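紫晶 2005-10-12 16:33:01
Recently my computer got plagued by winfix, so I had no choice but to buy Norton antivirus. The result:
Norton detected Trojan.Vundo but could not remove it. I went to Norton's website and downloaded fixvundo.exe, the tool made specifically to remove this virus, but it could not even find the infection.
Thanks to GGU for providing the links below, which led me to an effective method that quickly wiped out Trojan.Vundo: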

http://www.computing.net/security/wwwboard/forum/16663.html
http://forums.techguy.org/t406005.html

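I am posting the method here for anyone with the same problem to refer to:
I combined the methods of two users. nancyjo's steps are explained very clearly (see Number 48) and I followed them strictly, then added computerpunk's post (see Number 114), and it worked.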

I am in a really good mood now and happy to share this experience. I wish you all success!!


Number 48
Name: nancyjo
Date: October 08, 2005 at 06:02:38 Pacific
Subject: Trojan.Vundo Virus Unable Repair

Reply:
I fixed it on 2 computers last night.
1. Write down the name of the file. On one system it was mljjg.dll; the other was pmkjj.dll. My files were in the c:\windows\system32 folder; both XP systems.
2. Download and save to the desktop the VundoFix.exe program. Get it from http://www.atribune.org/downloads/VundoFix.exe. Double-click VundoFix.exe to extract the files. This will create a VundoFix folder on your desktop.
3. Reboot your computer into Safe Mode. Do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
4. Show all hidden files. Do this by: Right-click on start button, left-click Explore. Click Tools, then Folder Options. Click the tab labeled View. Scroll down to Hidden Files and Folder. Click the radio button that says Show Hidden Files and Folders; also, click to uncheck Hide Extensions for known file types.
5. UNREGISTER THE MALIGNANT FILE SO IT CAN BE DELETED. To do this click Start, Run. Type "command" or "cmd" in the box and click OK to open a DOS window. Change directories to c:\windows\system32. Do this by typing "cd c:\windows\system32" without the quotes. Then unregister the file. Do this by typing "regsvr32 {name of malignant file} /u". My entry was "regsvr32 mljjg.dll /u". Note: there is a space between the end of the filename and the /u. You should see a window confirming it was successfully unregistered. If it says it can't find the file, make sure you have unhidden files.
6. Delete the malignant file using VundoFix. Double-click to open the VundoFix folder and double-click on KillVundo.bat.
You will first be presented with a warning and a list of forums to seek help at.
It should look like this:
VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:
http://www.atribune.org/forums
http://www.247fixes.com/forums
http://www.geekstogo.com/forum
http://forums.net-integration.net
At this point press enter one time.
Next you will see:
Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
At this point please type the following file path (make sure to enter it exactly as below!): "C:\WINDOWS\System32\{malignant file.dll}" Mine was C:\WINDOWS\System32\mljjg.dll

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
Next you will see:
Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
At this point please type the following file path (make sure to enter it exactly as below!): C:\WINDOWS\System32\{reversename of the malignant file.*} Mine was C:\WINDOWS\System32\gjjlm.*

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

The fix will run then HijackThis will open.
In HijackThis, please place a check next to the following items and click FIX CHECKED:
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\mljjg.dll
O20 - Winlogon Notify: mljjg - C:\WINDOWS\System32\mljjg.dll

After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!

7. Turn system restore off and back on. Do this by clicking Start, Control Panel. Double click System. Click System Restore tab. Click to turn off System Restore on all drives. Restart your system. Re-enter Control Panel and click to uncheck the box to restart System Restore.

8. Once your machine reboots run a virus scan to remove any detected remnants.

NOTE: one of the two systems wasn't able to find HijackThis. I had used the program on that system before so I manually ran it and deleted out the two entries recommended above. If you need it, it can be downloaded from here: http://www.download.com/3000-8022-10227353.html

Number 114
Name: computerpunk
Date: October 10, 2005 at 02:46:38 Pacific
Subject: Trojan.Vundo Virus Unable Repair

Reply:
Hi, just to add what I know, I did manage to remove one instance by doing the following:
1 ) Download VundoFix. URL as below:
http://www.atribune.org/downloads/VundoFix.exe.
2 ) Boot into Windows Safe Mode.
3 ) Run VundoFix and unzip to another folder.
4 ) Run that KillVundo.bat
You'll be prompted for 2 paths.
The first path is the path of the infected file.
The 2nd path is the path of the infected file (with the name reversed).
e.g. infected file is C:\Winnt\System32\byxxv.dll
1st path will be C:\Winnt\System32\byxxv.dll
2nd path will be C:\Winnt\System32\vxxyb.dll
Thanks to the people who contributed especially NancyJo. :)
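
The pattern in the steps above (one DLL listed under both an O2 BHO entry and an O20 Winlogon Notify entry, plus a second path built from the reversed file name) can be checked against a saved HijackThis log. This is an added example, not part of the original posts or of VundoFix; the function names and the sample log (the two entries quoted in Number 48 plus a made-up O4 line) are assumptions.

```python
import re
from ntpath import basename, dirname, join, splitext

# Constructed sample: the two entries quoted in Number 48 plus an unrelated,
# made-up O4 line that must be ignored.
SAMPLE_LOG = r"""
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\mljjg.dll
O20 - Winlogon Notify: mljjg - C:\WINDOWS\System32\mljjg.dll
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
"""

# O2 = Browser Helper Object, O20 = Winlogon Notify.
# Both entry types end in " - <full path to a DLL>".
ENTRY = re.compile(r"^(O2|O20) - .*? - ([A-Za-z]:\\.+\.dll)\s*$", re.I)


def paired_dlls(log_text):
    """Return DLL paths that are loaded by both an O2 and an O20 entry."""
    seen = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        kind, path = m.group(1).upper(), m.group(2)
        entry = seen.setdefault(path.lower(), {"path": path, "kinds": set()})
        entry["kinds"].add(kind)
    return [e["path"] for e in seen.values() if e["kinds"] == {"O2", "O20"}]


def killvundo_paths(dll_path):
    """Build the two paths KillVundo.bat prompts for, as Number 48 gives them:
    the DLL itself, then the reversed base name with a .* wildcard."""
    stem, _ext = splitext(basename(dll_path))
    return dll_path, join(dirname(dll_path), stem[::-1] + ".*")


if __name__ == "__main__":
    for dll in paired_dlls(SAMPLE_LOG):
        first, second = killvundo_paths(dll)
        print("suspect DLL :", dll)
        print("first path  :", first)
        print("second path :", second)
```
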