I've got a Virtumonde Problem

[Solid Snake]

So there's apparently a nasty gadget called Virtumonde that's attached itself to my computer. Here's the strange thing; absolutely no anti-adware program I've used -- and I have five on my computer -- has proven effective at ridding it. Every one of them identifies some Virtumonde files and (presumably) rids of the problem. But every time I restart the computer the same pop-up ads have bombarded. I'm not sure how Virtumonde has managed to pull this off, but it's mildly distressing to say the least.

Here's what I have working on my computer:

Paid Versions

Trend Micro PC-cillin
Spyware Doctor by PCTools

Free Versions

Ad-Aware
Malwarebtyes' Anti-Malware
Spybot - Search and Destroy

I've also run a program called Vundo Removal that supposedly would help rid of this but it didn't even identify a single corrupt file or registry, let alone eliminate anything. Most the others at least eliminate dozens of "corrupted" information every time, but the same files and registries keep magically reappearing.

...any ideas how to fix this piece of junk?

[Krylo]

Wikipedia has the answer.

Basically, those programs aren't removing it because the DLL component boots up on winlogon, which means that they can't delete it. It then recreates all the other files at boot.

To fix it you have to find the proper .dll, and rename it with no extension, then start up in safe mode and run your virus removal programs AND manually delete the .dll file (which is no longer a .dll).

Alternatively: get a better browser that isn't susceptible to it.

[Solid Snake]

How exactly do I identify the "proper .dll" though? The file names appear to be randomized.

EDIT: Found a system32 .dll file listed under "Virtumonde" with Spybot, but when I look under my hidden files in my C drive, the eight-letter file in question is...nowhere to be found. Heh.

[Krylo]

MAGIC!

Quote:

Originally Posted by wiki

Infected DLLs (with randomized names such as "__c00369AB.dat") will be present in the Windows/System32 folder and references to the DLLs will be found in the user's start up (viewable in MSConfig), registry, and as browser add ons in Internet Explorer.

Alternatively, you could try reading more closely.

[Solid Snake]

So when I click "Manage Add Ons" and happen to see an eight-letter .dll file among the standards, it's a pretty good guess that's the one, eh?

EDIT: Nope, apparently not. Still can't find the folder with that .dll name in Windows \ System32.

[Kim]

Fuck that! Use magnets to pull the infected files! Viruses are magnetic, so if you use strong enough magnets, you should be able to just yank them out.

SCIENCE bests MAGIC once again...

[Krylo]

Oh shit, I totally forgot to suggest that.

Damnit, I'm slipping.

[Solid Snake]

Well, I did everything the Wikipedia article recommended -- renamed the DLL file and got rid of the DLL suffix, went into safe mode, deleted the registries...
...yup. Nothing worked.

EDIT: I've downloaded the newest version of Firefox, which has gotten rid of the popups for IE. But even if I get rid of IE (is it even possible for a computer using Windows to delete IE?), the Virtumonde program is still running every time I reboot my computer, and I'm afraid it's going to chew through a lot of my available memory.

[Dauntasa]

There is a program called Vundofix which is designed to get of Virtumonde. It's freeware, so you can just google it and then download it.