Virtumonde virus is eating my wife's computer

I’m out of town, so all I can do is tell my not very computer-fluent wife what to do to try to get rid of what appears to be a massive Virtumonde virus takeover of her computer. Spybot found several instances of it and said it fixed it, but the problems appear to still be there. She has NOD32 from ESET running, so I’m not sure how it got on there to begin with (all she does is chat on Meebo with a few people she knows well, chat on a forum of moms, do Facebook (very basic) and email).

Anyway, ran Spybot, it found instances, rebooted for cause, scanned again and cleaned. But then NOD32 showed that it also found and cleaned/quarantined a few instances of it. Yet today my wife calls me and says the computer is still acting wonky with the same behavior that appears to still be the Virtumonde virii.

Help! What is the best way to clean her computer of this thing, especially an approach simple enough to lead her through on the phone? And we cannot find an XP System disk (who knows where it is after the recent move?)

This is related to XP Antivirus 2009, etc., right? Man, this is the fucking worst. Best thing I’ve found is Malwarebytes or Super AntiSpyware. There’s also something called VundoFix, which I have not used myself, but which is for this specific thing.

Good luck!

Vundofix will get rid of it specifically, taking into account the various tricks it does to try and evade removal.

Yeah, and I’m kinda pissed that it got through her virus checker. It appears to attach itself to explorer.exe, and regenerate. Agrh! I’ll look at those.

It gets through those a lot because it’s technically classed as spyware, not a virus (I guess).

Man, I remember the first one of these a user of mine caught, maybe six or seven months ago now. At the time, I just couldn’t find a fix at all. It’s still a real bear to deal with, but between MB and SAS, I’m usually successful. If neither one of those works, it’ll probably be because the stuff is preventing them from either running or updating… if you can get them to install, try to update and run them in safe mode. If that doesn’t work either, give VundoFix a shot I guess, but the odds are good that you’ll need to rebuild.

Chances are she’s hooking to a helper within the use or startup of Internet Explorer. Beyond knowing which version she got, they can be nasty, with a keylogger install as well.

Have her start here:
http://onecare.live.com/site/en-US/default.htm?s_cid=sah

See if that will launch from IE. If so, it should clean up IE and several of the versions of Virtumonde. If that doesn’t work, launch, or find anything, at the very least have her switch to an alternate browser and not do anything on the PC involving passwords, account numbers, or purchases until you can get back and help clean it.

I see SAS is about $30, I assume MB is also a pay program - which would you recommend to start with? My gut says SAS.

Also - why not start with Vundofix? It seems to be specifically built for this?

You can run MB for free for a trial period if I remember right. The Onecare Live runtime scanner I linked is also free and is only an applet install, so you don’t even have to uninstall your current programs.

You want http://www.malwarebytes.org/mbam.php. It is FREE. You can scan and clean with the free version.

I had Virtumonde as well very recently; it’s typically caused by an outdated Java install (so as long as Firefox loads applets, you can get it). First virus/trojan I’ve had in 3 or 4 years. I got infected on my work computer, on which I do not browse sketchy sites.

I’m pretty savvy and could NOT get rid of this thing using HijackThis and Process Explorer. I tried multiple scanners and AV programs; nothing could get rid of it, it kept regenerating like the goddamn T-1000, EXCEPT for the Malwarebytes one. That is the one you want. Worked perfectly and it was all gone in 5 minutes.

First thing to check is if she can do a System Restore using the Windows utility; that’s about the only way to be sure. Unfortunately, many viruses/spywares knock out the utility first thing.

I’m fond of Spyware Terminator’s real-time shield, it seems pretty powerful, but after you’re already hosed, I always lean toward a full OS reinstall.

H.

She’s using Firefox - how does that affect this?

I have nothing to add other than to say that I thought that mentioning your ‘not very … flatulent wife’ was kind of a weird way to start a thread about viruses until I read it more closely.

SAS free version will take care of this no problem. My wife had this horrendous trojan a few weeks ago. If you’re looking for a resident Spyware scanner, the best free one I’ve found is Spyware Terminator.

MB is the best. The free version can remove Vundo with ease. I haven’t tested the paid version for prevention yet.

Sadly, System Restore points being infected is one of the first things these suckers do these days.

Checklist:

Disable system restore
Install MBAM, update definitions.
Install Anti-Vir or AVG or ESET. Update definitions.
Reboot into safe mode.
Run both MBAM and the Anti-virus software.

After that, you’re going to have to manually clean up some registry keys or just run CCleaner and hope you’ve got everything.

I remove this stuff daily and it’s about knowing what to use and look for, the latter part being what’s difficult.
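The checklist above ends at “manually clean up some registry keys”, and earlier posts point at the two places this family shows up: as a helper that loads with Internet Explorer, and as something attached to explorer.exe. The following PowerShell is an added example written for this thread, not code from any of the tools named in it, and it does not remove anything: it only lists the registered Browser Helper Objects with the DLL each one resolves to, and the unsigned modules loaded into the browser and explorer.exe, so that whoever is on the phone knows which registry keys and files they are about to touch. The function names are made up for this example; the registry paths (HKLM ...\Explorer\Browser Helper Objects and HKCR\CLSID\{...}\InprocServer32) are the standard locations Windows uses for BHOs. It assumes PowerShell is installed (2.0 is available for XP) and is run from an Administrator account.

```powershell
# Added example for this thread: enumerate IE Browser Helper Objects and
# unsigned modules in browser/explorer processes. Read-only; review before
# any manual registry clean-up. Function names are hypothetical.

function Get-BrowserHelperObjects {
    # Every registered BHO has a subkey here named after its COM CLSID.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return @() }

    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid    = $_.PSChildName
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $inproc   = "$clsidKey\InprocServer32"

        # Friendly name is the default value of the CLSID key (often blank on malware).
        $name = $null
        if (Test-Path $clsidKey) { $name = (Get-ItemProperty -Path $clsidKey).'(default)' }

        # The DLL that IE will actually load is the default value of InprocServer32.
        $dll = $null
        if (Test-Path $inproc) {
            $dll = (Get-ItemProperty -Path $inproc).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        }

        $exists = $false
        $sig    = 'n/a'
        $mtime  = $null
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $exists = $true
            # Authenticode status: Valid, NotSigned, HashMismatch, ...
            $sig   = (Get-AuthenticodeSignature -FilePath $dll).Status
            $mtime = (Get-Item -LiteralPath $dll).LastWriteTime
        }

        New-Object PSObject -Property @{
            CLSID      = $clsid
            Name       = $name
            Dll        = $dll
            FileExists = $exists
            Signature  = $sig
            Modified   = $mtime
        }
    }
}

function Get-UnsignedProcessModules {
    # Lists loaded modules whose Authenticode signature is not 'Valid'.
    param([string[]]$ProcessName = @('explorer', 'iexplore', 'firefox'))

    foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try { $modules = $p.Modules } catch { continue }   # access denied etc.
        foreach ($m in $modules) {
            $status = (Get-AuthenticodeSignature -FilePath $m.FileName).Status
            if ($status -ne 'Valid') {
                New-Object PSObject -Property @{
                    Process   = $p.ProcessName
                    Pid       = $p.Id
                    Module    = $m.FileName
                    Signature = $status
                    Modified  = (Get-Item -LiteralPath $m.FileName).LastWriteTime
                }
            }
        }
    }
}

"=== Browser Helper Objects ==="
Get-BrowserHelperObjects | Sort-Object Signature |
    Format-Table CLSID, Name, Signature, FileExists, Modified, Dll -AutoSize

"=== Modules without a valid Authenticode signature ==="
Get-UnsignedProcessModules | Sort-Object Process, Modified -Descending |
    Format-Table Process, Pid, Signature, Modified, Module -AutoSize
```

Two caveats when reading the output. First, on XP most operating-system DLLs are signed through catalog files rather than an embedded signature, and Get-AuthenticodeSignature of that era does not consult catalogs, so NotSigned on a long-standing file in %SystemRoot%\system32 is not by itself suspicious; a BHO with no name, a DLL that does not exist on disk, or a module with a very recent modification time is what to look at. Second, the thread’s advice to do all of this from Safe Mode still applies: a DLL that is loaded into explorer.exe cannot be deleted while that process holds it, which is the regeneration behaviour several posters describe.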

We actually called Microsoft for help on this one. They turned out to be knowledgeable of the problem and very helpful in resolving it. I think we used HijackThis, but I can’t remember the spyware cleaner found off the top…

I used to clean this on a regular basis for work. We generally used a combination of HijackThis and vundofix, though vundofix has to be the newest version, since if I remember right there’s an arms race between the virtumonde people and the vundofix people.

I had this on one of my machines a year or two ago, and I explained my problems and got help to get rid of it on http://forums.spybot.info/. The mods there are quite helpful if you follow their instructions. It did involve using HijackThis, I remember.

It shouldn’t, except that it’s one of the traditional entry points for the malware. If you or she have anything that you use IE for on that machine then maybe it’s related. If not then like someone else suggested it probably had another form of entry onto the machine.

I’m just going to parrot this because it’s almost exactly what I do at work, only I have been using Spyware Terminator. I like that it will let you run scheduled scans and update automatically, but won’t hound you to purchase a full version. I use it for removal and Spybot for prevention. We’re stuck with SAV for virus removal, though.

They’re both available in free and paid versions. The free versions work fine and aren’t time-limited or crippled or anything.