Hey DJCheI recently found an article which states the actual way to remove Vundo... It helped me remove Vundo from the system in my Office... Hopefully it will help you too... I warn you, its a Loooong Step...
Step One: Turn off System Restore. (DO NOT SKIP)
The latest variant of Vundo loves to put an entry into the Restore folder.
In XP:
1. Click the Start button.
2. Right-click My Computer, and then click Properties.
3. On the System Restore tab, put the check in Turn off System Restore.
4. Click Yes, then OK.
In ME:
1. Click Start > Settings > Control Panel.
2. Double-click the System icon. (If the System icon is not visible, click View all Control Panel options on the left to display it).
3. On the Performance tab, click File System.
4. On the Troubleshooting tab check Disable System Restore.
5. Click OK. Then Yes to restart the computer.
Step Two: Look for Winfix in Add/Remove Programs and Program Files
1. Click Start, Control Panel. (In 98 and ME, Start, Setting Control Panel).
2. Double-click Add/Remove Programs icon.
3. Look for Winfix. If there, click remove, or change/remove, depending on the OS.
4. Once deleted, or if it is unable to delete it, navigate to the C:\Program Files directory and delete the Winfix Folder, if there.
Do not reboot.
Step Three: Download the necessary tools
NOTE: if you cannot get online in Normal mode in XP, go to Safe mode with Networking. XP Only.
First we need the removal tool from Symantec. It is located here:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
Then we need the Process Explorer tool. It is located here:
http://www.sysinternals.com/Utilities/ProcessExplorer.html
It is at the bottom of the page. Save both of them to the Desktop.
Step Four: Boot to Safe Mode
Restart the computer. Tap F8 at the Dell screen. Choose Safe Mode from the menu. DO NOT choose Safe Mode with Networking, unless you cannot get to Normal mode to download the tools as stated in step three.
Step Five: Removal process
1. Open the Symantec Vundo Removal Tool. DO NOT click Start! Move the window to the upper left corner of the screen so it is not blocked by the next tool.
2. Open the Process Explorer tool. Right-click the following processes and choose Suspend.
Explorer.exe
Winlogon.exe
rundll32.exe (may not be listed)
3. Once Explorer is suspended, you will not be able to open any programs because Explorer is required to do so. This is why we already opened the Vundo Removal tool.
4. Click the Start button on the Vundo removal tool. The tool should detect and remove the main Vundo components.
Step Six: Clean up
Run an Antivirus scan again. If any files are discovered, try to manually delete the found files. If you get Access Denied error, follow this process:
1. Write down the file name and the directory it lives in.
2. Boot to the Recovery Console.
NOTE: If 98, boot to Command prompt only by tapping F8 and choosing that. If ME, boot to the ME cd and choose Start computer without CDROM support.
3. Once at the prompt, type cd\ and press <enter>. This should put us to a C:\ prompt.
4. Navigate to the directory of the file that cannot be deleted. For example, if the file is in the system32 folder, type cd windows\system32 and press <enter>.
5. Once in the directory, we will need to remove the attributes on the file. We will use awvvs.dll as an example.
EXAMPLE: To remove all attributes on awvvs.dll, at the prompt we will type attrib -r -a -s -h awvvs.dll and press <enter>
6. Next we will rename the file. We will use awvvs.dll as an example again.
EXAMPLE: To rename awvvs.dll, at the prompt we will type ren awvss.dll awvss.old and press <enter>
7. Once we have renamed it, we simply type del awvss.old and press <enter> 8. At the next prompt, type exit. Take out the CD and let the system reboot. NOTE: If 98 or ME, press CRTL+ALT+DEL. Take out the CD.
Step Seven: Turn on System Restore and create a fresh restore point.
Just follow the reverse of Step One in this article to turn on System Restore. Once back on, click Start, Programs, Accessories, System Tools, System Restore. Put the dot in Create a Restore Point. Click Next.
Let us know if this helped DJ
Take Care and Good Luck,
Nick
Windows is not a Virus. Viruses actually DO something, where as Windows Do Nothing.
