Note: use at your own risk. I make no guarantees.
Vundofix requires some manual entries in order to work. It also has to be used properly. Just running it probably won’t clean vundo (and I’m not sure if it’s even designed to detect it – just clean it).
To see if it’s vundo, look for the O20 entries in the hijackthis log. It should have something like this:
O20 - Winlogon Notify: jkkli - C:\WINDOWS\system32\jkkli.dll
The name of the file and the location will be random, but it will consist of five characters and a .dll extension. The file will also show up in your O2 items.
Write down the name and path given for the entry. Also, write down the path and reverse the letters in the file. Use a star extension. In this example, then it’d be:
C:\WINDOWS\system32\ilkkj.*
Now, go to http://www.atribune.org/downloads/VundoFix.exe and download the file. Save it to your desktop and click on it. A new folder will appear on your desktop.
Restart the computer in Safe Mode. Open the vundofix folder and click on KillVundo.bat.
At the first prompt, put the path to the file you found on Hijackthis O20 entry.
At the second prompt, type the path to the reverse-named file with the *.
Vundofix will remove the file. It will then run hijackthis. Put a check by the O20 and O2 entries that have the name of the file (not reversed).
Next, turn off your computer by pressing the power button and holding it in (do not shutdown normally). Restart and run hijackthis. The vundo entries will probably still be there, but they should have “(file missing)” beside them. Use Hijackthis to remove these and you should be fine.