Virtumonde Removal Tools and Guide

In the eyes of most PC users adware virtumonde is a common spyware that displays ads in a highly aggressive way. But this is only one side of the medal, the visible part of the malware. Inside, it's a demon.

Depending on security lab, Virtumonde trojan has been attributed high, elevated or critical levels of danger. This is not a common case in the world of IT security, so there must have been substantial reasons why this malware (alternatively known as Vundo) still received a good portion of attention on the part of anti-malware software makers.

Virtu monde modifies the Windows Internet connection settings and displays various pop-up advertisements, such as those of fake antispyware programs (including, but not limited to Antispyware Master, Sysprotect, Storage Protector).

This parasite adheres itself to critical Windows system processes (Explorer and Winlogon) which makes it hard to fight the infection using conventional methods.

Virtumondo exploits vulnerabilities in Sun Java. Whenever computer restarts, the malicious files are recreated. There's no surprise that Internet Exlorer is affected by this virus; MS native browser has always been known for its vulnerabilities. Unfortunately, both Mozilla Firefox and Opera browsers (regarded as more secure than IE) are not virtumonde-resistant.

This malware is known under different names depending on security lab that classified it.

• Downloader.Virtumonde.G
• Spyware/Virtumonde
• Trojan.Virtumod
• Trojan:Win32/Vundo.A
• Trojan.Downloader.Virmo-3
• Trojan.Downloader.Virtumonde.F

The Trojan Virtumondo generates a random .DLL once executed, and then it's capable of stopping security programs, and also infects system processes (e.g. Winlogon). The trojan ensures its active presence in the infected system by adding registry keys to auto-start every time the computer is restarted.

Some variations of malware collect serial numbers of hard drives and report these data in encoded form to its servers. If the infected system is a Virtual Machine, then the virus behaves without any signs of its presence. But if the system is real, then its starts displaying adware, warning messages to scare the user into bying something that allegedly would repair the infection. Despite the months of malware activity passing by, innocent victims fall for the scam and pay for fake antispyware products. Of course none of them can remove it because those rogue security programs make part of the malware.

This malicious evil is hard to remove since it changes its files, and executes itself automatically with Windows reboot. There are not that many unremovable trojan horses like this one.

It's easy to tell when your PC has been infected with this type of malware - endless loop of pop-ups will tell you the adware is there.

Web browser will start showing unrelated ads claiming there's system deterioration detected and offering a fix for it.

Desktop backgroun (a.k.a. desktop wallpaper) will be changed to an image threatening with system infection. Screensaver will be changed to a blue screen. Attempts to change the wallpaper and screensaver will be unsuccessful because the malware changes Registry values to hide tabs of Desktop Properties window.

Virus can go further and disable both Task Manager and Registry Editor, thus preventing the user from removing its registry keys or stopping the malicious process.

Trojan can also disable the Windows Security Center control panel because it either replaces WSC with a fake imitation to promote some counterfeit security program, or simply blocks access to this essential part of  Windows security administration. In both cases, the trojan takes full control over Windows security applets.

Additionally, desktop icons and taskbar may disappear to make user experience still more frustrating.

In brief, this pesky parasite goes to great lengths to ensure it may resist almost all attempts to clean it out of the infected computer.

Hard drive may start spinning consistently because of Winlogon process accessing the disk.

Internet connection stability may be affected as well. Web browsers may be redirected to unwanted sites; on the contrary, certain websites my not load fully, or may freeze.

Before getting to the list of removers, it's important to describe why this malware is so hard to get rid of.

Some antiviruses successfully remove parts of the infection, but miss the hidden DLL file. Once the system is restarted, the hidden DLL recreates the virus.

The main malicious DLL file is missed because it runs side-by-side with Winlogon process, which is patronated by Windows itself. Antivirus software cannot fight with Windows.

This particular Malware creates files with random names to make its detection a tough task.

This Virtumonde fix is known to have removed the stubborn infection from over 1 million computers over the world.

Vundo fix usage:

1. Download the file. If it's an archive, unpack it.
2. Double-click the executable (.EXE) file.
3. When the program opens, click the Scan button.
4. Once the scan is finished, click Remove.
5. The program will ask is you want to remove the detected files. Agree to the prompt.
6. The desktop may go blank because the fix tool will begin removing the malware.
7. At the end, the fix will as for reboot; choose "yes".

Symantec provides a free virtumonde remover that's capable of curing certain variants of the malware.

How to use Symantec Tool:

1. Download the .EXE tool;
2. Disconnect from the Internet;
3. Turn OFF System Restore;
4. Double-click the file you downloaded;
5. Click Start to initiate the scan.
6. When finished, restart and re-enable System Restore.

Note: this virtumonde fix does not cover all of the trojan variants, so it may be useless in some cases.

In case a supported malware is detected, the Symantec remover will delete the malicious files and associated registry entries.

Fact 1: Kaspersky Labs after analyzing its virus activity statistics informed viruslist.com that the family of trojans happened to be #1 most frequently reported case of malware infection in February, 2008.

Certainly no single malware can occupy the #1 spot of most widespread threat for a long period of time because new dangers appear every minute. But we definitely see the huge potential behind this pesky parasite.

Fact 2: Google Trends - a tool used to analyze search volume for any given query - shows that this malware doesn't get searched for less as time goes by.

Malware removers have beed created by volunteers or software companies to stop the spread of the malware.

However, it's always better to prevent infection, than bother getting rid of it. Unfortunately, the tools above only work for system clean up. They don't have any kind of real-time protection to stip the trojan at the Ethernet gates.

If you value your time or don't want to risk losing the data on the hard drive, consider setting a permanent anti-virtumondo shield.

One of such long-existing in the software world programs is SpyBot Search & Destroy. Our visitor Jerrico reported his positive experience with this antispyware, so here's a link to official Spybot Search and Destroy download website.

After reading lots of forum posts and blogs and Yahoo! Answers I came to conclusion that you should be careful what virtumonde removal software to use.

There are forums that blindly advise to cure sick PC's with PC Tools Spyware Doctor. While this program certainly helps in some cases, there are lots of people reporting no effect from the use of Spyware Doctor. Even its edition with antivirus may fail.

Another highly recommended program is SpyHunter. Unfortunately, it's nothing but a free scanner which doesn't remove detected malware. But even paid version might be unable to remove detected infections.

Ad-aware from Lavasoft has a free version with removal capability, but it only deals with a small number of trojan mutations. Thus chances are it will be unable to erase your particular infection.

One more often recommended program is SpyNoMore. I tried to download it myself, but... well, here's how it went.

1. SpyNoMore is distributed by Regnow. I supposed a company that big would take control of the files it hosts. Nope, apparently it doesn't. The .exe I downloaded from Regnow was 125 KB in size. As you might guess, it's too little for an antispyware program. Ok, I expected it to be a downloader only - and guessed that right. But checked the downloader for malware anyway.

2. I double-clicked the executable and it asked where the SpyNoMore setup should be saved. I pointed it to the folder.

3. The downloaded file was bigger - 2.9 MB in size, but still it looked kinda strange. Even before the setup was downloaded, avast! antivirus popped up a message warning about a trojan.

4. I tested the file with TrojanRemover as well. Infected!

Sadly, crap is distributed via trustworthy websites.

The screenshots to prove my experience are below.

SpyNoMore is a shady antispyware that gets distributed via credible network, but in the form of a small-size downloadable .exe instead of a full setup file. It contains a trojan horse inside, that's why it definitely makes sense to stay away from this program. DO NOT download or install SpyNoMore if you care about your PC safety.

NOTE: I'm closely monitoring the situation to be able to recommend only those software programs that are most suitable to fix this type of malware.

Update 1/7/2009: Visitors of this hub report about much success they have with Malwarebyte's. It seems to be a true Virtumonde killer. So if you're still having problems deleting Virtumonde after you've tried out all other remedies, I suggest that you get a copy of Malwarebyte's and finally answer the question "How to remove Virtumonde?" Tip: do a scan with Malwarebyte's at least twice.

Update 1/29/2009: It seems that Malwarebyte's anti-malware has become the Virtumonde enemy #1. Those who stand behind this virus go to great lengths to prevent Malwarebyte's from even installing onto infected system. More and more frustrated victims of Virtumonde report that they cannot download and/or install MBAM because the virus actively blocks such attempts.

Here's a good news: Malwarebyte's guys developed a trick that allows to beat the nasty parasite.

1. Download Malwarebyte's anti-malware.
2. Rename the setup file to something generic like virtumondekiller.exe or goodluck.exe - just keep the .exe file extension intact.
3. Right-click on My Computer, select Properties. Go to Hardware, click on Device Manager.
4. On the View menu click to show hidden devices.
5. Navigate to Non-Plug and Play Drivers, and look for the one called TDSSserv.sys (other common filenames are: TDSSspax.sys, gaopdxserv.sys, UACmxegjtve.sys). Right-click on it and choose Disable.
6. Restart Windows. 
7. Install Malwarebyte's anti-malware. If you couldn't download the software earlier, try now.
8. If the program does not start, or closes with errors, find mbam.exe located in C:\Program Files\Malwarebytes' Anti-Malware and rename the file (e.g. to file.exe). Double-click it, update anti-malware definitions and scan the system as many times as you want ;-)

If you have difficulty updating Malwarebyte's, here's a link to download the latest database of MBAM signatures:

Malwarebyte's anti-malware database.

(This is NOT the software installer, but only MBAM program database with latest anti-malware definitions. Double-click the downloaded mbam-rules.exe and follow the instructions to update your current installation of Malwarebyte's anti-malware).

Note: follow this procedure only if Malwarebyte's would not install. The driver TDSSserv.sys is part of the infection and should not be in your system.

The screenshots below show the steps.

I'm receiving emails from PC owners who undergo Virtumonde infection the second and third time after complete removal.

This is why I have to stress the following:

Removing virtumonde does not mean it will never come back. In fact, another infection can re-occur the next moment. Unless you closed the hole through which it had slipped into your computer, nobody can guarantee you this nightmare won't repeat.

If your current security software configuration didn't block this virus, it's very much recommended to change something in your PC security approach.