My wife’s boss tells her they think the computer has gone out. It won’t boot up. So I’m asked to look at it, see if I can figure out what is wrong or if they just need to buy a new machine. At first glance I can tell there is nothing wrong with the hardware, but something is wrong: it won’t load Windows. It just starts, then hangs.
So going into Safe Mode by hitting F8 at startup, it loads. Right off I notice that something is wrong with Avast: it’s not loading. Not only will it not load, it tells me the System Administrator has blocked me from running it. Wait a minute, I’m logged in as Administrator. I already have Spybot Search and Destroy on there, so I run it. It comes back that it is corrupt several times, but it discovers Virtumonde.
Let the Battle Begin!
Virtumonde is another name for the Vundo family of malware. This is what is behind it if you have ever gotten Microsoft AntiVirus 2009, WinFixer, or any other variants. If you didn’t install it or see it before, it’s probably a Vundo virus.

So what are some things it may do?
- It will cause the infected web browser to pop up advertisements
- It will change the background and/or screensaver
- It will modify the display properties part of the control panel removing the background and screensaver tabs (right click properties, on desktop)
- It will disable Automatic Updates
- It will generate infected DLLs in the C:\windows\system32 directory; these can be found in the user’s startup in the registry
- It will also load these random infected DLLs as Browser Helper Objects in IE
- It can block the user from using regedit and/or Task Manager
- It will try to disable the firewall and Antivirus software installed on the machine
- It will refresh the desktop over and over causing the system to run slow
- It will delete some of my favorite anti-malware programs (pieces of Spybot)
- It will change/alter popular sites, such as Google
- It will cause the hard drive to constantly be accessed by winlogon process, again slowing down the machine
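
The startup and Browser Helper Object entries in the list above can be checked with a read-only audit like the one below. This is an added example, not part of the original post; the registry locations are the standard Windows Run and BHO keys (an assumption, since the post does not name them), and the signature and creation-time checks go beyond what the post describes.

```powershell
# Added example: read-only audit of startup and BHO entries that point at DLLs.
function Get-DllPath([string]$Command) {
    # Extract the first DLL path from a value such as
    # 'rundll32.exe "C:\WINDOWS\system32\example.dll",EntryPoint'
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '(?i)([a-z]:\\[^",:]+?\.dll)') { $Matches[1] }
}

# Standard per-machine and per-user startup keys (assumed, not named in the post).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$fromRun = foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $dll = Get-DllPath ([string]$item.GetValue($name))
        if ($dll) { [pscustomobject]@{ Source = "Run: $name"; Dll = $dll } }
    }
}

# Each BHO is a CLSID subkey; the DLL it loads is the default value of InprocServer32.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$fromBho = foreach ($bho in Get-ChildItem -LiteralPath $bhoRoot -ErrorAction SilentlyContinue) {
    $clsid  = $bho.PSChildName
    $server = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                  -ErrorAction SilentlyContinue
    if (-not $server) { continue }
    $dll = Get-DllPath ([string]$server.GetValue(''))
    if ($dll) { [pscustomobject]@{ Source = "BHO: $clsid"; Dll = $dll } }
}

# Report every referenced DLL that is missing or does not carry a valid signature.
@($fromRun) + @($fromBho) | Where-Object { $_ } | ForEach-Object {
    $file = Get-Item -LiteralPath $_.Dll -Force -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Source    = $_.Source
        Dll       = $_.Dll
        Created   = if ($file) { $file.CreationTime } else { 'missing' }
        Signature = if ($file) { (Get-AuthenticodeSignature -LiteralPath $_.Dll).Status } else { 'n/a' }
    }
} | Where-Object { "$($_.Signature)" -ne 'Valid' } | Format-Table -AutoSize
```

An unsigned or recently created DLL in this output is a lead to investigate, not a verdict; legitimate third-party add-ons are sometimes unsigned too.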
Round 1 Ding Ding
Avast was no good, could not run! I have ClamWin on my jump drive, let’s try that… Found it. Ok, let’s go to C:\windows\system32 and delete v2294kws9.dll, ok done. Run again, ok let’s go delete vimproas.dll, etc… never ending. So I downloaded Ad-Aware by Lavasoft, nope, can’t install it. Geesh, I tried about 10 different programs. Nothing: either it wouldn’t install or it would just remove itself as soon as it was put on the machine.
Round 2 Knock Out – Fix!
So I gave up that night and went home. The next day I was talking to our Windows guy at work, explaining what I’d run into. He says “Oh that’s easy, just download MalwareBytes and use it.” I’ll be honest, I had never heard of MalwareBytes and was a bit skeptical. So I went and downloaded it and threw it on my USB stick. Guess what, it is going to stay there forever!
I ran it the first time, full scan, and it discovered 98 infections. Wow! It couldn’t clean it up right off; it needed to reboot to finish cleaning, so I rebooted it. This time I ran it again: 28 infections, ok this is getting old. Third time, full scan, 3 am, and it comes back clean, no infections found. So I rebooted into normal mode, clicked the user’s icon and it loaded Windows with no problems at all.
So my hat’s off to MalwareBytes! If you have any form of this virus, this is the stuff to fix it.





This sounds like a story right out of my book. This happened to a neighbor friend of mine and I ended up reinstalling Windows. Wish I would have known this then. Thanks for the tip. I will try it next time.
I was to the point of giving up and just doing a reinstall. This was truly a life saver. I would put MalwareBytes in your arsenal.
I recently had my own battle with Virtumonde and used Malwarebytes as part of my arsenal to zap it.
Battled this sucker f-o-r-e-v-e-r with all sorts of av/adware solutions; tried everything. Then finally was able to get rid of this evil trojan by opening up Malwarebytes; opening and using process killer to kill 1) explorer, 2) smss, 3) winlogon. This finally stopped the trojan’s renaming DLLs on launch and adding new DLLs to startup. Then alt+tabbed over to Malwarebytes {updated on download before whole process} and ran to remove.
I found out about Malwarebytes battling Antivirus 2008 which removed almost all of my Properties tabs and constant nagging windows.
Killed it dead in its tracks!!!!!!!!!!
So good, I bought 4 copies from them!
If you use Malwarebytes, please consider buying a copy or two. It’s only fair to reward them with $ when they save you hours!
The Corporate version of Symantec found NOTHING, removed NOTHING, stopped NOTHING and is garbage.
Spend money on software that WORKS!
Is this real?
It is absolutely real
Unfortunately I have seen Vundo also remove Malwarebytes and cause it to be useless as well. I have also seen Malwarebytes catch some of the files that Vundo is creating and using, but not all of them, and if you don't get all of them it just comes right back. So far I have yet to find any real solution to this other than re-imaging or reformatting and re-installing your system.
I totally agree and have said before, once infected the best thing is to reformat and reinstall the system. Sometimes, though, that is not an option. Also, when a virus is catching Malwarebytes, something to use is this: mbam.malwarebytes.org/program/random.php. It will generate a random name for Malwarebytes and allow you to download it.