Trojan.Vundo.H

Trojan.Vundo.H is a detection name for a harmful threat that was made to spread other kinds of malware. Trojan downloaders are small programs that can conceal themselves within other software such as freeware, shareware, key generators, and other executable files. Once Trojan.Vundo.H runs on the PC, it makes changes to the system, especially to the Windows registry.

Security programs such as anti-virus and firewall software can be rendered useless by Trojan.Vundo.H. It also disables any running processes that it considers relevant to security tools. With this capability, Trojan.Vundo.H can conceal itself on the computer, and users may not notice that the PC is already compromised.

As a downloader, this threat was designed to contact a remote computer to download other malware. Trojan.Vundo.H also executes the downloaded file without asking permission from the user. When it is not fetching an additional threat, Trojan.Vundo.H communicates with a remote server to download an upgrade for itself.

There are plenty of ways to safeguard the PC against this type of threat. Keeping away from unknown programs, cracked software, key generators, and other malicious files will prevent your PC from getting a Trojan.Vundo.H infection.

Characteristics:

Trojan.Vundo.H was made to deploy threats. It attacks the computer through security exploits it may find in the operating system, Internet browser, or any installed programs. Then, Trojan.Vundo.H opens a connection so that it can download other threats from the remote computer.

This threat is considered one of the most hazardous malware. Attackers behind Trojan.Vundo.H may drop malware on the compromised PC that can render it unstable or, worse, unusable.

Symptoms:

An alert from an effective anti-virus program is one visible sign that Trojan.Vundo.H is present on the computer. Most of the time, this Trojan operates discreetly in the background.

How to Remove Trojan.Vundo.H

1. Download Malwarebytes' Anti-Malware from this link and save it on your Desktop.
2. After downloading, double-click on mbam-setup.exe to install the application.
3. Follow the prompts and install with the default settings only.

4. Before the installation completes, make sure the following options are checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware

5. Click Finish. The program will run automatically and you will be prompted to update it before doing a scan. Please update.
6. Scan your computer thoroughly.
7. When scanning is finished, click on the Show Results button.
8. Make sure that all detected threats are marked, then click on Remove Selected.
9. Restart your computer.

Note: Some malware may prevent mbam-setup.exe from downloading and running. You can download this program on a different computer and rename it before running it on the infected system.

7 Comments

  1. Mike Howard

    I just downloaded and ran Malwarebytes to get rid of a client’s spywareguard 2008. It worked great on that. However, another client has trojan.vundo.h which Malwarebytes found but cannot get rid of. I tried to get rid of it manually, but the permissions are all locked up and I haven’t been able to get past it yet. I was able to delete the file in C:\Windows\system32\davclnt.dll, a vundo virus, but it comes back because I haven’t been able to also delete the lines in the registry because the permissions are also locked up.

  2. Terry Young

    Hi,

    Just had this trouble with a client computer, what a pain this thing is.

    These things usually ‘self heal’ and replicate, so, for example, if you kill off a file, a registry value or parallel running file recreates it from another location, and vice versa.

    If you find something that is locked, and you can’t get rid even in safe mode, I have found the easiest trick is to play it at its own game:

    1. Create empty text file(s) with the same name(s) as the affected file(s). Make read only, and put somewhere you remember ( I usually just put in c: ).

    2. Boot to either ‘recovery console’ (if NTFS HD) using XP Disk, or (if FAT32) to DOS using 98 Floppy.

    ( If FAT32 and you don’t have a 98 floppy – http://boot.oldos.net/boot98.exe )

    3. Navigate to, and delete the infected file.

    Finally copy the locked file with the same name into that location.

    You may need to do this a couple of times, but it has helped me out of a few permissions issues. Because you have locked the empty file, the bad stuff can’t recreate it.

    Once the cycle has been broken, things like Malwarebytes (excellent program) should be able to clean up.

    Hope that helps.

  3. ElstonOBG

    The way I found to clean out the trojan.vundo.H issue was to boot into safe mode and run malwarebytes.

  4. Jeff Schrembs

    Good first comments but this Trojan.Vundo.H LOCKS and prevents itself from being REMOVED/DELETED. Malware picks it up, then removes it, and after it restarts it is BACK AGAIN.
    This is a NASTY Virus and to those who get it…it will DESTROY your system. I am working on a solution and will check back for others as well. Going into “safe mode” does NOT help by the way.

  5. Randy

    Terry – you’re a genius. Why this didn’t dawn 5 years ago is beyond me. I’ve been working on a laptop infected with Vundo.h for several days. Most persistent malware I’ve seen. After reading your post, I used Malwarebytes to ID the .dll’s, then removed the hard drive and connected it up as an external device. As you suggested, I used Notepad to create identical dll’s, then made them read-only and replaced the infected files with my fake dll’s. Worked like a charm.

  6. Malibu Murray

    I unfortunately have this Trojan Vundo.H virus and it is giving me all kinds of trouble, as indicated in the previous responses from others. Malware locates it, but I am unable to delete any of the files, and they just keep replicating. And since I am a layperson, I am not understanding how exactly to create the fake dll’s. I am using Windows XP, which came installed, so I am not sure where the disk is. Can someone help me? This is my log:

    Malwarebytes’ Anti-Malware 1.36
    Database version: 2161
    Windows 5.1.2600 Service Pack 3

    5/20/2009 10:56:01 PM
    mbam-log-2009-05-20 (22-55-53).txt

    Scan type: Quick Scan
    Objects scanned: 7737
    Time elapsed: 26 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 5
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\wgipdzm.dll (Trojan.Vundo.H) -> No action taken.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f55da0ea-1432-4c11-a6d3-90037ded077c} (Trojan.Vundo.H) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rlntlxeh (Trojan.Vundo.H) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{f55da0ea-1432-4c11-a6d3-90037ded077c} (Trojan.Vundo.H) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{75emf55da0e8a-1432-4c11-a6d3-90037ded077cc} (Trojan.Vundo.H) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f55da0ea-1432-4c11-a6d3-90037ded077c} (Trojan.Vundo.H) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\windows\system32\wgipdzm.dll (Trojan.Vundo.H) -> No action taken.

  7. Mark

    I tried Terry Young’s technique of creating a locked, empty dll, but after reboot, found that the file still contained all the binary data, even though it showed as 0 bytes in Windows. After a bit of searching, I found another dll with identical binary, so I used the same technique on it. After reboot, both are empty.

    Malwarebytes still finds the offending registry keys, then schedules them for deletion upon reboot. Unfortunately, they won’t go away. I’ve tried deleting them manually from within Regedit, but it won’t let me delete them either.

    Any ideas? I don’t think the vundo thing is still running, since both dll files have nothing in them, but it would be nice to get rid of the registry keys and file pointer too.
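A scan log like the one posted in comment 6 can be triaged programmatically; the following is an added example, not part of any comment or of Malwarebytes itself, that parses such a log, lists every item the scanner left in place, and flags registry load points (Winlogon notification packages and Browser Helper Objects, which make Windows XP load a DLL automatically). The sample log is constructed, and its file name, CLSID and Notify subkey are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of a Malwarebytes' Anti-Malware 1.x log.
# File name, CLSID and Notify subkey are placeholders, not real indicators.
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\example.dll (Trojan.Vundo.H) -> No action taken.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\examplekey (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""

# "<path> (<detection name>) -> <action>."
ITEM = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

# Registry locations that cause a DLL to be loaded automatically (load points).
LOAD_POINTS = {
    r"\winlogon\notify": "Winlogon notification package (loaded by winlogon.exe)",
    r"\browser helper objects": "Browser Helper Object (loaded by Internet Explorer)",
}

def parse_log(text):
    """Return {section: [item dict, ...]} for every detection line."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":") and "->" not in line:
            current = line[:-1]          # e.g. "Registry Keys Infected"
            continue
        m = ITEM.match(line)
        if m and current:
            item = m.groupdict()
            item["load_point"] = next(
                (d for k, d in LOAD_POINTS.items() if k in item["path"].lower()), None)
            sections[current].append(item)
    return dict(sections)

def unresolved(sections):
    """Items the scanner reported but did not remove."""
    return [(s, i) for s, items in sections.items() for i in items
            if i["action"].lower().startswith("no action")]

if __name__ == "__main__":
    for section, item in unresolved(parse_log(SAMPLE_LOG)):
        print(f"[{section}] {item['path']} | load point: {item['load_point']}")
```
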
