Coevolving Innovations

… in Business Organizations and Information Technologies

Slaying the virtumonde virus

Brian phoned yesterday, to ask if Adam could take a look at Jasmine’s laptop. Adam wasn’t in, so Diana suggested that he talk to me. Brian initially said that he didn’t want to take my time looking at a PC with a potential virus on it. I told him just to drop the machine off, and I would add it to the other two computers on my desk. I’m second-level support for the eight computers we have in our house, so all of the hard problems come to me.

This laptop took forever to boot, and would come up with a message (as I had seen in the bitdefender forum) of:

Your system could become unstable

A potential problem has been detected and Windows has been shutdown buggy application to prevent damage to your computer.

****WXYZ.SYS – Address F73120AE base at C00000, DateStamp 36b072A3
Kernel Debugger Using: COM2 (Port 0x28f, Baud rate 192000)

Although the panel looks like a Windows error, the wording is pretty suspicious (and grammatically incorrect). It’s the virus talking, not Windows. (There’s no reason for the kernel to be going to a COM2 port, when you have high-speed Internet access!)

Other symptoms included thousands of pot???.tmp files in the root directory, and an inability to start up a command prompt, because the /windows/systems32/ directory was hidden.

First, I downloaded the VundoFix program from atribune.org and ran that. This program was last updated in January 2007. It took a while, but VundoFix confirmed the Virtumonde virus. I followed through to clean up the virus, and it removed and patched a lot of files … except one. VundoFix said that this file would be removed after a reboot. I rebooted, VundoFix came up, and the last file was supposedly fixed. With another reboot, however, the system32 directory was still invisible, and another run of VundoFix disclosed an infected file. I retried the search, fix and reboot three more times, with the same result.

With another web search, I found that Lavasoft had developed a VirtuMonde remover, and it has been incorporated into Ad-Aware 2007 (including the free version). I downloaded Ad-Aware 2007 Free, but when I tried to install it, the installation would fail because some other program was simultaneously being installed.

Looking at Windows Task Manager … Processes … I saw multiple instances of msiexec running. One of these msiexec processes blocks other installation requests. I killed these processes, and Ad-Aware 2007 installed smoothly. Running Ad-Adware then not only found and isolated the files infected by Virtumonde, but also two other viruses … as well as the usual browser malware. I always thought that Ad-Aware was just for browsers … but I guess Lavasoft does much more than that!

When I could bring up a command prompt, it was a simple instruction to delete pot*.tmp, in two directories.

The laptop seems to be working fine, now. I’m 99% certain that I’ve killed the Virtumonde virus. The 1% uncertainty is that there are msiexec processes that come up after a cold boot. These could be normal processes (e.g. one turned out to be the anti-virus profiles from Sympatico Security Services being refreshed) … or they could be the Virtumode virus continuing to lurk.

Brian picked up the machine this morning. I’ve advised him to back up all of the data files on CDROM, in the case that the virus isn’t really dead. He had been advised by a technician in a store to just reinstall Windows XP. For systems engineers from the mainframe generation, reinstalling an operating system is an extraordinary measure that isn’t taken lightly. In my opinion, the problem determination skills of PC-oriented technicians leaves much to be desired. The elapsed time — not working time, because it took so long for the programs to run, and the infected operating system to reboot — to fix the machine was probably 6 to 8 hours.

Most PC technicians are all about action, not thinking. Sticking to a problem for the better part of a working day requires patience. I wish that university and college students could develop the good analytical discipline to figure out the one technical issue that is wrong, and put that right.

14 Comments

  • When you run the Vundofix tool you should always run it in safe mode. That will give you the best chance for removeal. Other paid programs like webroot and spyware doctor will also kill it in it’s tracks. the free solutions are Spybot S and D and ad-aware but those do not keep you protected from getting it in the first place

  • In the computer repair business I run into this bad boy all the time. Their is a site that focuses only on this strain and how to remove it. check out http://www.virtumonde.net . They have plenty of removal guides for this.

  • I read a blog post on vundoremoval.com that said doing a system restore was the simplest way. I tried it and it worked great. After that I used spybot and removed the other traces. All in all it took under an hour and about 5 minutes of actual sit down time. If you just got infected recently then that vundo removal guide is the best.

  • it took me weeks to remove virtumonde.. and only one program fixes everything.. SDFix!!!

    Please run the following:

    1. sdfix

    1. Download SDFix and save it to your Desktop.

    http://downloads.andymanchesta.com/R…ools/SDFix.exe

    2. Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    3. Reboot into Safe Mode`:-

    Reboot into >>>safe mode

    4. Open the extracted SDFix folder and double click RunThis.bat to start the script.
    Type Y to begin the cleanup process.

    It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    Press any Key and it will restart the PC.

    When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

    Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

    Goodluck!!!

  • all you need is a program called “superantispyware” , it cleared out all of my vundo, virtumonde,etc, even from my memory, and its free for home use, with a donation if you think fit.

  • Yeah SDFix is rock

    the only one little proggy that helped me to get rid off this crap///

  • I sure wish that there were dates by the entries above. I have tried Superantispyware, AdAware, Spybot S-D, X-raypc, several online House Calls….all to no avail. Safe mode approach, Hiren’s CD and booting to Ram Drive utilizing programs on the disk still did not crack this recent version. Oh..by the way…the today is July 12, 2008. Going to try the SDfix mentioned above. Thanks for the ray of hope by your post michelle.

    michael in kansas

  • I second michael in kansas (Oldphart)–it’s Sept 1, 2008 and I’ve contracted the virus. I’ll try SDFix and see what happens….

  • I think Virtumonde virus showed how actually vulnerable and imperfect popular antivirus suites are. People bundle
    their computers with loads of security programs only to find out that virtumonde feels just great in their protected systems. Self-proclaimed techies recommend to install half a dozen additional applications without giving any reasons except “this might help”. Somehow this makes me think that it’s much better to have protection AGAINST infection, rather than tools to cure virtumonde. Not specaking about registry changes it can make; sometimes it just doesn’t make sense to remove the trojan because the system is already a mess.

  • Not one person has mentioned stopping system restore. I can assure that if you have had this virus more than a day, it is imbedded in your system restore. I don’t believe anyone will have long term success without first shutting off system restore.

  • SDFix was the ONLY app that took the Virtumonde virus off. The date is Jan 12, 2009 and it worked great!

  • I have tryed all the above all week long…..I backed up pics,music,a few programs,and will re-instal xp with a complete wipeout….I say uncle to the virus

  • i wanted to try sdfix…. it isn’t there anymore. :(

    any new solutions?

  • Just got ensnared with this bugger. Going to give a go with SDFix, per the recommendations above (Spybot S&D didn’t take it out, running avast boot-time scan at the moment). SDFix download and readme can be found here:
    http://downloads.andymanchesta.com/RemovalTools/SDFix_ReadMe.htm


Leave a Reply

Your email address will not be published. Required fields are marked *

  • RSS qoto.org/@daviding (Mastodon)

    • daviding: “Instead of #SustainableDevelopmentGoals, #KaitlinKish #Steph…” March 12, 2023
      Instead of #SustainableDevelopmentGoals, #KaitlinKish #StephenQulley say #EcologicalLivelihoodGoals. "informal processes of exchange, familial care, place-bound community, mutual aid, and reciprocation –​which we designate as _Livelihood_"Open access book for March 13 https://wiki.st-on.org/2023-03-13 #SystemsThinking #EcologicalEconomics
    • daviding: “From the debate between Michael Quinn Patton and Michael C. …” March 10, 2023
      From the debate between Michael Quinn Patton and Michael C. Jackson OBE on "Systems Concepts in Evaluation" on 2023-02-27, I've digested into text the few minutes with the largest contention. https://ingbrief.wordpress.com/2023/03/10/concerns-with-the-way-systems-thinking-is-used-in-evaluation-michael-c-jackson-obe-2023-02-27/ #SystemsThinking #evaluation
    • daviding: “Peer-reviewed article on #SystemsChanges Learning 2019-2022 …” March 9, 2023
      Peer-reviewed article on #SystemsChanges Learning 2019-2022 published in special issue of J. #Systemics #Cybernetics & #Informatics, on "#Sustainable, Smart and #SystemicDesign #PostAnthropocene" edited by #MarieDavidova #SusuNousala #ThomasJMarlowe https://coevolving.com/blogs/index.php/archive/systems-changes-learning-recasting-reifying-jsci/ #SystemsThinking
    • daviding: “Truthiness was coined by Stephen Colbert in 2005, and became…” March 7, 2023
      Truthiness was coined by Stephen Colbert in 2005, and became legitimated as an entry in a dictionary by 2010. > ... _truth_ just wasn’t “dumb enough.” “I wanted a silly word that would feel wrong in your mouth,” he said. > What he was driving at wasn’t _truth_ anyway, but a mere approximation of it […]
    • daviding: “Generative AI, such as ChatGPT, may be better viewed as putt…” March 7, 2023
      Generative AI, such as ChatGPT, may be better viewed as putting together hypotheses, where testing either leads to corroboration or truthiness. > The glitch seems to be a linear consequence of the fact that so-called Large-Language Models are about predicting what _sounds right_, based on its huge data sets. As a commenter put it in […]
  • RSS on IngBrief

  • Recent Posts

  • Archives

  • RSS on daviding.com

  • RSS on Media Queue

  • Meta

  • Creative Commons License
    This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License
    Theme modified from DevDmBootstrap4 by Danny Machal