Vundo - Part 2

Remember that I wrote about my laptop being infected with trojan(s)? Well, I've cleaned the trojan from my laptop.

After several attempts using HijackThis and several other security tools failed, I was finally ready to give up, until someone proposed that I use Avira Antivirus. So I thought, why not, since I'd tried most of my security toolkits without any success.

The nice thing about Avira compared to Avast is that Avira can detect viruses, trojans, worms, etc. in .dll files while Avast can't (maybe Avast Pro can). But since Avira does not have a scan-during-reboot facility like Avast, it can't remove the trojans, although it can stop the trojans from taking over my laptop.

Anyway, that's fine with me. Then I reconfigured my IE not to accept ActiveX add-ons without my permission. Although it can't stop the current trojans, at least I know the bad 'things' will have a hard time getting into my laptop for a while.

Why couldn't I remove Vundo? It is simple. It sticks to Winlogon.exe like a parasitic plant sticks to a tree. Every time Winlogon.exe is launched (which means every single time you log in to your Windows XP, whether in normal boot or in safe mode), Vundo is also launched. The creator of Vundo is smart, I think, because it keeps changing the filename of Vundo each time it tries to make contact with the outside world. The firewall built into Windows will not care about this program since it uses the HTTP port to make a connection. As you know, most firewalls will not block the HTTP port unless you explicitly ask them to.

Then I came across the RegistryBooster version 2 program. It is a trial version, but it can detect unused registry keys, including registry keys used by Vundo. But the trial version can only remove 15 'bad' entries from your registry. I side-stepped the limitation by patching the software. But it can't totally stop Vundo. But I can live with it since Avira, RegistryBooster, Spybot S&D, Ad-Aware and HijackThis will make sure the trojans are confined in my laptop.

But still, when I'm doing something important, suddenly Vundo's message pops up. It's disgusting, not to mention that it pops up at unsuitable times (like when I'm teaching a security class. Can you imagine it, the security 'expert' has a trojan in his laptop). Suddenly my friend advised me to use Trojan Remover. At first it didn't remove Vundo because I hadn't stopped the IE and Explorer processes. So I tried a second time. Miraculously, it worked.

Now my laptop does not have any Vundo anymore. The software fixed my Winlogon.exe. Maybe I will consider buying the application as my appreciation for cleaning my laptop.

So, the final score is me 2 and Vundo 1. Bye bye Vundo. See you later.
