
View Full Version : Virtumonde


Specker
24-12-2008, 05:49 PM
How the fuck do I get rid of it? The constant opening of pop-ups is really pissing me off now. It has also screwed up my Google, so I can't even search for Virtumonde Removal without getting some kind of fake spyware software advert. I currently have Ad-Aware, which does fine in finding it but just doesn't remove it. So I was wondering if anyone had some experience with getting rid of the bastard! Thanks in advance

Llort
24-12-2008, 07:51 PM
I've found this link on google, I guess it is safe:

http://www.softpedia.com/get/Antivirus/VundoFix.shtml

or direct link:

http://download.softpedia.com/dl/c531c28671ba1c7c1f3d453bff461dab/495292a4/100033165/software/antivirus/VundoFix.exe


btw this is what symantec says:

Updated: June 15, 2006 10:39:00 AM
Type: Adware
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Adware.VirtuMonde is an adware program that downloads and displays popup advertisements.

When the program runs, it adds one of the following registry entries so that the adware runs whenever Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"WindowsUpd" = "[ADWARE FILENAME]"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"SysUpd" = "[ADWARE FILENAME]"

The program creates one of the following registry subkeys to store the configuration information:
HKEY_CURRENT_USER\Software\Microsoft\WindowsUpd
HKEY_CURRENT_USER\Software\Microsoft\SysUpd

The program also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEpl.IEpl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEpl.IEPl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tdev
HKEY_USERS\S-1-5-21-1887652994-1477516851-2064603551-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}
HKEY_LOCAL_MACHINE\SOFTWARE\TargetSoft
HKEY_CLASSES_ROOT\CLSID\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}
HKEY_CLASSES_ROOT\DosSpecFolder.DosSpecFolder
HKEY_CLASSES_ROOT\DosSpecFolder.DosSpecFolder.1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}

The program also creates the following files:
%System%\cidrules.dll
%System%\wincore.dll
%System%\winhost32.exe
%System%\winupd.dll
%UserProfile%\Local Settings\Temp\cidrules.dll
%UserProfile%\Local Settings\Temp\wincore.dll

The program periodically makes an HTTP connection to virtumonde.com, on port 80 or 8081, to download commands and popup advertisements.
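
The Symantec writeup above is, in effect, a list of registry and file indicators. As an added example (mine, not part of the thread and not Symantec's tooling), here is a small Python script that reads a `reg export` text dump and flags the persistence entries that writeup describes: the Run values, the two BHO CLSIDs and their COM registrations, the Winlogon Notify subkey, the configuration subkeys, the ProgIDs, and any value whose data points at one of the dropped file names. The `.reg` parser is a deliberately minimal one, and the export embedded in the script is constructed to show what a hit looks like.

```python
"""Flag Adware.VirtuMonde persistence entries in a Windows .reg export.

Added example: the indicator sets below are copied from the Symantec
writeup quoted in the thread; the parser and SAMPLE_EXPORT are constructed
for illustration and are not part of that writeup.
"""
import re
from dataclasses import dataclass

# Indicators from the Symantec writeup (comparisons are case-insensitive).
RUN_VALUE_NAMES = {"WINDOWSUPD", "SYSUPD"}
BHO_CLSIDS = {
    "{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}",
    "{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}",
}
CONFIG_SUBKEYS = {
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWSUPD",
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\SYSUPD",
}
PROGIDS = {"IEPL.IEPL", "IEPL.IEPL.1", "DOSSPECFOLDER.DOSSPECFOLDER",
           "DOSSPECFOLDER.DOSSPECFOLDER.1"}
DROPPED_FILES = {"cidrules.dll", "wincore.dll", "winhost32.exe", "winupd.dll"}

# "name"=data or @=data (default value); the name may contain escaped quotes.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


@dataclass
class Finding:
    kind: str    # which persistence mechanism matched
    key: str     # registry key the entry lives under
    detail: str  # value name and data, or a short description


def parse_reg_export(text):
    """Yield (key, value_name, data) from .reg text; bare subkeys yield (key, None, None).

    REG_SZ data is unquoted and unescaped; other types (hex:, dword:) are kept raw.
    """
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            yield current, None, None
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        yield current, name, data


def scan(text):
    """Return Findings in the order the matching entries appear in the export."""
    findings = []
    for key, name, data in parse_reg_export(text):
        ukey = key.upper()
        last = ukey.rsplit("\\", 1)[-1]
        if name is None:  # subkey line: match on the key path itself
            if "\\BROWSER HELPER OBJECTS\\" in ukey and last in BHO_CLSIDS:
                findings.append(Finding("bho", key, "IE Browser Helper Object registration"))
            elif "\\CLSID\\" in ukey and any(c in ukey for c in BHO_CLSIDS):
                findings.append(Finding("clsid", key, "COM class registration for adware CLSID"))
            elif "\\WINLOGON\\NOTIFY\\" in ukey and last == "TDEV":
                findings.append(Finding("winlogon-notify", key, "Winlogon notification package"))
            elif ukey in CONFIG_SUBKEYS:
                findings.append(Finding("config", key, "adware configuration subkey"))
            elif last in PROGIDS:
                findings.append(Finding("progid", key, "adware ProgID"))
            continue
        if ukey.endswith("\\CURRENTVERSION\\RUN") and name.upper() in RUN_VALUE_NAMES:
            findings.append(Finding("run", key, f"{name} = {data}"))
        elif any(f in data.lower() for f in DROPPED_FILES):
            findings.append(Finding("file-ref", key, f"{name} = {data}"))
    return findings


# Constructed sample export: two benign entries mixed in with the adware's.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WindowsUpd"="C:\\WINDOWS\\system32\\winhost32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\WindowsUpd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\InprocServer32]
@="C:\\WINDOWS\\system32\\wincore.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tdev]
"DllName"="winupd.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chk]
"DllName"="crypt32.dll"
'''

if __name__ == "__main__":
    import sys
    # Windows writes .reg exports as UTF-16; fall back to the sample with no argument.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for f in scan(text):
        print(f"[{f.kind}] {f.key}\n    {f.detail}")
```

On a suspect machine, dump the hives with `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` and pass each file to the script. A miss proves little: later Vundo variants rotated file names and CLSIDs, so treat a clean result as a first triage pass rather than a verdict, and treat any hit as a reason to image the box before cleaning, since the Winlogon Notify and BHO hooks load the DLL into processes that an in-session removal tool may not be able to unload.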

Flawless
24-12-2008, 07:52 PM
http://www.malwarebytes.org/

One of the best programs out there, should remove it.

and I highly recommend this program for any reason, it's awesome.

Porn fucked you over? Use it.
You're an idiot? Use it.
You think you might be pregnant? Probably best to use it.

Specker
24-12-2008, 08:01 PM
Thanks both :) I've just DLed the VundoFix, no harm in it, but I can't connect to the Malwarebytes site. Says it doesn't exist :S, but again this could be another side effect of the infection. Hopefully VundoFix will do it. Flawless, I don't suppose you have a direct link for the download? Would be greatly appreciated :)

edit: gah, Vundo didn't pick it up =/ Thanks anyway

Flawless
25-12-2008, 12:32 AM
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button

Llort
25-12-2008, 11:48 AM
or an even directer direct link:

http://dw.com.com/redir?edId=3&siteId=4&oId=3001-8022_4-10804572&ontId=8022_4&spi=af330875a2f9483aedc14d4a1a8ce566&lop=txt&tag=idl2&pid=10984636&mfgId=6290020&merId=6290020&pguid=lg@H@AoPjAYAAFgsXWkAAAEX&destUrl=http%3a%2f%2fsoftware-files.download.com%2fsd%2f76PLICk41sVKDmt9JADIRJXzlvrpWKXR1tk1NJ7sNfNCYjpMi478M3eRgrUwvv7vo-kPeakq82VgovstkidI-UWJ-9ccyljU%2fsoftware%2f10984636%2f10804572%2f3%2fmbam-setup.exe%3flop%3dlink%26ptype%3d1901%26ontid%3d8022%26siteId%3d4%26edId%3d3%26spi%3daf330875a2f9483aedc14d4a1a8ce566%26pid%3d10984636%26psid%3d10804572

Specker
25-12-2008, 05:39 PM
Cheers, I'll try that one next. It came from Miniclip actually, that's what I get for trying to solve boredom ;) I just assumed Miniclip would be reasonably trustworthy, apparently not :(