ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel

Virtumonde Removal Tools and Guide

Updated on July 23, 2010

What is Virtumonde Trojan

In the eyes of most PC users adware virtumonde is a common spyware that displays ads in a highly aggressive way. But this is only one side of the medal, the visible part of the malware. Inside, it's a demon.

Depending on security lab, Virtumonde trojan has been attributed high, elevated or critical levels of danger. This is not a common case in the world of IT security, so there must have been substantial reasons why this malware (alternatively known as Vundo) still received a good portion of attention on the part of anti-malware software makers.

Trojan Details

Virtu monde modifies the Windows Internet connection settings and displays various pop-up advertisements, such as those of fake antispyware programs (including, but not limited to Antispyware Master, Sysprotect, Storage Protector).

This parasite adheres itself to critical Windows system processes (Explorer and Winlogon) which makes it hard to fight the infection using conventional methods.

Virtumondo exploits vulnerabilities in Sun Java. Whenever computer restarts, the malicious files are recreated. There's no surprise that Internet Exlorer is affected by this virus; MS native browser has always been known for its vulnerabilities. Unfortunately, both Mozilla Firefox and Opera browsers (regarded as more secure than IE) are not virtumonde-resistant.

This malware is known under different names depending on security lab that classified it.

  • Downloader.Virtumonde.G
  • Spyware/Virtumonde
  • Trojan.Virtumod
  • Trojan:Win32/Vundo.A
  • Trojan.Downloader.Virmo-3
  • Trojan.Downloader.Virtumonde.F

The Trojan Virtumondo generates a random .DLL once executed, and then it's capable of stopping security programs, and also infects system processes (e.g. Winlogon). The trojan ensures its active presence in the infected system by adding registry keys to auto-start every time the computer is restarted.

Some variations of malware collect serial numbers of hard drives and report these data in encoded form to its servers. If the infected system is a Virtual Machine, then the virus behaves without any signs of its presence. But if the system is real, then its starts displaying adware, warning messages to scare the user into bying something that allegedly would repair the infection. Despite the months of malware activity passing by, innocent victims fall for the scam and pay for fake antispyware products. Of course none of them can remove it because those rogue security programs make part of the malware.

This malicious evil is hard to remove since it changes its files, and executes itself automatically with Windows reboot. There are not that many unremovable trojan horses like this one.

Signs of Infection

It's easy to tell when your PC has been infected with this type of malware - endless loop of pop-ups will tell you the adware is there.

Web browser will start showing unrelated ads claiming there's system deterioration detected and offering a fix for it.

Desktop backgroun (a.k.a. desktop wallpaper) will be changed to an image threatening with system infection. Screensaver will be changed to a blue screen. Attempts to change the wallpaper and screensaver will be unsuccessful because the malware changes Registry values to hide tabs of Desktop Properties window.

Virus can go further and disable both Task Manager and Registry Editor, thus preventing the user from removing its registry keys or stopping the malicious process.

Trojan can also disable the Windows Security Center control panel because it either replaces WSC with a fake imitation to promote some counterfeit security program, or simply blocks access to this essential part of  Windows security administration. In both cases, the trojan takes full control over Windows security applets.

Additionally, desktop icons and taskbar may disappear to make user experience still more frustrating.

In brief, this pesky parasite goes to great lengths to ensure it may resist almost all attempts to clean it out of the infected computer.

Hard drive may start spinning consistently because of Winlogon process accessing the disk.

Internet connection stability may be affected as well. Web browsers may be redirected to unwanted sites; on the contrary, certain websites my not load fully, or may freeze.

Trojan Hijacked Desktop Background
Trojan Hijacked Desktop Background

How to remove virtumonde

Before getting to the list of removers, it's important to describe why this malware is so hard to get rid of.

Some antiviruses successfully remove parts of the infection, but miss the hidden DLL file. Once the system is restarted, the hidden DLL recreates the virus.

The main malicious DLL file is missed because it runs side-by-side with Winlogon process, which is patronated by Windows itself. Antivirus software cannot fight with Windows.

This particular Malware creates files with random names to make its detection a tough task.

Vundo Fix
Vundo Fix

Free Virtumonde Remover

This Virtumonde fix is known to have removed the stubborn infection from over 1 million computers over the world.

Vundo fix usage:

  1. Download the file. If it's an archive, unpack it.
  2. Double-click the executable (.EXE) file.
  3. When the program opens, click the Scan button.
  4. Once the scan is finished, click Remove.
  5. The program will ask is you want to remove the detected files. Agree to the prompt.
  6. The desktop may go blank because the fix tool will begin removing the malware.
  7. At the end, the fix will as for reboot; choose "yes".


Symantec provides a free virtumonde remover that's capable of curing certain variants of the malware.

How to use Symantec Tool:

  1. Download the .EXE tool;
  2. Disconnect from the Internet;
  3. Turn OFF System Restore;
  4. Double-click the file you downloaded;
  5. Click Start to initiate the scan.
  6. When finished, restart and re-enable System Restore.

Note: this virtumonde fix does not cover all of the trojan variants, so it may be useless in some cases.

In case a supported malware is detected, the Symantec remover will delete the malicious files and associated registry entries.

A bit of statistics

Fact 1: Kaspersky Labs after analyzing its virus activity statistics informed that the family of trojans happened to be #1 most frequently reported case of malware infection in February, 2008.

Certainly no single malware can occupy the #1 spot of most widespread threat for a long period of time because new dangers appear every minute. But we definitely see the huge potential behind this pesky parasite.

Fact 2: Google Trends - a tool used to analyze search volume for any given query - shows that this malware doesn't get searched for less as time goes by.

Prevent Infection

Malware removers have beed created by volunteers or software companies to stop the spread of the malware.

However, it's always better to prevent infection, than bother getting rid of it. Unfortunately, the tools above only work for system clean up. They don't have any kind of real-time protection to stip the trojan at the Ethernet gates.

If you value your time or don't want to risk losing the data on the hard drive, consider setting a permanent anti-virtumondo shield.

One of such long-existing in the software world programs is SpyBot Search & Destroy. Our visitor Jerrico reported his positive experience with this antispyware, so here's a link to official Spybot Search and Destroy download website.

Useless Virtumonde Removal Programs

After reading lots of forum posts and blogs and Yahoo! Answers I came to conclusion that you should be careful what virtumonde removal software to use.

There are forums that blindly advise to cure sick PC's with PC Tools Spyware Doctor. While this program certainly helps in some cases, there are lots of people reporting no effect from the use of Spyware Doctor. Even its edition with antivirus may fail.

Another highly recommended program is SpyHunter. Unfortunately, it's nothing but a free scanner which doesn't remove detected malware. But even paid version might be unable to remove detected infections.

Ad-aware from Lavasoft has a free version with removal capability, but it only deals with a small number of trojan mutations. Thus chances are it will be unable to erase your particular infection.

One more often recommended program is SpyNoMore. I tried to download it myself, but... well, here's how it went.

1. SpyNoMore is distributed by Regnow. I supposed a company that big would take control of the files it hosts. Nope, apparently it doesn't. The .exe I downloaded from Regnow was 125 KB in size. As you might guess, it's too little for an antispyware program. Ok, I expected it to be a downloader only - and guessed that right. But checked the downloader for malware anyway.

2. I double-clicked the executable and it asked where the SpyNoMore setup should be saved. I pointed it to the folder.

3. The downloaded file was bigger - 2.9 MB in size, but still it looked kinda strange. Even before the setup was downloaded, avast! antivirus popped up a message warning about a trojan.

4. I tested the file with TrojanRemover as well. Infected!

Sadly, crap is distributed via trustworthy websites.

The screenshots to prove my experience are below.

SpyNoMore Suspicious Setup

SpyNoMore Downloader. 125 KB only... suspicious
SpyNoMore Downloader. 125 KB only... suspicious
SpyNoMore Setup: less than 3 megs in size. Wonder why so little?..
SpyNoMore Setup: less than 3 megs in size. Wonder why so little?..
avast! detected a trojan horse inside SpyNoMore setup
avast! detected a trojan horse inside SpyNoMore setup


SpyNoMore is a shady antispyware that gets distributed via credible network, but in the form of a small-size downloadable .exe instead of a full setup file. It contains a trojan horse inside, that's why it definitely makes sense to stay away from this program. DO NOT download or install SpyNoMore if you care about your PC safety.

NOTE: I'm closely monitoring the situation to be able to recommend only those software programs that are most suitable to fix this type of malware.

Update 1/7/2009: Visitors of this hub report about much success they have with Malwarebyte's. It seems to be a true Virtumonde killer. So if you're still having problems deleting Virtumonde after you've tried out all other remedies, I suggest that you get a copy of Malwarebyte's and finally answer the question "How to remove Virtumonde?" Tip: do a scan with Malwarebyte's at least twice.

Update 1/29/2009: It seems that Malwarebyte's anti-malware has become the Virtumonde enemy #1. Those who stand behind this virus go to great lengths to prevent Malwarebyte's from even installing onto infected system. More and more frustrated victims of Virtumonde report that they cannot download and/or install MBAM because the virus actively blocks such attempts.

Here's a good news: Malwarebyte's guys developed a trick that allows to beat the nasty parasite.

  1. Download Malwarebyte's anti-malware.
  2. Rename the setup file to something generic like virtumondekiller.exe or goodluck.exe - just keep the .exe file extension intact.
  3. Right-click on My Computer, select Properties. Go to Hardware, click on Device Manager.
  4. On the View menu click to show hidden devices.
  5. Navigate to Non-Plug and Play Drivers, and look for the one called TDSSserv.sys (other common filenames are: TDSSspax.sys, gaopdxserv.sys, UACmxegjtve.sys). Right-click on it and choose Disable.
  6. Restart Windows. 
  7. Install Malwarebyte's anti-malware. If you couldn't download the software earlier, try now.
  8. If the program does not start, or closes with errors, find mbam.exe located in C:\Program Files\Malwarebytes' Anti-Malware and rename the file (e.g. to file.exe). Double-click it, update anti-malware definitions and scan the system as many times as you want ;-)

If you have difficulty updating Malwarebyte's, here's a link to download the latest database of MBAM signatures:

Malwarebyte's anti-malware database.

(This is NOT the software installer, but only MBAM program database with latest anti-malware definitions. Double-click the downloaded mbam-rules.exe and follow the instructions to update your current installation of Malwarebyte's anti-malware).

Note: follow this procedure only if Malwarebyte's would not install. The driver TDSSserv.sys is part of the infection and should not be in your system.

The screenshots below show the steps.

How to force Malwarebyte's installation: Step 1

Right-click on My Computer icon, select Properties, go to Hardware --  Device Manager.
Right-click on My Computer icon, select Properties, go to Hardware -- Device Manager.

How to force Malwarebyte's installation: Step 2

On the View menu, select Show hidden devices.
On the View menu, select Show hidden devices.

How to force Malwarebyte's installation: Step 3

Scroll down to Non-Plug and Play Drivers.
Scroll down to Non-Plug and Play Drivers.

How to force Malwarebyte's installation: Step 4

Locate TDSSserv.sys (or something like that), right-click on it and choose Disable.
Locate TDSSserv.sys (or something like that), right-click on it and choose Disable.
a-squared anti-malware v5.0
a-squared anti-malware v5.0
Malwarebyte's Anti-malware v1.46
Malwarebyte's Anti-malware v1.46


I'm receiving emails from PC owners who undergo Virtumonde infection the second and third time after complete removal.

This is why I have to stress the following:

Removing virtumonde does not mean it will never come back. In fact, another infection can re-occur the next moment. Unless you closed the hole through which it had slipped into your computer, nobody can guarantee you this nightmare won't repeat.

If your current security software configuration didn't block this virus, it's very much recommended to change something in your PC security approach.


This website uses cookies

As a user in the EEA, your approval is needed on a few things. To provide a better website experience, uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at:

Show Details
HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
LoginThis is necessary to sign in to the HubPages Service.
Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
AkismetThis is used to detect comment spam. (Privacy Policy)
HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the or domains, for performance and efficiency reasons. (Privacy Policy)
Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
MavenThis supports the Maven widget and search functionality. (Privacy Policy)
Google AdSenseThis is an ad network. (Privacy Policy)
Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
Index ExchangeThis is an ad network. (Privacy Policy)
SovrnThis is an ad network. (Privacy Policy)
Facebook AdsThis is an ad network. (Privacy Policy)
Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
AppNexusThis is an ad network. (Privacy Policy)
OpenxThis is an ad network. (Privacy Policy)
Rubicon ProjectThis is an ad network. (Privacy Policy)
TripleLiftThis is an ad network. (Privacy Policy)
Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)
ClickscoThis is a data management platform studying reader behavior (Privacy Policy)