We use cookies to ensure that we give you the best experience on our website. By continuing to browse, we are assuming that you have no objection in accepting cookies. You can change your cookie settings at any time.

BullGuard Ondersteuning

We zijn hier om u te helpen 24/7


E-mail ons ondersteuning team en we komen binnen 24 uur bij u terug


 

 

How to remove Trojan.Vundo.DMA



THREAT NAME

Trojan.Vundo.DMA

 

 

CLEAN INSTRUCTIONS

1. Go to Start, Run type regedit and press OK.


2. Go to Edit > Find and type: {8A61098D-612B-4EF2-943D-64E920684061}, then press OK.


3. You should encounter a key like this:


HKEY_CLASSES_ROOT\CLSID\{8A61098D-612B-4EF2-943D-64E920684061}


Go to InProcServer32 and copy down the value. It should be something like this:


C:\Windows\System32\yayvwxu.dll


4. Open Notepad and write:


del C:\Windows\System32\yayvwxu.dll

 

(replace this with the name of the file that you have written down earlier)

Go to File > Save, and for the File type select All files. Save it in the root of the C:\ drive with the name remove.bat.


5. Open regedit, navigate to the key:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

Double-click on System and write the value C:\remove.bat.


6. Now restart the computer.


When Windows starts, open Windows Explorer and see if the file was deleted.


If it was, open regedit, go to Edit > Find and run a search for the key:


{8A61098D-612B-4EF2-943D-64E920684061}


Delete any entry that is found.


7. Delete the file:


C:\Documents and Settings\User\Local settings\Temp\removalfile.bat


8. Run a full system scan with BullGuard.


SYMPTOMS

1. Presence of the file removalfile.bat in the current user temporary folder:


C:\Documents and Settings\User\Local settings\Temp\


2. Increased network activity.


3. Unknown processes may appear in the Task Manager.



DESCRIPTION

1. Drops a .dll file with a random name in the system folder (e.q: C:\Windows\System32\yayvwxu.dll).


2. It injects itself in the running processes.


3. Creates a .bat file in the current user temp folder in order to delete itself.


C:\Documents and Settings\User\Local settings\Temp\removalfile.bat


4. Adds several registry keys that are pointing to:


HKEY_CLASSES_ROOT\CLSID\{8A61098D-612B-4EF2-943D-64E920684061


5. It tries to establish a connection to download and execute a file from 65.243.103.80.



Author:
The BullGuard Team