Generally, I have good luck doing essentially what you describe to remove
this type of malware. Boot into safe mode, and run an antimalware program
to remove the problem. Then, manually clean up any left over files and
registry entries. See this page for one example of a suggested method to
follow for cleaning this problem from your computer:
http://www.bleepingcomputer.com/virus-removal/remove-vundo-virtumonde . The
programs that I typically use, in this order, are malwarebytes, f-secure
online, and hitman pro (online).
One thing that I'm beginning to suspect is that some of these common malware
problems are now being reinforced by use of a root kit to keep reinstalling
the malware after it is removed. If you are confident that you removed the
malware using the usual methods, but the virus reinstalls itself, this may
be the reason why. Hopefully, one of the three programs that I mentioned
will pick up on a root kit, if it is going on, but I get the impression that
the antimalware programs may be lagging behind a bit in this department.
Sites like bleepingcomputer have volunteer antimalware experts that will walk
you through a clean up of an infected computer (or so it appears from
browsing their site), though I've not actually made use of that. I'm afraid
that I don't have the expertise to make much use of something like a Hijack
This log, but it seems like some of the people on these help forums can
recognize what should and shouldn't be showing up there.
A couple of other thoughts. It is important that you be able to update your
antivirus signatures before running the scan. This type of malware is being
constantly tweaked to try and stay ahead of the antimalware scans. You
mentioned running an erasure program and then reinstalling Windows. Does
this program erase the whole drive or just the areas that it is deleting
files from? I don't really know, but I wonder if a root kit might not slide
by a process like this. I'm fairly certain something like Darik's Boot and
Nuke will over-write the entire drive, including areas that are not
typically used for data storage. The hard drive manufacturer's diagnostic
disc, if it offers to zero the drive, would be another option to make sure
that you are starting with a clean drive for a fresh Windows installation.
Finally, you mentioned installing additional programs on this new install of
windows. Any chance these are previously downloaded programs that might be
infected, or do you need to visit a web site to download these programs to
reinstall them? These infections typically hop onto the computer from the
ads running on just about any web site. On the other hand, when this
occurs, the first popup that you see is only an ad. It's clicking on it to
try and close it that downloads the virus. I tell people to shut down their
computers at the first sign of this popup. (Or use Ctrl-Alt-Del to kill the
web browser running the ad.)
I hope some of this is useful.
John Sproule
--------------- Original Message Below ------------
Date: Sun, 5 Sep 2010 21:11:18 -0700
From: alan smith <[log in to unmask]>
Subject: virtumonde??
This program is a problem ( to put it politely? ) So far it has 3
designations, .sdn .dll .sci
I have 2 main computers, a tower, an IBM desktop & 2 small Compaq desktops.
All are running XPpro sp2. I use Spybot S&D and when I checked their spies
etc. the name virtumonde appears! Yet when they do a scan, they go right past
it! I was
going to use the IBM to clean the drive from my tower, but when I ran a
Spybot scan, Virtumonde was there too, so I used a Compaq to do the
cleaning? I went into SAFE mode & ran KASPERSKY's
boot disk. No luck. Then I tried RKILL.exe, & .com, & .scr AND .pif. all in
safe mode, but no luck! I even tried to find it in the registry as listed by
PC!Clean. Still no luck! Tonight I did a
Spybot scan & watched the folders, all 1,282,000 of them & Virtumonde took
up half of my "C" drive which has 31.25Gb which has 4.25Gb clear. When my
tower didn't clean, I checked the IBM & it's in there too. I made 7 passes with
Heidi's ERASER & installed XPpro again plus the extra programs that I use.
Well !! Guess who showed up?? Virtumonde!! I'm about ready to go to LINUX !!
Has anyone had this much trouble with this program AND was it solved??????
Thank you for your support. Al Smith
PCBUILD's List Owners:
Bob Wright<[log in to unmask]>
Mark Rode<[log in to unmask]>