A Nurse with a Gun

Sunday, November 16, 2008

Virtumonde

I think I finally got Virtumonde out of my system. Virtumonde, AKA the Vundo Trojan, Virtumondo and MS Juan is a trojan horse that causes popups and advertising for bullshit antispyware programs, as well as other problems including slowing of the processor and denial of service with some high traffic websites such as Google. I am not certain where I picked it up from.

I got rid of it by running Spybot Search & Destroy several times with the modem physically disconnected, and forcing reboots several times. Virtumonde inserts itself into memory and attaches to Explorer.exe and Winlogon. Both must be stopped before trying to remove the virus. Without Winlogon, there is no way to reboot your computer normally, so you have to force a reboot; when Winlogon starts up again, the virus files will be replicated. Virtumonde DLL files are usually named with eight random upper and lower case characters and stored in the Windows system32 directory. Unless you remove the DLL files first, while they are still running, the DLL file will simply rename itself and replicate. Nasty stuff.

If you want the best in spyware protection, you don't have to pay for it. Spybot Search & Destroy is absolutely free, and is constantly updated. You can flip the switches any way you desire. Support is through an international internet forum and is quite efficient. Do consider donating to help support the cause.

Update: It's back. The offending files are: system32\sejuvoma.dll, system32\jejuvusu.dll, system32\yizesoko.dll, system32\turakana.dll, and system32\jeziluku.dll.

I'm going for Dr. Delete.



Update: So far, so good. It looks like Dr. Delete euthanized those little sonovabiches.

Update: Nope. Dr. Delete failed. I'm trying f-vmonde. The offending files are: system32\supilime.dll and system32\pihimage.dll.
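As an added, defender-side illustration (not code from the post or from any of its commenters): all seven file names quoted above share one shape, eight lowercase letters alternating consonant and vowel, so a simple name filter can shortlist candidates in system32 for a manual look. The pattern is an assumption drawn from the names on this page, not a documented Vundo signature, and a flagged name is only a candidate until its publisher signature and timestamp have been checked.

```python
"""Shortlist Vundo-style DLL names in a Windows system32 listing.

Heuristic assumed from the names quoted in the post: eight letters
alternating consonant/vowel (e.g. sejuvoma.dll). A match is only a
candidate for manual review, not proof of infection.
"""
import os
import re

VOWELS = set("aeiou")
# Exactly eight letters, then ".dll" (digits such as kernel32 never match)
EIGHT_LETTER_DLL = re.compile(r"^([a-z]{8})\.dll$", re.IGNORECASE)

# Allow-list of legitimate Windows DLLs whose names happen to fit the
# pattern; setupapi.dll is a real one. Extend this for real use.
KNOWN_GOOD = {"setupapi.dll"}


def alternates_consonant_vowel(stem: str) -> bool:
    """True when neighbouring letters alternate consonant/vowel
    (y is counted as a consonant, matching 'yizesoko')."""
    stem = stem.lower()
    return all((a in VOWELS) != (b in VOWELS) for a, b in zip(stem, stem[1:]))


def is_vundo_like(filename: str) -> bool:
    """Name-only heuristic: eight alternating letters, not allow-listed."""
    m = EIGHT_LETTER_DLL.match(filename)
    if not m or filename.lower() in KNOWN_GOOD:
        return False
    return alternates_consonant_vowel(m.group(1))


def shortlist(names):
    """Return the subset of names worth a manual look, preserving order."""
    return [n for n in names if is_vundo_like(n)]


def shortlist_directory(path=r"C:\Windows\system32"):
    """Same check over a real directory listing (run on the machine)."""
    return shortlist(sorted(os.listdir(path)))


# Constructed sample listing: the post's seven names mixed with real
# system DLL names that must not be flagged.
SAMPLE_LISTING = [
    "kernel32.dll", "sejuvoma.dll", "user32.dll", "jejuvusu.dll",
    "setupapi.dll", "yizesoko.dll", "turakana.dll", "browseui.dll",
    "jeziluku.dll", "supilime.dll", "pihimage.dll", "ntdll.dll",
]

if __name__ == "__main__":
    for name in shortlist(SAMPLE_LISTING):
        print("review:", name)
```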


12 Comments:

Blogger dropdownstairs said...

Hi
had a similar issue
found a super anti spyware program
http://tinyurl.com/ox7un
I was afraid of it
but it worked, now I use linux

11:59 AM  
Anonymous Anonymous said...

I had that problem too.

Norton Internet Security 2009 (I got an NFR copy from a Symantec employee who I go shooting with) was how I got it off my system. It was NASTY!!!

My wife is laughing at me the whole time.... she uses a mac.

My next home computer will be a mac mini.

1:58 PM  
Anonymous Anonymous said...

Good luck. I had the same thing happen to the computer that my wife uses. Of the three computers that we have, she is using XP; the other two are Vista. I had to re-install XP on my wife's computer. Luckily I have two hard drives on that computer, with files on one and programs on the other. The one with files seems not to be affected.

2:24 PM  
Blogger Bob said...

If you still have trouble, Xavier, go to the Tech Support Guy website, register as a member, and start a thread in the Security forum, the guys there will walk you through a custom cleanup that will get rid of Vundo free of charge. I can recommend them, they fixed it for me on two different computers. Good people.

2:27 PM  
Anonymous Anonymous said...

Sometimes running Spybot while in Safe Mode can help. Also, remember to disable System Restore.

There was a utility that would remove Virtumonde a while back, but I don't know if it is still available.

5:15 PM  
Anonymous Anonymous said...

Here is f-secure's page on virtumonde, I used the "f-vmonde" tool to eradicate my infection.

http://www.f-secure.com/sw-desc/virtumonde.shtml

6:10 PM  
Anonymous Anonymous said...

Malwarebytes.org has a neat (free) utility that can clean up some stuff that Spybot missed.

YMMV.

8:56 PM  
Anonymous Anonymous said...

I had same problem - used Microsoft OneCare: http://onecare.live.com/standard/en-us/3/default.htm

You have to pay for it eventually, but the free trial scrubbed my PC clean.

10:30 PM  
Blogger Mikael said...

!Killbox is also a nice little free program that can delete files while they are running, and was instrumental to getting rid of some spyware/trojans for me in the past.

Another helpful program is SpywareBlaster, which stops a lot of the junk from getting onto your computer in the first place, and it doesn't even have to be running (no memory/processor use). Not exactly sure how it works, but it "immunizes" your computer.

3:48 PM  
Anonymous Anonymous said...

Xavier

Run Kaspersky's online scan. It's about as comprehensive as they get. The only thing is it doesn't allow you to delete anything. Instead, write down the paths and names of all the offending viri it IDs. Then use the Windows Explorer file manager to find each one. Rename each one with whatever name you like, oh, and make sure you write down the renamed file's name. Then reboot into safe mode (F8, I believe), then go and delete all the files you have renamed. Then reboot as normal; that should take care of it.

It's somewhat labor intensive, but my last infection had to be handled like this.

7:15 PM  
Anonymous Anonymous said...

I had Virtumonde once; tried Spybot and some other stuff. Eventually I went with Prevx after I came across a review on Dan's Data.

3:01 AM  
Anonymous Anonymous said...

To avoid this kind of thing in the future, try using Firefox with the NoScript extension. It's wonderful.

7:00 PM  