
Virtumonde Removal Tools and Guide

Updated on July 23, 2010

What is Virtumonde Trojan

To most PC users, the Virtumonde adware is a common piece of spyware that displays ads in a highly aggressive way. But that is only one side of the coin, the visible part of the malware. Inside, it's a demon.

Depending on the security lab, the Virtumonde trojan has been assigned a high, elevated or critical level of danger. That is not common in the world of IT security, so there must have been substantial reasons why this malware (alternatively known as Vundo) has kept receiving a good deal of attention from anti-malware software makers.

Trojan Details

Virtumonde modifies the Windows Internet connection settings and displays various pop-up advertisements, such as those of fake antispyware programs (including, but not limited to, Antispyware Master, Sysprotect and Storage Protector).

This parasite attaches itself to critical Windows system processes (Explorer and Winlogon), which makes it hard to fight the infection using conventional methods.

Virtumonde exploits vulnerabilities in Sun Java. Whenever the computer restarts, the malicious files are recreated. It is no surprise that Internet Explorer is affected by this virus; Microsoft's native browser has always been known for its vulnerabilities. Unfortunately, the Mozilla Firefox and Opera browsers (regarded as more secure than IE) are not Virtumonde-resistant either.

This malware is known under different names depending on the security lab that classified it.

  • Downloader.Virtumonde.G
  • Spyware/Virtumonde
  • Trojan.Virtumod
  • Trojan:Win32/Vundo.A
  • Trojan.Downloader.Virmo-3
  • Trojan.Downloader.Virtumonde.F

Once executed, the Virtumonde trojan generates a .DLL with a random name; it is then capable of stopping security programs and infects system processes (e.g. Winlogon). The trojan ensures its active presence in the infected system by adding registry keys so that it auto-starts every time the computer is restarted.

Some variants of the malware collect the serial numbers of hard drives and report this data in encoded form to its servers. If the infected system is a virtual machine, the virus shows no signs of its presence. But if the system is real, it starts displaying adware and warning messages to scare the user into buying something that would allegedly repair the infection. Even though the malware has been active for months, innocent victims still fall for the scam and pay for fake antispyware products. Of course none of them can remove it, because those rogue security programs are part of the malware.

This malicious evil is hard to remove since it changes its files and executes itself automatically whenever Windows reboots. There are not that many unremovable trojan horses like this one.

Signs of Infection

It's easy to tell when your PC has been infected with this type of malware - an endless loop of pop-ups will tell you the adware is there.

The web browser will start showing unrelated ads claiming that system deterioration has been detected and offering a fix for it.

The desktop background (a.k.a. desktop wallpaper) will be changed to an image threatening you with a system infection. The screensaver will be changed to a blue screen. Attempts to change the wallpaper and screensaver will be unsuccessful because the malware changes Registry values to hide tabs of the Desktop Properties window.

The virus can go further and disable both Task Manager and Registry Editor, thus preventing the user from removing its registry keys or stopping the malicious process.

The trojan can also disable the Windows Security Center control panel: it either replaces WSC with a fake imitation to promote some counterfeit security program, or simply blocks access to this essential part of Windows security administration. In both cases, the trojan takes full control over the Windows security applets.

Additionally, desktop icons and the taskbar may disappear to make the user experience still more frustrating.

In brief, this pesky parasite goes to great lengths to ensure it can resist almost all attempts to clean it out of the infected computer.

The hard drive may start spinning constantly because of the Winlogon process accessing the disk.

Internet connection stability may be affected as well. Web browsers may be redirected to unwanted sites; conversely, certain websites may not load fully, or may freeze.
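
A triage check for the lockdown symptoms listed in this section, as an added example that is not part of the original guide: it parses the text output of `reg query` and reports the standard Windows policy values that disable Task Manager and Registry Editor or hide Desktop Properties tabs. The guide does not name the registry values this malware writes, so the value names below are an assumption, and the sample output is constructed.

```python
import re

# Standard Windows policy values under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System that produce
# the symptoms described above. Assumption: the guide only says "Registry
# values" and does not name them. On a managed PC an administrator may have
# set the same values on purpose.
LOCKDOWN_VALUES = {
    "disabletaskmgr": "Task Manager disabled",
    "disableregistrytools": "Registry Editor disabled",
    "nodispbackgroundpage": "Desktop (wallpaper) tab hidden",
    "nodispscrsavpage": "Screen Saver tab hidden",
}

# One value line of `reg query` output: indented name, type, data.
_VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")


def parse_reg_query(text):
    """Parse `reg query` text into {key_path: {value_name: (type, data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):          # a key path starts in column 0
            current = keys.setdefault(line.strip(), {})
            continue
        match = _VALUE_LINE.match(line)
        if match and current is not None:
            current[match["name"]] = (match["type"], match["data"].strip())
    return keys


def dword(data):
    """Convert REG_DWORD data such as '0x1' to int; None if unparsable."""
    try:
        return int(data, 0)
    except ValueError:
        return None


def find_lockdowns(text):
    """Return (key, value_name, meaning) for every lockdown value that is set."""
    findings = []
    for key, values in parse_reg_query(text).items():
        if not key.lower().endswith(r"\policies\system"):
            continue
        for name, (vtype, data) in values.items():
            meaning = LOCKDOWN_VALUES.get(name.lower())
            # A value that exists but is 0 does not lock anything.
            if meaning and vtype == "REG_DWORD" and dword(data):
                findings.append((key, name, meaning))
    return findings


# Constructed sample of `reg query ... /s` output, not taken from a real system.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr    REG_DWORD    0x1
    DisableRegistryTools    REG_DWORD    0x1
    NoDispBackgroundPage    REG_DWORD    0x1
    NoDispScrSavPage    REG_DWORD    0x0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x91
"""

if __name__ == "__main__":
    for key, name, meaning in find_lockdowns(SAMPLE):
        print(f"{name}: {meaning} ({key})")
```

Because Registry Editor itself may be blocked on an infected machine, the output is best captured from a command prompt and examined elsewhere.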

Trojan Hijacked Desktop Background

How to remove virtumonde

Before getting to the list of removers, it's important to describe why this malware is so hard to get rid of.

Some antiviruses successfully remove parts of the infection, but miss the hidden DLL file. Once the system is restarted, the hidden DLL recreates the virus.

The main malicious DLL file is missed because it runs side-by-side with the Winlogon process, which is protected by Windows itself. Antivirus software cannot fight Windows.

This particular malware creates files with random names to make its detection a tough task.

Vundo Fix

Free Virtumonde Remover

This Virtumonde fix is known to have removed the stubborn infection from over 1 million computers around the world.

Vundo fix usage:

  1. Download the file. If it's an archive, unpack it.
  2. Double-click the executable (.EXE) file.
  3. When the program opens, click the Scan button.
  4. Once the scan is finished, click Remove.
  5. The program will ask if you want to remove the detected files. Agree to the prompt.
  6. The desktop may go blank because the fix tool will begin removing the malware.
  7. At the end, the fix will ask for a reboot; choose "yes".


Symantec provides a free Virtumonde remover that's capable of curing certain variants of the malware.

How to use Symantec Tool:

  1. Download the .EXE tool;
  2. Disconnect from the Internet;
  3. Turn OFF System Restore;
  4. Double-click the file you downloaded;
  5. Click Start to initiate the scan.
  6. When finished, restart and re-enable System Restore.

Note: this Virtumonde fix does not cover all of the trojan variants, so it may be useless in some cases.

If a supported variant of the malware is detected, the Symantec remover will delete the malicious files and associated registry entries.

A bit of statistics

Fact 1: After analyzing its virus activity statistics, Kaspersky Lab informed viruslist.com that this family of trojans was the #1 most frequently reported malware infection in February 2008.

Certainly no single piece of malware can occupy the #1 spot as the most widespread threat for a long period of time, because new dangers appear every minute. But we definitely see the huge potential behind this pesky parasite.

Fact 2: Google Trends - a tool used to analyze search volume for any given query - shows that searches for this malware have not declined as time goes by.

Prevent Infection

Malware removers have been created by volunteers or software companies to stop the spread of the malware.

However, it's always better to prevent an infection than to bother getting rid of it. Unfortunately, the tools above only work for system cleanup. They don't have any kind of real-time protection to stop the trojan at the Ethernet gates.

If you value your time or don't want to risk losing the data on the hard drive, consider setting up a permanent anti-Virtumonde shield.

One such program, long established in the software world, is SpyBot Search & Destroy. Our visitor Jerrico reported his positive experience with this antispyware, so here's a link to the official Spybot Search and Destroy download website.

Useless Virtumonde Removal Programs

After reading lots of forum posts, blogs and Yahoo! Answers, I came to the conclusion that you should be careful about which Virtumonde removal software you use.

There are forums that blindly advise curing sick PCs with PC Tools Spyware Doctor. While this program certainly helps in some cases, there are lots of people reporting no effect from the use of Spyware Doctor. Even its edition with antivirus may fail.

Another highly recommended program is SpyHunter. Unfortunately, it's nothing but a free scanner which doesn't remove detected malware. But even the paid version might be unable to remove detected infections.

Ad-aware from Lavasoft has a free version with removal capability, but it only deals with a small number of trojan mutations. Thus chances are it will be unable to erase your particular infection.

One more often recommended program is SpyNoMore. I tried to download it myself, but... well, here's how it went.

1. SpyNoMore is distributed by Regnow. I supposed a company that big would take control of the files it hosts. Nope, apparently it doesn't. The .exe I downloaded from Regnow was 125 KB in size. As you might guess, it's too little for an antispyware program. OK, I expected it to be a downloader only - and guessed that right. But I checked the downloader for malware anyway.

2. I double-clicked the executable and it asked where the SpyNoMore setup should be saved. I pointed it to the folder.

3. The downloaded file was bigger - 2.9 MB in size, but still it looked kinda strange. Even before the setup was downloaded, avast! antivirus popped up a message warning about a trojan.

4. I tested the file with TrojanRemover as well. Infected!

Sadly, crap is distributed via trustworthy websites.

The screenshots to prove my experience are below.

SpyNoMore Suspicious Setup

SpyNoMore Downloader. 125 KB only... suspicious
SpyNoMore Setup: less than 3 megs in size. Wonder why so little?..
avast! detected a trojan horse inside SpyNoMore setup

Conclusion

SpyNoMore is a shady antispyware program that gets distributed via a credible network, but in the form of a small downloadable .exe instead of a full setup file. It contains a trojan horse, which is why it definitely makes sense to stay away from this program. DO NOT download or install SpyNoMore if you care about your PC's safety.

NOTE: I'm closely monitoring the situation to be able to recommend only those software programs that are most suitable to fix this type of malware.

Update 1/7/2009: Visitors of this hub report much success with Malwarebytes'. It seems to be a true Virtumonde killer. So if you're still having problems deleting Virtumonde after you've tried out all other remedies, I suggest that you get a copy of Malwarebytes' and finally answer the question "How to remove Virtumonde?" Tip: do a scan with Malwarebytes' at least twice.

Update 1/29/2009: It seems that Malwarebytes' anti-malware has become Virtumonde's enemy #1. Those who stand behind this virus go to great lengths to prevent Malwarebytes' from even installing onto an infected system. More and more frustrated victims of Virtumonde report that they cannot download and/or install MBAM because the virus actively blocks such attempts.

Here's some good news: the Malwarebytes' team developed a trick that makes it possible to beat the nasty parasite.

  1. Download Malwarebytes' anti-malware.
  2. Rename the setup file to something generic like virtumondekiller.exe or goodluck.exe - just keep the .exe file extension intact.
  3. Right-click on My Computer, select Properties. Go to Hardware, click on Device Manager.
  4. On the View menu click to show hidden devices.
  5. Navigate to Non-Plug and Play Drivers, and look for the one called TDSSserv.sys (other common filenames are: TDSSspax.sys, gaopdxserv.sys, UACmxegjtve.sys). Right-click on it and choose Disable.
  6. Restart Windows.
  7. Install Malwarebytes' anti-malware. If you couldn't download the software earlier, try now.
  8. If the program does not start, or closes with errors, find mbam.exe located in C:\Program Files\Malwarebytes' Anti-Malware and rename the file (e.g. to file.exe). Double-click it, update anti-malware definitions and scan the system as many times as you want ;-)

If you have difficulty updating Malwarebytes', here's a link to download the latest database of MBAM signatures:

Malwarebytes' anti-malware database.

(This is NOT the software installer, but only the MBAM program database with the latest anti-malware definitions. Double-click the downloaded mbam-rules.exe and follow the instructions to update your current installation of Malwarebytes' anti-malware.)

Note: follow this procedure only if Malwarebytes' will not install. The driver TDSSserv.sys is part of the infection and should not be in your system.
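
The driver check from step 5, scripted as an added example that is not part of the original guide or of any Malwarebytes' tool: it reads a driver listing in the CSV form produced by `driverquery /fo csv` and flags the four filenames listed in step 5, plus names that merely share their leading letters. The prefix matching is an assumption of this example (the guide only says "or something like that"), and the sample listings are constructed.

```python
import csv
import io

# Filenames given in step 5 of the procedure above (compared case-insensitively).
LISTED = {"tdssserv.sys", "tdssspax.sys", "gaopdxserv.sys", "uacmxegjtve.sys"}

# Assumption of this example: variants keep the leading letters of the listed
# names and change the rest. A prefix hit is only a lead to look at, not proof.
STEMS = ("tdss", "gaopdx", "uac")

COLUMNS = ("Module Name", "Display Name")


def classify(name):
    """Return 'listed', 'similar' or None for one driver/service name."""
    n = name.strip().lower()
    base = n[:-4] if n.endswith(".sys") else n   # tolerate a missing extension
    if base + ".sys" in LISTED:
        return "listed"
    if base.startswith(STEMS):
        return "similar"
    return None


def suspicious_drivers(csv_text):
    """Return [(module_name, verdict)] for rows matching the guide's names."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        verdicts = {classify(row.get(col) or "") for col in COLUMNS}
        module = (row.get("Module Name") or "").strip()
        if "listed" in verdicts:
            hits.append((module, "listed"))
        elif "similar" in verdicts:
            hits.append((module, "similar"))
    return hits


# Constructed listings in `driverquery /fo csv` layout, not from a real system.
SAMPLE_DRIVERQUERY = '''
"Module Name","Display Name","Driver Type","Link Date"
"ACPI","Microsoft ACPI Driver","Kernel ","8/4/2004 2:07:35 AM"
"Tcpip","TCP/IP Protocol Driver","Kernel ","4/13/2008 3:20:12 PM"
"TDSSserv.sys","TDSSserv.sys","Kernel ","1/12/2009 10:14:02 AM"
"usbhub","USB2 Enabled Hub","Kernel ","4/13/2008 2:45:37 PM"
"gaopdxabcd","gaopdxabcd.sys","Kernel ","2/2/2009 9:01:44 AM"
'''

CLEAN_DRIVERQUERY = '''
"Module Name","Display Name","Driver Type","Link Date"
"ACPI","Microsoft ACPI Driver","Kernel ","8/4/2004 2:07:35 AM"
"usbhub","USB2 Enabled Hub","Kernel ","4/13/2008 2:45:37 PM"
'''

if __name__ == "__main__":
    for module, verdict in suspicious_drivers(SAMPLE_DRIVERQUERY):
        print(f"{module}: {verdict}")
```

An empty result only means that none of these names appear in the listing; in that case the driver step does not apply and the rename steps are what remain.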

The screenshots below show the steps.

How to force Malwarebytes' installation: Step 1

Right-click on My Computer icon, select Properties, go to Hardware -- Device Manager.

How to force Malwarebytes' installation: Step 2

On the View menu, select Show hidden devices.

How to force Malwarebytes' installation: Step 3

Scroll down to Non-Plug and Play Drivers.

How to force Malwarebytes' installation: Step 4

Locate TDSSserv.sys (or something like that), right-click on it and choose Disable.
a-squared anti-malware v5.0
Malwarebytes' Anti-malware v1.46

IMPORTANT!

I'm receiving emails from PC owners who suffer a Virtumonde infection a second and third time after complete removal.

This is why I have to stress the following:

Removing virtumonde does not mean it will never come back. In fact, another infection can re-occur the next moment. Unless you closed the hole through which it had slipped into your computer, nobody can guarantee you this nightmare won't repeat.

If your current security software configuration didn't block this virus, it's very much recommended to change something in your PC security approach.

Comments


    • profile image

      vince 4 years ago

      I solved my vundo problem with the free edition of SuperAntiSpyware which found 12 items not discovered by Malwarebytes, Spybot SD, or Vundofix. Three of these were adware vundo variants which had been a nuisance for some time. The software is available from Softpedia.

    • profile image

      Jro 7 years ago

      I think it's gone now. Although I'm a bit scared from those comments about it disappearing and coming back a couple of days later.

    • Neil Ashworth profile image

      George Poe 7 years ago from United Kingdom

      Like it!

    • ashakhan profile image

      ashakhan 7 years ago from india

      thanks

    • profile image

      oldParasiteSingle 7 years ago

      This is my first time against this trojan. While I was on a favorite file hosting site it cut through windows firewall like hot butter and immediately disabled malwarebyte's and spammed me with bogus popups. I tried to remove it twice with a spybot search and destroy reboot to no avail. Whoever is writing this one knows what he's doing. I'll keep trying outdated Virtumonde FAQs like this one until I get to the cleaners tonight.

    • profile image

      Adam 7 years ago

      This is TOTAL BULL****. I cannot install malwarebytes, I don't have the TSDD or whatever in the device manager, can't rename the file, it's bad.

    • profile image

      Sriram 8 years ago

      Malbytes' Anti-malware rocks !!... I have tried Spyware hunter , SpyDoctor, VundoFix etc... nothing happened! .. I struggled for 5 fives trying to get rid of VirtuMonde... and then I read about Malbytes' Anti-Malware ...I downloaded it ..and voila!.. Virtumonde is out of my laptop. The best part of MAM is it not only scans for viruses, it also cleans them free of charge.. the rest is history.. My sincere thanks to the makers of MAM.. my hats-off and God bless you!... Yeah, I'm going to purchase a 6-month license today. Please note that I'm not associated with MAM or the company in any form. I'm just a happy customer.

    • profile image

      Kesha B 8 years ago

      thanks so much for taking the time to write this for us virtumondo victims! malwarebytes worked for me very well!

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      jenny, try to turn off System Restore, then re-enable it.

      1. Right-click on My Computer, choose Properties, go to System Restore tab.

      2. Check the box Turn off system restore.

      3. Click OK and restart as suggested.

      4. After restarting, remove the check box, and restart again.

    • profile image

      jenny 8 years ago

      Malwarebyte seems to have worked. Thanks for the recommendation! Now I still have one problem...I can't create a restore point or do a system restore (I tried doing both when I found out I had the virus). I tried doing it in safe mode and in safe mode with command prompt and still doesn't work. Any suggestions on what I can do? Or does this mean I still have Virtumonde?

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      bronius, have you looked for the file TDSSServ.sys? It might be preventing MBAM installation.

      Also, rename the installer. Check your current antivirus program for disabled permissions. Some software (e.g. McAfee VirusScan) can interfere with the installation routine so you need to explicitly instruct it what files to exclude from scanning/blocking.

    • profile image

      bronius 8 years ago

      Can't install Malwarebyte's - at the end of installation, message appears: RegCreateKeyEx failed; code 5. Access is denied.

    • profile image

      Danish Syed 8 years ago

      best software ever. i was almost hopeless n thinking to format my hard disk n re install windows. But malware saved the day :D

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      DarkZero515, did you manage to update Malwarebytes' and run a scan? It's possible that you don't have TDSSserv.sys issue.

    • profile image

      DarkZero515 8 years ago

      I downloaded the Malwarebytes install and went to my computer all the way up to where you disable the TDSSserv.sys but I cannot find it in the Non-Plug and Play Drivers (It's not showing up) any advice?

    • profile image

      Kal-EL 8 years ago

      To Becca:

      Darn... that sucks...

      Anyway AVG and Spyware Doctor are my good soldiers... but they don't protect (they detect but do not fully erase) me completely from malware but they do their job at getting rid of some of it and protecting me daily from threats on sites etc...

      See what I did was since the Malwarebytes scan did not work very well and kept stopping while the malware just respawned I looked up on AVG virus database what the registry entrances were and what was changed/edited etc.

      After finding out that AVG/Spyware wasn't finding 1 of the 5 entries I looked it up and actually found something identical in the registry and changed the values etc to 0 or NO. After restarting it seemed to do little and soon after my PC did not startup much at all due to missing DLL/registry files.

      So anyway finally I chose to "go back to the last configuration that worked" via com startup and it used the registry to go back to the settings what worked and luckily Virtumonde was no longer in effect and everything was working fine and even more stable! The only thing was the DLL files were missing but they were the DLL files that respawned the malware virus and worked with windows login as a demon in the shadows, hence it had been exorcised!

      I pat myself on the back, said a few prayers to thank thee Lord and continued playing FO3 which is a cool game also...

      Hope this helps everyone else...

    • profile image

      Cha 8 years ago

      MALWAREBYTES WORKED TO GET THIS ROTTEN BASTARD OFF OF MY PC!!

      THANKS MALWAREBYTES!!!!!!

    • AndyBaker profile image

      AndyBaker 8 years ago from UK

      You've got some great hubs on virus removal.

      Great stuff, and keep it up!

    • profile image

      wee hau 8 years ago

      i have tried so many options... but this is the RIGHT one to solve all my problems.

      Thumbs up! kudos.

    • profile image

      Becca 8 years ago

      To Kal-EL:

      No, I purchased at Best Buy, not online. Even went through 247fixes.com to ensure I was completely clean. After I installed it again, MBAM flagged a vundo on my computer. I now use Returnil that way I have no worries.

    • profile image

      Chosen1 8 years ago

      Ok. So far so good. Pretty much all of my stuff is back, except Limewire of course. But even some of the things that I downloaded, that did not come with my PC were on there. Now if I just try connecting to the internet.

    • profile image

      Chosen1 8 years ago

      Ok. I had just gotten rid of a trojan virus back in December. I Mcafee and PCTools. I also used HijackThis to fix. I unplugged my PC because I moved and hadn't touched it up until last night. Now all of a sudden, I can't log on to the internet. So I was fooling around with the network connections. I decided to run a scan on my PC with PCTools and my PC found 1 virus, 20 infections. The Virtumonde Virus. So I allowed PC Tools to repair/delete it. After I did this, I ran HijackThis, to ensure that everything dealing with the virus was gone. Then I turned off my PC and went to bed.

      Well, why did I turn off my PC. This morning I go to turn it on and it has the old Windows dialog box that asks for a password to log on as Administrator. I bypassed that. But after Windows started all I got was the default Windows XP blue screen. My desktop has no icons and no system tray. Is the same screen as the "blue screen of death" that people talk about when dealing w/ Hijack This after being infected with Virtumonde??

      Anyhow, I am in the process of doing a system recovery. If I was to use the restore point feature, it would point me back to the spot before I removed the virus. Wish me luck trying to start over.

    • profile image

      wafland 8 years ago

      Just a big THANK YOU for this excellent work on Virtumonde, particularly the Malwarebytes recommendation. My laptop came down with a vicious case of Virtumonde, including rootkit symptoms, several days ago... popup ads every few seconds, and the system slowing to a crawl. Spybot identified the malware but didn't fix it. Based on another site, I tried Spyware Doctor (free version from Google); it found additional instances but again didn't fix it. System Restore failed; and running in Safe Mode made no difference. Finally, after finding this site, I tried Malwarebytes. It worked like a charm: quick scan found even more instances, fixed most of them, and asked for a restart to fix the rest. My laptop is now like a new machine. As others have reported, I couldn't initially run malwarebytes from the desktop icon; it got those fake runtime errors. I simply reinstalled it with the "run after installation" option checked, and it ran fine.

    • duxrluvly profile image

      duxrluvly 8 years ago from Fort Stewart, GA

      Hey, we started getting a bunch of pop-ups on our computer yesterday. I downloaded Spybot S&D because I had used the program in the past. Sure enough, it detected the Virtumonde Trojan. Of course it wouldn't rid my computer of it. I started searching for answers, and I came across your page. It was loads of help. Thanks so much. I used the VundoFix, and it did not find the vulnerability. I then used the Malwarebytes Program. SUCCESS. I ran the scan again after restarting my computer, and no threat was detected. Hopefully, I am trojan free now for good. Thanks for the hub. Was a lot of help.

    • profile image

      Kal-EL 8 years ago

      To Becca:

      Sure that you did not get the virus on downloading Spyware Doctor? I have used it for about a year now and its done a great job before Virtumonde showed up, SD did find the virus but did not however remove the DLL file to stop it reviving on restart and AVG also picked up nothing.

      Luckily I also have Malwarebytes now for protection vs Spyware/Malware. The 3 altogether should make a strong shield vs those nasty demons!

      P.S. PC is still held up well and no sign of the Virtumonde virus, what I did to remove most of it was run Malwarebytes and edit the registry myself which seemed to stop it regenerating even though traces of it are still left unclean but then again if the virus thinks its already infected the computer then that makes a seemingly "sick" machine immune to the eyes of the infectious beast =S

      =D

    • profile image

      Becca 8 years ago

      I had the same problem with Virtumonde, thought I was going to have to reinstall. I agree with you about Spyware Dr. I was dumb enough to go out and purchase it because my AV software had flagged Vundo and couldnt get rid of it. However I had no symptoms of infection. Until I installed Spyware Dr anyhow. It released it into my computer, and my battle began. I finally got rid of it with MBAM, SuperAntiSpyware and Spybot S&D. Once I was cleared via online help from BleepingComputer, I let a month or so go by with no problems. On a whim I decided to reinstall Spyware Dr., funny how my next scan with MBAM found Vundo/Virtumonde again. That software is $29.99 worth of crap. In this case, free is better.

    • profile image

      Cujothemadog 8 years ago

      I had a go with virtumonde and here is some good advice ')

      Malware Removal: When to Flatten and Reinstall Windows

      http://aumha.net/viewtopic.php?t=28580

      format that sooker :)

    • profile image

      Kevin 8 years ago

      Finally gone! Malwarebytes wasn't very helpful to be honest.. it was WindowsLive OneCare that did it for me. Very useful program and you get a 90 day free trial. It solved the problems for me (or so it seems) - highly recommend this program!

    • profile image

      Greg 8 years ago

      Hey Kal-eL if you want try stop-zilla to get rid of all traces of virtumonde. Its free trial for 15 days can't hurt. I'm going to use both Malwarebytes and stop-zilla buying both can't hurt. An ounce of prevention.

    • profile image

      Nick 8 years ago

      Thank you thank you thank you...I was finally able to get rid off this.

    • profile image

      Kal-EL 8 years ago

      Hey there

      It seems I have become troubled by this Virtumonde malware virus also but it seems to be a mutated version.

      I have used Malwarebytes which seemed to do something but its kinda confusing since the PC has gone back to normal and Spyware Doctor can't seem to find any infections from the demon Virtumonde anymore and my automatic updates stays on now.

      Besides the problems above and pop-ups (which I do not get anymore) I think Virtuemonde has died down and become unactive even after computer restart it still stays this way.

      It seems this blog may have done the trick so many thanks to Charlemont and her good spirit to make this info open to all troubled eyes.

      Conclusion: Spyware Doctor found traces of Virtumonde and removed it, however the virus regenerated itself anyway on restart.

      Malwarebytes seems to have done the trick well but I am not sure it exorcised Virtumonde 100% yet but the pop-ups and computer are back to normal... for now... even after restart.

      To reduce the risk of this malware returning at full strength or any other virus/spyware/malware I suggest you navigate to your control panel and switch off any software you never use and make sure it has limited/no internet access. Also make sure to do the same with your IE addons.

      Cya all!

    • profile image

      Greg 8 years ago

      Happy days deleted entire spybot and destroy software Virtumonde is now gone. Apparently spybot created a backup file. You'll have to do a search and delete ALL traces of spybot then reload it. Thanks Malwarebytes finally virtumonde is gone.

    • profile image

      Greg McCoy 8 years ago

      Loaded and ran malwarebytes 3 times found 7 files on the first run clean the last 2. Thought it was gone then ran spybot search and destroy it says its still there I'm going crazy trying to remove Virtumonde HELP

    • profile image

      Thankful 8 years ago

      Thank you for this page!! Clean at last!

    • profile image

      Derek 8 years ago

      Thankyou!

      Worked like a charm!

    • profile image

      Som & Reema 8 years ago

      Thanks a lot for being such a big help. You can't even imagine the way you have helped us to get rid of Virtumonde by MalwareBytes.. We were in a total loss. Now everything seems to be okay.. Thank you once again..

    • profile image

      really annoyed 8 years ago

      I have PeerGuardian which seems to really inhibit this thing from running. I ran malwarebytes several times and virtumonde kept coming back. I'm down to the last resort - just format the drive unless someone can come up with another option

    • profile image

      Jonathan 8 years ago

      I'd like to express my thanks and appreciation for you and this resource you maintain. Every tool I utilized missed at least one file this trojan infected. Malwarebytes Anti-Malware and your helpful instructions are at present the only comprehensive source for the removal of this infection.

      Sincere regards,

      Jonathan

    • profile image

      Laura 8 years ago

      I just wanted to say that this was the ONLY resource that really helped me clear the virus out of my computer! I had consulted several other forums regarding this problem and like many before me, none of the recommended programs worked: VundoFix, FixVundo, VirtumundoBeGone, etc, etc. After my computer was really starting to worry me by disabling Internet, Task Manager, and other scary things, I got Malwarebytes and sure enough it wasn't opening. I followed your instructions on renaming the file and it worked! Ad-Aware only found 10 files whereas Malwarebytes found 57!!!! Everything right now seems to be back in working order, hopefully I won't get infected again! THANKS SO MUCH!!!!

    • profile image

      Zoltan  8 years ago

      Charlemont, I appreciate your offer and your opinion. I finally decided to pay $89 to have the malware removed. I signed up for this on OnlineComputerRepair.org. The tech worked about 4hrs on my PC remotely. After he was done my PC was still very slow. I started uninstalling the programs and it seems that "OSAM Autorun Manager" caused the slowness, but I am not 100% sure. I read about OSAM here: http://www.wikihow.com/Delete-Virtumonde. I wouldn't suggest downloading it. SO, most likely I already got rid of the malware myself, but OSAM was still slowing the computer down.

      Anyway, thank you again for this great blog and your kindness and willingness to help people.

      I wish you all the best!

      Zoltan

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      Zoltan,

      because you have so many applications installed which have autostart feature, your computer is getting slow. It's normal.

      I'm not really a fan of spyware doctor. It used to be good before it became too commercialized. Well, this is just my opinion.

      Contact me via email so that we can investigate your case of virtumonde infection.

    • profile image

      Zoltan 8 years ago

      Great blog and posting! I have been struguling with Virtumonde for 4 days now. It seemed that I got rid of it two days ago but it is back again. I have McAfee and Spyware Doctor running. I have tried at least a half of dozen of software including Mailwarebytes, Spyware Doctor (purchased it), FixVundo, VundoFix, VirtuMundoBeGone SmithFraudFix, SpyBoot S&D and Microsoft's OneCare. It seemed that Microsoft's OneCare got rid of the Trojans (it was others than Virtumunod as well), but something is still active. Now, in safe mode, None of these tools can find anything, but when I log into norlmal mode, the computer is really slow. Opening Firefox takes about 5 minutes and McAfee is disabled by the trojan, and can't re-enable it. Becuase the computer is so slow in normal mode I can't really run Mailwarebytes anymore. Any ideas what I could do?

      Thanks, I really appreciate any help!

    • profile image

      Stu 8 years ago

      Maconmac & rk,

      When downloading Malwarebytes, make SURE to rename both the program and the file since this nasty Virtumonde Trojan prevents the creation of the Malwarebytes program & file without the runtime errors. I named it "kill" (without the quotes) and FINALLY got it to run!

    • profile image

      frustrated no longer 8 years ago

      After following the easy instructions in this hub I am now virtumonde free. Thank You Very Very much.

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      Jason and AM, contact me via email.

    • profile image

      Jason 8 years ago

      Seems I have Virtumonde pretty bad. I get run errors right at the end of the install for Malwarebytes, it seems to have completed the install though. But whenever I try to start it I get runtime errors.

      When I try to go to the device manager or into system hardware I get an error, "Run a DLL as an App has encountered a problem and needs to close.". Which is then followed by a whole ton of DrWatson errors.

      Nothing is found when I do searches for any of the Virtumonde files.

      I can't go into safe mode. When I try I get a screen full of file listings then it just sits there.

      I've used Avast, AVG, Ccleaner and Spybot. None have had enough success to really be worth mentioning.

      I've yet to be able to go to any Microsoft support pages, they just won't load. Same story for most anti-malware sites.

      I could use some help here.

    • profile image

      xpvictim 8 years ago

      well tried the malwarebytes tool a couple of times and got rid of the infection entirely, had been trying all day, removed a few bad dlls then renamed the virtumonde apps so that they could not run and every restart they would be back

      ran the tool once got rid of over 30 files i overlooked then a second time and got rid of the remaining 2 files and after the restart ran another scan with malwarebytes and nod 32 and infected files are 100% gone thanks for the info on this application.

    • profile image

      AM 8 years ago

      Is there anything I can do if I don't have the TDSSserv.sys file while trying to install malwarebytes?

    • profile image

      Wodahs 8 years ago

      Thank you! The Malware did its job and got rid of it!

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      Need help!, before running Malwarebyte's anti-malware, make sure it is updated. Then disconnect from the Internet. Do it via Control Panel, or by right-clicking on Network icon, or simply unplug the ethernet cable.

      If after doing this the troubles are not gone, then I assume there's something more in your box than just Virtumonde. Send me an email and I will advise you on some steps.

    • profile image

      Need help! 8 years ago

      I've run Malwarebytes about 3 times so far and it keeps finding new viruses. It seems that Virtumonde keeps on re-spawning on my computer. I've also used Adaware, Spybot Search and Destroy, and Vundofix.

      I no longer have problems with popups, but now my web browser runs slow (i.e. when I try to scroll down the page it does it very slowly in waves) and also, the "hibernation" feature on my laptop is now gone.

      Does anyone know what I can do?

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      rk, that's good news! Don't let virtumonde ever come back! ;-)

    • profile image

      rk 8 years ago

      OK, back again...for the last time!!!!!

      Dear Charlemont.

      Only because of this great blog of yours AND your willingness to REALLY help out, I have been able to finally get Malwarebyte's installed and run those precious scans. I woke up this morning, checked the PC for the completed scan, erased all of the 40 something infected files that Malwarebyte's found aaaaaand POEF!! GONE!!!

      VIRTUMONDE HAS BEEN OFFICIALLY BEATEN THANKS TO CHARLEMONT AND THIS GREAT BLOG!!

      Now I will do my part and spread the word as much as I can. Anyone should visit this blog and get informed PROPERLY on how to get and stay protected.

      Thank you so so so so so much!

      rk

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      rk, so you have that TDSSserv.sys file listed in device manager? Could you send me an email to charlemont[at]elitemail.org (replace [at] with @) and I will try to help you personally.

    • profile image

      rk 8 years ago

      Thx for the very quick response; however, I don't have the option available to disable. Can I also just try uninstall? Will that even work or will I damage anything?

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      rk, please look for my update 1/29/2009 and try to follow the steps. Screenshots should help you to finally get rid of Virtumonde virus.

    • profile image

      rk 8 years ago

      OK, anyone please help out! Maconmac clearly gave up because he couldn't open anti malware programmes like malwarebyte's!! I can't either!! Does this mean I also have to spend 90 bucks to finally get rid of virtumonde?? PLEASE tell me there's a way to get malwarebyte's installed! I mean, you're supposed to be able to install an anti malware program even though you're infected, right? Isn't a malware program supposed to work especially when a computer is infected? I know Virtumonde is specialized in blocking these programmes but malwarebytes seems to be working for everyone!! PLEASE HELP!!

    • profile image

      maconmac 8 years ago

      Just a final-I hope-update. I could not open several antispyware programs (Spybot, Malwarebytes) and others that opened (Symantec, AdAware, McAfee) found the virus but did not remove it. I recently purchased a new laptop that included a Webroots security disc with Spysweeper. I loaded this disc and the program wouldn't open.

      I finally gave up and contacted "onlinecomputerrepair.org". After establishing an account and signing in, the service took over my computer from a remote site and did many things that I didn't understand. They ran programs that I couldn't open such as webroots and malwarebytes and also ran combofix. It was weird watching my computer run itself, including reboots and opening programs, without my touching it. However, you have to be present to re-establish a connection in case the service loses contact (they phone you to give you instructions). In any case, after 2.5 hours, my computer was clean and ran fine, and has continued to do so. The name of my technician was Brian O. He must have known what he was doing, because he corrected the problem. The cost was $89.99 and it was well worth it after 2 months fighting this thing. All the antispyware now runs fine, and I hope to keep ahead of this problem in the future.

    • profile image

      bgstrong 8 years ago

      After reading this forum, I used Malwarebytes 133 to remove Virtumonde. It worked perfectly the first time. Absolutely incredible. I then purchased Malwarebytes immediately although it is also a free program and it was the free program that removed Virtumonde. Great program. Neither Housecall, AVG or Spybot was able to remove Virtumonde.

    • profile image

      ljones32 8 years ago

      I tried Spybot/search and destroy and it would NOT remove this Virtumonde. It would pull up the infections and say it removed them but the .dll file would cause it to just pop back up again. Just an FYI. This is the first encounter I have had with any spyware that spybot could not remove.

    • profile image

      chi-town 8 years ago

      thank you so much for this blog. i used the malwarebyte program, and it cleaned it up.

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      Hi benz,

      looks like you're having some real struggle with this pest.

      Try preventing reboots by issuing this command.

      Go to Start-->Run, type in "shutdown -a" without quotes and click Ok. Note there's a space after "shutdown" and before "-a".

      Now go again to the Run box and type in MSCONFIG then click OK. A System Configuration utility will start. Navigate to Services tab, check the box below labeled "Hide All Microsoft Services". Then uncheck all the remaining services. Click Apply. Navigate to Startup tab and uncheck ALL boxes. Apply and OK.

      Do a cold reset (press the button instead of using start/shutdown) and try running all the antivirus/antispyware scanners you have. To make things a little bit easier for you, do targeted scans instead of system-wide. That is, right-click on C:\Program Files folder and choose Scan with whatever security program you have. Repeat same for C:\Windows folder. Then proceed to a custom scan which checks memory and registry. This is gonna take quite some time, though.

    • profile image

      benz 8 years ago

      Hi, I have this virus, however this command prompt is not working for me this one advanced. I downloaded something it said it was a key, but when I tried to open got an anti virus a red icon in the task bar. I tried to run a virus scan or a spyware scan, my computer will reboot and restart itself automatically without warning. Out of about several attempts of running both scans it's only managed about 3 virus scans and about 3 spyware scans, nothing gets to open, it keeps flashing on and off. The virus scan has detected MRI in adware, but spybot keeps sticking half way requesting a restart. I cannot get online, nothing opens, they all shut down as soon as it opens, I cannot even open folders, the system flashes back and forward and changes before you can open any program or folder. I cannot run a hijack this log. Cannot start in safe mode or work in safe mode, keeps giving a pop up saying if I wish to work in safe mode, click yes, when I do it goes back to it again. I've also tried symantec's online virus scanner, and spybot, but it also triggers a reboot when it's scanning. Could a virus/spyware or damaged files be causing the reboots? Apart from formatting the hard drive I'm all out of ideas of what to do. Any ideas?? I managed to run the cleaners once I click on them before the system flashes. They keep detecting something called Virtumonde. I used the vundo fix which also found the same name with a whole lot of letters after it. But what I noticed was it attached itself to the run file and opened the cmd and typed an exe code. Then it closed Firefox and reopened it and now I cannot even get the system to stabilize for 1 minute. Please beware of this Trojan, if you see something bring up the cmd /msconfig screen from your run of your computer, do not download, cancel it. It is just not responding to this command prompt! STILL FLASHING AND UNSTABLE THIS IS A TERRIBLE TROJAN PLEASE BEWARE! Any help will be greatly appreciated. Cheers guys

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      If Windows works OK after removing Virtumonde, there's no need to reinstall it.

    • profile image

      8 years ago

      after i kill the virtumonde, do i have to reinstall the whole window?

    • profile image

      Virtumonde 8 years ago

      If you're still having issues then you may want to consider using combofix.exe. This is a very powerful tool that is easy to use. Be forewarned however that it can cause systems to crash so you should have a back up first. As a last resort it may be worth the 89 bucks to have an expert remove this threat for you. As highlighted in the article there are plenty of online computer repair companies out there. I also see this site recommends Malwarebytes. The free edition offers no up front protection but neither does most free software. It's a great little program that should really help you out.

    • profile image

      Rhae 8 years ago

      I used a combination of 8 programs to remove Virtumonde from my computer, Malwarebyte Anti-Malware being the last one that got rid of the last of it. Maybe it would've gotten rid of all of it from the beginning, idk, but it was the most extensive scanner (4.5 hrs) and found the most crap and deleted them all. This website was most helpful, and actually listed a few of the programs that I used. As I said before, I used 8 programs: Spybot Search & Destroy, Ad-Aware, Stinger, CCleaner, Symantec's Fix Vundo, Vundo Fixer/VirtumondoBeGone, and Malwarebytes Anti-Malware. I did all of this over the course of three days. Hope this helps, esp if you don't have a CD to reformat your comp.

    • profile image

      Teri 8 years ago

      My computer is infected with virtumonde. I downloaded Malwarebytes and did the first scan. It took a bunch of the virtumonde stuff off. I went to do a second scan like you suggested and it found 3 more, but while scanning my computer rebooted itself. When it came back there was an error report stating that Windows suffered a serious error. Help. Oh, I don't have the windows xp discs to reformat.

    • profile image

      Jawad UK 8 years ago

      Really thankful for such great information. It will really help me to protect my P.

    • profile image

      maconmac 8 years ago

      Malwarebytes appears to be present both on the C Drive and on an outboard drive, but it won't open from either place either in safe mode or regular mode. I may have the original XP disc so I can try your suggestion.

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      maconmac,

      if I got it right you can't install Malwarebyte's? Then it's probably Virtumonde's fault. It might be corruption of Windows.

      If you have original Windows XP CD with SP of same version as installed, try running this command: sfc /scannow

      Type it into Run box and click OK. This is not a cure for any infection, but might help to restore damaged Windows files.

    • profile image

      maconmac 8 years ago

      Another update. I tried running Malwarebytes in Safe Mode with Networking and it would not open. I also got a copy of Malwarebytes downloaded to an outboard drive from an uninfected computer. It wouldn't open either from the outboard drive or when I moved it to the C drive. I tried both safe mode with networking and regular mode without success. I'm at my wits end and don't know what else to try.

      Meanwhile, the computer often seems to run fairly well. The main symptoms I'm having are slowness opening programs and loading webpages, unexplained lockup and hangups when booting up. I'm not getting much in the way of popups. I'm using Safari as my main browser, with Flock occasionally. I can't remember when I last opened Internet Explorer. Maybe that helps with the popups.

    • profile image

      Kevin 8 years ago

      Just a little FYI update. Make sure to update Malwarebytes and run it. Granted Virtumonde was pretty much gone and all signs/errors I was having with my PC were fixed, I updated and ran Malwarebytes this week and it was able to find 6 more things that it didn't find last week (before the updates).

      Updated it a few hours ago as well and nothing found. :)

    • profile image

      maconmac 8 years ago

      Dear Charlemont,

      Last evening I was able to download Malwarebytes, but it wouldn't open in normal running mode. I will try to run it in safe mode today. I had never been able to download it before, so this seems to be progress. Spybot wouldn't open in Safe Mode. I haven't yet tried Safe Mode with Networking.

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      eric, FREE Malwarebyte's removes detected infections. Paid version provides real-time protection.

      maconmac, so you mean that you run MBAM in Safe Mode and it found nothing? Same as Spybot?

    • profile image

      eric 8 years ago

      could have freakin told me that malwarebytes and its FREE download cost money to activate for removal of bugs...thanks great help

    • profile image

      maconmac 8 years ago

      Dear Charlemont

      Thanks for the suggestion, but all the items in my Startup menu have paths listed in the Command column. There are none with just a name and no pathway. I have considered turning them off individually, but am afraid of doing some real harm.

      I have tried starting in Safe Mode and it didn't help, but I've never tried Safe Mode with Networking. What is the difference?

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      maconmac,

      try turning off irrelevant or suspicious processes.

      1. Go to Start-->Run, type in MSCONFIG and click OK.

      2. When Microsoft Configuration Utility loads up, navigate to Startup tab.

      3. Uncheck boxes of the processes that do not have the path under Command column. So, if the process has just a name (and not a full path like C:\ ), uncheck it.

      4. Click OK.

      5. Restart Windows and try downloading Malwarebyte's this time. If you're lucky to download and install it, restart again and boot into Safe Mode (hold F8 key right after system beep until Boot Menu appears, then select Safe Mode with Networking). Do not forget to update Malwarebyte's database with latest definitions. Do a full system scan at least twice.
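The heuristic in step 3 above (startup commands that show only a name instead of a full path), as an added example that is not part of the original comment or the hub: a read-only PowerShell listing of the Run and RunOnce registry keys, which are one source of the entries shown on MSCONFIG's Startup tab. The function name `Test-HasFullPath` is made up for this example.

```powershell
# Added example (not from the original post). Read-only: nothing is changed.
# Lists autostart entries from the Run/RunOnce registry keys and marks those
# whose command does not begin with a full path, as in step 3 above.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: true when the command starts with a drive letter
# (C:\...) or a UNC share (\\server\...), after expanding %variables%
# and dropping a leading quote.
function Test-HasFullPath {
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim().TrimStart('"')
    return ($expanded -match '^[A-Za-z]:\\' -or $expanded -match '^\\\\')
}

$entries = foreach ($key in $runKeys) {
    # A key may be absent (RunOnce often is); skip it quietly.
    if (-not (Test-Path -Path $key)) { continue }

    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        New-Object PSObject -Property @{
            Key         = $key
            Name        = $name
            Command     = $command
            HasFullPath = (Test-HasFullPath -Command $command)
        }
    }
}

# Entries without a full path (HasFullPath = False) sort to the top.
$entries |
    Sort-Object HasFullPath, Key, Name |
    Format-Table HasFullPath, Name, Command, Key -AutoSize -Wrap
```

A command without a path is resolved through the Windows search path, so a `False` row is a prompt to check which file actually runs, not proof of infection.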

    • profile image

      bryan 8 years ago

      so after fighting this beast for a very long time to no avail. i turned to the guys at onlinecomputerrepair.org - they started out tryin the same techniques i was doing. tryin to use malwarebytes. but just like me they had no luck, even after renaming extensions, directories and such. (they told me that i had a very very bad case of it). after they did a bunch of behind the scenes work i knew nothin about (killing certain processes and such) , what ultimately did the job for my computer was ComboFix. virtumonde was blocking all the security software, and combofix was the one that got through. and it cleaned out the virus, and then we got MBAM to work again and used that to kill the misc. adware that was left. in the end, the guys over there told me it would take about 1-3 hours. mine ended up taking 4-5, because it kept freezing and such and we kept having to reconnect. because they use screen sharing software, which basically means they tap into your computer and take control of it and u just sit and watch. it cost 89.99 for the infection removal but was well worth it, as i had spent way too many hours tryin my self. so in the end

      -Try malwarebytes first (if it is too severe and being blocked like mine, and u cannot get it to run by changing the program extension name and directory) then use combofix. if that does not work. use onlinecomputerrepair.org. they also do all kinds of other pc tune ups, and etc. if combofix works, then use MBAM to clean up anything left. thats all.

    • profile image

      maconmac 8 years ago

      My last post is a while ago, but to refresh, my version of virtumonde will not let me download either Spybot or Malwarebytes. It apparently blocks the download site. I do have Spybot already on my computer, but it has a padlock on it and it will not open either through the shortcut or directly from the file on the C drive. My girlfriend did have a copy of Spywarebots on her computer (where it works flawlessly). I downloaded it to a removable drive, but this version also has the padlock and will not open. Any more suggestions? I'm going to try to download Malwarebytes to a removable drive and see if it will run from there, but I'm not too hopeful. Any suggestions?

    • profile image

      Rob 8 years ago

      I finally got rid of my virtumonde infection. It was total hell - I wrote up my eventual solution. Spyware Doctor really didn't fix it...neither did AVG :-/

      http://softwareblend.blogspot.com/

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      Daniel, it's good to have the right tool at hand, right? ;-)

    • profile image

      Daniel 8 years ago

      Oh and LAW: It was the same to me. try Malwarebytes, it worked on me!

      Post your ICQ Nr, if you need more help :)

    • profile image

      Daniel 8 years ago

      O M G! Thank you charlemont!!!! I really got tears in my eyes right now.

      I'm in this battle against Virtumonde since nearly 16 hours now. I tried all: Reg.Cleaner, delete programs for this DLL (which name I've known since the battle starts), Spybot from the beginning, Symantec AV, Spydoctor (really shit this program). But nothing worked.

      Then I found your site and tried these Virtumonde removers, which both didn't work and found nothing (I tried many many times...). Even the manual deleting of the reg. entries hasn't brought anything. And all the time I had this DLL right in front of me at the screen and I can't kill her.

      But then I read your Update, to use the Malwarebytes program. This was the key. I found EVERYTHING, killed EVERYTHING and nothing left, even the bad DLL. (By the way: Spybot found the bad reg entries all the time, I removed them always, but nothing changed; after Malwarebytes, everything was clean.)

      I really got to thank you for this site. You saved my day and my PC :)

      Now I'm feeling really good.

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      Hi Law, follow the pattern that seems to gain positive results. Download Malwarebyte's above and install it, update, then run full system scan 2 or 3 times, restarting Windows after each. Do NOT use Start-->Shutdown-->Restart. Instead, do a hard reset (press the button on the computer case).

    • profile image

      Law 8 years ago

      OMG!

      I'm still struggling with this malware!

      I ran spybot, and it detected the 5 different Virtumonde entries. I had thought this was the problem. I managed to get Spybot to "Fix the selected issues", but right now, I'm still having pop-ups, and my connection is still slow. I've run the VundoFix but it didn't detect any infected items at all! My head is starting to spin!

    • profile image

      Chad C. 8 years ago

      Thanks for this great info! I struggled with this malware for a while today. The first thing I ran was Spybot, but it couldn't remove this malware, it could only detect it. I then tried VundoFix, which found nothing, and then VirtumundoBeGone, which appeared to fix part of the problem. Still, Spybot was finding entries for it. I finally found this site. I tried Malwarebytes and it found NUMEROUS entries for this problem and fixed or quarantined them all. It appears to have cleaned it all out. Spybot no longer finds entries any more. Thanks again!

    • profile image

      Kevin 8 years ago

      Thanks for having the page charlemont. So far 24hrs and running just fine.

    • profile image

      Max 8 years ago

      I run malwarebytes and spybot both in safe mode and found (MWB) 47 entries! On reboot Spybot-SD resident alerted me of a registry entry about to be performed: winsidebyside to which I said no and remember my choice.

      Done.

      No more problems. All gone. Cheers,

      Max

    • charlemont profile image
      Author

      charlemont 8 years ago from Lithuania

      Kevin, I'm glad your computer is clean now. Thanks for visiting my hub!

    • profile image

      Kevin 8 years ago

      Just finished running malwarebytes two times. The first time it found 38 objects and removed 36. Restarted and found the remaining 2 and was able to get rid of them. Ran Spybot again and this time nothing came up. So I'm pretty sure malwarebytes was able to get rid of it, WOOHOO! Everything seems to be perfectly back to normal.

      So Malwarebytes rules :)

    • profile image

      Kevin 8 years ago

      I tried the spybot a few times, and it seems to find everything, but doesn't remove it. It keeps coming back. Then I tried the Vundo remover and it does not even find anything at all!

      I am starting to get worried here. My next step will be to try malwarebytes... I will post my results.

    • profile image

      yoshi 8 years ago

      malwarebytes worked for me! Thanks for having this here.

    • eaglegordon profile image

      eaglegordon 8 years ago

      Spybot ranks as my favorite for scanning.

      I haven't been infected with this trojan yet, do keep my defenses up.

      But had a friend who had a very persistent virus infection. End result was clean the hard drive and reinstall. All his important data was saved, before.

    • profile image

      TOMBO COMBO 8 years ago

      @ Bryan you could try to install again by re-running the installer program. It will either let you remove the program or install it again. Then I'd try to install it into a custom directory and rename like from above. You might have to rename the installer program also. Did u try spybot search and destroy yet? Cause if you can get that going first you might hurt it enough to run malwarebytes. Make sure to disable tea timer before using malwarebytes. Oh yeah, did u go into safe mode to try running the program? Hit f8 while windows is loading right after bios shows up (hit it a bunch), and disconnect your internet while trying to kill it. There is a program called remove toolbar buddy by scorpio that can help deleting the browser helper object (not free) but you can try it and it will show you the name of the .dll file screwing things up. Even if u buy it, it can't delete it without regenerating, but points you in a good direction. If you read my prior post about enabling show hidden & protected operating system files it will guide you to the bad files. Check msconfig and write down the names of the bad .dlls and uncheck them from the start up section; if you use hijack this it can help name the bad files. There is a program called pocket killbox! (free) that lets you delete protected files. I suggest, delete on reboot - all files, add as many of the files you're sure about that are bad to its list. You can also use file shredder on spybot to delete them. Almost all the grey-faded files are infected. If you can get into the registry the browser helper object key is what reinfects the machine, it loads right away on start up and reinfects the machine. Delete if you can, toolbar buddy identifies the name of the .dll in the registry and in system32/ . Check prior post also.

    • profile image

      bryan 8 years ago

      @tombo combo. that did not work. and i can not uninstall either. any other suggestions or ways to get it off. thanks in advance

    • profile image

      TOMBO COMBO 8 years ago

      @ Bryan assuming its already installed, right-click on the malwarebytes shortcut, check the properties, look at the target path, that is the actual program location

      go into my computer, click on c: drive.

      Navigate to C:/ProgramFiles/malwarebytes?

      im betting the .exe is there in that directory

      then rename the file, and always go here to run it

      Alternatively if you still have problems try to reinstall malwarebytes and give it a custom install directory to help confuse the WALDO VIRUS, and do the steps above also. guwd-lukk

    • profile image

      bryan 8 years ago

      @charlemont, no i have it installed but it is being blocked by virtumonde. i think there is a way to rename something in Malwarebytes to get it to work. @tombo combo, how do i rename a program file to get it to work. thanks

    • sean.rutger profile image

      sean.rutger 8 years ago from USA

      This hub is very useful. I use spybot S&D primarily, and for months I had noticed that every time I ran a spybot scan, Virtumonde came up and could not be removed completely. The last time I checked, spybot was able to remove it (they must have done an update that can handle Virtumonde). I'm glad it wasn't just me who was having trouble with the malware... While I was reading this hub at work it started an office hate-fest when the guy down the hall heard me talking and jumped in with an "I hate virtumonde!" himself. Thanks for the info and the good read!

    • MarcNorris profile image

      MarcNorris 8 years ago from Canada

      I got hit by the Virtumonde virus and AVG wouldn't deal with it. Neither would Ad-Aware or Spybot, but eventually I was able to get rid of it with Norton 360, though it took five or so tries for it to get rid of it.

      I wish I would have seen your hub sooner - it would have saved me the headache.