VirtuMonde Trojan struck...

It is an easy thing to get into a false sense of security when it comes to your computer. Even for a techie guy like myself. I have a well known antivirus software installed on my PC and have always kept the virus definition files up to date. That should keep me reasonably protected. I said "reasonably" because no computer is 100% safe or immune. That is until the dark force strikes.

This particular day I noticed my Windows PC was running somewhat slower than usual. That is usually a giveaway that your computer has picked up something undesirable. Then other strange things started to happen. Browser windows started popping up with warnings that I needed this or that software. File browser windows closed suddenly when they were not meant to. And my Internet browser seemed to freeze for a couple of minutes. This definitely called for drastic action. The first thing I did was start up my Spybot Search & Destroy software and scan my computer files.

Just as I had suspected, there was indeed something undesirable hiding on my PC and doing who knows what in the background while I was happily using my computer or surfing the Net. Spybot Search & Destroy identified a Trojan adware called VirtuMonde. Apparently this is a common Trojan, but I had not heard of it until now. I promptly used Spybot Search & Destroy to fix it. At least I thought it did. It supposedly deleted the malicious files on my hard drive. I thought that was the end of my trouble, and little did I know it was just the beginning. By the time I finished scanning and fixing with Spybot S&D, it was already late at night, and so I called it a day.

The next day hell broke loose on my PC. When I started my PC for the first time that day, the first thing I noticed was a couple of MS-DOS command prompt windows that opened up and closed by themselves. That was definitely not normal. Then I noticed that I could not get to different websites. I tried some of the highly available ones like Yahoo or Google. They just hung there telling me the page was loading. Something definitely wasn't right. Then my desktop went blank except for the wallpaper. No Start button, no taskbar, just plain wallpaper. When I invoked the Task Manager, I noticed the explorer process was missing. (The Windows explorer.exe is the program that handles what you see on your screen: all the icons, file browsers, etc.) And every now and then the Internet browser continued to open new pages with some kind of ads. Now I had a serious problem on my hands.

To cut a long story short, it took me the whole weekend to clean out this VirtuMonde Trojan. I did a bit of research on this Trojan and found out that it is apparently more sophisticated than most. When Windows boots up, VirtuMonde gets loaded during boot time, attaches itself to explorer.exe and then goes memory resident. From time to time it checks that it is still running, and it is able to recreate itself. What Spybot managed to delete from my hard disk was not everything, and this program will recreate itself under a random name if necessary. Using the program HijackThis, I was able to identify the file in question. Unfortunately this file could not be deleted because it was in use by a process running in memory. I tried different ways to get rid of this Trojan, and after almost 20 hours of trying, I finally found a way.

As mentioned earlier, VirtuMonde loads itself into memory during Windows boot time. So the first task was to stop the Trojan from being loaded into memory during bootup. Easier said than done. Eventually I managed to accomplish this by booting into the Recovery Mode using the Windows install CD. This is the plain DOS mode that does not involve loading Windows, and hence VirtuMonde was not loaded into memory. I was able to delete the culprit file then. Having done that, I rebooted, and this time the Trojan did not become memory resident. The next step was to rerun Spybot S&D. This time round, it detected more related files and fixed those as well. Only then was my computer back to normal.
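The post says the Trojan attaches itself to explorer.exe and hides behind a randomly named file that cannot be deleted while it is loaded. The script below is an added example, not code from the original post: it inventories the DLLs that explorer.exe currently has loaded and flags the ones a defender would look at first, namely anything outside the Windows or Program Files trees and anything whose Authenticode signature fails validation. It assumes an elevated PowerShell session on the machine being examined; the directory and signature rules are generic triage heuristics and not VirtuMonde-specific indicators, and the function names are my own.

```powershell
# Added example, not code from the original post. It inventories the DLLs that
# explorer.exe has loaded and flags the ones worth a closer look: anything
# outside the Windows or Program Files trees, and anything whose Authenticode
# signature is broken or untrusted. Assumed: run from an elevated PowerShell
# session on the machine being examined; the directory and signature rules are
# generic triage heuristics, not VirtuMonde-specific indicators.

# Directories we treat as "expected" homes for modules loaded into explorer.exe.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |                             # drop unset variables (32-bit Windows)
    ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-InTrustedDirectory {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousExplorerModules {
    $explorer = Get-Process -Name explorer -ErrorAction SilentlyContinue
    if (-not $explorer) {
        # The post describes exactly this state: no explorer.exe, blank desktop.
        Write-Warning 'explorer.exe is not running; nothing to inventory.'
        return @()
    }

    $findings = @()
    foreach ($proc in @($explorer)) {
        foreach ($module in $proc.Modules) {
            $path = $module.FileName
            $inTrusted = Test-InTrustedDirectory -Path $path
            $sig = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()

            $reasons = @()
            if (-not $inTrusted) { $reasons += 'loaded from outside Windows/Program Files' }
            # Only a failed signature is flagged here; unsigned is treated separately (see note).
            if (@('HashMismatch', 'NotTrusted') -contains $status) { $reasons += "signature $status" }

            if ($reasons.Count -gt 0) {
                $findings += [PSCustomObject]@{
                    Process   = "$($proc.ProcessName) (PID $($proc.Id))"
                    Module    = $path
                    Signature = $status
                    SizeBytes = (Get-Item -LiteralPath $path).Length
                    Reason    = ($reasons -join '; ')
                }
            }
        }
    }
    return $findings
}

# Print the triage list; an empty table means nothing matched the two rules above.
Get-SuspiciousExplorerModules | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict. On older Windows releases (such as the XP-era machine in the post) many genuine system DLLs are signed through catalog files and report NotSigned, which is why the rule flags only HashMismatch and NotTrusted rather than every unsigned module. The script identifies but does not delete anything: a module that is currently loaded cannot be removed from a running system, which is exactly why the post's step of booting from the install CD, so that the Trojan never gets loaded, is the one that finally worked.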

The moral of the story is, make the effort to protect your PC with the appropriate software. Removing viruses or Trojans can be a very time-consuming exercise. Therefore it is best not to let them get hold of your PC to begin with...
