I was infected by the Virtumonde virus/trojan about a week ago. According to the F-Secure website Virtumonde
runs hidden from the user and displays pop-up advertisements. The adware connects to a server and queries for advertisements to display. The adware actively prevents removal by using several different techniques.
In my case, whenever I opened Internet Explorer a pop-up advertisement would appear, whatever my homepage was set to.
I attempted several different methods of removing this virus, with little success. I even went as far as restoring the system to a time close to a fresh installation, but was unable to find a point that didn’t contain the virus. Besides, I did not want to lose any data that I might otherwise save if I managed to remove it without System Restore.
Searching through many websites arrived at via Google, I managed to find many “solutions” that were either out of date, or just didn’t work. I decided to experiment with a hybrid of solutions, and finally managed to remove it.
I outline the steps I used to remove the virus. A little warning though: the steps I took involve deleting System Restore data points, which may prove useful later on. I’ve labelled these two steps “Optional”. If, however, you find that the virus still resides in your computer even after running the other steps, you might then try going through all the steps including that of disabling System Restore.
- Disable System Restore (Optional): Right-click the My Computer icon (found on the Desktop or under the Start menu). Under the “System Restore” tab, click on the box labelled “Turn off System Restore”.
- Run “cleanmgr” (Optional): Next, go to the Start menu and click “run”. Type “cleanmgr” into the box and press Enter or Return. Wait for a moment while Windows XP scans your system. When it’s done, look under the second tab; there should be an option to delete all the previous System Restore points. Delete them, and click OK.
- Download F-Secure’s f-vmonde.zip: Go to F-Secure’s webpage on Virtumonde and download f-vmonde.zip (it’s provided free). This is a Virtumonde remover.
- Download Spybot Search & Destroy: Now go download and install Spybot Search & Destroy. In my experience, F-Secure’s f-vmonde.zip solution only removed half the files infected with Virtumonde. Search & Destroy removed the rest, but was in itself unable to remove all the infected files.
- Restart computer in Safe Mode: Restart the computer in Safe Mode. You can do this by pressing F8 when your computer is starting up (after hitting the restart button). (Alternatively: Getting into Windows XP in safe mode).
- Run f-vmonde.zip and Spybot Search & Destroy: Start with the f-vmonde.zip. Run the program contained within the zip archive. A command prompt should pop-up, asking you if you would like to continue. Enter “Y”, and the program should scan your computer for the virus (this should not take longer than 30 seconds).
It should then prompt you either that (a) your computer does not have Virtumonde, or (b) that the infected files have been removed and you should restart the system. I’m assuming you received the message contained in (b), so let’s move on to Spybot Search & Destroy.
Open Spybot Search & Destroy and run the scan. This scan may take a while, so go grab a coffee and a newspaper. After it finishes scanning, you should see that it has cleaned the Virtmonde virus from your system.
- Restart and Re-enable System Restore: Restart your system in normal mode (just hit restart) and then re-enable System Restore. Your computer should be Virtumonde-free by now.
I hope this works for you.