I thought I'd start a new thread rather than tack this onto any of the other threads, many of them very helpful.

However. none of the offered solutions on their own worked - but my compound solution did work and I offer this to all frustrated individuals as I'm sure there are many. About 6 hours work, I'm afraid. Windows XP is assumed.

The software assists you will need to repeat my method are

  • VundoFix.Exe from Atribute

  • AVG Anti-Spyware
  • Note that HijackThis is

NOT required (thankfully). Read this through once before embarking on a step-by-step approach, so that you'll get the full picture of interdependencies.

Remove the hard disk(s) (HDD) concerned and place it in an external enclosure connected to an uninfected PC by USB. I'll assume it becomes drive F:.

On the external HDD with Windows Explorer go to windows\system32 sorted by date order. You will also need to look into windows\temp and F:\

Look for clumps of files created with the same date and time (within a second or two of each other). Files of interest are of type DLL, INI, SYS, DAT. Make a note of the dates/times for use elsewhere.

Particularly if these clumps have files with strange names such as MLLJH.DLL or TUVVstr.DLL and the DLL is around 261K (or I've seen 282K) size, then suspect these files. When you pass the cursor over any of these files, you are unlikely to see the name of any publisher (like Microsoft); this is another clue as the clump being dodgy.

If you've had a previous crack at Vundo with anti-spyware, you'll recognise the clumps as being around the time when you re-booted after your previous attempt. The trojan has reestablished itself and we're going to have to prevent this from occurring (see later - step 12).

Once you are reasonably satisfied that these clumps are dodgy, rename them - perhaps with a .junk extension added. Or, delete them (but that's at your risk if you've wrongly identified this clump as dodgy!). I deleted them. If a file refuses to be deleted from Windows Explorer with the Access Denied message, use the CMD command line to reach the file and rename or delete it. That's windows\system32 dealt with.

Now go to windows\temp and sort by date order. Look for files (usually /tmp) created at the same date and time as what you recorded in windows\system32. Apply the same approach as at steps (5) and (6) above.

Similarly F:\documents and settings\{username}\Local Settings\Temp. The files of interest here are WINxx.tmp. There may be a couple of thousand of them, including some at the date and times you noted, but at other times also. I suspected these only because there were some that met the date/time criteria, were unsigned, and, crucially, were not present on the uninfected PC.

You may be barred with Access Denied. In that case, the CMD method won't work either and you will have to deal with this directory back in the original PC/Laptop as I explain later.

Go to the root of the F: drive (C: on your PC). There will be at least one EXE file showing one (or more) of your date/time noted occasions. Make a judgement on this file using previously stated criteria and rename or delete it if you reach the appropriate conclusion. This file is what keeps the trojan going. In my case it was called Message.EXE. In a clean XP system there should be no .EXE files in the root of of your boot disk.

Hunt around Program Files and Windows directories for anything suspicious as per the above and deal accordingly.

Download the VundoFix.exe and AVG Anti-Virus software onto the F: drive for subsequent installation if not already installed.

Replace the HDD into your original PC and boot into SAFE MODE without networking. Go straight to C:\documents and settings\{username}\Local Settings\Temp and perform as at step (8).

Check into the directories first mentioned above and have a quick look for suspect files. I didn't find any (but they were there!) - but it's worth a look because if they're obviously there, you've been less successful than I was at this stage and what follows may not work unless you go back to step 1.

This is because there might be a memory resident trojan still running in your system and you simply can't get rid of it from the host (original) PC.

Assuming that all looks reasonable, install (as necessary) VundoFix.exe and AVG Anti-Virus. In SAFE MODE run VundoFix.exe; in all likelihood it will report a number of infected files, including VUNDO. Have VundoFix delete whatever it finds. Reboot your PC to normal Windows.

But you're not done yet - it isn't over.

On boot-up, immediately run AVG Anti-Spyware and let it remove whatever it finds (and it probably will).

If you run VundoFix.exe again, it'll probaby report MLLJH.DLL or similar as present in windows\system32. All I can say is that I couldn't see it there and I think it's just a cue to remind you to make a donation to Atribute for his continued good work!

Reboot normally and immediately run AVG Anti-Spyware. It should report CLEAN. If not, repeat from step 1.

This was the only way I could get rid of this awful trojan.

Hope it helps and thanks to all others who have provided advice that enabled me to put together the above combination (which I couldn't find described in this way).

9 Years
Discussion Span
Last Post by Suspishio

I should add that I wasn't concerned with the Registry because there was nothing of the malware to be found. I can/did clean that up later with appropriate software and I still have no idea whether the Registry carried anything in relation to Vundo!

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.