Vundo.HD is a trojan that displays pop-up advertisements. The adware connects to a server and queries for advertisements to display.
Disinfection of the Vundo.HD trojan should be performed as follows:
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The first time a system is infected, the trojan creates the following files:
Note: %username% represents the user profile folder under "c:\Documents and Settings\" and %windir% represents what is typically "C:\WINDOWS\".The file ntdll64.dll is an LSP hijack component that works by inserting itself into the LSP stack and hijacking all winsock2 traffic going to and out of a machine.The files %windir%\system32\userinit.exe and %windir%\system32\dllcache\userinit.exe are known Windows files. They are both overwritten by the trojan.In addition, the trojan modifies the following file:
The trojan uses several techniques to actively prevent the user from removing its files from the system. Even if the user does successfully remove the files in question, the trojan can restore them by using a Windows mechanism called the Windows File Protection (WFP). More information on this mechanism is available from Microsoft at http://support.microsoft.com/kb/236995.
If the user attempts to remove the file ntdll64.dll without restoring the LSP stack, the action will break all network connectivity from within the machine. Users are advised not to manually delete this file; instead, use F-Secure products to perform this operation.