Club PA 2.0 has arrived! If you'd like to access some extra PA content and help support the forums, check it out at
The image size limit has been raised to 1mb! Anything larger than that should be linked to. This is a HARD limit, please do not abuse it.
Our new Indie Games subforum is now open for business in G&T. Go and check it out, you might land a code for a free game. If you're developing an indie game and want to post about it, follow these directions. If you don't, he'll break your legs! Hahaha! Seriously though.
Our rules have been updated and given their own forum. Go and look at them! They are nice, and there may be new ones that you didn't know about! Hooray for rules! Hooray for The System! Hooray for Conforming!

Virtumonde.dll aka help my compute has a virulat pestilance

MalechaiMalechai Registered User regular
Alright so I seem to have picked up a nasty little Trojan/key logger known as Virtumonde. I running spybot S&D constantly trying to eradicate the little bugger. For now I've stoped it from altering my registy but It just wont go away. Looking for some advice here, thanks.

Note: Ran S&D on start up twice one time it seemed to have iradicated it but has come back for more. Seems to have immbedded it's self in the registry and system 32. Running XP pro.

Malechai on


  • seasleepyseasleepy Registered User regular
    edited May 2008
    I've had good luck with Vundofix in the past. Lavasoft also apparently has a Virtumonde remover in the latest Ad-Aware, but I haven't used it.

    seasleepy on
    Steam | Nintendo: seasleepy | PSN: seasleepy1
  • MalechaiMalechai Registered User regular
    edited May 2008
    Thanks I'll definatly give that a shot.

    Malechai on
  • MalechaiMalechai Registered User regular
    edited May 2008
    Thanks for the attempt but vundofix didn't even see virtumonde. Thinking I may have to go to a special forum and use combofix with some expert support.

    Malechai on
  • GrimReaperGrimReaper Registered User regular
    edited May 2008
    Download and run HiJackThis and post the log file here as a downloadable text file or in a spoiler. (ideally as linked text file)

    Then we'll tell you what to delete from where.

    GrimReaper on
    PSN | Steam
    I've got a spare copy of Portal, if anyone wants it message me.
  • JerikTelorianJerikTelorian Registered User regular
    edited May 2008
    I fixed these at school for the past two years, I'll whip up a guide over the next couple hours to help you out.

    Download RegMon and Process Explorer:

    Put them on a Flash Drive.

    Record the name of the vundo infection (e.g. htthy.dll).

    Now, while in Normal Windows mode (not safe mode), open both ProcExp, and RegMon. The next part takes mostly a keen eye to get past. Record some Registry activity, and look for odd patterns of three entries. They should have a wierd entry in the last column (like 0xfff9f). Check those, and look for the name of your virus in the other columns. If you find it, record the name of the process they are in (for me, this is almost always either lsass.exe or winlogon.exe).

    Now, navigate to that process with ProcExp. Right click on it, and select "Properties", then the "Threads" tab. If your previous searching was correct, you should find a thread with the name of your virus in there. It shoudl be fairly easy to find because it will have a very high CPU use. Kill the threads with the virus name in them, then close Process Explorer.

    Now, open the Registry Editor. This part can be fairly dangerous if you don't know how to play with the registry, so be careful. Search for, and remove keys related to the virus. In some instances, you might need to edit only part of a key relative to the virus, leaving the other parts behind. It's tricky business, but if you're already comfortable mucking about in the registry, it shouldn't be hard.

    Finally, reboot, and navigate to c:\windows\system32\, and delete [virusname.dll]. Boom, you're clean.

    JerikTelorian on
    SteamID -- JerikTelorian
    XBL: LiquidSnake2061
    Shade wrote: »
    Anyone notice how some things (mattresses and the copy machines in Highrise) are totally impenetrable? A steel wall, yeah that makes sense, but bullets should obliterate copy machines.

    I don't know about you, but I always buy a bullet proof printer. Its a lot more expensive, but I think the advantages are apparent.
Sign In or Register to comment.