Delete Virtumonde

Virtumonde (also known as Vundo) is a high-risk adware infection with a heavy impact on system performance. It affects thousands of machines across the globe and is found on Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP, Windows Vista and Windows 7. Read this how-to to get rid of it.

Basic information

Virtumonde is a high-risk adware infection that exploits security flaws in the Windows operating system, primarily on Windows XP. It downloads and displays pop-up advertisements for commercial gain and is distributed by software companies as an illegitimate marketing channel. It usually blocks access to Windows Update, alters the structure of Windows Explorer and modifies registry entries, damaging the system and its ability to run efficiently. It typically arrives bundled with other software that carries the hidden adware component. Typical symptoms include new desktop icons appearing when no software was installed, and changed home pages and desktop backgrounds.

Steps

  1. Before anything else, create a restore point with System Restore (Start Menu > Programs > Accessories > System Tools > System Restore). It gives you a way back if the following steps break your Windows installation. Be aware that spyware and viruses do get captured in restore points and can reinstall themselves from one after the next reboot, so you may prefer to turn System Restore off and accept the risk of damaging Windows. A middle way is to create the restore point, copy its RPxxx folder out from under C:\System Volume Information, and then turn System Restore off; if Windows does get damaged, put the RP folder back on disk and restore from it safely.
  2. To get rid of the infection, download the latest anti-spyware, anti-adware or antivirus software, preferably Avast! Home Edition, Spybot S&D or Prevx CSI. ZoneAlarm Free Edition (a firewall) may help as well, and Malwarebytes Anti-Malware works well too. Scan the whole computer and quarantine any malicious files found.
  3. Once the tools are downloaded, disconnect the PC from the internet and stop using Internet Explorer.
  4. Delete the files reported by the anti-spyware scan (Prevx CSI, etc.).
  5. Restart the computer.
  6. Reconnect to the internet, go to the Windows Live OneCare website and run its scan. When it completes, restart the computer again.
  7. Run Windows Update and install the latest updates for your system.
  8. Scan the computer once more with all the programs from step 2 and Windows Live OneCare to make sure Virtumonde is gone.

If infection is serious

Do these steps if the previous ones did not help.

  1. If the effects persist, download VundoFix, Symantec's Trojan.Vundo Removal Tool, VirtumondoBeGone and ComboFix (a general-purpose malware removal tool used in step 9 below). Always download the latest version of ComboFix before scanning with it, and do not run it unless you are familiar with it: it can damage the machine and force you to roll back to a previously saved restore point to get it running again.
  2. Go offline: unplug the network cable, turn off the wireless card and switch off the modem. This is very important.
  3. Create a system restore point.
  4. Restart the computer into Safe Mode: start tapping F8 before the Windows logo appears and choose Safe Mode.
  5. Your antivirus and anti-adware programs may raise warnings about the removal tools; it is better to turn them off before the next steps.
  6. Start with VundoFix. Run the application and click Scan for Vundo. Scanning can take a long time depending on how many files are on the computer; the names of infected files appear in the white box. When the scan completes, click Remove Vundo and confirm with Yes, and removal begins. The application will ask for permission to restart the computer; click Yes. A report of the scan and of the deleted files is saved in C:\VundoFixBackups. When the computer restarts, boot into Safe Mode again.
  7. Next, run Symantec's Trojan.Vundo Removal Tool: click Start and follow the instructions. Note that this tool only handles older variants of Vundo (Virtumonde).
  8. Run VirtumondoBeGone. Click Continue and wait for the report.
  9. Run ComboFix. It begins by extracting its files; click Yes in the two windows that appear, and it starts scanning for and removing any Vundo (Virtumonde) infection. Do not move the mouse or do anything else while it runs. When the scan completes, the program opens a text file containing its report.
  10. Restart the computer and boot Windows normally.
  11. Scan the computer once more with all the programs from the basic steps and Windows Live OneCare to make sure Virtumonde is gone.
  12. If it is not, post the ComboFix report to a malware-removal help forum.
  13. See also the instructions for manual Vundo removal using the OSAM Autorun Manager: http://www.online-solutions.ru/en/how_to_remove_vundo_trojan_virtumonde.php

Advanced Instructions for Windows XP

The steps above may not work for everyone, because Virtumonde is very difficult to eradicate. The procedure below is a last resort before reloading the computer and losing all your programs and data.

  1. Download the Google Pack, which includes PC Tools Spyware Doctor (free edition).
  2. Install and run Spyware Doctor (or another antivirus program); it should detect Virtumonde.
  3. If it does, try "Fix". This will partially, but not completely, remove the infection.
  4. Physically disconnect from the internet (unplug the ethernet cable and, if you have Wi-Fi, turn off or disable the radio) and reboot.
  5. Run PC Tools Spyware Doctor (or the alternative program) again.
  6. If it still reports an infection, note the registry key locations it reports as infected, and write down the names of any .dll files associated with those keys.
  7. Run regedit (Start > Run > regedit) and search for the infected keys. Write down the names of any .dll files associated with them (they should include some of the files found in the previous step). The infected DLLs are typically loaded by an entry of the form "rundll filename.dll, s"; their names are 8 random characters and they live in Windows\System32.
  8. Delete the infected keys and exit regedit. Registry edits take effect immediately; there is nothing separate to save.
  9. Unfortunately, at least one or two of the infected DLLs will still be running and generating more infected DLLs and registry keys. Browse to \Windows\System32 (with hidden and system files shown in Explorer). You can try deleting or renaming the infected DLLs, but you will not be able to delete the ones that are currently loaded.
  10. To delete all of them, you will need to boot from a Windows XP install CD. (Neither normal Windows nor Safe Mode will let you delete a loaded .dll file; you get "Access denied" when you try.)
  11. Select the option to repair using the command-line Recovery Console.
  12. Select the infected Windows installation (e.g. C:\WINDOWS) and enter the computer's original Administrator password.
  13. Enter "cd C:\WINDOWS\System32".
  14. Use "dir filename.dll" to show each suspected DLL. Most DLLs will be old, but the infected ones carry the date of the infection and are hidden system files.
  15. Delete each infected file ("del filename.dll") or, if in doubt, rename it ("rename filename.dll newname1.dll"). I deleted the infected files with no ill effects, but deleting a file the OS actually needs could stop the system from working properly.
  16. Enter "dir *.dll" to review all the DLLs in the System32 directory. Write down any suspicious ones: files dated on the infection day with 8-random-character names. You may well find a few more that you were unaware of in the previous steps.
  17. Delete or rename the suspicious files as described above.
  18. Reboot normally and repeat steps 5 to 17 as necessary. It may take a couple of attempts, because Virtumonde keeps generating new files with random names and registering them in the registry and the System32 directory.
  19. If successful, you will be able to run your scanner (e.g. Spyware Doctor) several times in a row after rebooting without it reporting a new infection. Reconnect to the internet and celebrate!
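
The file and registry triage in steps 6 to 17 can be done offline, on a clean machine, against text captured from the infected one instead of by eye. The script below is an added example, not part of the original article or of any tool named above: it applies the article's indicators (an 8-random-letter .dll name in System32, a modification date on the infection day, hidden+system attributes, and a Run entry of the form "rundll32 name.dll,s") to a `dir /a` listing, an `attrib` listing and a regedit export of the Run key, and emits the Recovery Console commands for the files it flags. The sample captures, file names, registry value and infection date are constructed for the example; the line formats assumed are those of cmd.exe and regedit on Windows XP with a US locale.

```python
# Offline triage of Vundo/Virtumonde drop artifacts (article steps 6-17), run against
# `dir /a` and `attrib` listings of System32 and a regedit export of the Run key.
import re
from datetime import date, datetime

RANDOM_NAME = re.compile(r"^[a-z]{8}\.dll$")  # 8 random letters + .dll
RUNDLL_REF = re.compile(r'rundll(?:32)?(?:\.exe)?\s+"?(?:.*\\)?([\w-]+\.dll)"?\s*,', re.I)  # "rundll32 x.dll,s"
DIR_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(.+?)\s*$")  # XP, US locale
ATTRIB_LINE = re.compile(r"^([ARHS ]*?)\s*([A-Za-z]:\\.*?)\s*$")
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_dir(text):
    """`dir /a` output -> {name: modification datetime}; <DIR> rows do not match."""
    files = {}
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if m:
            files[m.group(4).lower()] = datetime.strptime(m.group(1) + " " + m.group(2), "%m/%d/%Y %I:%M %p")
    return files

def parse_attrib(text):
    """`attrib` output -> {name: set of attribute letters, e.g. {'A', 'S', 'H'}}."""
    attrs = {}
    for line in text.splitlines():
        m = ATTRIB_LINE.match(line.rstrip())
        if m:
            attrs[m.group(2).rsplit("\\", 1)[-1].lower()] = set(m.group(1).replace(" ", ""))
    return attrs

def parse_reg(text):
    """Decoded .reg export (real exports are UTF-16) -> [(key, value name, data)]."""
    values, key = [], None
    for line in text.splitlines():
        k, v = REG_KEY.match(line.strip()), REG_VALUE.match(line.strip())
        if k:
            key = k.group(1)
        elif v and key:  # .reg files double every backslash
            values.append((key, v.group(1), v.group(2).replace("\\\\", "\\")))
    return values

def triage(dir_text, attrib_text, reg_text, infection_day):
    """Sorted [(dll name, [reasons])] for files matching the article's indicators."""
    mtimes, attrs = parse_dir(dir_text), parse_attrib(attrib_text)
    loaders = {}  # dll name -> Run value that loads it through rundll32
    for key, value, data in parse_reg(reg_text):
        m = RUNDLL_REF.search(data)
        if m:
            loaders[m.group(1).lower()] = key + "\\" + value
    flagged = []
    for name, when in mtimes.items():
        if not name.endswith(".dll"):
            continue
        reasons = []
        if RANDOM_NAME.match(name):
            reasons.append("8-letter random name")
        if when.date() == infection_day:
            reasons.append("modified on infection day")
        if {"H", "S"} <= attrs.get(name, set()):
            reasons.append("hidden+system attributes")
        if name in loaders:
            reasons.append("loaded via rundll from " + loaders[name])
        # A Run entry loading the file is conclusive; any other single indicator is not.
        if name in loaders or len(reasons) >= 2:
            flagged.append((name, reasons))
    return sorted(flagged)

def recovery_console_commands(flagged, action="rename"):
    """Commands for the XP Recovery Console prompt (article steps 13-15); rename is reversible."""
    base = "C:\\WINDOWS\\System32\\"
    if action == "del":
        return ["del " + base + name for name, _ in flagged]
    return ["rename " + base + name + " " + name[:-4] + ".bad" for name, _ in flagged]

# Constructed captures (not from a real machine); the pop-ups started on 2008-11-03.
SAMPLE_DIR = r"""11/03/2008  09:12 PM    <DIR>          .
08/04/2004  12:00 AM           983,552 kernel32.dll
04/14/2008  03:22 AM         1,024,000 browseui.dll
11/03/2008  08:57 PM            62,464 qomlkhgf.dll
11/03/2008  08:58 PM            58,368 yayxywwu.dll
11/03/2008  09:01 PM           311,296 prnsvc32.dll
"""
SAMPLE_ATTRIB = r"""A           C:\WINDOWS\system32\kernel32.dll
A           C:\WINDOWS\system32\browseui.dll
A  SH       C:\WINDOWS\system32\qomlkhgf.dll
A  SH       C:\WINDOWS\system32\yayxywwu.dll
A           C:\WINDOWS\system32\prnsvc32.dll
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"qomlkhgf"="rundll32.exe C:\\WINDOWS\\system32\\qomlkhgf.dll,s"
"""
INFECTION_DAY = date(2008, 11, 3)

def run_sample():
    return triage(SAMPLE_DIR, SAMPLE_ATTRIB, SAMPLE_REG, INFECTION_DAY)

if __name__ == "__main__":
    for name, reasons in run_sample():
        print(name, "->", "; ".join(reasons))
    print("\n".join(recovery_console_commands(run_sample())))
```

Capture the three inputs on the infected box (`dir /a C:\WINDOWS\system32 > dir.txt`, `attrib C:\WINDOWS\system32\*.dll > attrib.txt`, and File > Export of the Run key in regedit; the .reg file is UTF-16, so decode it before passing it in), then run the script elsewhere. A name alone never flags a file: browseui.dll in the sample is a legitimate 8-letter DLL and is ignored, and prnsvc32.dll is ignored despite its infection-day date, while qomlkhgf.dll is flagged on the strength of the Run entry that loads it. Renaming rather than deleting is the safe default, as step 15 says: the Run entry can no longer load a renamed file, but it is still there if it turns out to be needed.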

Tips

  • Virtumonde is hard to get rid of. If you really cannot kill it, restore the system to a restore point from before there was any sign of the adware infection. You can open the restore utility via Start Menu > Programs > Accessories > System Tools > System Restore.
  • Stay protected all the time. Install firewall and antivirus software to guard against harmful files; Panda Software, Symantec's Norton Anti-Virus and AVG Free (a free security suite) are some of the many options.

Warnings

  • Be careful what you download and where you download it from. Unknown companies and freeware sites are prime distribution points for adware, so only download software from trustworthy sources.
  • You need to be comfortable editing the registry and using the command line; this process can damage your system if done incorrectly.
  • Be extremely careful with ComboFix. It can damage a computer and prevent it from starting.
