A Nurse with a Gun

Sunday, November 16, 2008


I think I finally got Virtumonde out of my system. Virtumonde, AKA the Vundo Trojan, Virtumondo and MS Juan is a trojan horse that causes popups and advertising for bullshit antispyware programs, as well as other problems including slowing of the processor and denial of service with some high traffic websites such as Google. I am not certain where I picked it up from.

I got rid of it by running Spybot Search & Destroy several times with the modem physically disconnected, and forcing reboots several times. Virtumonde inserts itself in your memory and attaches to Explorer.Exe and Winlogon. They must be stopped before trying to remove the virus. Without Winlogon, there is no way to reboot your computer. You have to force a reboot, because when Winlogon cranks up again, the virus files will be replicated. Virtumonde DLL files are usually designated by eight random upper and lower case characters and stored in the Windows system32 directory. Unless you remove the DLL files first, while they are running, the DLL file will simply rename itself and replicate. Nasty stuff.

If you want the best in spyware protection, you don't have to pay for it. Spyware Search & Destroy is absolutely free, and is constantly updated. You can flip the switches any way you desire. The support is through an international internet forum and is quite efficient. Do consider donating to help support the cause.

Update: It's back. The offending files are: system32\sejuvoma.dll, system32\jejuvusu.dll, system32\yizesoko.dll, system32\turakana.dll, and system32\jeziluku.dll

I'm going for Dr. Delete.

Update: So far, so good. It looks like Dr. Delete euthanized those little sonovabiches.

Update: Nope. Dr. Delete failed. I'm trying f-vmonde. The offending files are: system32\supilime.dll and system32\pihimage.dll.

Labels: , ,


Blogger dropdownstairs said...

had a similar issue
found a super anti spyware program
I was afraid of it
but it worked, now I use linux

11:59 AM  
Anonymous Anonymous said...

I had that problem too.

Norton Interent Security 2009 (I got an NFR copy from a Symantec employee who I go shooting with) was how I got it off my system. It was NASTY!!!

My wife is laughing at me the whole time.... she uses a mac.

My next home computer will be a mac mini.

1:58 PM  
Anonymous Anonymous said...

Good luck I had the same thing happen to the computer that my wife uses. Of the three computers that we have she is using XP the other two are Vista. I had to re-install XP on my wife computer. Luckily I have two hard drives on that computer with files on one and programs on the other. The one with files seams not be effected.

2:24 PM  
Blogger Bob said...

If you still have trouble, Xavier, go to the Tech Support Guy website, register as a member, and start a thread in the Security forum, the guys there will walk you through a custom cleanup that will get rid of Vundo free of charge. I can recommend them, they fixed it for me on two different computers. Good people.

2:27 PM  
Anonymous netbrad said...

Sometimes running Spybot while in Safe Mode can help. Also, remember to disable System Restore.

There was a utility that would remove Vitruamonde a while back but I don't know if it is still available.

5:15 PM  
Anonymous Anonymous said...

Here is f-secure's page on virtumonde, I used the "f-vmonde" tool to eradicate my infection.


6:10 PM  
Anonymous Chalzc said...

Malwarebytes.org has a neat (free) utility that can clean up some stuff that Spybot missed.


8:56 PM  
Anonymous George said...

I had same problem - used Microsoft OneCare: http://onecare.live.com/standard/en-us/3/default.htm

You have to pay for it eventually, but the free trial scrubbed my PC clean.

10:30 PM  
Blogger Mikael said...

!Killbox is also a nice little free program that can delete files while they are running, and was instrumental to getting rid of some spyware/trojans for me in the past.

Another helpful program is spywareblaster, which stops a lot of the junk from getting onto your computer in the first place, and it doesn't even have to be running(no memory/processor use), not exactly sure how it works, but it "immunizes" your computer.

3:48 PM  
Anonymous Anonymous said...


Run Kapersky's online scan. Its about as comprehensive as they get. Only thing is it doesnt allow you to delete anything. Instead write down the paths and names of all the offending viri it ID's. Then use Windows Explore file manager to find each one. Rename each one with what ever name you like, oh and make sure you write down the renamed files name. Then reboot into safe mode, F8, I believe. then go and delete all the files you have renamed. Then reboot as normal, should take care of it.

Its somewhat labor intensive, but my last infection had to be handled like this.

7:15 PM  
Anonymous Tim D said...

I had virtumode once tried spybot and some other stuff, eventually I went with Prevx after I came across a review on Dans Data.

3:01 AM  
Anonymous Anonymous said...

To avoid this kind of thing in the future try using firefox with the NoScript extension. Its wonderful.

7:00 PM  

Post a Comment

<< Home

Links to this post:

Create a Link