Virtumonde Removal Tools and Guide

What is Virtumonde Trojan

In the eyes of most PC users, Virtumonde is common adware that displays ads in a highly aggressive way. But that is only one side of the coin, the visible part of the malware. Inside, it's a demon.

Depending on the security lab, the Virtumonde trojan has been rated as a high, elevated or critical danger. This is not a common case in the world of IT security, so there must be substantial reasons why this malware (alternatively known as Vundo) still receives so much attention from anti-malware software makers.

Trojan Details

Virtumonde modifies the Windows Internet connection settings and displays various pop-up advertisements, such as those for fake antispyware programs (including, but not limited to, Antispyware Master, Sysprotect and Storage Protector).

This parasite attaches itself to critical Windows system processes (Explorer and Winlogon), which makes the infection hard to fight with conventional methods.

Virtumonde exploits vulnerabilities in Sun Java. Whenever the computer restarts, the malicious files are recreated. It's no surprise that Internet Explorer is affected by this virus; Microsoft's native browser has always been known for its vulnerabilities. Unfortunately, Mozilla Firefox and Opera (regarded as more secure than IE) are not Virtumonde-resistant either.

This malware is known under different names depending on the security lab that classified it.

  • Downloader.Virtumonde.G
  • Spyware/Virtumonde
  • Trojan.Virtumod
  • Trojan:Win32/Vundo.A
  • Trojan.Downloader.Virmo-3
  • Trojan.Downloader.Virtumonde.F

Once executed, the Virtumonde trojan generates a .DLL with a random name; it is then capable of stopping security programs and infects system processes (e.g. Winlogon). The trojan ensures its active presence in the infected system by adding registry keys that auto-start it every time the computer is restarted.

Some variants of the malware collect hard drive serial numbers and report this data in encoded form to its servers. If the infected system is a virtual machine, the virus behaves without showing any sign of its presence. But if the system is real, it starts displaying adware and warning messages to scare the user into buying something that allegedly would repair the infection. Despite months of malware activity, innocent victims still fall for the scam and pay for fake antispyware products. Of course, none of them can remove it, because those rogue security programs are part of the malware.

This malicious evil is hard to remove since it changes its files and executes itself automatically on every Windows reboot. There are not many trojan horses as unremovable as this one.

Signs of Infection

It's easy to tell when your PC has been infected with this type of malware: an endless loop of pop-ups will tell you the adware is there.

The web browser will start showing unrelated ads claiming that system deterioration has been detected and offering a fix for it.

The desktop background (a.k.a. desktop wallpaper) will be changed to an image warning of a system infection. The screensaver will be changed to a blue screen. Attempts to change the wallpaper and screensaver will fail because the malware changes Registry values to hide the tabs of the Desktop Properties window.

The virus can go further and disable both Task Manager and Registry Editor, preventing the user from removing its registry keys or stopping the malicious process.

The trojan can also disable the Windows Security Center control panel: it either replaces WSC with a fake imitation to promote some counterfeit security program, or simply blocks access to this essential part of Windows security administration. In both cases, the trojan takes full control over the Windows security applets.

Additionally, desktop icons and the taskbar may disappear, making the user experience even more frustrating.

In brief, this pesky parasite goes to great lengths to resist almost all attempts to clean it out of the infected computer.

The hard drive may start spinning constantly because the Winlogon process keeps accessing the disk.

Internet connection stability may be affected as well. Web browsers may be redirected to unwanted sites; conversely, certain websites may not load fully, or may freeze.
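The symptoms described above (hidden Desktop and Screen Saver tabs, disabled Task Manager and Registry Editor, a DLL that auto-starts with Windows) correspond to a small set of registry values and auto-start locations. The PowerShell script below is an added example, not part of the original article or of any tool it mentions: it reads those values and lists auto-start entries that load a DLL, so the tampering can be confirmed before a removal attempt. The policy value names are the standard Windows policy values; treating rundll32 Run entries and Winlogon Notify packages (a Windows XP feature) as the places to review is an assumption based on the article's description.

```powershell
# Added example, not from the article. The policy values are standard Windows
# policies; the auto-start heuristics (rundll32 entries, Winlogon Notify packages)
# are assumptions about where a DLL-based infection like this one is loaded from.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policyChecks = @{
    DisableTaskMgr       = 'Task Manager disabled'
    DisableRegistryTools = 'Registry Editor disabled'
    NoDispBackgroundPage = 'Desktop (wallpaper) tab hidden'
    NoDispScrSavPage     = 'Screen Saver tab hidden'
}

function Get-PolicyTamper {
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    foreach ($name in $policyChecks.Keys) {
        $value = $props.$name
        if ($value -and $value -ne 0) {
            [pscustomobject]@{ Symptom = $policyChecks[$name]; Value = "$name=$value" }
        }
    }
}

function Get-AutoStartDlls {
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # provider metadata, not registry values
            # a Run entry that uses rundll32 to load a DLL is the pattern worth reviewing
            if ("$($p.Value)" -match 'rundll32.*\.dll') {
                [pscustomobject]@{ Source = $key; Entry = $p.Name; Command = $p.Value }
            }
        }
    }
    # Winlogon notification packages (Windows XP): each subkey's DLLName is loaded
    # into winlogon.exe. Legitimate packages are listed too; a random-looking DLL
    # name in system32 is what to look at more closely.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    Get-ChildItem -Path $notify -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DLLName
        [pscustomobject]@{ Source = $notify; Entry = $_.PSChildName; Command = $dll }
    }
}

Get-PolicyTamper  | Format-Table -AutoSize
Get-AutoStartDlls | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; an empty first table means none of the four policy values is set for the current user.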

Trojan Hijacked Desktop Background

How to remove virtumonde

Before getting to the list of removers, it's important to describe why this malware is so hard to get rid of.

Some antivirus programs successfully remove parts of the infection but miss the hidden DLL file. Once the system is restarted, the hidden DLL recreates the virus.

The main malicious DLL file is missed because it runs side-by-side with the Winlogon process, which is protected by Windows itself. Antivirus software cannot fight Windows.

This particular malware creates files with random names to make detection a tough task.

Vundo Fix

Free Virtumonde Remover

This Virtumonde fix is known to have removed the stubborn infection from over 1 million computers around the world.

Vundo fix usage:

  1. Download the file. If it's an archive, unpack it.
  2. Double-click the executable (.EXE) file.
  3. When the program opens, click the Scan button.
  4. Once the scan is finished, click Remove.
  5. The program will ask if you want to remove the detected files. Agree to the prompt.
  6. The desktop may go blank because the fix tool will begin removing the malware.
  7. At the end, the fix will ask for a reboot; choose "yes".


Symantec provides a free virtumonde remover that's capable of curing certain variants of the malware.

How to use Symantec Tool:

  1. Download the .EXE tool.
  2. Disconnect from the Internet.
  3. Turn OFF System Restore.
  4. Double-click the file you downloaded.
  5. Click Start to initiate the scan.
  6. When finished, restart and re-enable System Restore.

Note: this Virtumonde fix does not cover all trojan variants, so it may be useless in some cases.

If a supported variant is detected, the Symantec remover deletes the malicious files and associated registry entries.

A bit of statistics

Fact 1: after analyzing its virus activity statistics, Kaspersky Lab informed viruslist.com that this family of trojans was the #1 most frequently reported malware infection in February 2008.

Certainly no single piece of malware can occupy the #1 spot among the most widespread threats for long, because new dangers appear every minute. But we definitely see huge potential behind this pesky parasite.

Fact 2: Google Trends, a tool for analyzing search volume for any given query, shows that this malware is not being searched for any less as time goes by.

Prevent Infection

Malware removers have been created by volunteers or software companies to stop the spread of the malware.

However, it's always better to prevent an infection than to bother getting rid of it. Unfortunately, the tools above only work for system clean-up. They don't have any kind of real-time protection to stop the trojan at the Ethernet gates.

If you value your time or don't want to risk losing the data on your hard drive, consider setting up a permanent anti-Virtumonde shield.

One such program, long established in the software world, is Spybot Search & Destroy. Our visitor Jerrico reported his positive experience with this antispyware, so here's a link to the official Spybot Search and Destroy download website.

Useless Virtumonde Removal Programs

After reading lots of forum posts, blogs and Yahoo! Answers, I came to the conclusion that you should be careful which Virtumonde removal software you use.

There are forums that blindly advise curing sick PCs with PC Tools Spyware Doctor. While this program certainly helps in some cases, lots of people report no effect from using Spyware Doctor. Even its edition with antivirus may fail.

Another highly recommended program is SpyHunter. Unfortunately, it's nothing but a free scanner that doesn't remove detected malware. Even the paid version might be unable to remove detected infections.

Ad-Aware from Lavasoft has a free version with removal capability, but it only deals with a small number of trojan mutations, so chances are it will be unable to erase your particular infection.

One more often-recommended program is SpyNoMore. I tried to download it myself, but... well, here's how it went.

1. SpyNoMore is distributed by Regnow. I supposed a company that big would take control of the files it hosts. Nope, apparently it doesn't. The .exe I downloaded from Regnow was 125 KB in size. As you might guess, that's too little for an antispyware program. Ok, I expected it to be a downloader only - and guessed that right. But I checked the downloader for malware anyway.

2. I double-clicked the executable and it asked where the SpyNoMore setup should be saved. I pointed it to the folder.

3. The downloaded file was bigger - 2.9 MB in size, but still it looked kinda strange. Even before the setup was downloaded, avast! antivirus popped up a message warning about a trojan.

4. I tested the file with TrojanRemover as well. Infected!

Sadly, crap gets distributed via trustworthy websites.

The screenshots to prove my experience are below.

SpyNoMore Suspicious Setup

SpyNoMore Downloader. 125 KB only... suspicious
SpyNoMore Setup: less than 3 megs in size. Wonder why so little?..
avast! detected a trojan horse inside SpyNoMore setup

Conclusion

SpyNoMore is shady antispyware that gets distributed via a credible network, but in the form of a small downloadable .exe instead of a full setup file. It contains a trojan horse, which is why it definitely makes sense to stay away from this program. DO NOT download or install SpyNoMore if you care about your PC's safety.

NOTE: I'm closely monitoring the situation to be able to recommend only those software programs that are most suitable to fix this type of malware.

Update 1/7/2009: Visitors to this hub report great success with Malwarebytes'. It seems to be a true Virtumonde killer. So if you're still having problems deleting Virtumonde after you've tried all the other remedies, I suggest you get a copy of Malwarebytes' and finally answer the question "How to remove Virtumonde?" Tip: scan with Malwarebytes' at least twice.

Update 1/29/2009: It seems that Malwarebytes' Anti-Malware has become Virtumonde's enemy #1. Those behind this virus go to great lengths to prevent Malwarebytes' from even installing on an infected system. More and more frustrated Virtumonde victims report that they cannot download and/or install MBAM because the virus actively blocks such attempts.

Here's the good news: the Malwarebytes' developers came up with a trick that beats the nasty parasite.

  1. Download Malwarebytes' Anti-Malware.
  2. Rename the setup file to something generic like virtumondekiller.exe or goodluck.exe - just keep the .exe file extension intact.
  3. Right-click on My Computer, select Properties. Go to Hardware, click on Device Manager.
  4. On the View menu, click to show hidden devices.
  5. Navigate to Non-Plug and Play Drivers and look for the one called TDSSserv.sys (other common filenames are TDSSspax.sys, gaopdxserv.sys and UACmxegjtve.sys). Right-click on it and choose Disable.
  6. Restart Windows.
  7. Install Malwarebytes' Anti-Malware. If you couldn't download the software earlier, try now.
  8. If the program does not start, or closes with errors, find mbam.exe in C:\Program Files\Malwarebytes' Anti-Malware and rename the file (e.g. to file.exe). Double-click it, update the anti-malware definitions and scan the system as many times as you want ;-)
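Step 5 depends on spotting the rogue driver by name in Device Manager. The PowerShell script below is an added example, not part of the original article or of Malwarebytes' own tooling: it checks the driver service list for the names given in step 5 and, going one step further than the article, flags any enabled kernel driver whose image file cannot be found on disk, which is how a driver whose file is hidden shows up to a file check. The service names come from the article; the missing-file heuristic is an assumption.

```powershell
# Added example, not from the article. Names below are the ones the article lists;
# the "image file missing" heuristic is an assumption.
$knownRogue  = 'TDSSserv', 'TDSSspax', 'gaopdxserv', 'UACmxegjtve'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-DriverImagePath([string]$ImagePath) {
    # ImagePath comes in several shapes: \??\C:\...\x.sys, \SystemRoot\system32\drivers\x.sys,
    # or system32\drivers\x.sys relative to the Windows directory
    $p = $ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -and -not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousDrivers {
    Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $svc  = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $name = $_.PSChildName
        # the key may be registered with or without the .sys suffix
        $isKnownName = $knownRogue -contains ($name -replace '\.sys$', '')
        # Type 1 = kernel-mode driver, which is what Device Manager lists under
        # Non-Plug and Play Drivers once hidden devices are shown
        if (-not $isKnownName -and $svc.Type -ne 1) { return }
        $image    = [string]$svc.ImagePath
        $resolved = Resolve-DriverImagePath $image
        # Start 4 = disabled; a missing file for a disabled driver is usually just a leftover
        $missing = $image -and $svc.Start -ne 4 -and -not (Test-Path -LiteralPath $resolved)
        if ($isKnownName -or $missing) {
            $reason = if ($isKnownName) { 'name listed as Virtumonde/TDSS driver' }
                      else { 'enabled kernel driver whose file cannot be found' }
            [pscustomobject]@{ Service = $name; ImagePath = $image; Start = $svc.Start; Reason = $reason }
        }
    }
}

# A rootkit can hide its own service key as well as its file; if nothing is listed
# on a machine showing the symptoms, repeat the check after booting from clean media.
Get-SuspiciousDrivers | Format-Table -AutoSize
```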

If you have difficulty updating Malwarebytes', here's a link to download the latest MBAM signature database:

Malwarebyte's anti-malware database.

(This is NOT the software installer, only the MBAM program database with the latest anti-malware definitions. Double-click the downloaded mbam-rules.exe and follow the instructions to update your current installation of Malwarebytes' Anti-Malware.)

Note: follow this procedure only if Malwarebytes' will not install. The driver TDSSserv.sys is part of the infection and should not be on your system.

The screenshots below show the steps.

How to force Malwarebytes' installation: Step 1

Right-click on the My Computer icon, select Properties, go to Hardware -- Device Manager.

How to force Malwarebytes' installation: Step 2

On the View menu, select Show hidden devices.

How to force Malwarebytes' installation: Step 3

Scroll down to Non-Plug and Play Drivers.

How to force Malwarebytes' installation: Step 4

Locate TDSSserv.sys (or something like that), right-click on it and choose Disable.

a-squared anti-malware v5.0
Malwarebytes' Anti-Malware v1.46

IMPORTANT!

I'm receiving emails from PC owners who are hit by a Virtumonde infection a second and third time after complete removal.

This is why I have to stress the following:

Removing Virtumonde does not mean it will never come back. In fact, another infection can occur the very next moment. Unless you close the hole through which it slipped into your computer, nobody can guarantee this nightmare won't repeat.

If your current security software configuration didn't block this virus, it's strongly recommended that you change something in your approach to PC security.

Comments (161)

vince 3 years ago

I solved my vundo problem with the free edition of SuperAntiSpyware which found 12 items not discovered by Malwarebytes, Spybot SD, or Vundofix. Three of these were adware vundo variants which had been a nuisance for some time. The software is available from Softpedia.


Jro 6 years ago

I think it's gone now. Although I'm a bit scared from those comments about it disappearing and coming back a couple of days later.


Neil Ashworth 6 years ago from Ireland

Like it!


ashakhan 6 years ago from india

thanks


oldParasiteSingle 6 years ago

This is my first time against this trojan. While I was on a favorite file hosting site it cut through windows firewall like hot butter and immediately disabled malwarebyte's and spammed me with bogus popups. I tried to remove it twice with a spybot search and destroy reboot to no avail. Whoever is writing this one knows what he's doing. I'll keep trying outdated Virtumonde FAQs like this one until I get to the cleaners tonight.


Adam 6 years ago

This is TOTAL BULL****. I cannot install malwarebytes, I don't have the TSDD or whatever in the device manager, can't rename the file, it's bad.


Sriram 7 years ago

Malbytes' Anti-malware rocks !!... I have tried Spyware hunter , SpyDoctor, VundoFix etc... nothing happened! .. I struggled for 5 fives trying to get rid of VirtuMonde... and then I read about Malbytes' Anti-Malware ...I downloaded it ..and voila!.. virtuemonde is out of my laptop. The best part of MAM is it not only scans for viruses, it also cleans them free of charge.. the rest is history.. My sincere thanks to the makers of MAM.. my hats-off and god bless you!... Yeah, I'm going to purchase a 6-month license today. Please note that I'm not associated with MAM or the company in any form. I'm just a happy customer.


Kesha B 7 years ago

thanks so much for taking the time to write this for us virtumondo victims! malwarebytes worked for me very well!


charlemont 7 years ago from Lithuania Author

jenny, try turning off System Restore, then re-enable it.

1. Right-click on My Computer, choose Properties, go to the System Restore tab.

2. Check the box Turn off System Restore.

3. Click OK and restart as suggested.

4. After restarting, clear the check box, and restart again.


jenny 7 years ago

Malwarebyte seems to have worked. Thanks for the recommendation! Now I still have one problem...I can't create a restore point or do a system restore (I tried doing both when I found out I had the virus). I tried doing it in safe mode and in safe mode with command prompt and still doesn't work. Any suggestions on what I can do? Or does this mean I still have Virtumonde?


charlemont 7 years ago from Lithuania Author

bronius, have you looked for the file TDSSServ.sys? It might be preventing MBAM installation.

Also, rename the installer. Check your current antivirus program for disabled permissions. Some software (e.g. McAfee VirusScan) can interfere with the installation routine so you need to explicitly instruct it what files to exclude from scanning/blocking.


bronius 7 years ago

Can't install Malwarebyte's - at the end of installation, message appears: RegCreateKeyEx failed; code 5. Access is denied.


Danish Syed 7 years ago

best software ever. i was almost hopeless n thinking to format my hard disk n re install windows. But malware saved the day :D


charlemont 7 years ago from Lithuania Author

DarkZero515, did you manage to update Malwarebytes' and run a scan? It's possible that you don't have the TDSSserv.sys issue.


DarkZero515 7 years ago

I downloaded the Malwarebytes install and went to my computer all the way up to where you disable the TDSSserv.sys but I cannot find it in the Non-Plug and Play Drivers (It's not showing up) any advice?


Kal-EL 7 years ago

To Becca:

Darn... that sucks...

Anyway AVG and Spyware Doctor are my good soldiers... but they don't protect (they detect but do not fully erase) me completely from malware but they do their job at getting rid of some of it and protecting me daily from threats on sites etc...

See what I did was since the Malwarebytes scan did not work very well and kept stopping while the malware just respawned I looked up on AVG virus database what the registry entrances were and what was changed/edited etc.

After finding out that AVG/Spyware wasn't finding 1 of the 5 entries I looked it up and actually found something identical in the registry and changed the values etc to 0 or NO. After restarting it seemed to do little and soon after my PC did not startup much at all due to missing DLL/registry files.

So anyway finally I chose to "go back to the last configuration that worked" via com startup and it used the registry to go back to the settings what worked and luckily Virtuemonde was no longer in effect and everything was working fine and even more stable! The only thing was the DLL files were missing but they were the DLL files that respawned the malware virus and worked with windows login as a demon in the shadows, hence it had been exorcised!

I pat myself on the back, said a few prayers to thank thee Lord and continued playing FO3 which is a cool game also...

Hope this helps everyone else...


Cha 7 years ago

MALWAREBYTES WORKED TO GET THIS ROTTEN BASTARD OFF OF MY PC!!

THANKS MALWAREBYTES!!!!!!


AndyBaker 7 years ago from UK

You've got some great hubs on virus removal.

Great stuff, and keep it up!


wee hau 7 years ago

i have tried so many options... but this is the RIGHT one to solve all my problems.

Thumbs up! kudos.


Becca 7 years ago

To Kal-EL:

No, I purchased at Best Buy, not online. Even went through 247fixes.com to ensure I was completely clean. After I installed it again, MBAM flagged a vundo on my computer. I now use Returnil that way I have no worries.

