CD737-34E1-4864-8697-83EC081F1989} - C:\WINDOWS\system32\ddaby.dll
O2 - BHO: ADOUsefulNet Object - {80611854-49D7-47B4-9E5B-D8E56D77C6AB} - C:\WINDOWS\system32\awtqq.dll
O2 - BHO: MFCOptimizeClass Object - {C25FA7CE-23EA-4271-A66D-06C4D5C22F78} - C:\WINDOWS\system32\rqono.dll
O2 - BHO: DPCUpdater Object - {E291663A-2D6F-4B56-B9DF-AE239AEF6A5B} - C:\WINDOWS\system32\mlljg.dll
O3 Entries:*
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\hbalvvkt.dll
O20 Entries:*
O20 - Winlogon Notify: rqrqool - C:\WINDOWS\system32\rqrqool.dll
* These are examples of HijackThis entries related to the Vundo virus. File names and CLSIDs may differ for a particular instance.
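As an added example (not part of the original page), a small Python script that parses HijackThis O2/O3/O20 lines of the shape listed above and flags the warning signs this page describes: unnamed BHOs, files loaded from a Temp directory, non-DLL files registered as COM objects, and random-looking file names under C:\WINDOWS. The log lines are constructed from the patterns above; the "Acme" BHO and its CLSID are made-up placeholders standing in for a legitimate, named add-on, and the random-name check is a simple heuristic, not a signature.

```python
import re
# Constructed sample HijackThis lines in the shapes listed above (not a real log capture);
# the "Acme" entry and its CLSID are made-up placeholders for a legitimate, named BHO.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {FD03C949-1F23-41EA-B53A-C31EE0154454} - C:\\WINDOWS\\system32\\fccdefg.dll
O2 - BHO: CATLEvents Object - {CA5DDFAC-93D0-46B0-973E-D25832A0D119} - C:\\DOCUME~1\\[username]\\LOCALS~1\\Temp\\cg.dat
O2 - BHO: Acme Reader Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Acme\\AcmeHelper.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\\WINDOWS\\system32\\hbalvvkt.dll
O20 - Winlogon Notify: rqrqool - C:\\WINDOWS\\system32\\rqrqool.dll
"""

ENTRY_RE = re.compile(r"^(?P<code>O\d+) - (?P<kind>[^:]+): (?P<rest>.+)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def parse_entry(line):
    """Split one O2/O3/O20 line into code, kind, name, clsid (None for O20) and path."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("rest").split(" - ")
    path, clsid = parts[-1], None
    if len(parts) >= 3 and CLSID_RE.match(parts[-2]):
        clsid, parts = parts[-2].strip("{}").upper(), parts[:-2]
    else:
        parts = parts[:-1]
    return {"code": m.group("code"), "kind": m.group("kind"),
            "name": " - ".join(parts), "clsid": clsid, "path": path, "reasons": []}

def triage(entry):
    """Attach the Vundo-style warning signs described on this page to one entry."""
    low = entry["path"].lower()
    stem = low.rsplit("\\", 1)[-1].split(".")[0]
    if entry["name"] == "(no name)":
        entry["reasons"].append("unnamed BHO")
    if "\\temp\\" in low:
        entry["reasons"].append("loaded from a Temp directory")
    if not low.endswith(".dll"):
        entry["reasons"].append("non-DLL file registered as a COM object")
    # Random-looking name: a short run of lowercase letters under C:\WINDOWS (heuristic).
    if "\\windows\\" in low and re.fullmatch(r"[a-z]{5,8}", stem):
        entry["reasons"].append("random-looking filename in a Windows directory")
    return entry

def suspicious_entries(log_text):
    """Return the parsed entries that tripped at least one warning sign."""
    entries = filter(None, map(parse_entry, log_text.splitlines()))
    return [e for e in entries if triage(e)["reasons"]]
```

Running `suspicious_entries(SAMPLE_LOG)` flags four of the five constructed lines; the named "Acme" add-on in Program Files passes every check.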