vundoHow to fix it, how to avoid it.

Vundo, Tojan.Vundo, Virtumonde, Virtumondo, MS Juan:  These are the common names of  a Trojan (spyware or malware) that is known to cause popups and advertising for rogue antispyware programs, and even performance degradation and denial of service with some websites including Google and Facebook.

This annoying infection has been perplexing the security forums since January 2009.  Answers seem to be scarce.  Most detection software is not yet able to remove it.  However, you can remove it manually, and luckily for you, I have found where this Trojan lives and will tell you exactly how to kill it.  It isn’t hard. I will give you the steps.  Nothing here will cost you anything.  (The best malware programs are free anyway.)

Symptoms:
You are clicking on your search results and instead of going to the intended target, you are going everywhere else: Yahoo Hotjobs, Fake Anti-Virus sites, Second rate search sites, or you are getting Error 404 Page not found. You may also be seeing popups though popups are blocked.  You may also find Internet Explorer (iexplore.exe) running in your Task Manager as a backgound process, even though you have not opened it.

The bad news:
Chances are you have a virus and a Trojan, or several.  These are exploiting a vulnerability in Java in order to write a small script into the Firefox folder which constantly redirects your search results to infected servers which may be constantly loading more and more crap onto your drives.  Annoying for you, but profitable for the “black hat” script author who is likely recieving affiliate marketing revenue from the traffic he is diverting to these advertising websites.

The good news:
Most of these redirect scripts are not likely to do harm to your data or to steal your personal info.  This latest round just simply hijacks your search results making your life on the web miserable.

The short fix:
You will find this one living in the extensions folder of Firefox.  What you need to do is find the offending file, delete or encrypt it, then replace it with a blank dummy file.
Here are the steps:

  1. Navigate to: C:\Program Files\Mozilla Firefox\extensions\, look for a folder that is a string of letters, created around the time you began having the problem.  Something like “{BCB94CDD-5542-403F-9FB3-07D3DB1E9951}”
  2. Open the folder, and then open the folder called “chrome”, then “content”, and look for a file inside called overlay.xul (variants may have different names).
  3. Verify that it is the virus: does it have code similar to this: click to see code
  4. If you have found the culprit, delete the file  (or encrypt with Axcrypt which is reversible).
  5. Replace it with a blank text file with the same name and extension.
  6. Repeat the process – you may have multiple copies in multiple folders.
  7. Test: Go back to Google, try your search results again.
  8. If no redirects: Sing Hallelujah.

The better fix:
What you will do here is the short fix listed above, plus you will also run several Malware programs, remove all old versions of Java and download the new Java.  If that doesn’t cure your problem you may need to run some more serious software. Here are the steps:

  1. Do the “short fix” listed above.
  2. Remove old versions of Java by downloading  JavaRa and unziping it to your desktop.
  3. Double-click on JavaRa.exe to start the program and Click on Remove Older Versions.
  4. Download and install the latest version of Java (Most likely the first download you see here).
  5. Install Malwarebytes and SuperAntiSpyware
  6. Update them, run them, and delete all bad stuff.
  7. Shutdown, restart, run them again.
  8. If you are clean then test for redirects in Google.
  9. If no redirects: Sing Hallelujah.

If none of the above worked then you may need some expert guidance.  Fortunately you can get this for free:  Register on a Malware forum at one of the locations listed at the bottom of this post.  All of these forums have rules for posting, read them and follow them!  Do not follow advice given to others on any forums you may read.  All advice is given based on detailed analysis of every individual system.  Wait for an expert to evaluate your situation and provide you with specific advice.  All of these forums will ask for a HJT Log.  You can download HJT for free and watch a video about how to use it by clicking here.

Try these forums:

Sindri