What the hell is Virtumonde you ask? I’d like to tell you but it seems I can’t quite get anyone willing to commit to exactly what it is.
You see, the other day I got an invitation to try out the new Internet-based TV service Joost. After installing it my PC began to act very strange. I can’t say for sure that Joost was the cause but some cursory evidence suggests it might have been involved. Joost, it turns out, is put out by the same people who brought us Kazaa. Kazaa was the P2P file sharing tool that came loaded with all sorts of spyware, etc.
Anyway, not long after watching a bit of overly-compressed video shows my PC started popping up ads all over the place. I launched Lavasoft‘s AdAware which has always been good at this sort of thing and it came up empty. I have had a sense that AdAware just isn’t what it used to be and that my previous investment in it may have run its course.
I then ran Eset‘s NOD32. NOD32 is the best damned virus protection engine in the world as far as I’m concerned. It’s small, fast and effective. I’ve seen it run circles around the bloatware that is passed off as protection from the better known providers. In fact, 90% of the time I work on cleaning up other PC’s it’s those mainstream “protection” products that are causing much of the problem. The concern here is that NOD32 didn’t see anything either. However, once I started poking it did block further attempts to infect my system.
The most telling symptom I had were the websites that my PC kept trying to access. I did a search on these and Google immediately kicked back a slew of hits for Virtumonde. I also found a few people who claimed that Spyware Doctor from PC Tools was effective at finding and removing it.
You have to understand that you need to be careful with recommendations like this. Half the time the product being recommended is a scam. There are loads of products out there sold as spyware and virus protection that do nothing else but add the very things they claim to protect you from. However, I found some solid reviews of this one on trusted sites. Further, I have a fond spot in my memory for “PC Tools”. I’m pretty sure this company has nothing to do with the PC Tools of my memory. That DOS-based utility was indispensable in its day. Based on all of that I decided to give it a shot. It was $29.95 so it wasn’t going to break the bank either way.
I was glad to see that it quickly identified several instances of Virtumonde and also actively started blocking continued attempts to spread. That alone made it worthwhile. After a full scan and removal I rebooted and ran again. More instances were found. This is typical with this sort of thing as it often will take a reboot or three to get free. I repeated this a few times and each time I was confident that I’d emerged clean only to be hit within a few minutes of rebooting.
So much for complete protection from any of the tools I had. Back to Google. I found several references to another free app called Vundofix that seemed to work for people. It’s a tiny single .EXE file but be patient when you run it. It’ll take a LONG time. At the end of running it I was surprised to see that it had identified 10 DLL’s that were all seemingly randomly named as infected. It removed the ones it could and marked the ones it couldn’t to be deleted after rebooting. On reboot it did indeed remove the others. However, the problem continued to persist and Vundofix continued to find new variations.
I then decided it was time for me to dig into the tool many people use but that I’d managed to avoid all this time—Hijack This. Hijack This is essentially a power system scanner that shows you everything in your system that gets loaded that could possibly be harmful. It includes everything so you have to be very careful here as you can easily remove perfectly sound elements that are not in any way infected and could take away something vital to the OS.
The log it produced immediately pointed out several attempts to load random DLL’s, INI files and curious Windows Logon attempts. I removed all of these and now seem to be Virtumonde-free for now. I also uninstalled Joost and don’t plan to return to it for now until I see a lot more feedback from people on it with regard to what it may or may not install.
The funny part in all of this is the passing of the buck I ran into when posting about his. The NOD32 community tell me it’s spyware and, as such, NOD32 shouldn’t be expected to deal with this (even though NOD32 features suggest it does target this sort of thing). Spyware Doctor reps say it’s a virus and outside the scope of its software. Ah, you’ve got to love living on the technology edge.