Remove VirtuMonde

How to remove Virtumonde / FAQ

Download Virtumonde Remover

What is VirtuMonde?
VirtuMonde is adware that downloads and pops up advertisements without the user's permission.

Are VirtuMonde and VirtuMondo the same thing?
Yes, they are the same adware.

What does it do?
VirtuMonde starts together with Windows and connects to the Internet. It hides from the user and pops up various advertisements. It regularly contacts predetermined web sites to receive advertisements. VirtuMonde also works hand in hand with other parasites and advertising-supported programs.

Is VirtuMonde dangerous?
Yes. Like all adware, it not only slows down your computer but also bombards the user with nasty advertisements. It also tracks the websites you browse.

What systems does it affect?
VirtuMonde may affect: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP, Windows Vista

What is VirtuMonde's risk impact?
Low, but still dangerous.

What are the VirtuMonde file names?
It has been detected as WindowsUpd1.exe or sysupd.exe, but like much adware it may rename itself.

What values does it add?

“WindowsUpd” = “[ADWARE FILENAME]”
“SysUpd” = “[ADWARE FILENAME]”

to the registry subkeys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

What registry keys does it create?

HKEY_CURRENT_USER\Software\Microsoft\WindowsUpd
HKEY_CURRENT_USER\Software\Microsoft\SysUpd
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}scan
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEpl.IEpl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEpl.IEPl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tdev
HKEY_USERS\S-1-5-21-1887652994-1477516851-2064603551-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}
HKEY_LOCAL_MACHINE\SOFTWARE\TargetSoft
HKEY_CLASSES_ROOT\CLSID\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}
HKEY_CLASSES_ROOT\DosSpecFolder.DosSpecFolder
HKEY_CLASSES_ROOT\DosSpecFolder.DosSpecFolder.1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}

What files does it create?

* %System%\cidrules.dll
* %System%\wincore.dll
* %System%\winhost32.exe
* %System%\winupd.dll
* %UserProfile%\Local Settings\Temp\cidrules.dll
* %UserProfile%\Local Settings\Temp\wincore.dll

Note:

* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP, Windows Vista).
* %UserProfile% is a variable that refers to the current user’s profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
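A read-only check for the registry values, registry keys and dropped files listed above, as an added PowerShell example that is not part of the original page. It assumes an NT-family Windows where %System% is $env:SystemRoot\System32 and %UserProfile% is $env:USERPROFILE, and it only reports what it finds; it deletes nothing.

```powershell
# Added example (not from the original page): read-only check for the VirtuMonde
# persistence indicators listed in the FAQ. Reports findings; does not remove anything.
# Assumption: NT-family Windows, so %System% = $env:SystemRoot\System32.
$findings = @()

# 1. Run values named WindowsUpd / SysUpd under the HKLM and HKCU Run keys
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'WindowsUpd', 'SysUpd') {
        $value = $props.PSObject.Properties[$name]
        if ($value) { $findings += "Run value ${key}\${name} = $($value.Value)" }
    }
}

# 2. Registry keys from the FAQ: BHO registrations, Winlogon Notify hook, CLSIDs,
#    per-user Ext\Stats entries (HKEY_USERS\<SID> is the current user's HKCU), vendor key
$clsids = '{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}', '{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}'
$keys = @(
    'HKCU:\Software\Microsoft\WindowsUpd',
    'HKCU:\Software\Microsoft\SysUpd',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tdev',
    'HKLM:\SOFTWARE\TargetSoft',
    'HKLM:\SOFTWARE\Classes\IEpl.IEpl',
    'Registry::HKEY_CLASSES_ROOT\DosSpecFolder.DosSpecFolder'
)
foreach ($c in $clsids) {
    $keys += "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$c"
    $keys += "Registry::HKEY_CLASSES_ROOT\CLSID\$c"
    $keys += "HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\$c"
}
foreach ($key in $keys) {
    if (Test-Path $key) { $findings += "Registry key present: $key" }
}

# 3. Dropped files in %System% and the user's Local Settings\Temp folder
$system = Join-Path $env:SystemRoot 'System32'
$temp   = Join-Path $env:USERPROFILE 'Local Settings\Temp'
$files  = @('cidrules.dll', 'wincore.dll', 'winhost32.exe', 'winupd.dll' | ForEach-Object { Join-Path $system $_ })
$files += @('cidrules.dll', 'wincore.dll' | ForEach-Object { Join-Path $temp $_ })
foreach ($f in $files) {
    if (Test-Path $f) { $findings += "File present: $f" }
}

if ($findings.Count -eq 0) { 'No VirtuMonde indicators found.' } else { $findings }
```

Run it from an elevated PowerShell so the HKLM keys and the System32 folder are readable; any hit is only an indicator and should be confirmed before removal.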

What connections does VirtuMonde make?
It makes HTTP connections to virtumonde.com from time to time, usually on port 80 or 8081.

3 Responses to “How to remove Virtumonde / FAQ”
  1. sarah Says:

    I found the C:\Windows\System32 on my computer and when I wanted to see the files it said they were hidden and I shouldn't mess with them if I wanted my computer to work right. But I opened them and some of them are empty. Is this really a virus?

  2. john Says:

    no, some of them could be empty, don’t worry about that

  3. Murtaza Says:

    From personal experience, it does affect Windows Vista as well.
