Killing the Virtumonde Spyware Virus
I don’t have any form of real-time virus, spyware or firewall protection on my main computers at home, other than the basic firewall capabilities of my D-Link router, which serves up wireless connectivity to my laptops, PocketPC and Wii. In all these years I’ve never had a virus or spyware problem. When my wife’s laptop decided to bite the dust, my main laptop, which is in the living room, became something of a communal laptop, used by my wife, daughter and me. Over the course of a month or so, the laptop was getting slower and slower, which was driving my wife crackers. Finally I decided to do some spring cleaning to try to get the laptop back to its former speed demon status. The laptop in question is only 8 months old, which means its main OS is Vista. I’ve already written before on my Vista experiences, so won’t bore you here, but having Vista seemed to be a particular problem in vanquishing the evil peril that lurked beneath.
My first attempt at making the laptop faster had me pruning files, defragmenting the hard disk and trying various other odds and sods, but something told me there was a greater problem at hand. In the past Lavasoft’s Ad-Aware has been a tool I’ve turned to to determine if there was something untoward installed on my machines. I downloaded the latest version, 2007, and sure enough, once the software had done its snooping, it determined that I was infected by the Virtumonde spyware virus. I let Ad-Aware try to remove the virus and although it reported the virus was gone, upon rebooting I knew it was still infesting my machine. This virus is a bugger to get rid of as it infects the Explorer process and reinfects the host. Once I found out I had the Virtumonde virus, I tried many of the freely available spyware busting programs, but to no avail. Ad-Aware now even refused to admit that the virus was still present, after telling me it had been vanquished. I was now beginning to get really annoyed and a little frustrated.
After doing a bit of research on the Internet, I was able to manually confirm that I was indeed still being plagued by Virtumonde. I brought up MSConfig and looked at the programs in my startup list. Sure enough there were two programs on the startup list that I did not recognise. These two programs are just two of the pseudonyms used by the virus to hide its identity. Some of the popular program names are “MS Juan”, “cmds”, and “MSSERVER”. To further confirm these programs’ roots, they were all set to run from a temporary directory on my laptop, a directory that is linked to the primary user account on the laptop, in this case “colboy”. So the command line for the virus looks something like this: ‘rundll32 “c:\Users\colboy\AppData\local\temp\mrkocaef.dll”,run’, the DLL having some random kind of file name. Now using MSConfig, I can just de-select these pesky programs and life is good again, er, not quite so fast. I did this, rebooted and found that the files had been added once again to the startup program list. In fact it’s worse than that. I could deselect the programs, exit MSConfig, go back into MSConfig and the programs had again risen from the ashes. The reason for this, as mentioned previously, is that the main Virtumonde virus attaches itself to the Explorer process, the one that is an integral part of Windows. As soon as the virus sees the settings in the registry being removed, it regenerates them. Unable to find a software tool to remove the virus and unable to remove it manually, I decided to grit my teeth and bear it for a little while. I even toyed with the idea of just re-formatting everything and at the same time downgrading to Windows XP, but decided I really only wanted to do that as a last resort.
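The tell-tale sign above is a startup entry that uses rundll32 to load a randomly named DLL from the user’s temp directory. The following is an added example (not code from the original post) that turns that observation into a small, repeatable check: it parses startup entries of the shape MSConfig shows, extracts the DLL path and entry point from any rundll32 command, and flags those whose DLL lives under a per-user temp folder. The sample entries are constructed for illustration; only the first mirrors the one in the post, and the `parse_rundll32`, `is_user_temp_path` and `audit_startup_entries` names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of startup entries, in the shape MSConfig or the HKCU
# "...\CurrentVersion\Run" key presents them (name -> command line). The first
# mirrors the entry described in the post; the others are invented for
# illustration and are not real indicators of anything.
SAMPLE_STARTUP_ENTRIES: Dict[str, str] = {
    "mrkocaef": r'rundll32 "c:\Users\colboy\AppData\local\temp\mrkocaef.dll",run',
    "Sidebar": r'"C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun',
    "__cc02839s": r'rundll32.exe C:\Windows\System32\__cc02839s.dll,Startup',
    "ctfmon": r'C:\Windows\System32\ctfmon.exe',
}

# Matches "rundll32[.exe] <dll>[,<entrypoint>]" with optional quoting around
# the executable and around the DLL path (paths may contain spaces).
_RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'
    r'"?(?P<dll>[^",]+?)"?\s*(?:,\s*(?P<entry>\S*))?\s*$',
    re.IGNORECASE,
)

# Directories a legitimately installed autostart DLL should not live in:
# the per-user temp folder on Vista and on XP.
_USER_TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\local settings\\temp\\")


def parse_rundll32(command: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, entry_point) if the command is a rundll32 call, else None."""
    m = _RUNDLL32_RE.match(command)
    if not m:
        return None
    return m.group("dll").strip(), (m.group("entry") or "")


def is_user_temp_path(path: str) -> bool:
    """True if the path sits under a per-user temp directory or %TEMP%."""
    p = path.lower().replace("/", "\\")
    return p.startswith("%temp%\\") or any(marker in p for marker in _USER_TEMP_MARKERS)


def audit_startup_entries(entries: Dict[str, str]) -> List[Dict[str, object]]:
    """List every rundll32 autostart entry and flag those loading from a temp dir.

    Entries that are not rundll32 calls are skipped. rundll32 entries outside a
    temp directory are still returned (suspicious=False) so a person can review
    them, because some variants keep their DLL under System32 instead.
    """
    report: List[Dict[str, object]] = []
    for name, command in entries.items():
        parsed = parse_rundll32(command)
        if parsed is None:
            continue
        dll, entry = parsed
        report.append({
            "name": name,
            "dll": dll,
            "entry": entry,
            "suspicious": is_user_temp_path(dll),
        })
    return report


if __name__ == "__main__":
    for row in audit_startup_entries(SAMPLE_STARTUP_ENTRIES):
        flag = "SUSPICIOUS" if row["suspicious"] else "review    "
        print(f"{flag} {row['name']:12} {row['dll']} (entry: {row['entry'] or '-'})")
```

Running the block prints the post’s temp-directory entry as SUSPICIOUS and lists the System32 one for manual review. The temp-path rule is deliberately narrow: it catches the case described here without producing noise for the many legitimate rundll32 autostart entries, and anything it does not flag still gets surfaced rather than silently dropped.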
Anyway a few days passed and I finally had a splash of inspiration. Would I have a better chance of removing the virus if I were in Safe Mode? Safe Mode is a way of running Vista, and indeed former versions of Windows, whereby only a limited amount of functionality is enabled. With Windows 95 and 98, Safe Mode was usually enforced after Windows crashed or blue screened for whatever reason. You usually had to reboot into Safe Mode to allow Windows a chance to fix itself. I decided to go one stage more primitive by going into Safe Mode with Command Line, thinking this would give me a pure console/DOS screen.
You get into Safe Mode by pressing the [F8] key usually just after you switch your machine on, after the machine reports its BIOS settings and tells you the keys required to enter the BIOS setup. I usually press [F8] every second or so, until I get the screen asking me what form of Windows I want to boot. Here I select Safe Mode with Command Line. Once boot up has completed, you get a basic background and a console window, although this looked slightly different to the command line safe mode I’d used before in prior versions of Windows. The first thing I wanted to do was remove everything in the temporary directory associated with my user login. This is the same directory from which those DLL files were being run when I checked using MSConfig. I did this by typing:
cd \users\colboy\appdata\local\temp
del *.* /s/f/q
This deletes all files in the currently selected directory and all sub directories, including read only files, without asking for confirmation. Please bear in mind this directory name will differ depending on the path reported in MSConfig. I ran the delete command a couple of times, just to make sure nothing was missed, as I was still asked for confirmation on some files. Now that all the files were vanquished, I was about to reboot, but thought I’d see if MSConfig would run in this primitive safe mode. As luck would have it, it did, so I ensured the commands flagged to run at startup were no longer checked. Not that it would have made much difference, seeing as the DLLs were no longer there, but I liked to do this just for completeness.
I rebooted my machine and lo and behold, Virtumonde was but a distant memory. I am a little perturbed that Windows Vista’s Defender didn’t prevent the infection, but now at least I know how to get rid of Virtumonde if it returns, as now do you. Any questions on this process, don’t hesitate to post a comment or email me. Please also remember all these steps are repeated at your own risk. It worked for me, and should work for you just fine, but you never know how these things mutate and change over time.
Filed under: Unpublished Article
Cheers Colin,
Only had my Vista laptop for 5 days and already was infected with this nasty, your method seemed to work great.
Brilliant, had this on a laptop and a PC, just on the verge of the dreaded format, tried numerous spyware and virus checkers which all said they cleared it but they hadn’t... Your fix worked a treat... nice one
Good post on getting rid of this pest. One caution to your readers, though: don’t try del *.* /s/f/q unless the trojan resides (as yours did) in a temporary location! The particular variety of Virtumonde I acquired resides in C:\Windows\System32... not a good place to delete files indiscriminately...
In any case, if you’re not sure, just delete the particular file reported by your scanning program, e.g.,
del C:\Windows\System32\__cc02839s.dll
Hi Colin,
I have the Virtumonde virus. Also, I in no way have the technical capabilities of someone like yourself. On my main computer, I run Norton Internet Security 2008 & am virus free. However, my other computer which is networked wireless did not have any protection. Yesterday, I was hit with Virtumonde. After researching on the web, I purchased PC Tools Spyware Doctor because it seemed like the best & their site discussed this virus. But it keeps returning just like you say. I really do not have the ability to perform some of the above fixes that you suggest - they are just too complicated for me. Any suggestions?
Tom
Tom, let me know where you are having difficulty and I’ll try to help. Maybe I can then edit the original post to make it easier for others. Colin
Your comments helped in removing this tenacious little bugger, I took it one step further. I’ve got an old Pavilion I’ve been preparing for my nephew, and somehow got this thing on it.
After following what you talked about, I still was not able to completely get rid of it. Even going into “safe” mode (any kind). Then it dawned on me... if this thing attaches itself to items that are related to “start-up” then even “safe” mode would not really work... So I had the bright idea of booting into my Puppy Linux disk and getting into Windows that way.
it took a lot of work, but after printing the results of all scans from SPSD, HJT, and others, I just went to each directory and deleted the “files” listed. Then after rebooting back into Windows, and using Regedit, deleted ALL references in the registry pertaining to this monster. It took half a day to do this, but it worked. You just have to “rescan” several times until NOTHING shows up. It’s time consuming…but even if you have lots of stuff to scan (which take long to scan) it’s better than reformatting and backing up all your junk.
Hey Colin,
How do I put in the command line of deleting the virus with windows xp because it might be a little different. Please let me know soon as I am so desperate right now.
Johnny
Should be the same as Vista. When turning the machine on, or restarting for that matter, hit the [F8] key a few times after the usual BIOS screen, i.e. the screen that tells you the BIOS your machine has and amount of memory, etc. You should be presented with a list of options. You should see the one detailed in the blog posting there. Colin
Hey Colin,
After loading in safe mode, I got the command prompt. However because I logged into my account on Windows XP Home Edition, it gave me Documents and Settings along with my account name. I do not know how to enter the command line after that. All I know is that I have to enter del C:\Windows\System32\__cbXpQiJc.dll
Please help!! Thanks!
Johnny
hi
I have this virus, however this command prompt is not working for me, this one advanced.
I downloaded something, it said it was a key, but when I tried to open it I got an anti virus with a red icon in the task bar.
When I try to run a virus scan or a spyware scan my computer will reboot and restart itself automatically without warning. Out of several attempts at running both scans it’s only managed about 3 virus scans and about 3 spyware scans, nothing gets to open, it keeps flashing on and off.
The virus scan has detected MRI in adware, but spybot keeps sticking half way requesting a restart.
I cannot get online, nothing opens, they all shut down as soon as they open, I cannot even open folders, the system flashes back and forward and changes before you can open any program or folder.
I cannot run a hijack this log. Cannot start in safe mode or work in safe mode, keeps giving a pop up saying if I wish to work in safe mode, click yes, when I do it goes back to it again.
I’ve also tried Symantec’s online virus scanner, and Spybot, but it also triggers a reboot when it’s scanning. Could a virus/spyware or damaged files be causing the reboots? Apart from formatting the hard drive I’m all out of ideas of what to do. Any ideas??
I managed to run the cleaners once I click on them before the system flashes
they keep detecting something called Virtumonde.
I used the vundo fix which also found the same name with a whole lot of letters after it.
but what I noticed was it attached itself to the run file and opened the cmd and typed an exe code. Then it closed Firefox and reopened it and now I cannot even get the system to stabilize for 1 minute
Please beware of this Trojan: if you see something bring up the cmd /msconfig screen from the Run of your computer,
do not download it, cancel it.
It is just not responding to this command prompt!
STILL FLASHING AND UNSTABLE THIS IS A TERRIBLE TROJAN PLEASE BEWARE!
Any help will be greatly appreciated
cheers guys
I found your blog on google and read a few of your other posts. I just added you to my Google News Reader. Keep up the good work. Look forward to reading more from you in the future.