
Firefox cannot load certain web sites (Vundo trojan)

A variant of the Vundo Trojan (Wikipedia) is known to cause Firefox to have problems loading certain web sites. Symptoms of this infection include:
  • Problems loading certain high-traffic sites, including Google, Yahoo, MySpace, Facebook, and more.
  • Affected sites load continuously, never displaying content.
  • Affected sites stop loading, display Done in the Status bar, and never display content.
Other web browsers may or may not be affected.

These symptoms are similar to those of other, more common problems, which may be resolved by following the Basic troubleshooting (Support.Mozilla.com) and Error loading web sites (Support.Mozilla.com) articles.

Most malware scanners do not automatically detect or remove this infection, so to confirm that it is present and get rid of it you will need to follow the instructions in this article and do it by hand.

This problem typically affects Windows XP. On Windows Vista, the following instructions might need to be modified slightly.

Preparation

First, download and prepare ListDlls (Technet.Microsoft.com):

  1. Download ListDlls.zip from Sysinternals (Microsoft Technet).
  2. Extract the contents of ListDlls.zip to C:\Temp\ListDlls. If you have a program you use to unzip files, use that. If not, use the Windows utility:
    1. Find the file you downloaded (ListDlls.zip) in Windows Explorer or on the Desktop, right-click on it, and select Extract All... from the context menu. The Extraction Wizard will open.
    2. In the Extraction Wizard, click in the Files will be extracted to this directory: field, and type C:\Temp\ListDlls. Then click Next.
    3. Make sure there is a check mark next to Show extracted files. Click Finish to close the Extraction Wizard. The C:\Temp\ListDlls folder will appear in Windows Explorer - leave it open.

Next, make a system restore point in case things go badly:

List system files

Next, run ListDlls to get a list of the DLLs loaded by every process on the system. Make sure Firefox is open for this step: ListDlls only reports files that are currently loaded, and the trojan's DLL is loaded into Firefox.

  1. Open the Windows Run window by clicking the Windows Start button and clicking Run... in the Start menu.
    See Restore the Run command in Vista (intelliadmin.com) to access the Run menu on Windows Vista.
  2. In the Run window's Open: field, type cmd and press OK. The Command Prompt will open.
  3. In the Command Prompt, type cd C:\Temp\ListDlls and press Enter.
  4. In the Command Prompt, type ListDlls > output.txt and press Enter. The program will run and write its list to output.txt instead of the screen.

Search for the infection

With the list of loaded files in hand, you can now search for the Vundo trojan. Its DLL is typically installed in C:\Windows\System32\ and usually has no version information associated with it. We'll use this to detect it:

  1. Back in the C:\Temp\ListDlls folder in Windows Explorer, there should now be a file called output.txt. Double-click it to open it in Windows Notepad.
    On Vista, you may need to open Wordpad as administrator and then open output.txt.
  2. Scroll through output.txt. Look for entries with an empty third column (Version) and C:\Windows\System32\ in the fourth column (Path).


    • It should be fairly obvious which entries meet these criteria - most entries have version information, and almost all entries in C:\Windows\System32\ have version information.
    • Make a note of the file names and paths (e.g. C:\WINDOWS\system32\qoMdBqqq.dll) - you can copy each matching line into another text file.

You should now have a list of files that are loaded from C:\Windows\System32\ with no version information. Now we need to determine which files are part of the Vundo infection:

  • Many (but not all) variants load at memory address 0x10000000, which is the default base address for a DLL built without a specific one. The memory address is the first column (Base) in output.txt.
  • The file names usually have 8 characters before the .dll.
  • The file names are strings of random letters, so they will typically not mean anything. In the example screenshot below, SynCOM.dll is not installed by the trojan.
    • A good way to check whether a file is legitimate is to type its name into a Google search and see whether it is associated with a legitimate program. If Google reports Your search did not match any documents, it's a good bet that the file was installed by the trojan: the names are generated per infection, so nobody else will have written about them. The reverse is weaker evidence - a name with search results does not by itself prove that the copy on your system is the genuine file.

In the example screenshot below, wntoqwdk.dll, lotlgcef.dll, and qoMdBqqq.dll are installed by the trojan, and the rest are legitimate.
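The heuristics above can be applied mechanically to the output.txt you saved. The script below is an added example, not part of the original page or of the ListDlls tool: it parses the Base, Size, Version and Path columns that ListDlls writes, keeps only modules loaded from System32 with an empty Version column, and reports which of the remaining indicators (base address 0x10000000, eight letters before .dll) each one matches. The ListDlls output embedded in it is constructed for illustration using the file names from the example above, not a real capture, and column widths vary between ListDlls versions, so the parser splits on whitespace instead of fixed columns. The web search check remains a manual step.

```python
"""Triage ListDlls output for Vundo-style DLLs (added example, not from the page)."""
import re

# Constructed sample of ListDlls output; not a real capture. Column order
# (Base, Size, Version, Path) is what the page describes.
SAMPLE_OUTPUT = """\
ListDLLs - DLL lister (constructed sample header)

------------------------------------------------------------------------------
firefox.exe pid: 1588
Command line: "C:\\Program Files\\Mozilla Firefox\\firefox.exe"

Base        Size      Version         Path
0x00400000  0x4a000   3.0.1.0         C:\\Program Files\\Mozilla Firefox\\firefox.exe
0x7c900000  0xb2000   5.01.2600.5512  C:\\WINDOWS\\system32\\ntdll.dll
0x7c800000  0xf6000   5.01.2600.5512  C:\\WINDOWS\\system32\\kernel32.dll
0x10000000  0x1e000                   C:\\WINDOWS\\system32\\qoMdBqqq.dll
0x00e00000  0x23000                   C:\\WINDOWS\\system32\\wntoqwdk.dll
0x01020000  0x1a000                   C:\\WINDOWS\\system32\\lotlgcef.dll
0x01a00000  0x0c000                   C:\\WINDOWS\\system32\\SynCOM.dll
0x01c00000  0x2b000                   C:\\Program Files\\SomeApp\\helper.dll
"""

PROCESS_RE = re.compile(r"^(\S+) pid: (\d+)\s*$")
MODULE_RE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(0x[0-9A-Fa-f]+)\s+(.*\S)\s*$")
VERSION_RE = re.compile(r"^(\d[\d.]*)\s+(.+)$")
# Only files directly inside System32 (no deeper subfolder) are candidates.
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)


def parse_listdlls(text):
    """Return one dict per module line: process, pid, base, size, version, path."""
    entries, process, pid = [], None, None
    for line in text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            process, pid = m.group(1), int(m.group(2))
            continue
        m = MODULE_RE.match(line)
        if not m:
            continue  # banner, header row, "Command line:" and blank lines
        rest = m.group(3)
        vm = VERSION_RE.match(rest)
        # An empty Version column leaves the path as the only remaining text.
        version, path = (vm.group(1), vm.group(2).strip()) if vm else ("", rest)
        entries.append({"process": process, "pid": pid,
                        "base": int(m.group(1), 16), "size": int(m.group(2), 16),
                        "version": version, "path": path})
    return entries


def triage(entries):
    """Map each suspect path to the list of indicators it matches.

    A module qualifies only if it has no version info and lives directly in
    System32; the other two indicators just raise confidence. A DLL loaded
    into several processes is reported once.
    """
    suspects = {}
    for e in entries:
        if e["version"] or not SYSTEM32_RE.match(e["path"]):
            continue
        stem, _, ext = e["path"].rsplit("\\", 1)[1].rpartition(".")
        reasons = ["no version info, loaded from System32"]
        if e["base"] == 0x10000000:
            reasons.append("base address 0x10000000")
        if ext.lower() == "dll" and len(stem) == 8 and stem.isalpha():
            reasons.append("eight letters before .dll")
        hits = suspects.setdefault(e["path"], [])
        hits.extend(r for r in reasons if r not in hits)
    return suspects


def ranked(suspects):
    """Most indicators first; ties are ordered by path so output is stable."""
    return sorted(suspects.items(), key=lambda kv: (-len(kv[1]), kv[0].lower()))


if __name__ == "__main__":
    # Run against a real file with: python triage.py < C:\Temp\ListDlls\output.txt
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for path, reasons in ranked(triage(parse_listdlls(text))):
        print(f"{len(reasons)}/3  {path}\n      " + "; ".join(reasons))
```

On the constructed sample this lists qoMdBqqq.dll with all three indicators, wntoqwdk.dll and lotlgcef.dll with two, and SynCOM.dll with only the first, which matches the page's own verdict that SynCOM.dll is legitimate and is the point at which the manual search step takes over.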


If you didn't find anything, you may not have this specific trojan infection. Run the scans suggested below in Clean up, and see Error loading web sites (Support.Mozilla.com) for more suggestions.

Remove the infection

Once you've determined which files are installed by the trojan, you can attempt to remove them:

  1. Close all your open programs.
  2. Open the Windows Run window by clicking the Windows Start button and clicking Run... in the Start menu.
  3. In the Run window's Open: field, type C:\Windows\System32\ and press OK. The C:\Windows\System32\ folder will open in Windows Explorer.
    • If you see a message that These files are hidden, click on Show the contents of this folder.
  4. Find one of the files you determined to be installed by the trojan in the list of files. Right-click on it and select Rename from the context menu.

  5. Type a new name, such as EVIL.1 or EVIL.2 and press Enter. The file will be renamed.
    • If you are not able to rename the file, see below.
  6. Repeat steps 4 and 5 for each file you found to be installed by the trojan.
  7. When all the files are renamed, click the Windows Start button, select Turn Off Computer, and click the Restart button. Your computer will restart.

Clean up

After your computer restarts, open C:\Windows\System32\ in Windows Explorer as above, find each of the files you renamed (EVIL.x), right-click on it, and select Delete from the context menu.

If the files wouldn't rename or delete

If you couldn't rename the files you found above, it is usually because they are still mapped into a running process, which keeps them locked. You can use MoveFile (Microsoft TechNet), which ships in the PendMoves package, to schedule them for deletion on the next system restart, before anything has a chance to load them.

  1. Download PendMoves.zip from Sysinternals (Microsoft Technet).
  2. Extract the contents of PendMoves.zip to C:\Temp\PendMoves. If you have a program you use to unzip files, use that. If not, use the Windows utility:
    1. Find the file you downloaded (PendMoves.zip) in Windows Explorer or on the Desktop, right-click on it, and select Extract All... from the context menu. The Extraction Wizard will open.
    2. In the Extraction Wizard, click in the Files will be extracted to this directory: field, and type C:\Temp\PendMoves. Then click Next.
    3. Click Finish to close the Extraction Wizard.

After unzipping PendMoves:

  1. Open the Windows Run window by clicking the Windows Start button and clicking Run... in the Start menu.
  2. In the Run window's Open: field, type cmd and press OK. The Command Prompt will open.
  3. In the Command Prompt, type cd C:\Temp\PendMoves and press Enter.
  4. In the Command Prompt, type movefile "C:\Windows\System32\<FILENAME>.dll" "" and press Enter:
    • Make sure you get the quotes in the right place - the path and file name should be surrounded by quotes, then there should be a space, then two quotes with nothing between them. That empty second argument tells MoveFile to delete the file rather than move it.
    • Make sure you replace <FILENAME> with the name of a file you noted above.
  5. Repeat step 4 for each file you noted above.
  6. When all the files have been processed, click the Windows Start button, select Turn Off Computer, and click the Restart button. Your computer will restart.

The files should be gone after your computer restarts.
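For readers who want to see what MoveFile does underneath, and to confirm that a deletion really was queued before rebooting, here is an added example that is not part of the original page or of the Sysinternals tools. It calls the same Win32 API MoveFile uses, MoveFileExW with the MOVEFILE_DELAY_UNTIL_REBOOT flag, which records the request in the PendingFileRenameOperations value under the Session Manager registry key; Session Manager carries the queued operations out early in the next boot, before user-mode programs (and therefore the trojan's DLL) are loaded. It assumes a Python 3 interpreter on the affected machine and an administrator command prompt; the System32 directory, the file names passed on the command line, and the registry value layout used by parse_pending_renames (source path, then destination, empty destination meaning delete, optional leading "!" on the destination meaning replace-existing) are stated here as assumptions for the example.

```python
r"""Queue locked files for deletion at reboot (added example, not from the page).

Sysinternals MoveFile with an empty destination calls the Win32 API
MoveFileExW(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT), which records the request
under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager in the
PendingFileRenameOperations value; Session Manager applies it during the next
boot. This script does the same directly and reads the value back so you can
check that the deletion is queued before restarting.
"""
import ctypes
import os
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4  # flag value from winbase.h
SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
SYSTEM32_DIR = r"C:\WINDOWS\system32"  # assumed location, as on the page


def schedule_delete_on_reboot(path):
    """Ask Windows to delete `path` at the next boot. Needs administrator rights."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is a Windows API; run this on the infected machine")
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    # A NULL destination together with DELAY_UNTIL_REBOOT means "delete", which
    # is the supported way to remove a file mapped into a running process.
    if not ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError()
    return True


def parse_pending_renames(values):
    """Decode the REG_MULTI_SZ list stored in PendingFileRenameOperations.

    Assumed layout: entries come in pairs, an NT-style source path ("\\??\\C:\\...")
    followed by the destination, which is empty for a delete and may carry a
    leading "!" when the move is allowed to replace an existing file.
    Returns (source, destination_or_None) tuples in plain Win32 path form.
    """
    def plain(p):
        return p.lstrip("!").replace("\\??\\", "", 1)
    return [(plain(src), plain(dst) or None)
            for src, dst in zip(values[0::2], values[1::2])]


def read_pending_renames():
    """Return the queued (source, destination) pairs; empty list if none are queued."""
    if sys.platform != "win32":
        raise OSError("the Windows registry is only readable on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER_KEY) as key:
        try:
            values, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        except FileNotFoundError:
            return []
    return parse_pending_renames(values)


if __name__ == "__main__":
    # Usage: python pendelete.py qoMdBqqq.dll wntoqwdk.dll  (names from your triage list)
    for name in sys.argv[1:]:
        schedule_delete_on_reboot(os.path.join(SYSTEM32_DIR, name))
    for src, dst in read_pending_renames():
        print("queued:", src, "->", dst or "(delete)")
```

If read_pending_renames shows your files with "(delete)" as the destination, the reboot will remove them; if the value is empty, the MoveFileExW call did not run with sufficient rights and the files will still be there afterwards.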

Search for additional malware

Once the files are deleted, follow up by scanning your system with an up-to-date malware scanner. Malware infections are rarely isolated incidents, and many have serious consequences for your system and your personal information.

More help

If you still have problems, visit the Firefox Support forum (Support.Mozilla.com). For quick help, post the list you made of suspect files above.

There are also specialized forums for malware removal, where you might be able to get more help:

You can undo the changes you made by following How to restore the operating system to a previous state in Windows XP (Microsoft Support), using the restore point you created before starting.
