We are using winxp pro.
Somehow we have picked up a bug known as "virtumonde".
After running a half dozen cleaners both in regular mode and safe mode it is still there.
Spybot found it and supposedly fixed it but it came right back.
It appears to be a multipart bug that keeps reinstalling itself.
Has anyone ever heard of this thing and if so how to get rid of it.
-
As stated in my original post I already ran the cleaners in safe mode.
-
make sure you're not on the internet when cleaning
otherwise, it will just go get the files again
http://www.virtumonde-removal.com.removal-instructions.com/removeVirtuMonde.html -
nod32 should work, but not free
give dr. web cureit a try (free)
http://freedrweb.com/cureit/ -
If everything else fails, try gmer:
http://www.gmer.net/files.php
(OK, jimdagys will not like to read this, but what the heck)
-
As stated in my original post I already ran the cleaners in safe mode.
Sorry. Didn't catch that. -
This worked for me when nothing else did.
http://vundofix.atribune.org/ -
Try this, works a treat: SmitfraudFix. Can't beat it and it's free
http://siri.geekstogo.com/SmitfraudFix.php -
One thing I've noticed is that quite often programs like this place their files in the temp folder. Boot into Safe Mode and delete all of the files in your temp folder (Documents and Settings/"user folder"/Local Settings/Temp; also sometimes the temp folder on the C: drive and the temp folder within the Windows folder). Then run your spyware cleaner. I use Lavasoft Adaware (free) and SpyBot Search and Destroy (free). This should eliminate most of your issues. I've had a few that this didn't completely solve, but the main files were removed with this process and I was only seeing "file cannot be found" errors. Those can be resolved by removing those references from the registry.
Google is your Friend -
This little bastard called 'virtumonde' seems to have surfaced on my computer recently. Nod32 sees it, but can't do anything about it. Fat load of good that is! Neither can Spybot etc. Reading the Eset Nod32 forums, it seems to have everyone running around like headless chickens, with no definite answers. Try this download, try that download. Of all the suggestions made on this thread this year, has anyone had any SUCCESS in eliminating this little scumbag? Any definite answers?
-
Hello cyflyer,
I got virtumonde some time ago and finally got rid of it this way:
First off it is in several locations and you have to get rid of all. If you don't it will replicate itself.
I went to safe mode for the whole procedure.
Run a program called malwarebytes. It will remove some of it.
Then run spybot(sd) and that will get rid of some of it.
Then run trojan remover and that will get rid of some of it.
Repeat this process until all the programs come up clean, then you should be ok.
This worked for me.
Good luck -
Originally Posted by cyflyer
This is the only time that I have been disappointed with Nod32 which I have run for a few years on many of my systems. It could detect it but not clear it definitively!
Dr. Web CureIt (free) did it for me -
Major Geeks is a bossy website, but the advice there got me out of some jams. Scroll down for virtumonde removal info. I remember it wasn't easy.
"The fact to which we have got to cling, as to a lifebelt, is that it is possible to be a normal decent person and yet be fully alive." - George Orwell -
As with all malware, do not forget to disable system restore or they will come back
-
Do what Bjs said and disable system restore, update and run malwarebytes antimalware and super antispyware in safe mode. When finished, reboot and rescan, write down the whereabouts of any files that haven't been removed, then use an ubuntu live disk to delete the files.
The malware makers seem to update their programs to make it hard for the anti virus/spyware removal programs to keep up.
You could also run Hijack this and copy paste the output into http://www.hijackthis.de
The problem is the trojan writes fake DLLs everywhere, so Windows won't delete them whilst Windows is running because it thinks it's using them.
Hope this helps -
Thanks for all the suggestions. Am still in the process of scanning away with all the downloaded programs.
Originally Posted by kisrum
Hopefully the anti-virus programs we pay so much for might catch up and do what they're supposed to. -
If you do manage to clean up your system, stay away from slimy web sites. If you don't, your probability of reinfection is 100%. One of the worst of all are bit torrent downloads of pirated content and applications. A meaningful percentage of these downloads have been "modified" to contain a load of little gotcha surprises. "Free" keygens are one of the favorite "containers" for malware. Did you happen to run a keygen and apparently nothing happened? Well, something did happen; you just got infected with a load of malware. Or did you ever download a video that didn't play with your normal video playing applications and then tried to play it with the included "player"? If so, congratulations, you've been had.
It's impossible to confirm but there are reports that some application developers have created "custom" variations of their programs and released them into the wild for the purpose of punishing those who download pirated versions of their software.
Even worse is that some of this malware is the result of state sponsored or criminal "development" programs that are intended to enhance their capability to spy on or sabotage computers and networks. If you dabble around in their cesspools, you are inadvertently helping their "R&D" programs. Related to this, it's not a bad idea to change passwords, credit card and bank account numbers and anything else that may have been compromised by your little "experience". Some of these upload this information to IP locations on the dark side that collect and use this information. -
Thanks for the input SCDVD, however I NEVER go into any slimy websites, nor any downloads. Are these nasties carried by USB sticks? I occasionally load a picture and take it to work to print on a colour laser printer. Maybe caught it off there? I did scan my USB with Nod32 and it found an INF/Autorun Virus positive, which I'm not sure if that's related.
-
imo with the nasties like virtumonde it is easier and safer to format the boot drive and start over. some of them are self-replicating using randomly generated names for copies of themselves that are just about impossible to find and remove.
that usb virus has even infected u.s. government military computers forcing them to ban all removable media.
--
"a lot of people are better dead" - prisoner KSC2-303 -
cyflyer. My comments were not aimed at you in particular but rather at all of the readers of this thread.
USB sticks are a common mode of infection when you don't know where else it has been used. More and more businesses ban their use because of this. It's a bit like venereal disease; it doesn't much matter where it originally came from, if you aren't careful where you stick your "tool", you will get infected. -
aedipuss- which USB virus ? The one I mentioned ?
SCDVD- Nice analogy LOL ! -
the autorun usb virus/trojan is pretty generic and goes by a bunch of names.
here's the article about the military-
http://blog.wired.com/defense/2008/11/military-usb-ba.html
--
"a lot of people are better dead" - prisoner KSC2-303 -
Well it all appears to be under control. A combination of all the above I suppose. Thanks. The only issue that is now lingering is that since all that malware scanning I seem to not have any autoplay function on my drives, i.e. no prompt dialog asking me which program, even though I set this in the properties-autoplay-prompt. What's happened here?
On the virus-infected USBs, does an infected USB spread the virus on insertion to the computer, or do I have to actually access the USB? In other words, can I do an anti-virus scan on the 'suspect' USB on insertion to the computer before it spreads anything? -
cyflyer wrote:
Well it all appears to be under control. A combination of all the above I suppose. Thanks. The only issue that is now lingering is that since all that malware scanning I seem to not have any autoplay function on my drives, i.e. no prompt dialog asking me which program, even though I set this in the properties-autoplay-prompt. What's happened here?
Don't you know it's evil?
I have no autoplaying drives on my PC ---
---- no more applications trying to run without my permission.
No regrets until now. -
If anyone else in your house (kids) use the computers, you could be at risk.
One week my son managed to infect 3 PCs in the same house. He downloaded some "must have" program that ruined his PC, then took his business to my wife's PC. After ruining hers, she moved to mine (where she had an administrator account). My son followed her to my PC and used her login (she removed her password to make it more convenient) and he infected mine. I worked 7 days that week and all of this went down without my knowledge.
When I finally got a day off, I had to spend it cleaning out PCs of malware. Now, everyone is back to good (for now) and my wife no longer has administrator privileges on my PC.
The point is that it's EASY to get infected. My kid disabled my virus/malware apps because they warned him that the program was infected, but because all of his "friends use it and they have no trouble", he installed it anyway. My niece does the same thing at my sister's house. They get infected when she follows links from Myspace.
It's getting to the point where I'm thinking of getting rid of the internet entirely.
Even a broken clock is right twice a day. -
Nitemare, I sympathise with you. Even though I have no kids, all my friends do and it's the same all the time. I keep saying "don't let the kids play on your computer" but do they listen? Kids should be banned from adults' computers!
As to my woes, I think I spoke too soon. The anti-virus alarms are going off again for the same thing. No more mucking about. A format/re-installation is on the cards. Well pissed off with the supposed ESET support team. Sent an inquiry about this virus, and they don't even bother to reply. Some support! -
cyflyer,
Try running malwarebytes and then running combofix. That worked for me.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
It doesn't matter who you vote for. The government always gets in. -
Setup a guest account for your kids and password protect your account.
BTW: SuperAntiSpyware is what I use to get rid of those pesky bugs. -