11/28/2008

Virtumonde – The Trojan from Hell

About Sunday of this week, I noticed my computer seemed slower than usual. It also took a long time to shut down and start up. I was getting these crazy popups about antispyware programs, about male enhancement drugs and the usual junk you get in email. Those are signs of a virus. I did a scan with McAfee and it detected “Virtumonde.” It characterized it as adware. I had never heard of it before. Thinking McAfee would take care of it, I didn’t worry about it. Well, long story short, McAfee detected it, but couldn’t delete it. It deleted certain traces of it. But the thing about this Trojan (and it was a Trojan, despite what McAfee says) is that it stayed resident in memory. As soon as it discovered parts of it were deleted, it would start up its engine and replicate itself. I went into safe mode and ran McAfee, Spybot Search and Destroy, Super Antispyware and SpySweeper. All would say they had deleted it, but none were able to get to the main Virtumonde engine, which was in resident memory. It would then replicate itself and I was back at square one. None of the speciality programs such as FxVmonde, VirtumondeBeGone or VundoFix worked either.

I would go into MSCONFIG, disable some dll files I knew had to be associated with Virtumonde, and as soon as I disabled them, they would enable themselves again. I had been working at this for two days with minimal results. I did not want to do a format and reinstall of Windows unless I absolutely had to. Even with that, there was no guarantee I would get to the main parts of Virtumonde. I do computer maintenance on the side, so I knew that someday I would come across this Trojan/adware problem again. I had to find a solution. I tried many from the internet, but none of them worked for me.

My solution was to run all the programs I mentioned above (SpySweeper, Spybot Search and Destroy, etc.) in SAFE MODE. I had already done that once with little in the way of results. But I did it again, and this time, when I rebooted from safe mode back into normal Windows startup, I quickly ran McAfee again. As soon as McAfee started scanning, I clicked on the Firefox browser. Whenever I did that in the past, I would get taken to a male enhancement product or an antispyware program. This time, McAfee was able to detect it when this happened, since it was already scanning and picked up the program in resident memory. It notified me of this once scanning ended. I knew I had it when this happened. I rebooted, checked MSCONFIG for the Virtumonde dll files (fiapezobun, uripuvet, jasoreje and so on) and none were there. Virtumonde was gone.

This was the worst malware, adware, virus…whatever you want to call it, I have ever dealt with in my life. It had made browsing on the internet almost impossible. I would click on an icon on my desktop and the computer would sometimes freeze up. My advice: make sure you have Spybot (the best free antispyware program on the market) and at least one other free antispyware program like Super Antispyware. Run both in safe mode and then run whatever antivirus program you have in normal Windows mode. It worked for me when all else failed.
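The manual check described above (open MSCONFIG, look for unfamiliar dll files in the startup list, reboot, look again) can be automated so the same triage is repeatable. The PowerShell script below is an added example; it is not code from the original post or from any of the tools the post names. It assumes Windows PowerShell 5.1 or later run from an elevated prompt, and it covers the Run keys that MSCONFIG's Startup tab shows plus two DLL-loading locations the post does not mention by name, Winlogon notification packages and Internet Explorer Browser Helper Objects. For each file it reports whether the Authenticode signature is valid and whether the file carries a CompanyName, and it adds a name heuristic constructed from the post's own examples (fiapezobun, uripuvet, jasoreje). The script only reports; it deletes nothing.

```powershell
# Added example, not code from the original post. Lists autostart entries,
# resolves each to a file on disk, and flags files that are unsigned, lack
# version information, or have a pseudo-random-looking name.
# Assumptions: Windows PowerShell 5.1+, elevated prompt, read-only.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$BhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Resolve-CommandPath {
    param([string]$Command)
    # Split into tokens, honouring quotes, then expand %VAR% in the chosen one.
    $tokens = @([regex]::Matches($Command, '"([^"]+)"|(\S+)') |
        ForEach-Object { if ($_.Groups[1].Success) { $_.Groups[1].Value } else { $_.Groups[2].Value } })
    if ($tokens.Count -eq 0) { return '' }
    $raw = $tokens[0]
    # rundll32 <dll>,<entry>: the file worth checking is the DLL argument, not rundll32.
    if ($raw -match '(?i)rundll32(\.exe)?$' -and $tokens.Count -gt 1) { $raw = ($tokens[1] -split ',')[0] }
    $path = [Environment]::ExpandEnvironmentVariables($raw)
    if (-not [IO.Path]::IsPathRooted($path) -and -not (Test-Path -LiteralPath $path)) {
        # Bare file names (common for Winlogon Notify DLLs) are loaded from System32.
        $path = Join-Path $env:SystemRoot "System32\$path"
    }
    return $path
}

function Test-PseudoRandomName {
    param([string]$BaseName)
    # Heuristic only, built from the post's examples: 6-12 lowercase letters, no digits.
    # Legitimate files can match, so treat this as a hint, never a verdict by itself.
    return $BaseName -cmatch '^[a-z]{6,12}$'
}

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip registry-provider metadata properties
            [pscustomobject]@{ Source = $key; Name = $p.Name; Path = Resolve-CommandPath ([string]$p.Value) }
        }
    }
    if (Test-Path $NotifyKey) {
        foreach ($sub in Get-ChildItem $NotifyKey) {
            $dll = (Get-ItemProperty -Path $sub.PSPath).DLLName
            if ($dll) { [pscustomobject]@{ Source = 'Winlogon\Notify'; Name = $sub.PSChildName; Path = Resolve-CommandPath $dll } }
        }
    }
    if (Test-Path $BhoKey) {
        foreach ($clsid in Get-ChildItem $BhoKey) {
            # A BHO is registered by CLSID; the DLL is the default value of its InprocServer32 key.
            $srv = "HKLM:\SOFTWARE\Classes\CLSID\$($clsid.PSChildName)\InprocServer32"
            if (-not (Test-Path $srv)) { continue }
            $dll = (Get-ItemProperty -Path $srv).'(default)'
            if ($dll) { [pscustomobject]@{ Source = 'BHO'; Name = $clsid.PSChildName; Path = Resolve-CommandPath $dll } }
        }
    }
}

function Get-FileVerdict {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'MISSING FILE (dangling entry)' }
    $flags = @()
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    if ([string]::IsNullOrWhiteSpace($info.CompanyName)) { $flags += 'no CompanyName' }
    if (Test-PseudoRandomName ([IO.Path]::GetFileNameWithoutExtension($Path))) { $flags += 'pseudo-random name' }
    if ($flags.Count -eq 0) { 'ok' } else { $flags -join ', ' }
}

# Flagged entries first, clean ones last.
Get-AutostartEntries |
    ForEach-Object { $_ | Add-Member -NotePropertyName Verdict -NotePropertyValue (Get-FileVerdict $_.Path) -PassThru } |
    Sort-Object { $_.Verdict -eq 'ok' } |
    Format-Table Source, Name, Path, Verdict -AutoSize
```

Run it once, reboot, and run it again: an entry that disappears and comes back, or a flagged DLL whose name changes between runs, is the re-enabling behaviour the post describes and is worth a closer look before anything is disabled by hand.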

7 comments:

When I recently had a problem that my Kaspersky AV, nor SuperAntiSpyware could fix, I was advised to download and run Malwarebyte. That solved it after a marathon 9 hour scan. Now I run this overnight if anything strange is happening. It usually picks up something.

jakill, THANKS for letting me know about malwarebyte! I d/l it and ran it. It found two remnants of Virtumonde (two dll files that could not function) and deleted them. I thank you for this and for your comment! Come again sometime! :)

You're welcome, David. And I will keep calling.

Thanks for this info. Do you have any idea of where you got this trojan? I sometimes get this warning from McAfee that it has blocked a trojan; this happened a couple of times while I was dropping ECs. It is disturbing to learn that McAfee didn't detect this Virtumonde trojan. :o(

Babette, I fear I am getting this virtumonde adware/trojan when I am ec dropping. I got it again Saturday. Malwarebyte (thanks again jakill) took care of it for me. McAfee is basically worthless against this trojan. I suggest you download malwarebyte and run it. Thanks for coming by.

Hey, I ran across your blog entry when I was searching for information about this rotten trojan. I was infected with a variant of Virtumonde as well. Running scans in Safe Mode didn't work at all since the trojan hijacks Winlogon.exe, explorer.exe and lsass.exe (which run in Safe Mode). Malwarebyte, SpyBot, Ad-Aware, and every "Vundo" fixing program didn't work.

I ultimately wiped it from my system with something called ComboFix. There are rather complex instructions found on SpyBot's forum which require the download of Microsoft's Boot Disk recovery console. If Virtumonde pops back up, check it out:

http://forums.spybot.info/showthread.php?t=40880

Pure, thanks for your input on this terrible trojan. I d/l combofix and it detected nothing. But, I will keep it just in case. Thanks for posting your comments here.
