Slaying the virtumonde virus

Posted by daviding on December 23, 2007 under technologies

Brian phoned yesterday, to ask if Adam could take a look at Jasmine’s laptop. Adam wasn’t in, so Diana suggested that he talk to me. Brian initially said that he didn’t want to take my time looking at a PC with a potential virus on it. I told him just to drop the machine off, and I would add it to the other two computers on my desk. I’m second-level support for the eight computers we have in our house, so all of the hard problems come to me.

This laptop took forever to boot, and would come up with a message (as I had seen in the BitDefender forum) of:

Your system could become unstable

A potential problem has been detected and Windows has been shutdown buggy application to prevent damage to your computer.

****WXYZ.SYS - Address F73120AE base at C00000, DateStamp 36b072A3
Kernel Debugger Using: COM2 (Port 0x28f, Baud rate 192000)

Although the panel looks like a Windows error, the wording is pretty suspicious (and grammatically incorrect). It’s the virus talking, not Windows. (There’s no reason for the kernel to be going to a COM2 port, when you have high-speed Internet access!)

Other symptoms included thousands of pot???.tmp files in the root directory, and an inability to start up a command prompt, because the \windows\system32\ directory was hidden.

First, I downloaded the VundoFix program from atribune.org and ran that. This program was last updated in January 2007. It took a while, but VundoFix confirmed the Virtumonde virus. I followed through to clean up the virus, and it removed and patched a lot of files … except one. VundoFix said that this file would be removed after a reboot. I rebooted, VundoFix came up, and the last file was supposedly fixed. With another reboot, however, the system32 directory was still invisible, and another run of VundoFix disclosed an infected file. I retried the search, fix and reboot three more times, with the same result.

With another web search, I found that Lavasoft had developed a VirtuMonde remover, and it has been incorporated into Ad-Aware 2007 (including the free version). I downloaded Ad-Aware 2007 Free, but when I tried to install it, the installation would fail because some other program was simultaneously being installed.

Looking at Windows Task Manager … Processes … I saw multiple instances of msiexec running. One of these msiexec processes blocks other installation requests. I killed these processes, and Ad-Aware 2007 installed smoothly. Running Ad-Aware then not only found and isolated the files infected by Virtumonde, but also two other viruses … as well as the usual browser malware. I always thought that Ad-Aware was just for browsers … but I guess Lavasoft does much more than that!

When I could bring up a command prompt, it was a simple instruction to delete pot*.tmp, in two directories.

The laptop seems to be working fine, now. I’m 99% certain that I’ve killed the Virtumonde virus. The 1% uncertainty is that there are msiexec processes that come up after a cold boot. These could be normal processes (e.g. one turned out to be the anti-virus profiles from Sympatico Security Services being refreshed) … or they could be the Virtumonde virus continuing to lurk.
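The symptoms and manual steps above (a hidden system32 directory, pot???.tmp droppings, msiexec processes blocking other installers) can be checked and repeated with a script. The following Windows PowerShell script is an added example, not the post author's own procedure and not part of VundoFix or Ad-Aware. It reports each symptom, and only with -Clean or -KillMsiexec does it apply the same fixes the post describes by hand. Assumptions: Windows PowerShell 2.0 or later on an elevated prompt, and %TEMP% as the second temp directory, since the post names only the drive root.

```powershell
# Triage/cleanup for the Virtumonde symptoms described above.
# Added example, not the post author's own steps.  Assumptions are marked.
# Run from an elevated Windows PowerShell (v2 or later) prompt.
param(
    # The post names only the drive root for the pot???.tmp files and does not
    # say which the second directory was; %TEMP% here is an assumption.
    [string[]]$TempDirs = @("$env:SystemDrive\", $env:TEMP),
    [switch]$Clean,        # delete the temp files and unhide system32
    [switch]$KillMsiexec   # stop every msiexec.exe so an installer can run
)

$system32 = Join-Path $env:WINDIR 'system32'

# 1. A hidden system32 is why cmd.exe would not start.  -Force is needed for
#    Get-Item to return a hidden directory at all.
$attrs = (Get-Item -LiteralPath $system32 -Force).Attributes
if ($attrs -band [IO.FileAttributes]::Hidden) {
    Write-Warning "$system32 is Hidden (attributes: $attrs)"
    if ($Clean) {
        # attrib.exe clears Hidden and System in one step on every Windows build.
        & attrib.exe -h -s $system32
    }
}

# 2. Count (and optionally delete) pot*.tmp in each candidate directory.
foreach ($dir in $TempDirs) {
    $files = @(Get-ChildItem -LiteralPath $dir -Filter 'pot*.tmp' -Force `
               -ErrorAction SilentlyContinue)
    "{0,6} pot*.tmp file(s) in {1}" -f $files.Count, $dir
    if ($Clean -and $files.Count -gt 0) {
        $files | Remove-Item -Force
    }
}

# 3. Show every msiexec.exe with its command line and parent process, so a
#    legitimate installer (known parent, a real .msi on the command line) can
#    be told apart from one with no package or an unexpected parent.
$msi = @(Get-WmiObject Win32_Process -Filter "Name = 'msiexec.exe'")
foreach ($p in $msi) {
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentDesc = "<exited> (PID $($p.ParentProcessId))"
    if ($parent) { $parentDesc = "$($parent.Name) (PID $($parent.ProcessId))" }
    $p | Select-Object ProcessId, @{n = 'Parent'; e = { $parentDesc }}, CommandLine
    if ($KillMsiexec) { Stop-Process -Id $p.ProcessId -Force }
}
```

Run it once with no switches to get the report. The msiexec listing is the part that addresses the 1% doubt at the end of the post: an anti-virus profile refresh shows a recognisable parent process and a package path on its command line, while an msiexec with no package, or spawned from something unexpected, is the one worth investigating before the machine goes back to its owner.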

Brian picked up the machine this morning. I’ve advised him to back up all of the data files on CDROM, in case the virus isn’t really dead. He had been advised by a technician in a store to just reinstall Windows XP. For systems engineers from the mainframe generation, reinstalling an operating system is an extraordinary measure that isn’t taken lightly. In my opinion, the problem determination skills of PC-oriented technicians leave much to be desired. The elapsed time — not working time, because it took so long for the programs to run, and the infected operating system to reboot — to fix the machine was probably 6 to 8 hours.

Most PC technicians are all about action, not thinking. Sticking to a problem for the better part of a working day requires patience. I wish that university and college students could develop the good analytical discipline to figure out the one technical issue that is wrong, and put that right.

9 Responses to “Slaying the virtumonde virus”


When you run the VundoFix tool you should always run it in safe mode. That will give you the best chance for removal. Other paid programs like Webroot and Spyware Doctor will also kill it in its tracks. The free solutions are Spybot S&D and Ad-Aware, but those do not keep you protected from getting it in the first place.


It took me weeks to remove Virtumonde, and only one program fixes everything: SDFix!

Please run the following:

SDFix

1. Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/R…ools/SDFix.exe

2. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

3. Reboot into Safe Mode.

4. Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

Good luck!


Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 2.5 Canada License.