Virtumonde/Vundo/Winfixer/MSEvents/ATLDistrib/WTLHelper Infection Removal
This post will show you how to identify and remove the Virtumonde Infection.
Before we continue with this guide, you must have HijackThis installed. If you already have HijackThis, skip this bit and carry on. If you do not have HijackThis, follow the instructions below to download and install it.
Download HJTsetup.exe (the HijackThis installer) and save the file to your Desktop!
- Double click on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the "Select Additional Tasks" dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the "Do a system scan only" button and HijackThis will scan your computer.
- Once completed, leave HijackThis open.
IMPORTANT
Lately, the Vundo infection has been hiding itself from HijackThis. You will know when Vundo is hiding because there will be NO O2 entries present (and possibly no O20 entry) in your HijackThis log. If this is the case, then you need to rename HijackThis.exe to Scanner.exe and run another HijackThis scan. You will now see the O2 and O20 entries appear.
If you need help with this step, please create a new thread in the Spyware & Virus Removal forum.
Please carry on with the rest of the instructions.
IDENTIFICATION AND REMOVAL
Each O2 entry will have a corresponding O20 entry, and both entries will reference the same file name. This pairing is the giveaway that you have the Vundo infection.
Entries to look for in the HJT log that identify the infection:
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\rqrqo.dll
O20 - Winlogon Notify: rqrqo - C:\WINDOWS\system32\rqrqo.dll
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\mljjh.dll
O20 - Winlogon Notify: mljjh - C:\WINDOWS\system32\mljjh.dll
You may see several entries with (no name). On its own this does not indicate the Vundo trojan, but if you see a 5-character DLL name like the one below, then suspect the infection.
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\awtqq.dll.
O20 - Winlogon Notify: awtqq - C:\WINDOWS\SYSTEM32\awtqq.dll
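As an added example (not part of the original post, and not code from the HijackThis or VundoFix tools), the Python script below applies the two identification rules above to HijackThis log text: it pairs each O2 BHO entry with an O20 Winlogon Notify entry that references the same DLL, and it separately flags 5-letter DLL names. The log lines it scans are constructed for the example from the entries shown in this guide, plus benign entries (a placeholder CLSID and path for a normal BHO, and the standard crypt32chain notify entry) to show what is not flagged; a (no name) BHO with a normal file name is deliberately left unflagged, as the guide says.

```python
import re
import ntpath

# Constructed sample log: the guide's own Vundo entries, one with the stray trailing
# period exactly as it appears in the post, plus benign entries with placeholder
# CLSIDs/paths so the rules can be seen ignoring them.
SAMPLE_HJT_LOG = r"""
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\rqrqo.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\awtqq.dll.
O2 - BHO: Example PDF Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\PdfHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Example\toolbar.dll
O20 - Winlogon Notify: rqrqo - C:\WINDOWS\system32\rqrqo.dll
O20 - Winlogon Notify: awtqq - C:\WINDOWS\SYSTEM32\awtqq.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# An O2 line: "O2 - BHO: <name> - {<CLSID>} - <path to dll>" (optional trailing period).
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+?\.dll)\.?\s*$",
    re.IGNORECASE,
)
# An O20 line: "O20 - Winlogon Notify: <registry key name> - <dll>".
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?\.dll)\.?\s*$",
    re.IGNORECASE,
)


def parse_hjt_log(log_text):
    """Split HijackThis log text into O2 (BHO) and O20 (Winlogon Notify) records.

    Each record carries 'file', the lower-cased DLL basename, so that the
    system32 / SYSTEM32 spelling difference seen in the awtqq entries does not
    stop the O2/O20 pairing.
    """
    bhos, notifies = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append({
                "name": m["name"],
                "clsid": m["clsid"].upper(),
                "path": m["path"],
                "file": ntpath.basename(m["path"]).lower(),
            })
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append({
                "key": m["key"],
                "path": m["path"],
                "file": ntpath.basename(m["path"]).lower(),
            })
    return bhos, notifies


def looks_like_random_name(filename):
    """The guide's second rule: a 5-letter DLL name such as rqrqo.dll or awtqq.dll."""
    stem, ext = ntpath.splitext(filename)
    return ext.lower() == ".dll" and len(stem) == 5 and stem.isalpha()


def find_vundo_indicators(log_text):
    """Return one finding per BHO that matches either of the guide's two rules."""
    bhos, notifies = parse_hjt_log(log_text)
    notify_files = {n["file"] for n in notifies}
    findings = []
    for bho in bhos:
        reasons = []
        if bho["file"] in notify_files:
            reasons.append("same DLL is registered as an O2 BHO and an O20 Winlogon Notify")
        if looks_like_random_name(bho["file"]):
            reasons.append("5-letter DLL name")
        if reasons:
            findings.append({"file": bho["file"], "name": bho["name"],
                             "path": bho["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_vundo_indicators(SAMPLE_HJT_LOG):
        print(f"SUSPECT {finding['path']}: " + "; ".join(finding["reasons"]))
```

Run it on a saved HijackThis log by replacing `SAMPLE_HJT_LOG` with the file's contents; the (no name) BHO with a normal file name and the crypt32chain notify entry produce no finding, while both rqrqo.dll and awtqq.dll are reported under both rules.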
==============================================================
If you have identified the infection, then proceed with the fix:
The Fix
Please download VundoFix.exe to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files; click YES.
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
- Please post the contents of C:\vundofix.txt and a new HiJackThis log.
==============================================================
If you require assistance with removing this infection, then please do not hesitate to start your own thread in the Spyware & Virus Removal forum. Post your HijackThis log and VundoFix.txt report (if you ran VundoFix) and someone will help you out as soon as possible.