virtumonde

Virtumonde is known to be one of the most prevalent malicious software encountered in the latest period of time. Due to its characteristics and unique way of conducting various system modifications, Virtumonde usually is the result of other auxiliary infections with different forms of malware.

For people asking themselves “what is Virtumonde”, according to antivirus experts, this piece of software is best described as a Trojan horse. Disguising itself as legitimate software, infections with Virtumonde usually result from e-mail attachments carrying the Trojan. However, due to latest research on a large number of different variations of this malicious software, antivirus products such as Spyware Doctor with Antivirus are capable to recognize and remove Virtumonde from an infected PC.  However, due to the various system-wide modifications that this malware does, complete disinfection can only be done together with other more specific configurations and settings adjustments at the operating system level.

In order to remove Virtumonde, it is not only important to be able to detect, isolate and delete all infected files but also to make sure that the malware cannot infect the system again. As Virtumonde infects user PCs by exploiting vulnerabilities in different software that is widely used, proper maintenance of operating system settings, updates and security patches are in many cases required in order to completely recover from a Virtumonde based infection.  Security clients like Spyware Doctor with Antivirus use what is known as Heuristic scanning.  This means that even if your infection of virtumonde is unique it will be able to detect this threat because the software knows what this program does and when it attempts to execute the malisious code this security client will stop it.

Due to the fact that Virtumonde may end up blocking security clients from installing or updating you may find you are unable to install any software program to help remove this threat.  In these instances we recommend using www.onlinecomputerrepair.org.  This is a remote virus removal site that can fully remove all threats.  Because this online virus removal company does not fully rely on software to remove Virtumonde they will be able to dig down into your computer manually and help flush out all threats on your system.  This is the best way to go for individuals who have little computer knowledge or those who just need an expert to remove this for them because they can not install any security client.

As the first typical sign of infection with Virtumonde is the presence of a registry key named “MS Juan”, Virtumonde is also known by this name. Once infected, Virtumonde will download and install rogue antispyware software, in an attempt to steal credit card data and any additional private information available. If you just became infected with Virtumonde then now is the time to act.  The longer you wait the harder it will be to fully remove this threat.  Please note that this program is well known to slow computers down to a crawl and the longer it’s on your system the more viruses and fake security clients you will end up encountering.

Having Virtumonde alone is bad enough but when you add in a Smitfraud client like PC Antispyware 2010 it makes for a great disaster.  Most people already know that Virtumode causes pop-ups and a ton of re-directs and adverts but many of the latest infections are also coming with PC Antispyware 2010 as well.

Virtumonde has always been one of the hardest things to remove on any computer.  there are no set trace files becuase every infection brings random strings and names.  One key component lately has been for a downloader trojan to also install a fake security client.  for many people who finally remove the Fake security product they find it comes right back.

You will need to first remove all the other trojans and viruses on your computer before you have a chance of fully removing the fake client.  If you do not you will find that your just going to keep having to remove the same strains over and over again.

We do still recommend Spyware Doctor with Antivirus.  BE SURE to go under settings and check the box to scan for root kits.  If you do not do this then you may not be able to remove Virtumonde.

If you happen to have PC Antispyware 2010 then you will want to check out this PC Antispyware 2010 removal article.  It’s one of the better written articles on this particular strain.

If you’re infected with Virtumonde AKA vurtumondo AKA Vundo then the close to 80% drop in infections over the past 6 months is probably not good news to you because you still got infected.

However for most people out there including us we are very happy to report that through the efforts of many people out there the Virtumonde strain has died down for now.  Having been in the field for a dozen years I can say that this guy will be back again but it may never hit the threat level that it has in the past.

Quick break down of what we are still seeing in the Virtumonde virus and Virtumonde.dll world

• All virtumonde strains have downloader Troajans
• Everyone infected with virtumonde will have several viruses on their system
• In almost all case a fake security client is installed

We are also seeing Smitfraud as well as Virtumonde again on plenty of systems.

The removal process can not be done manually as we have stated in last months post.  The strains change way to often.

For those who are not computer repair experts you only have a few options.  Pay a pro to remove it.  We suggest www.onlinecomputerrepair.org because they are cheap and work fast.  Your other option is to pay for software that can fully remove this threat.  We recommend Spyware Doctor with Antivirus here.

For the experts out there you can still use the smae old tools

Spybot S &D + highjack this + any scrubber program + smitfraudfix.exe and combofix.exe if needed.   If you have not heard of these programs before then do not use them.  In novice hands they will only cause your system to crash

As always be sure to backup your data first.  You can get a free 2 gig data backup that works online 100% for free.  just check out Mozy Here

VirusResponce Lab 2009 AKA virus repsonve Lab 2009 is related to the AntivirusLab 2009 and almos the exact saem besides a name change.  People who normally get infected with this bogus security software got it from a Trojan virus that is already on their computer.  Once again this is a scam product so do not belive the bogus scan results and do not purchase the software.

What the symptoms of virusRepsonse Lap 2009 are

• Bogus Scan Results
• Auto Scan on startup showing fake results
• Scareware tactics used to trick user into purchasing the software like ( Your identity is being stolen or your computer is being hacked or your key strokes are being recoreded.
• constant re-directs adn pop-ups to purchase the software
• Other pop-ups and slow down of the computer

Here is what VirusResponse Looks like

We do recommend you scan your computer with the free trial of Spyware Doctor with Antivirus to see how infected you really are.  If it is just this fake security product then follow the manual directions below.  If you have other trojans and spyware applications then consider making a purchase of Spyware Doctor with Antivirus Here to remove all other threats and to keep your PC secure.

As well we do recommend this remote computer support company.  They are the leaders in remote computer repair and can have you up and going in no time at all.

Manual removal intructions for VirusResponce Lab 2009 ( Please read our disclaimer bellow )

Kill processes:

• VirusResponseLab2009.exe

Delete registry values:

• HKEY_CLASSES_ROOT\CLSID\{A21C8D81-A9C7-46c6-A488-2A32FA0DAEB6}
• HKEY_CLASSES_ROOT\CLSID\{C2A9759D-210A-0253-D944-8B76AC2B0D92}
• HKEY_CLASSES_ROOT\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
• HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
• HKEY_CLASSES_ROOT\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
• HKEY_LOCAL_MACHINE\SOFTWARE\Licenses
• HKEY_CURRENT_USER\Software\VirusResponseLab2009
• HKEY_CLASSES_ROOT\AVLWarning.WarningBHO
• HKEY_CLASSES_ROOT\AVLWarning.WarningBHO.1
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\VirusResponseLab2009
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A21C8D81-A9C7-46c6-A488-2A32FA0DAEB6}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusResponseLab2009
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “VirusResponseLab2009″

Unregister DLLs:

• fbjvt.dll AVLWarning.dll

Delete files:
c:\\Program Files\\VirusResponseLab2009 c:\\Program Files\\VirusResponseLab2009\\VirusResponseLab2009.exe c:\\Program Files\\VirusResponseLab2009\\AVLWarning.dll c:\\Program Files\\VirusResponseLab2009\\uninst.exe C:\\WINDOWS\\system32\\fbjvt.dll c:\\Documents and Settings\\Adminstrator\\Desktop\\VirusResponse Lab 2009.lnk c:\\Documents and Settings\\Adminstrator\\Start Menu\\VirusResponse Lab 2009.lnk c:\\Documents and Settings\\Adminstrator\\Start Menu\\Programs\\VirusResponse Lab 2009 c:\\Documents and Settings\\Adminstrator\\Start Menu\\Programs\\VirusResponse Lab 2009 2.1\\VirusResponse Lab 2009.lnk

Please note that the virus strain may change over time and that the files may move around a bit but the basic info is here.  If you are not computer savvy then please do not manually remove this as you need to know what you are doing.  consider purchasing a good antivirus or getting expert help.

Malware Destructor 2009 is yet another fake security product that shows bogus scan results.  this is known as a rouge spyware program.  Those who are infected with this fake security software will also be infected with other items such as virtumonde, vundo zlob and the like.

Some common symptoms people run into are the following

• Fake scan results
• System tray security shield shows false warning
• constant re-directs to the Malware destructor 2009 website
• Overall system slowness
• Unable to fully remove software via the add and removal interface in windows

Here is what Malware Destructor 2009 looks like

We do recommend you download Spyware doctor with Antivirus here to help in the removal of this fake security software and to ensure no other trojans are on your computer.

If the above site does not work then download Spyware Doctor with Antivirus from our server here.

As well you can have this remote computer support company work on your computer.  they operate 100% online and are the worlds leaders when it comes to computer repair online.  They offer a no fix no fee policy so if they do not fix your issue you are not charged.  It’s an all aroudn great service.

For other software products to help in the removal please read our Expert removal Guide on top.  We list many different software products there as well

Manual removal of  Malware Detector 2009 ( Read Disclaimer at bottom of page )

Kill processes:

• energy.exe hymt.exe tempdoc.exe MD345d.exe

Delete registry values:

• HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
• HKEY_CLASSES_ROOT\MD345d.DocHostUIHandler
• Numerous entries underHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “MalwareDestructor2009″

Unregister DLLs:

• FW.dll PE.dll mozcrt19.dll sqlite3.dll

Delete files:

• c:\Program Files\MalwareDestructor2009\MalwareDestructor2009.exe
• c:\Program Files\MalwareDestructor2009\MalwareDestructor2009.url
• %UserProfile%\Start Menu\Programs\MalwareDestructor2009
• %UserProfile%\Start Menu\MalwareDestructor2009.lnk
• %UserProfile%\Start Menu\Programs\MalwareDestructor2009\MalwareDestructor2009.lnk
• %UserProfile%\Start Menu\Programs\MalwareDestructor2009\MalwareDestructor2009 Website.lnk
• %UserProfile%\Desktop\MalwareDestructor2009.exe
• C:\%UserProfile%\Recent\cb.tmp
• C:\%UserProfile%\Recent\CLSV.dll
• C:\%UserProfile%\Recent\CLSV.drv
• C:\%UserProfile%\Recent\eb.tmp
• C:\%UserProfile%\Recent\energy.exe
• C:\%UserProfile%\Recent\energy.sys
• C:\%UserProfile%\Recent\energy.tmp
• C:\%UserProfile%\Recent\exec.dll
• C:\%UserProfile%\Recent\fix.sys
• C:\%UserProfile%\Recent\PE.drv
• C:\%UserProfile%\Recent\PE.sys
• C:\%UserProfile%\Recent\std.drv
• C:\%UserProfile%\Recent\tjd.exe
• C:\%UserProfile%\Recent\tjd.tmp
• C:\%UserProfile%\Start Menu\Malware Destructor 2009 2009.lnk
• C:\%UserProfile%\Start Menu\Programs\Malware Destructor 2009 2009.lnk
• c:\Documents and Settings\All Users\Application Data\7c69f0c
• c:\Documents and Settings\All Users\Application Data\7c69f0c\MCatcher.exe
• c:\Documents and Settings\All Users\Application Data\7c69f0c\SystemFeed
• c:\Documents and Settings\All Users\Application Data\7c69f0c\SystemFeed\vd952342.bd
• c:\Documents and Settings\All Users\Application Data\SystemFeed
• c:\Documents and Settings\All Users\Application Data\SystemFeed\mctch.ini
• C:\%UserProfile%\Application Data\Malware Destructor 2009 2009
• C:\%UserProfile%\Application Data\Malware Destructor 2009 2009\Instructions.ini
• C:\%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Destructor 2009 2009.lnk
• C:\%UserProfile%\Desktop\Malware Destructor 2009 2009.lnk

Personal Antivirus

AKA: POV and Personalantivirus is a fake security product none as a rouge antispyware program.  This software falls in the scareware department because it trys to prey on users fear and lack of knowledge.  This is a fake security program that will only show bogus results.  Users should pay no attention to any mesagges this thing says.  Those infected will notice constant pop-ups saying they are infected.  A security shield in the system tray as well as re-directs in their web browser to a bogus sales page asking you to make the purchase.

Many individuals may also have normal websites blocked.  We do recommend Spyware Doctor with Antivirus or PC Tools IS to remove this client.  You can download Spyware Doctor with Anti-virus on our site Here or PCtools IS Here.  Many users find they can not directly download security products online as those real security sites have been blocked.

In almost all cases the fake POV software is the least of your worries.  Most likely this software got installed on your computer via a trojan virus and that is what really needs to be removed.

Some screen shots

To remove Personal Antivirus form your computer we do suggest purchasing a real client to help out.  however here are the manual removal options.

Remove Personal Antivirus files and folders:

%Documents and Settings%\All Users\Desktop\Personal Antivirus.lnk
%Documents and Settings%\All Users\Start Menu\Programs\Personal Antivirus
%Documents and Settings%\All Users\Start Menu\Programs\Personal Antivirus\Personal Antivirus Home Page.lnk
%Documents and Settings%\All Users\Start Menu\Programs\Personal Antivirus\Personal Antivirus.lnk
%Documents and Settings%\All Users\Start Menu\Programs\Personal Antivirus\Purchase License.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Personal Antivirus.lnk
%UserProfile%\Application Data\Personal Antivirus
%UserProfile%\Application Data\Personal Antivirus\settings.ini
%UserProfile%\Application Data\Personal Antivirus\uill.ini
%UserProfile%\Application Data\Personal Antivirus\unins000.exe
%UserProfile%\Application Data\Personal Antivirus\Uninstall Personal Antivirus.lnk
%UserProfile%\Application Data\Personal Antivirus\db
%UserProfile%\Application Data\Personal Antivirus\db\config.cfg
%UserProfile%\Application Data\Personal Antivirus\db\Timeout.inf
%UserProfile%\Application Data\Personal Antivirus\db\Urls.inf
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\log.txt
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\pguard.ini
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\services.exe
%Program Files%\Personal Antivirus
%Program Files%\Personal Antivirus\activate.ico
%Program Files%\Personal Antivirus\Explorer.ico
%Program Files%\Personal Antivirus\PerAvir.exe
%Program Files%\Personal Antivirus\unins000.dat
%Program Files%\Personal Antivirus\uninstall.ico
%Program Files%\Personal Antivirus\working.log
%Program Files%\Personal Antivirus\db
%Program Files%\Personal Antivirus\db\DBInfo.ver
%Program Files%\Personal Antivirus\db\ia080614.db
%Program Files%\Personal Antivirus\db\ia080618x.db
%Program Files%\Personal Antivirus\Languages
%Program Files%\Personal Antivirus\Languages\IAEs.lng
%Program Files%\Personal Antivirus\Languages\IAFr.lng
%Program Files%\Personal Antivirus\Languages\IAGer.lng
%Program Files%\Personal Antivirus\Languages\IAIt.lng
%WINDOWS%\system32\log.txt
%UserProfile%\Application Data\Microsoft\Windows\winlogon.exe
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iGSh.png
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iMSh.png
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iPSh.png
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\log.txt
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\pguard.ini
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\services.exe

Remove Personal Antivirus registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Personal Antivirus_is1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ITGRDENGINE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ITGrdEngine
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer “PrS”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Personal Antivirus”

Please note that if you have a trojan that installed this fake client then the program will most likely come right back.  That is why you should get real protection if you do not have any.  As well you can always view our main page for other recommended software and advanced removal tools and guides

Virus Remover Professional, also known as VirusRemoverProfessional is a fake rogue virus program that shows only bogus results and tries to create fear in the user to purchase the program buy saying things like all their passwords are begin stolen. This fake security product will keep scanning your computer and give annoying pop-ups as well as re-directs in your web browser until you make the purchase of the product. Once again we do not recommend purchasing this fake product.

Quick pic of what this fake software looks like

In just about every case someone who gets infected with such a fake client like Virus Remover Professional got that way from a fake video codec or some BS tiral software.  you should expect to also be infected with a trojan such as Virtumonde, Vundo or Zlob if you have this bogus security client on your computer.

we normally recommend Spyware Doctor with antivirus for removal of such things but at this time it FAILED to remove this fake client.  we have reported the threat to PCtools and they are working on a cure.

In the mean time you can always try to remove this client manually.  Check out this Remove Virus remover Profesional page for manual removal of this.

Please not that www.onlinecomputerrepair.org as always is aware of this threat as well and they can also remove it for you.

Over the years this site has written many free guides to help people out in trying to fully remove the virtumonde threat.  The issue is all the traces of Virtumonde keep mutating and now every infection we come across has a rootkit virus that needs to be removed before Virtumonde can fully be killed.

Every computer we have encountered over the last 30 days that was infected with Virtumonde now also has  several other threats as well.  Because of this the free guides will no longer work and if you really want to remove Virtumonde you will have to pay for Virtumonde removal software.  IT SUCKS I know but even as an expert at removing viruses I can’t remove this thing with out software.  Granted I have bulk licences to items normal people do not and can still remove this for practically free but even most experts can not remove this threat anymore with out extreme help from several programs.

WHAT AM I TO DO ?

The only advice we can offer is to recommend solutions that will work.  The first is to donwload Spyware doctor with Antivirus from www.pctools.com .  You will need to purchase the software for it to remove virtumonde but it still does a great job of it.  If you have further issue you can use their free support or if you are not happy with it then you can get a full refund.  This is the software I personally have on my computer and it works great.

For those that just don’t want to deal with this threat at all we still recommend the guys over at www.onlinecomputerrepair.org.  It will cost you 89 bucks but there is no waiting around and in about an hour or two you will have your computer up and running like new.  They will even give you a free computer tune-up when you pay for an infection removal but you will need to mention this site.  They give our clients this freeby because we send them many customers.  This is an online computer repair company based in the good old USA.  They know what they are doing and if for any reason they can not help you out then you do not have to pay a cent.

For those that are using McAfee, I feel your pain.  This software does almost nothing it seems to stop it and it is unable to fully remove the virtumonde threat.  Norton does a far better job and Trend Micro works a little better then Norton but we still recommend Spyware Doctor with Antivirus over them because it actually does work to remove the rootkit part.

Please note you may have to go under custom settings and check the “scan for rootkits” box.

With the Virtumonde Trojan still in full swing is seems that many free tools in the past that we recommended have not been updated in several months and do not address the newer strains of Virtumonde.  The two past free tools we also had people download were vundofix.exe and Spybot Search and Destroy.  While both of these are still great tools to use to fight of Virtumonde they will no longer get the job done to fully remove not only Virtumonde but the several other virus strains like Smitfraud, Zlob and Vundo that come down with this trojan.

We can still confirm that the latest Spyware Doctor with Antivirus still does the best job aat not only removing Virtumonde but also is a must have to protect your computer so you do not get infected again.  The makers of this software over at www.pctools.com is still offering free support so if you run into issue you they can help you fully remove this threat.  Chances are you will not need their support as this is a very easy program to use.

For those that are not tech savvy at all we suggest using the pros at www.onlinecomputerrepair.org.  This is by far our favorite virus removal company.  They are based in the US and will 100% remove all threats on your computer in a very short time.  These guys make it seem too easy and offer very competative rates.

Some other programs you can use in adition to Spyware Doctor with Antivirus to help combat Virtumonde.  Leep in mind that none of the below provide active protection against viruses and spyware except Spyware Doctor with Antivirus.

Spybot Search and Destroy:  Free client that works to help remove many threats.  Does not fully remove Virtumonde but can be very helpful

Vundofix.exe:  Designed just for Vundo/Virtumonde.  Does not work as well as it used to because most of the Virtumonde traces have mutated to different names.  Still it may find parts of the Virtumonde strain

Malwarebytes: Not a bad program for being free.  Often times this will find close to 60-70 percent of Virtumonde on the first scan

AS Always we are still recommened Spyware Doctor with Antivirus as a permanent fix to not only fully remove Virtumonde but also to keep your computer from getting re-infected.  This is good stuff people!!!

FOR ADVANCED USERS ONLY

Highjackthis.exe

Combofix.exe

Just as the Virtumonde strain started dying down it is coming back with great force over the next few weeks and with a new twist. You see in the past people who have been infected with Virtumonde could normally still view websites and they were able to download software to remove Virtumonde and get any needed Windows Updates.  That is about to change.

On April 1st Conficker.C will activate.  curenlty Conficker.A and Conicker.B also known as As W32/Conficker.worm, Win32/Conficker.AA, Downup, W32.Downadup and Kido,  Will activate it’s code and report back to the maker for instructions.  While no one knows for sure what will happen I can give you a very good idea.

Right now Conficker.C blocks websites that It knows can effect it’s program.  such as Norton, Microsoft, PCTools, and hudreds of other sites that have antivirus removal software on it.  Once this code reports to it’s maker you can be sure that you will be infected with many other trojan viruses like Virtumonde, Smitfraud, Zlob and the like.

In adition to this you will also have a fake securty client that keeps popp-ing up and doing a bogus scan.  What ever you do, DO NOT give them your credit card information unless you want your card maxed out in a few minutes and your personal info stolen.

The solution to Remove Conficker.C and other Trojans like Virtumonde

 Prevention: ToPrevent such infections you should always keep your operating system up to date.  Having Automatic updates turned on is a must.   A well you need to have an anti-virus and anti-spyware client installed on your computer and kept up to date. I know many people are ignorant and think  ” I ALREADY HAVE A CLIENT LIKE avg, Avast, Spybot, Avara, Clamware and the like.  Well if that is you then you need to WAKE UP!!!.  No free client in the world offers real protection.  It’s just a stripped down version of their paid program.  In fact out of the above only Avast offer up front protection to stop you from getting infected and as you can read on their website they will tell you it’s a light client and it will not fully protect you.

You need an all aroudn solution that will not only prevent attacks but also fully remove anything you currenlty have on your computer.  I do know that Spyware Doctor with antivirus does fully remove virtumonde and Conficker and they offer free support for those who need it.  This is the client I personally use and the only one I recommend on this site because I know it works.

The other solution to prevent such trojans and viruses like conficker.c and Virtumonde is to avoid free software programs and sites.  Myspace, facebook, youtube are all fine but most torrent sites out there and PRon sites have a ton of virues on them.  Avoid installing any active X controll or Video Codec software from any website unless you know that website is a known trusted website.

The information gathered about Conficker.C was taken from  this ConfikerC Removal site, remove Conficker.C from the folks over at Removevirus.org and CNN.