From Wikipedia, the free encyclopedia
Jump to: navigation, search
WikiProject Computing / Software (Rated Start-class, Low-importance)
WikiProject icon This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
Start-Class article Start  This article has been rated as Start-Class on the project's quality scale.
 Low  This article has been rated as Low-importance on the project's importance scale.
Taskforce icon
This article is supported by WikiProject Software (marked as Low-importance).
WikiProject Computer Security / Computing  (Rated Start-class, High-importance)
WikiProject icon This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
Start-Class article Start  This article has been rated as Start-Class on the project's quality scale.
 High  This article has been rated as High-importance on the project's importance scale.
Taskforce icon
This article is supported by WikiProject Computing (marked as Low-importance).

Who is responsible[edit]

What I don't see contained in the article is who is responsible for vundo. Whose life is at risk for creating this disease. That's all I want to know. I've found nothing (including vundofix) that will take this off my machine. NOTHING attacks the source. This virus has killed my computer and is killing the internet along with it. That's the real story that's not being told.-- (talk) 19:42, 10 January 2009 (UTC)

Have you tried getting help from sites like BleepingComputer, GeeksToGo, SpywareInfoForum and on and on. As for who made this abomination who knows. We all know WHY they made it, MONEY!!!PedroDaGr8 (talk) 03:52, 23 January 2009 (UTC)

It's true. The problem is that there are so many different versions of the trojan, and the newer ones seem to be immune to vundofix, and virus scanners as well. I've tried windows defender, nod32, and avg. All of them recognize that vundo is there, says it's been removed, I reboot, and it tells me the exact same thing. It appears that the only way to remove the newer vundo strains is to format. I too would like to know who wrote this, so I can use my tax refund check to fly to whereever this person is and castrate them myself. (talk) 18:13, 26 January 2009 (UTC)surge

I too came here looking for information about the person or company responsible for Vundo. Anyone have any ideas? (talk) 14:58, 30 March 2009 (UTC)


I've started correcting this article. Vundo is a trojan that drops programs like SysProtect/WinFixer but they are not the same. Some of the advice such as disconnecting from the internet or closing the browser through Alt+Ctrl+Delete is not correct. This trojan infects through an exploit in Java, not by users clicking on a popup window. The messages shown in the article occur only after the user is already infected. 05:42, 3 August 2006 (UTC)

25.06.08 what about just deleting hard drive and reloading windows would that not kill off infection? I know its drastic! PLEASE LET ME KNOW BEFORE I PUSH THE BUTTON! —Preceding unsigned comment added by Nc14990 (talkcontribs) 13:40, 25 June 2008 (UTC) Yes, reinstalling your Windows XP cd works, but make sure you backup everything you want. Make sure you have all your drivers on cd too, otherwise hardware may not work. —Preceding unsigned comment added by Amdrag568 (talkcontribs) 20:29, 7 July 2008 (UTC)

24 Aug 2010 I'd like to add the view that whoever thinks that the list of possible symptoms should be in prose format is incorrect. In my view, FWIW, this would be incomprehensible and neo-worthless in such a format. —Preceding unsigned comment added by (talk) 09:08, 24 August 2010 (UTC)


WinSoftware have today told me that it is the Smitfraud trojan that is responsible? 16:24, 20 August 2006 (UTC)

That's incorrect, Smitfraud is a different infection which also advertises anti-spyware products. 03:54, 21 August 2006 (UTC)


Wikipedia is an encyclopedia, not a tutorial. This is not the place to write your opinions on whether someone should or should not use HijackThis or what they should remove with it. 03:54, 21 August 2006 (UTC)

Bear with me in civility. Please define your terms? What is "an encyclopedia" (warning: I'm a librarian and the term "encyclopedia" is something with which I have more than passing familiarity) and why is a "tutorial" not relevant? Is it an opinion to rightfully inform someone of a problem and how they might fix it?

I suspect anyone defending obscuring information about removing malware. I ALSO suspect those who give advice (since they could be promoting installation of malware under the guise of being helpful).

I agree that promoting a certain version of any software can be seen as a POV violation. But I'm conflicted when I realize that the suggestion might be a valid one. You might want to suggest to the promoter of HijackThis to a) disclaim any affiliation with the producers, and b) explain in more objective detail why one might want to use HijackThis. I'm still investigating HijackThis and am leaning towards approving its use. -- Quartermaster 19:19, 6 September 2006 (UTC)

That doesn't matter. There are plenty of virus-removing programs out there. It does seem POV to explicitly mention one. Mo-Al 00:43, 7 September 2006 (UTC)
I can accept your point (explicit mention of a single program). Find it more useful to hash this out in TALK rather than getting in an edit/revert war anyhow. -- Quartermaster 18:11, 7 September 2006 (UTC)
Firstly, a tutorial is not relevent because Wikipedia's rules very clearly say that tutorials are not to be included in Wikipedia articles. Secondly, it's factually inaccurate to label HijackThis as a Vundo removal tool since HijackThis is not capable of removing Vundo. HijackThis can detect certain symptoms of certain variants of Vundo, but if you attempt to fix the entries in HijackThis, they will come back as soon as you restart your computer. 01:17, 1 October 2006 (UTC)

This last I'd describe as 'laughably untrue'... given that virus removal is my job, I run into Vundo every day, and use HijackThis all the time to get rid of it. Of course, you do need to use it properly to do so (ie: set the relevant dlls to be deleted on reboot, as files in use cannot otherwise be deleted by HijackThis), but other then that, a proper deployment of HijackThis kills Vundo dead. Endovior (talk) 07:42, 11 May 2008 (UTC)
For the record, there is a very clear policy at WP:NOT#HOWTO. (talk) 19:57, 10 January 2008 (UTC)

There's no mention in this article about Vundo slows down system performance!!! Shouldn't this be put in? Dbottino 23:31, 26 March 2007 (UTC)

Could we not just have multiple/all known removal tools listed? Is it not relevant and factual information to possibly include sites that are against it? Anything that can help get rid of malware I am for. That may be a point of view, but there is an agenda in everything on this website if only the agenda to spread knowledge. Readers can choose to use that information however they wish. -- 09:40, 22 May 2007 (UTC)

Claims that this or that tool can be used to remove Vundo would have to be properly cited according to the Wikipedia:Verifiability policy. -- (talk) 19:23, 17 May 2008 (UTC)

I have Vundo infecting my computer right now as I'm typing this. However, I have "disabled" it from causing popups. Just like Dbottino above, I am experiencing symptoms of system slowdown from it. paros (talk) 02:02, 10 December 2008 (UTC)

More symptoms of Vundo[edit]

I'm not sure if this is only a problem with my computer or all Vundo variants cause it, but I was infected by it. At random times it would start casuing floating point errors in various programs. It also did not allow me to install various programs such as NoAdware and Spybot (Although I'm not sure if this was caused by the floating-point problem). If anyone knows if this is a common Vundo symptom and can find a source for it elsewhere, can it be added? 20:43, 12 October 2007 (UTC)

I too have seen these floating point messages on my mother's computer, when it was infected. I think it also killed McAfee's antivirus which was installed at the time. It was removed with Microsoft (trial version of) OneCare, so I'd recommend it. --Nathanael Bar-Aur L. 21:44, 14 October 2007 (UTC)

Spynomore plug[edit]

From what I've seen of Spynomore it's a piece of crap. Under the removal section however a line says that Spynomore is the best option? As far as I know, Vundofix is that option. What's with the plug for spynomore? (As well as the lack of mentioning Vundofix in that section?) (talk) 19:33, 10 February 2008 (UTC)

Dealing with Vundo[edit]

I noticed there was no section for this in the Article, and I realise it cannot be for being a "Guide" and am thus putting in the TALK page to be done with as people please. This is a simple tiny guide that would make it so your computer is seemingly unaffected even when infected with Vundo. This is a temporary solution until you have enough money/the ability/parental permission/etc to remove Vundo. And yes, this is how I dealt with it while I was short the cash to get Norton 360:

It is quite simple really. Reboot with specific settings. Those of which being to not load any kind of java and anything that would open your internet explorer/firefox/etc upon reboot. Henceforth all you have to do is make sure not to ever use Internet Explorer(Or any such application) ever again. Any slowing down of your computer/popups/explorer.exe crashing/etc will not be present(Except by things that caused such before you became infected with Vundo). You simply cannot use Internet Explorer/etc on the infected computer ever again unless you want those problems to reappear until you reboot. (talk) 09:33, 13 May 2008 (UTC)HeartCard

Vundo injects itself into winlogin.exe and explorer.exe. Winlogin.exe is essential and runs even in Safe Mode. Don't know what your talking about. And once Vundo got on my system, it was excruciating slow; that is why I ran a Clamwin scan in the first place. —Preceding unsigned comment added by TechOutsider (talkcontribs) 00:53, 23 December 2008 (UTC)


For anyone that is thinking of adding removal instructions to the article, please see WP:NOTHOWTO. Wikipedia does not exist as a self-help manual. Bulbous (talk) 03:53, 2 September 2008 (UTC)

Then the whole article should be deleted... Remember many stumbles across it needing help and as such it should at the VERY least contain a link to HOW to remove it. So I say, that should be added. (talk) 13:35, 6 November 2008 (UTC)

No kidding. What a ridiculous rule to disallow removal instructions. So what next; should I go to the wikipedia page about arsenic and remove all references to poison control and what to do in an emergency? Get with it wikipedia. (talk) 05:10, 13 November 2008 (UTC)
Not only is the removal section against policy, the removal "guide" is complete nonsense. If you could provide a legitimate publication that described removal instructions, maybe you would have an argument. But so far, this is just someone's unverified opinion. We don't publish the opinions of some guy who thinks he removed the infection once. Bulbous (talk) 05:11, 21 December 2008 (UTC)
An article about a virus on wikipedia should probably include the following (Name, Creator, FirstAppearance, VirusMethod, Symptoms, RemovalHelp/links to help on removal). If the virus is worthy enough to be on wikipedia, then it's probably powerful enough to be a serious threat. Links to legitimate removal programs should definately present, and at least an overview of removal should be present, such as "vundo is a difficult virus to remove on account of it changing its name, and editing parts of the registry"
I also have serious doubts about the moral alignment of anyone who seriously believes that information on how to remove a virus should not be present on a site telling you everything else about said virus. TwigsterX (talk) 20:29, 22 January 2009 (UTC)

Java Exploit[edit]

Why does the article say it's a java exploit? It is a trojan, and infects systems by exploiting a number of different things. It originally was spread by exploiting the Internet Explorer IFRAME Remote Buffer Overflow, as mentioned here (link is already on the page). You can certainly be infected with newer versions of java which do not have the referenced buffer overflow; it's simply not Java specific, and a reference to a page that says java once had a problem is sort of vague as well. The link above (on symantec's site) is certainly a much better citation. -- (talk) 17:37, 9 December 2008 (UTC)

Agreed. I am not aware of any evidence this is a Java issue. The Symantec Vundo article points to a completely different CVE entry. I vote for removal of "Java related" information. --BSD Daemon (talk) 22:25, 6 January 2009 (UTC)

More technical detail[edit]

Being an encyclopedia, this article should describe precisely (using highly technical language) how the Vundo trojan infects a computer and then how it loads and renames DLLs. Perhaps someone should contact atribune, the author of VundoFix, and have him describe how this malware "attaches" itself to LSASS and WINLOGIN and does other things like set permissions in Internet Explorer. We could add his words to this article.

However, I agree with everyone above that Wikipedia should not contain fixes for malware. An encyclopedia is a technical document, it is not a helpdesk, and it is not a repository of computer tutorials. paros (talk) 02:54, 10 December 2008 (UTC)

The Vundos I've seen (dozens so far): 1. Have names like guvebosa.dll, etc. always 4 consonants alternating with 4 wovels. 2. Their creation date is faked, or, lately, completely missing. 3. VirusTotal, the web service where uploaded files are virus checked by dozens of major virus scanners, usually has only a few of the scanners identify them; there are just too many variants and scanners are way behind, even heuristic detection. 4. One possible removal: use System Restore and roll back the PC to its pre-infection state.


Where is the proof it DDOS's all my previous infections I never noticed it was excessively trying to DDOS *ANY* webiste. The edit that it attacks 4chan, which was added today, I seriously question. I think many of these portions need to be edited out. Dewdude (talk) 16:23, 11 May 2009 (UTC)

I'ts been a problem for 4chan the past week or so [1]. Probably not notable enough to belong in the article though (talk) 21:06, 11 May 2009 (UTC)

DDoS means "Distributed Denial of Service" or in this case DoS (Denial of Service) so what it'll do is not let you into the site, this doesn't mean that the virus will bring down a site, it just won't work for you... and the 4chan thing was something else... --3lt3ponz3r (talk) 02:54, 2 July 2009 (UTC)

Wikipedia is an Encyclopedia[edit]

Wikipedia is an Encyclopedia; not a self-help tool, or removal guide. I'll be doing some editing soon..Screen317 (talk) 23:46, 9 July 2009 (UTC)

Is a healing help on and a mention of it in article acceptable? (I understand the rules, but they are being blatantly violated in other articles, so I don't really understand the extreme prejudice here, especially if it is information useful to reader) --Xerces8 (talk) 12:44, 25 January 2010 (UTC))

Merge VundoFix into here[edit]

I'm proposing that the article VundoFix be merged into this one. Frankly, I don't think VundoFix has any notability independent of Vundo itself. Certainly, the content currently there belongs in this article. —/Mendaliv//Δ's/ 21:32, 17 November 2010 (UTC)

Yes, please merge. --Pnm (talk) 02:20, 25 December 2010 (UTC)

I would merge it so that people have a resource to fix their Vundo's. I've used VundoFix to save my computer. — Preceding unsigned comment added by (talk) 19:28, 10 July 2011 (UTC)

Pro --Arno Matthias (talk) 14:31, 16 April 2011 (UTC)
Against The VundoFix article does not add any value to this article and should be considered for deletion instead. --Hm2k (talk) 08:42, 11 July 2011 (UTC)