Trojan:W32/Vundo.HD, trojan.win32.agent.bbko, trojan.win32.zhelatin.ain, Fakeinit (Microsoft), dx trojan (McAfee)


Vundo.HD is a trojan that displays pop-up advertisements. The adware connects to a server and queries for advertisements to display.


Disinfection of the Vundo.HD trojan should be performed as follows:

  • Update to the latest virus definitions.
  • Perform a "Quick spyware scan".
  • Restart all disinfected computers.
  • Delete the following files:
    • \Documents and Settings\%username%\Local Settings\Temp\ntdll64.dll
    • %windir%\system32\dllcache\userinit.exe
  • Restore the file %windir%\system32\userinit.exe from a trusted backup source.
Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


The first time a system is infected, the trojan creates the following files:

  • \Documents and Settings\%username%\Local Settings\Temp\mousehook.dll
  • \Documents and Settings\%username%\Local Settings\Temp\ntdll64.dll
  • %windir%\system32\win32hlp.cnf
  • %windir%\system32\dllcache\userinit.exe

Note: %username% represents the user profile folder under "c:\Documents and Settings\" and %windir% represents what is typically "C:\WINDOWS\".The file ntdll64.dll is an LSP hijack component that works by inserting itself into the LSP stack and hijacking all winsock2 traffic going to and out of a machine.The files %windir%\system32\userinit.exe and %windir%\system32\dllcache\userinit.exe are known Windows files. They are both overwritten by the trojan.In addition, the trojan modifies the following file:

  • %windir%\system32\userinit.exe

The trojan uses several techniques to actively prevent the user from removing its files from the system. Even if the user does successfully remove the files in question, the trojan can restore them by using a Windows mechanism called the Windows File Protection (WFP). More information on this mechanism is available from Microsoft at


If the user attempts to remove the file ntdll64.dll without restoring the LSP stack, the action will break all network connectivity from within the machine. Users are advised not to manually delete this file; instead, use F-Secure products to perform this operation.

Date Created: -

Date Last Modified: -