Topic: Virtumonde Spyware/Malware

Lee Baucum
From: McAllen, Texas (Extreme South) The Final Frontier
Posted 4 Jul 2006 2:53 pm

Anybody have an easy way of removing this program? Spybot doesn't find it, but Adaware does. In fact Adaware claims to have removed the files, but they always return. I get popups whenever I launch Internet Explorer (Microsoft).
It looks like the file(s) get embedded in the registry keys, which I'm afraid to deal with.
Lee, from South Texas

Dave Potter
From: Texas
Posted 4 Jul 2006 3:07 pm

Lee, you're right to have a healthy respect for editing your registry. It's not that it can't be done, but, if you delete something critical, you can break it. One precaution would be to use one of the several free utilities that you can use to do complete registry backups, in case that's needed.
I got a lot of Google hits for "virtumonde". One of them was from the Symantec website, I quote:
" To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document: How to make a backup of the Windows registry.
1. Click Start > Run.
2. Type regedit, and then click OK.
Note: If the registry editor fails to open the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
3. Navigate to the subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the value:
"WindowsUpd" = "[ADWARE FILENAME]"
5. Navigate to the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
6. In the right pane, delete the value:
"SysUpd" = "[ADWARE FILENAME]"
7. Navigate to and delete the following subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}scan
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEpl.IEpl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEpl.IEPl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tdev
HKEY_USERS\S-1-5-21-1887652994-1477516851-2064603551-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}
HKEY_LOCAL_MACHINE\SOFTWARE\TargetSoft
HKEY_CLASSES_ROOT\CLSID\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}
HKEY_CLASSES_ROOT\DosSpecFolder.DosSpecFolder
HKEY_CLASSES_ROOT\DosSpecFolder.DosSpecFolder.1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}
8. Exit the Registry Editor."
So, here's something to try.
[This message was edited by Dave Potter on 04 July 2006 at 04:22 PM.]

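The quoted steps tell you to back up the registry before deleting anything; the backup regedit writes is a plain-text .reg export. As an added example (not part of the post and not Symantec's tool), here is a Python script that parses such an export and reports which of the Run values and key names listed in the steps above are present, so the check can be done read-only on the backup file before anyone touches regedit. The indicator names come from the quoted steps; the sample .reg text and the file names in it are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Indicators copied from the Symantec removal steps quoted above (matched case-insensitively,
# because registry key and value names are not case-sensitive).
RUN_VALUE_NAMES = {"windowsupd", "sysupd"}
SUSPECT_KEY_MARKERS = [m.lower() for m in (
    r"{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}",
    r"{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}",
    r"\Classes\IEpl.IEpl",
    r"\DosSpecFolder.DosSpecFolder",
    r"\SOFTWARE\TargetSoft",
    r"\Winlogon\Notify\tdev",
)]

KEY_RE = re.compile(r"^\[(-?)(.+)\]\s*$")
# "name"=data  or  @=data (the key's default value); names may contain escaped quotes
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

# Constructed sample of a regedit export; the executable paths are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\\Program Files\\Example\\soundtray.exe"
"WindowsUpd"="C:\\WINDOWS\\system32\\example_adware.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SysUpd"="C:\\WINDOWS\\system32\\example_adware2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tdev]
"DllName"="tdev.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
"""


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: raw_data}} from .reg export text.

    '[-KEY]' deletion directives and hex continuation lines are skipped.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            if m.group(1) == "-":      # deletion directive, not a key's contents
                current = None
                continue
            current = m.group(2)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        v = VALUE_RE.match(line)
        if v:
            name = "@" if v.group(2) else v.group(1)
            keys[current][name] = v.group(3)
    return keys


def find_indicators(text: str) -> List[Tuple[str, str, str]]:
    """Report (kind, key, value_name) triples that match the quoted removal list."""
    hits: List[Tuple[str, str, str]] = []
    for key, values in parse_reg(text).items():
        key_l = key.lower()
        # Autostart values named in steps 4 and 6 live under ...\CurrentVersion\Run
        if key_l.endswith(r"\currentversion\run"):
            for name in values:
                if name.lower() in RUN_VALUE_NAMES:
                    hits.append(("run-value", key, name))
        # Whole keys named in step 7 (CLSIDs, ProgIDs, BHO and Winlogon Notify entries)
        if any(marker in key_l for marker in SUSPECT_KEY_MARKERS):
            hits.append(("suspect-key", key, ""))
    return hits


if __name__ == "__main__":
    for kind, key, name in find_indicators(SAMPLE_REG):
        print(f"{kind:12} {key}" + (f"  value={name!r}" if name else ""))
```

On a real machine the input would be the file produced by regedit's File > Export (or `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run_hklm.reg`); regedit writes those files as UTF-16, so open them with `encoding="utf-16"` before passing the text in. The script only reads and reports; deleting the entries is still the manual step in the quoted procedure, done after the backup exists.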
Wiz Feinberg
From: Mid-Michigan, USA
Lee Baucum
From: McAllen, Texas (Extreme South) The Final Frontier
Posted 4 Jul 2006 8:14 pm

Thanks, Wiz. I tried that tool and got this response:
Symantec Adware.VirtuMonde Removal Tool 1.0.3
Adware.VirtuMonde has not been found on your computer.
I wonder if it would help to run the tool in Safe Mode.

Lee Baucum
From: McAllen, Texas (Extreme South) The Final Frontier
Posted 4 Jul 2006 8:19 pm

By the way, even though the popups only happen when using Microsoft Internet Explorer, I can hear the hard drive running almost all the time, like the computer is doing something. Norton periodically tells me that it is trying to scan certain files, such as Notepad files and PowerPoint files. I'm wondering if these are files of information that are being sent out by my computer.

Wiz Feinberg
From: Mid-Michigan, USA
Wiz Feinberg
From: Mid-Michigan, USA
Posted 4 Jul 2006 11:16 pm

There is a topic about removing Virtumundo/Winfixer on this Bleeping Computer Forum. It involves downloading two removal tools and running one, then the other.

Lee Baucum
From: McAllen, Texas (Extreme South) The Final Frontier
Posted 5 Jul 2006 5:08 am

Thanks, Wiz. I had already downloaded and run "Windows Defender". While it did clean up a bunch of stuff I didn't know I had, it didn't do anything to Virtumonde.
I'll try the Bleeping Computer Forum.
Thanks, again.
Lee