Virtumonde Spyware/Malware
Moderator: Wiz Feinberg
-
Lee Baucum
- Posts: 10803
- Joined: 11 Apr 1999 12:01 am
- Location: McAllen, Texas (Extreme South) The Final Frontier
Virtumonde Spyware/Malware
Anybody have an easy way of removing this program? Spybot doesn't find it, but Adaware does. In fact Adaware claims to have removed the files, but they always return. I get popups whenever I launch Internet Explorer (Microsoft).
It looks like the file(s) get embedded in the registry keys, which I'm afraid to deal with.
Lee, from South Texas
-
Dave Potter
- Posts: 1565
- Joined: 15 Apr 2003 12:01 am
- Location: Texas
Lee, you're right to have a healthy respect for editing your registry. It's not that it can't be done, but, if you delete something critical, you can break it. One precaution would be to use one of the several free utilities that you can use to do complete registry backups, in case that's needed.
I got a lot of Google hits for "virtumonde". One of them was from the Symantec website, I quote:
" To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document: How to make a backup of the Windows registry.
1. Click Start > Run.
2. Type regedit
Then click OK.
Note: If the registry editor fails to open, the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
3. Navigate to the subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the value:
"WindowsUpd" = "[ADWARE FILENAME]"
5. Navigate to the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
6. In the right pane, delete the value:
"SysUpd" = "[ADWARE FILENAME]"
7. Navigate to and delete the following subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}scan
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEpl.IEpl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEpl.IEPl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tdev
HKEY_USERS\S-1-5-21-1887652994-1477516851-2064603551-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}
HKEY_LOCAL_MACHINE\SOFTWARE\TargetSoft
HKEY_CLASSES_ROOT\CLSID\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}
HKEY_CLASSES_ROOT\DosSpecFolder.DosSpecFolder
HKEY_CLASSES_ROOT\DosSpecFolder.DosSpecFolder.1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}
8. Exit the Registry Editor."
So, here's something to try.
[This message was edited by Dave Potter on 04 July 2006 at 04:22 PM.]
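The Symantec steps quoted above can be checked before anything is deleted. The following PowerShell script is an added example, not code from the forum post or from Symantec: it audits exactly the Run values, CLSIDs, Browser Helper Object entries and Winlogon Notify key named in the instructions, reports what it finds, and only removes an entry (after exporting a backup with reg.exe) when run with -Remove. The HKEY_USERS SID-specific path is left out because it belongs to one particular machine; the backup file naming is the author's own choice.

```powershell
# Added example: audit (and optionally clean) the Virtumonde persistence
# locations listed in the Symantec instructions. Read-only unless -Remove.
param([switch]$Remove)

# Run values named in steps 3-6 (key -> value name)
$runValues = @{
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' = 'WindowsUpd'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' = 'SysUpd'
}
# CLSIDs named in step 7 (BHO registration and class registration)
$clsids  = @('{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}',
             '{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}')
$bhoBase = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$notify  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tdev'

function Backup-Key([string]$psPath) {
    # reg.exe wants HKLM\... rather than the PowerShell HKLM:\ drive form
    $native = $psPath -replace '^HKLM:', 'HKLM' -replace '^HKCU:', 'HKCU'
    $file = Join-Path $env:TEMP ('regbak-' + ($native -replace '[\\{}: ]', '_') + '.reg')
    reg.exe export $native $file /y | Out-Null
    Write-Host "  backed up to $file"
}

# Run keys: report the value and the program it launches
foreach ($key in $runValues.Keys) {
    $name = $runValues[$key]
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item) {
        Write-Host "FOUND Run value '$name' = '$($item.$name)' under $key"
        if ($Remove) { Backup-Key $key; Remove-ItemProperty -Path $key -Name $name }
    }
}

# BHO and class registrations for the two CLSIDs
foreach ($id in $clsids) {
    foreach ($path in @((Join-Path $bhoBase $id), "HKLM:\SOFTWARE\Classes\CLSID\$id")) {
        if (Test-Path $path) {
            Write-Host "FOUND $path"
            if ($Remove) { Backup-Key $path; Remove-Item -Path $path -Recurse }
        }
    }
}

# Winlogon Notify package (loads a DLL into winlogon at logon)
if (Test-Path $notify) {
    Write-Host "FOUND Winlogon Notify package: $notify"
    if ($Remove) { Backup-Key $notify; Remove-Item -Path $notify -Recurse }
}
```

Run it from an elevated PowerShell prompt first without -Remove to see what is present; the .reg backups written to %TEMP% can be double-clicked to restore a key if something breaks.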
-
Wiz Feinberg
- Posts: 6113
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
Lee;
Download the Symantec Virtumonde Removal Tool here. Read the instructions on that page first. Print them out if necessary.
------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here.
Read Wiz's Blog for security news and update notices
-
Lee Baucum
- Posts: 10803
- Joined: 11 Apr 1999 12:01 am
- Location: McAllen, Texas (Extreme South) The Final Frontier
By the way. Even though the popups only happen when using Microsoft Internet Explorer, I can hear the hard drive running almost all the time, like the computer is doing something. Norton periodically tells me that it is trying to scan certain files, such as Notepad files and Powerpoint files. I'm wondering if these are files of information that are being sent out by my computer.
-
Wiz Feinberg
- Posts: 6113
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
Lee;
If you are running a properly licensed copy of Windows XP, download Windows Defender and let it do a full system scan, with updated definitions.
------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here.
Read Wiz's Blog for security news and update notices
-
Wiz Feinberg
- Posts: 6113
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
There is a topic about removing Virtumundo/Winfixer on this Bleeping Computer Forum. It involves downloading two removal tools and running one, then the other.
-
Lee Baucum
- Posts: 10803
- Joined: 11 Apr 1999 12:01 am
- Location: McAllen, Texas (Extreme South) The Final Frontier