  1. #1
    Join Date
    Oct 2006
    Location
    Sawbridgeworth
    Posts
    25,127

    Virtumonde Virus Infection

    I've fallen victim to a virus which won't go away. It seems to exist to make pop ups and other adverts for websites appear, and to direct me to 'rogue' virus cleaner websites.

    I believe it's known as "Virtumonde" and seems to manifest itself by a number of .dll files which have appeared in C:\Windows\System32. These can't be deleted, because they are always locked or in use, even when I start in Safe Mode. WinPatrol constantly asks me if I want to install a series of dll files ("opnomlLC.dl" and "pmnlijkKA.dll", though I think they are randomly named) in the startup routine. This triggered WinPatrol to suggest deleting multiple "suspicious" files from its Active Tasks tab simultaneously, but nothing in there is suspicious or can be killed.

    Anyone know something free that can get rid of this? AVG doesn't seem to make it through a scan and once it's started, can't be stopped.

    Si.

  2. #2

    I actually got this the other day. Well, I got something called Vundo, but according to Google they seem to be the same thing.

    First I would try this http://www.symantec.com/security_res...112210-3747-99

    Follow the instructions about shutting down system restore though, don't just run it as is. And also it took about an hour and a half to run on my system so it probably won't be swift.

    The thing is, by the time I ran that I think I had already got rid of it with Malwarebyte's Malware removal software http://www.malwarebytes.org/mbam.php

    I ran that a few times first, but when it rebooted it would still be there. Eventually I think I ran the malware tool, and then the Vundo removal tool straight after. It reported that it hadn't found anything, but after that I could reboot and it didn't come back.

    It still seemed to permanently bugger up my anti-virus software though, so I had to reinstall that afterwards too. Took quite a few hours for everything to run all-in-all.

    To be fair I can't be sure what it was that I did that actually resulted in the removal of the virus. I know I ran the Malwarebyte's software quite a few times, it certainly didn't work first time. I only ran the removal tool twice, but both times it said it didn't actually find anything. But maybe if you use that first, before trying anything else, it will work. I only tried starting in Safe Mode once, but I think by that time it had already gone off my system anyway.

  3. #3

    Thanks for that!

    Will give it a try.

    Si.

  4. #4

    I got that Malwarebytes software last year for another similar adware virus. Even the free version seems to do a pretty good job of removing stuff like this (or at least the 2 things like this that I've had).

    There's also a bit of software called SmitFraudFix that removes various types of malware and adware, although it might not work for this specific type. Worth a try if nothing else works though.

  5. #5

    Follow the instructions about shutting down system restore though, don't just run it as is.
    I've looked this up and it seems to mean I won't be able to restore from any earlier points. Why is this advisable? Isn't it a bit dangerous, as surely I WANT to be able to restore as a last resort if I'm trying to deal with a virus?

    Si.

  6. #6
    Join Date
    Nov 2006
    Location
    Valhalla.
    Posts
    15,910

    Because if you use the restore point then you are likely to reinstall the virus, as I understand it.
    Have you tried using the restore function already, from an earlier point?

  7. #7

    Some viruses can hide themselves away in restore points, or in some other way manipulate them in order to find other ways to keep springing back into life. If you have some earlier restore points then you could give one a go first. If that clears up the virus problem then job done, but it won't work for the majority of them. If you try that and the virus is still there, then those earlier restore points are useless anyway, so by removing them you give the virus one less place to hide.

    Come to think of it, it may have been my removal of them that allowed me to get rid of the virus, because it was only after I did that that it stopped coming back on every reboot.

  8. #8

    Well I've run the malwarebytes software and it appeared to detect and remove the threat (unlike Windows OneCare live scan, which found it and failed to fix it, or Spyware Doctor, which found it then asked for £40 to fix it). Fingers crossed, it seems all quiet at the moment, though I'm just waiting for that WinPatrol box to pop up, in which case I'll have to try the Vundofix one.

    Si.

  9. #9
    Chanson Guest

  10. #10

    (on behalf of someone else)
    Mysterious! Who is it?

    Incidentally, neither ad-aware nor CCleaner have picked up the last two viruses I had AT ALL. I wonder if either of them are any good really.

    Si.

  11. #11

    CCleaner isn't going to detect any virus at all because that's not what it's for; it's just a utility for freeing up disk space by deleting temporary and un-needed files. It offers precisely zero defence against viruses.

    I agree with you about Ad-aware though, I got rid of that after it proved to be useless.

  12. #12

    Incidentally, that Malware program seems to have gotten rid of the virus and the computer has been fine today (although oddly I ran an AVG scan this afternoon and it found and cleaned up one, despite no visible bad effects... something different?). So thank you very much for your help!

    Si.

  13. #13

    I'm sure you'll have a few days of "is it really gone" paranoia, but it sounds like it was just a bit of annoying adware to try and get you to buy a product. Its sole purpose was to keep annoying you and be really obvious, so if you've got no symptoms at all it's very likely that it's gone.
