VirtuMonde (Vundo) fix and its variants

   

Alias

Aliases of VirtuMonde (VirtuMundo), by antivirus vendor:

  • Vundo [McAfee]
  • Generic Downloader.s [McAfee]
  • Trojan.Vundo [Symantec]
  • Downloader [Symantec]
  • TROJ_DROPPER.KOZ [Trend Micro]
  • TROJ_MEREDROP.DY [Trend Micro]
  • TROJ_VUNDO [Trend Micro]
  • TROJ_DLOADER.LIJ [Trend Micro]
  • Trojan.DL.Small.ADIB [PCTools]

 

Information

Vundo is a trojan that displays advertisements and pop-ups and closes antivirus or antispyware software. It enters your system from a website or through spam email. It most commonly creates DLL files in your system, or .exe files such as install.exe, crack.exe and patch.exe, and most often attaches itself to explorer.exe or Winlogon.exe so that it is loaded at every system startup.

File

The virus places the following files in your system directory:

  • <System>\awturom.dll
  • <System>\cbxyxxu.dll
  • <System>\ljJDSIaY.dll
  • <System>\serial.exe
  • <System>\hgggdda.dll
  • <System>\cbxwvsq.dll
  • <System>\mljhebb.dll
  • <System>\readme.bat
  • <System>\jkkljjj.dll
  • <System>\install.exe
  • <System>\opnnopn.dll
  • <System>\RUNME.bat
  • <System>\winwim32.dll
  • <System>\efcabaa.dll
  • <System>\yayvsqn.dll
  • <System>\fccyaya.dll
  • <System>\2231.bat
  • <System>\awtrRLBt.dll
  • <System>\ljJYOhGv.dll
  • <System>\MSINET.oca
  • <System>\crack.exe
  • <System>\keygen.exe
  • <System>\patch.exe
  • <System>\vturr.dll
  • <System>\yayyaaw.dll
  • <System>\pmtqkmd.dll
  • <System>\nnnljih.dll
  • <System>\nnnllih.dll
  • <System>\iifefec.dll
  • <System>\jkklj.dll
  • <System>\pmnmjhe.dll
  • <Temp>*.bat

Other files in your root directory

  • autorun.inf
  • svchost.exe

 

Registry

Creates the registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B52C7EC-D1A3-4054-923C-DD12567F28B1}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B52C7EC-D1A3-4054-923C-DD12567F28B1}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fichier (where fichier is the name of the DLL file without its extension)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\00cd0861

Creates values:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B52C7EC-D1A3-4054-923C-DD12567F28B1}\InprocServer32]
    (Default) = "%System%\awturom.dll"
    ThreadingModel = "Both"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings]
    Time = 90 97 C9 1F 83 51 C8 01 00 00 00 00
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    {0B52C7EC-D1A3-4054-923C-DD12567F28B1} = ""
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awturom]
    Asynchronous = 0x00000001
    DllName = "fichier.dll"
    (Here fichier.dll is one of the files listed above; registered this way, fichier.dll is associated with Winlogon and starts with Windows.)
    Impersonate = 0x00000000
    Logon = "o"
    Logoff = "f"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\00cd0861]
    (Default) = "A1D522CFF6884ACC9AB61DE9E145D52B&"
  • [HKEY_CURRENT_USER\Software\Microsoft\Installer]
    (Default) = 38 4E 24 20 83 51 C8 01
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WR]
    cmd = ""
    version = "66"
    nextupdate = 0x4782B328
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    runner1 = "%Windir%\fichier.exe "
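An added example (not part of the original page or its patch): a Python script that reads registry-export text and lists what the three load points described above would start, resolving each ShellExecuteHooks CLSID to the DLL named in its InprocServer32 key. The sample export is constructed, and awturom.dll and install.exe stand in for the page's "fichier" placeholders.

```python
import re

# Constructed sample in `reg export` text format, modelled on the values listed
# above; awturom.dll and install.exe stand in for the "fichier" placeholders.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B52C7EC-D1A3-4054-923C-DD12567F28B1}\InprocServer32]
@="C:\\WINDOWS\\system32\\awturom.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0B52C7EC-D1A3-4054-923C-DD12567F28B1}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awturom]
"Asynchronous"=dword:00000001
"DllName"="awturom.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"runner1"="C:\\WINDOWS\\install.exe "
'''

HKLM = "hkey_local_machine\\software\\"
NOTIFY = HKLM + "microsoft\\windows nt\\currentversion\\winlogon\\notify\\"
HOOKS = HKLM + "microsoft\\windows\\currentversion\\explorer\\shellexecutehooks"
RUN = HKLM + "microsoft\\windows\\currentversion\\run"
CLSID = HKLM + "classes\\clsid\\"

def parse_reg(text):
    """Return {lowercased key: {lowercased value name: string data}}."""
    keys, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif cur is not None:
            m = re.match(r'^(?:@|"(?P<n>[^"]*)")="(?P<d>.*)"$', line)
            if m:  # string values only; dword/hex data cannot name a file
                cur[(m.group("n") or "").lower()] = m.group("d").replace("\\\\", "\\")
    return keys

def load_points(keys):
    """List (mechanism, entry, file) for the autostart paths named on this page."""
    found = [("winlogon-notify", p[len(NOTIFY):], v["dllname"])
             for p, v in keys.items() if p.startswith(NOTIFY) and "dllname" in v]
    for clsid in keys.get(HOOKS, {}):
        # A hook value is only a CLSID; the DLL is that class's InprocServer32 default.
        server = keys.get(CLSID + clsid + "\\inprocserver32", {})
        found.append(("shell-execute-hook", clsid, server.get("", "<unresolved>")))
    for name, data in keys.get(RUN, {}).items():
        found.append(("run", name, data.strip()))
    return found

def flag(found, known_names):
    """Keep entries whose file basename is in known_names (case-insensitive)."""
    known = {n.lower() for n in known_names}
    return [f for f in found if f[2].rsplit("\\", 1)[-1].lower() in known]
```

`reg export` writes UTF-16 text, so decode the file accordingly before passing its contents to `parse_reg`.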

 

ATTENTION

It is preferable to download this patch, decompress it on the desktop, reboot your PC in Safe Mode, and run the patch while still in Safe Mode.
Also take care if you visit a crack site that asks you to download a patch file or an install file before downloading the crack.

How to restart your PC in safe mode?

 
 

Latest fixes:

  • cftmonn.exe (ksven, Autorun.dhl)
  • sbsm.exe, softhomepage.com (sbsm.dll,sbmdl.dll)
  • Virtual Made (Virtual Maid.dll, http://www.searchmaid.com)
  • VirusHeat (VirusHeat 4.3.exe, VirusHeat.exe)
  • MonaRonaDona (srvspool.exe, registrycleaner2008.exe)
  • Noooh (Sys.exe, ComSys.dll)
  • NetSky (FVProtect.exe,FirewallSvr.exe,netstats.exe) and all its variants
  • Tavo.exe (tavo0.dll, tavo1.dll) and all its variants
  • Patty.exe (S0UNDMANS.EXE,1sasrv.dll,adsldps.dll,twain.dll,realsched.exe)
  • Kxvo.exe and all its variants
  • Kavo.exe and all its variants
  • VirtuMonde (VirtuMondo, Vundo, TROJ_VUNDO, TROJ_MEREDROP,DL.Small.ADIB)
  • Sohanad fix (SCVVHSOT.exe, svchost.exe) (W32.Imaut.A, TROJ_AUTORUN.AH, Worm.Sohanad)
  • SdBot fix (ctfmonn.exe) (Backdoor.SdBot, Sdbot.worm.gen.a)
  • Amvo.exe (3o.exe, y82td3td.com, i.cmd, fppg1.exe, ekugb3.bat...) and its variants other than already proposed here
 
 
COPYRIGHT (C) 2008 NET STUDIO, ALL RIGHT RESERVED