virtumonde

VirusResponce Lab 2009 AKA virus repsonve Lab 2009 is related to the AntivirusLab 2009 and almos the exact saem besides a name change.  People who normally get infected with this bogus security software got it from a Trojan virus that is already on their computer.  Once again this is a scam product so do not belive the bogus scan results and do not purchase the software.

What the symptoms of virusRepsonse Lap 2009 are

• Bogus Scan Results
• Auto Scan on startup showing fake results
• Scareware tactics used to trick user into purchasing the software like ( Your identity is being stolen or your computer is being hacked or your key strokes are being recoreded.
• constant re-directs adn pop-ups to purchase the software
• Other pop-ups and slow down of the computer

Here is what VirusResponse Looks like

We do recommend you scan your computer with the free trial of Spyware Doctor with Antivirus to see how infected you really are.  If it is just this fake security product then follow the manual directions below.  If you have other trojans and spyware applications then consider making a purchase of Spyware Doctor with Antivirus Here to remove all other threats and to keep your PC secure.

As well we do recommend this remote computer support company.  They are the leaders in remote computer repair and can have you up and going in no time at all.

Manual removal intructions for VirusResponce Lab 2009 ( Please read our disclaimer bellow )

Kill processes:

• VirusResponseLab2009.exe

Delete registry values:

• HKEY_CLASSES_ROOT\CLSID\{A21C8D81-A9C7-46c6-A488-2A32FA0DAEB6}
• HKEY_CLASSES_ROOT\CLSID\{C2A9759D-210A-0253-D944-8B76AC2B0D92}
• HKEY_CLASSES_ROOT\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
• HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
• HKEY_CLASSES_ROOT\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
• HKEY_LOCAL_MACHINE\SOFTWARE\Licenses
• HKEY_CURRENT_USER\Software\VirusResponseLab2009
• HKEY_CLASSES_ROOT\AVLWarning.WarningBHO
• HKEY_CLASSES_ROOT\AVLWarning.WarningBHO.1
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\VirusResponseLab2009
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A21C8D81-A9C7-46c6-A488-2A32FA0DAEB6}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusResponseLab2009
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “VirusResponseLab2009″

Unregister DLLs:

• fbjvt.dll AVLWarning.dll

Delete files:
c:\\Program Files\\VirusResponseLab2009 c:\\Program Files\\VirusResponseLab2009\\VirusResponseLab2009.exe c:\\Program Files\\VirusResponseLab2009\\AVLWarning.dll c:\\Program Files\\VirusResponseLab2009\\uninst.exe C:\\WINDOWS\\system32\\fbjvt.dll c:\\Documents and Settings\\Adminstrator\\Desktop\\VirusResponse Lab 2009.lnk c:\\Documents and Settings\\Adminstrator\\Start Menu\\VirusResponse Lab 2009.lnk c:\\Documents and Settings\\Adminstrator\\Start Menu\\Programs\\VirusResponse Lab 2009 c:\\Documents and Settings\\Adminstrator\\Start Menu\\Programs\\VirusResponse Lab 2009 2.1\\VirusResponse Lab 2009.lnk

Please note that the virus strain may change over time and that the files may move around a bit but the basic info is here.  If you are not computer savvy then please do not manually remove this as you need to know what you are doing.  consider purchasing a good antivirus or getting expert help.

Malware Destructor 2009 is yet another fake security product that shows bogus scan results.  this is known as a rouge spyware program.  Those who are infected with this fake security software will also be infected with other items such as virtumonde, vundo zlob and the like.

Some common symptoms people run into are the following

• Fake scan results
• System tray security shield shows false warning
• constant re-directs to the Malware destructor 2009 website
• Overall system slowness
• Unable to fully remove software via the add and removal interface in windows

Here is what Malware Destructor 2009 looks like

We do recommend you download Spyware doctor with Antivirus here to help in the removal of this fake security software and to ensure no other trojans are on your computer.

If the above site does not work then download Spyware Doctor with Antivirus from our server here.

As well you can have this remote computer support company work on your computer.  they operate 100% online and are the worlds leaders when it comes to computer repair online.  They offer a no fix no fee policy so if they do not fix your issue you are not charged.  It’s an all aroudn great service.

For other software products to help in the removal please read our Expert removal Guide on top.  We list many different software products there as well

Manual removal of  Malware Detector 2009 ( Read Disclaimer at bottom of page )

Kill processes:

• energy.exe hymt.exe tempdoc.exe MD345d.exe

Delete registry values:

• HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
• HKEY_CLASSES_ROOT\MD345d.DocHostUIHandler
• Numerous entries underHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “MalwareDestructor2009″

Unregister DLLs:

• FW.dll PE.dll mozcrt19.dll sqlite3.dll

Delete files:

• c:\Program Files\MalwareDestructor2009\MalwareDestructor2009.exe
• c:\Program Files\MalwareDestructor2009\MalwareDestructor2009.url
• %UserProfile%\Start Menu\Programs\MalwareDestructor2009
• %UserProfile%\Start Menu\MalwareDestructor2009.lnk
• %UserProfile%\Start Menu\Programs\MalwareDestructor2009\MalwareDestructor2009.lnk
• %UserProfile%\Start Menu\Programs\MalwareDestructor2009\MalwareDestructor2009 Website.lnk
• %UserProfile%\Desktop\MalwareDestructor2009.exe
• C:\%UserProfile%\Recent\cb.tmp
• C:\%UserProfile%\Recent\CLSV.dll
• C:\%UserProfile%\Recent\CLSV.drv
• C:\%UserProfile%\Recent\eb.tmp
• C:\%UserProfile%\Recent\energy.exe
• C:\%UserProfile%\Recent\energy.sys
• C:\%UserProfile%\Recent\energy.tmp
• C:\%UserProfile%\Recent\exec.dll
• C:\%UserProfile%\Recent\fix.sys
• C:\%UserProfile%\Recent\PE.drv
• C:\%UserProfile%\Recent\PE.sys
• C:\%UserProfile%\Recent\std.drv
• C:\%UserProfile%\Recent\tjd.exe
• C:\%UserProfile%\Recent\tjd.tmp
• C:\%UserProfile%\Start Menu\Malware Destructor 2009 2009.lnk
• C:\%UserProfile%\Start Menu\Programs\Malware Destructor 2009 2009.lnk
• c:\Documents and Settings\All Users\Application Data\7c69f0c
• c:\Documents and Settings\All Users\Application Data\7c69f0c\MCatcher.exe
• c:\Documents and Settings\All Users\Application Data\7c69f0c\SystemFeed
• c:\Documents and Settings\All Users\Application Data\7c69f0c\SystemFeed\vd952342.bd
• c:\Documents and Settings\All Users\Application Data\SystemFeed
• c:\Documents and Settings\All Users\Application Data\SystemFeed\mctch.ini
• C:\%UserProfile%\Application Data\Malware Destructor 2009 2009
• C:\%UserProfile%\Application Data\Malware Destructor 2009 2009\Instructions.ini
• C:\%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Destructor 2009 2009.lnk
• C:\%UserProfile%\Desktop\Malware Destructor 2009 2009.lnk

Personal Antivirus

AKA: POV and Personalantivirus is a fake security product none as a rouge antispyware program.  This software falls in the scareware department because it trys to prey on users fear and lack of knowledge.  This is a fake security program that will only show bogus results.  Users should pay no attention to any mesagges this thing says.  Those infected will notice constant pop-ups saying they are infected.  A security shield in the system tray as well as re-directs in their web browser to a bogus sales page asking you to make the purchase.

Many individuals may also have normal websites blocked.  We do recommend Spyware Doctor with Antivirus or PC Tools IS to remove this client.  You can download Spyware Doctor with Anti-virus on our site Here or PCtools IS Here.  Many users find they can not directly download security products online as those real security sites have been blocked.

In almost all cases the fake POV software is the least of your worries.  Most likely this software got installed on your computer via a trojan virus and that is what really needs to be removed.

Some screen shots

To remove Personal Antivirus form your computer we do suggest purchasing a real client to help out.  however here are the manual removal options.

Remove Personal Antivirus files and folders:

%Documents and Settings%\All Users\Desktop\Personal Antivirus.lnk
%Documents and Settings%\All Users\Start Menu\Programs\Personal Antivirus
%Documents and Settings%\All Users\Start Menu\Programs\Personal Antivirus\Personal Antivirus Home Page.lnk
%Documents and Settings%\All Users\Start Menu\Programs\Personal Antivirus\Personal Antivirus.lnk
%Documents and Settings%\All Users\Start Menu\Programs\Personal Antivirus\Purchase License.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Personal Antivirus.lnk
%UserProfile%\Application Data\Personal Antivirus
%UserProfile%\Application Data\Personal Antivirus\settings.ini
%UserProfile%\Application Data\Personal Antivirus\uill.ini
%UserProfile%\Application Data\Personal Antivirus\unins000.exe
%UserProfile%\Application Data\Personal Antivirus\Uninstall Personal Antivirus.lnk
%UserProfile%\Application Data\Personal Antivirus\db
%UserProfile%\Application Data\Personal Antivirus\db\config.cfg
%UserProfile%\Application Data\Personal Antivirus\db\Timeout.inf
%UserProfile%\Application Data\Personal Antivirus\db\Urls.inf
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\log.txt
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\pguard.ini
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\services.exe
%Program Files%\Personal Antivirus
%Program Files%\Personal Antivirus\activate.ico
%Program Files%\Personal Antivirus\Explorer.ico
%Program Files%\Personal Antivirus\PerAvir.exe
%Program Files%\Personal Antivirus\unins000.dat
%Program Files%\Personal Antivirus\uninstall.ico
%Program Files%\Personal Antivirus\working.log
%Program Files%\Personal Antivirus\db
%Program Files%\Personal Antivirus\db\DBInfo.ver
%Program Files%\Personal Antivirus\db\ia080614.db
%Program Files%\Personal Antivirus\db\ia080618x.db
%Program Files%\Personal Antivirus\Languages
%Program Files%\Personal Antivirus\Languages\IAEs.lng
%Program Files%\Personal Antivirus\Languages\IAFr.lng
%Program Files%\Personal Antivirus\Languages\IAGer.lng
%Program Files%\Personal Antivirus\Languages\IAIt.lng
%WINDOWS%\system32\log.txt
%UserProfile%\Application Data\Microsoft\Windows\winlogon.exe
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iGSh.png
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iMSh.png
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iPSh.png
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\log.txt
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\pguard.ini
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\services.exe

Remove Personal Antivirus registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Personal Antivirus_is1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ITGRDENGINE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ITGrdEngine
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer “PrS”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Personal Antivirus”

Please note that if you have a trojan that installed this fake client then the program will most likely come right back.  That is why you should get real protection if you do not have any.  As well you can always view our main page for other recommended software and advanced removal tools and guides

Virus Remover Professional, also known as VirusRemoverProfessional is a fake rogue virus program that shows only bogus results and tries to create fear in the user to purchase the program buy saying things like all their passwords are begin stolen. This fake security product will keep scanning your computer and give annoying pop-ups as well as re-directs in your web browser until you make the purchase of the product. Once again we do not recommend purchasing this fake product.

Quick pic of what this fake software looks like

In just about every case someone who gets infected with such a fake client like Virus Remover Professional got that way from a fake video codec or some BS tiral software.  you should expect to also be infected with a trojan such as Virtumonde, Vundo or Zlob if you have this bogus security client on your computer.

we normally recommend Spyware Doctor with antivirus for removal of such things but at this time it FAILED to remove this fake client.  we have reported the threat to PCtools and they are working on a cure.

In the mean time you can always try to remove this client manually.  Check out this Remove Virus remover Profesional page for manual removal of this.

Please not that www.onlinecomputerrepair.org as always is aware of this threat as well and they can also remove it for you.

Over the years this site has written many free guides to help people out in trying to fully remove the virtumonde threat.  The issue is all the traces of Virtumonde keep mutating and now every infection we come across has a rootkit virus that needs to be removed before Virtumonde can fully be killed.

Every computer we have encountered over the last 30 days that was infected with Virtumonde now also has  several other threats as well.  Because of this the free guides will no longer work and if you really want to remove Virtumonde you will have to pay for Virtumonde removal software.  IT SUCKS I know but even as an expert at removing viruses I can’t remove this thing with out software.  Granted I have bulk licences to items normal people do not and can still remove this for practically free but even most experts can not remove this threat anymore with out extreme help from several programs.

WHAT AM I TO DO ?

The only advice we can offer is to recommend solutions that will work.  The first is to donwload Spyware doctor with Antivirus from www.pctools.com .  You will need to purchase the software for it to remove virtumonde but it still does a great job of it.  If you have further issue you can use their free support or if you are not happy with it then you can get a full refund.  This is the software I personally have on my computer and it works great.

For those that just don’t want to deal with this threat at all we still recommend the guys over at www.onlinecomputerrepair.org.  It will cost you 89 bucks but there is no waiting around and in about an hour or two you will have your computer up and running like new.  They will even give you a free computer tune-up when you pay for an infection removal but you will need to mention this site.  They give our clients this freeby because we send them many customers.  This is an online computer repair company based in the good old USA.  They know what they are doing and if for any reason they can not help you out then you do not have to pay a cent.

For those that are using McAfee, I feel your pain.  This software does almost nothing it seems to stop it and it is unable to fully remove the virtumonde threat.  Norton does a far better job and Trend Micro works a little better then Norton but we still recommend Spyware Doctor with Antivirus over them because it actually does work to remove the rootkit part.

Please note you may have to go under custom settings and check the “scan for rootkits” box.

With the Virtumonde Trojan still in full swing is seems that many free tools in the past that we recommended have not been updated in several months and do not address the newer strains of Virtumonde.  The two past free tools we also had people download were vundofix.exe and Spybot Search and Destroy.  While both of these are still great tools to use to fight of Virtumonde they will no longer get the job done to fully remove not only Virtumonde but the several other virus strains like Smitfraud, Zlob and Vundo that come down with this trojan.

We can still confirm that the latest Spyware Doctor with Antivirus still does the best job aat not only removing Virtumonde but also is a must have to protect your computer so you do not get infected again.  The makers of this software over at www.pctools.com is still offering free support so if you run into issue you they can help you fully remove this threat.  Chances are you will not need their support as this is a very easy program to use.

For those that are not tech savvy at all we suggest using the pros at www.onlinecomputerrepair.org.  This is by far our favorite virus removal company.  They are based in the US and will 100% remove all threats on your computer in a very short time.  These guys make it seem too easy and offer very competative rates.

Some other programs you can use in adition to Spyware Doctor with Antivirus to help combat Virtumonde.  Leep in mind that none of the below provide active protection against viruses and spyware except Spyware Doctor with Antivirus.

Spybot Search and Destroy:  Free client that works to help remove many threats.  Does not fully remove Virtumonde but can be very helpful

Vundofix.exe:  Designed just for Vundo/Virtumonde.  Does not work as well as it used to because most of the Virtumonde traces have mutated to different names.  Still it may find parts of the Virtumonde strain

Malwarebytes: Not a bad program for being free.  Often times this will find close to 60-70 percent of Virtumonde on the first scan

AS Always we are still recommened Spyware Doctor with Antivirus as a permanent fix to not only fully remove Virtumonde but also to keep your computer from getting re-infected.  This is good stuff people!!!

FOR ADVANCED USERS ONLY

Highjackthis.exe

Combofix.exe

Just as the Virtumonde strain started dying down it is coming back with great force over the next few weeks and with a new twist. You see in the past people who have been infected with Virtumonde could normally still view websites and they were able to download software to remove Virtumonde and get any needed Windows Updates.  That is about to change.

On April 1st Conficker.C will activate.  curenlty Conficker.A and Conicker.B also known as As W32/Conficker.worm, Win32/Conficker.AA, Downup, W32.Downadup and Kido,  Will activate it’s code and report back to the maker for instructions.  While no one knows for sure what will happen I can give you a very good idea.

Right now Conficker.C blocks websites that It knows can effect it’s program.  such as Norton, Microsoft, PCTools, and hudreds of other sites that have antivirus removal software on it.  Once this code reports to it’s maker you can be sure that you will be infected with many other trojan viruses like Virtumonde, Smitfraud, Zlob and the like.

In adition to this you will also have a fake securty client that keeps popp-ing up and doing a bogus scan.  What ever you do, DO NOT give them your credit card information unless you want your card maxed out in a few minutes and your personal info stolen.

The solution to Remove Conficker.C and other Trojans like Virtumonde

 Prevention: ToPrevent such infections you should always keep your operating system up to date.  Having Automatic updates turned on is a must.   A well you need to have an anti-virus and anti-spyware client installed on your computer and kept up to date. I know many people are ignorant and think  ” I ALREADY HAVE A CLIENT LIKE avg, Avast, Spybot, Avara, Clamware and the like.  Well if that is you then you need to WAKE UP!!!.  No free client in the world offers real protection.  It’s just a stripped down version of their paid program.  In fact out of the above only Avast offer up front protection to stop you from getting infected and as you can read on their website they will tell you it’s a light client and it will not fully protect you.

You need an all aroudn solution that will not only prevent attacks but also fully remove anything you currenlty have on your computer.  I do know that Spyware Doctor with antivirus does fully remove virtumonde and Conficker and they offer free support for those who need it.  This is the client I personally use and the only one I recommend on this site because I know it works.

The other solution to prevent such trojans and viruses like conficker.c and Virtumonde is to avoid free software programs and sites.  Myspace, facebook, youtube are all fine but most torrent sites out there and PRon sites have a ton of virues on them.  Avoid installing any active X controll or Video Codec software from any website unless you know that website is a known trusted website.

The information gathered about Conficker.C was taken from  this ConfikerC Removal site, remove Conficker.C from the folks over at Removevirus.org and CNN.

As you will know from reading this blog Virtumonde has been aroudn since 2004.  This Trojan virus is always mutating and changing to avoid detection.  It does seem that now when people are infected with Virtumonde they also are being infected with root kits.  This is a very big deal as rootkits are some of the hardest infections to remove.

On this site you will notice we do recommend using Spyware Doctor with Antivirus as it’s one of the only security suits that can remove virtumonde.  It is very important for those that end up purchasing this program that they go to the settings and click the check box to “Scan for hidden Rookits”.  This will help Spyware Doctor with Antivirus not only fully remove virtumonde but also clean any of the hidden rootkits out.

As always we do recommend following out Expert Removal guide located on top.  This will help give you an action plan for removing this threat.  As well if you are in over your head and need an expert we suggest using www.onlinecomputerrepair.org.  This is a U.S. based computer repair company that can remote into your computer and fully remove all viruses and trojans or you don’t pay a cent.  The best part is it’s about half the cost of taking your computer to a shop and a whole lot cheaper then calling in a tech.  This is a very small company and they have a total of 3 workers.  Mark, Ryan and Jason.  All three are great to work with.  I have used them many times before when I am too busy to clean clients computers myself.

Virtumonde has been around since late 2004 and since it’s birth it has been the cause of millions of infections.  Since Early December of 2008 this trojan virus has seemed to really take off again.  In January of 2009.  This month we have seen a huge increase in the amount of people getting infected with this Trojan.

The simplest ways to avoid infection is to stay away from none trusted sites. For instance if your on Youtube and watch a funny video.  There is nothing wrong with it.  However if you start reading the comments and see something like “If you thought this video was funny you need to check this one out”.  If you were to follow the link you may be taken to a site that then asks you to install a video codec or active  X controller.  If you click yes to this then you just got infected.  It really is that simple.

Besides practicing safe browsing it is important to have real upfront protection.  There is not 1 free client on the market that offers good enough upfront protection.  In fact almost all free clients offer no protection on the front end.  They only kick in after your computer is infected and that is normally too late.  Even the free clients that have upfront protection are just stripped down version of the real thing.  that is why most companies have a free and paid version.

If you are already infected with Virtumonde then you should consider getting software that is known to remove Virtumonde like Spyware Doctor with Antivirus found on www.pctools.com.  This software will not only help you remove Virtumonde but also stop you from getting infected again.

The other option we recommend is having www.onlinecomputerrepair.org have a look at your computer.  This is a leading online computer repair company that can remote into your computer and fully remove Virtumonde.  The cost is about half of calling a tech out and best part is you have your computer back up in about an hour.

Trojan Virtumonde is known as the biggest threat for computers these days. Trojan is a virus, which infects your computer once you have clicked on an infected file, which obviously you do not know about. This virus enters your computer with your permission and infects your computer and threat level of it is high risk.

Trojan Virtumonde is a very serious threat and has caused a lot of computers to go down. The people whose computers were infected with Trojan Virtumonde reported that everything was working fine when just with a snap of a finger the computer just did not seem to be in control and now acting with its own mind.  Besides the constant pop-ups and re-directs many people will find their computer very, very slow.

You do have several options when it comes to removing this threat.  The easiest is to just hire a pro to remove this for you.  I know many of you already thought of this and that thought quickly left your mind after you thought of paying out a few hundred bucks and waiting several days to get your computer back.  The good news is this computer repair company can 100% remove Virtumonde and all other viruses for a very low price and they can do it right now.  This is the leading remote computer repair company on the web and they have a no fix no fee guarantee. It is important here to share the fact that the threat of Trojan Virtumonde is on the rise among other Virtumonde threats.

For those that want to save a few bucks and are computer savvy you can always purchase software to remove this threat for you as well.  Check out our Virtumonde home page.  They have several guides as well as other software to help you 100% remove all your viruses.  It’s a great resource site and dedicated to removing Virtumonde.

The only other source that comes to mind to check out is this Remove Virus site.  It has not been around all that long but they have some very simple to follow guides that you may find useful as well.  If you are not computer savvy however then you really should just consider having the online computer repair company mentioned above take care of this for you.