Virtumonde is a Trojan that forms part of the well-publicized and despised Vundo family of Trojans. It installs and roots itself in the system without seeking the user’s permission, and then proceeds to cause havoc. It delivers rogue security applications, some of which have been identified as WinFixer, SysProtect and WinAntiSpyware.
The Trojan severely degrades system performance and causes erratic system behavior. It generates fake security pop-up messages informing the user that they need to purchase the proffered rogue antispyware application. It also makes the system more vulnerable to other malware infections, as Virtumonde opens up security holes in the infected system.
Virtumonde has evolved considerably over time and has become much more difficult to get rid of. To avoid detection and removal, it uses random file names, buries itself in random autorun locations, uses random CLSIDs and employs rootkits to hide itself on the system. This makes it increasingly difficult for users to remove Virtumonde manually.
Do not allow this harmful and seditious Trojan to cause permanent damage to your system. Use a genuine and powerful security tool to destroy Virtumonde and protect your PC against similar attacks in future.
| # | Process Name | Process Filename | Main module size |
|---|---|---|---|
| 1 | castlecops[1].exe | castlecops[1].exe | 151174 bytes |
| 2 | ces005dr.exe | ces005dr.exe | 30737 bytes |
| 3 | EliStarA 1965.exe | EliStarA 1965.exe | 629771 bytes |
| 4 | EliStarA 20.20.exe | EliStarA 20.20.exe | 679947 bytes |
| 5 | Nero_Burning_Rom_Ultra_Edition_6.6.0.6_serial_number.txt[1].exe | Nero_Burning_Rom_Ultra_Edition_6.6.0.6_serial_number.txt[1].exe | 168589 bytes |
| 6 | EliStarA.exe | EliStarA.exe | 645131 bytes |
| 7 | EliStarA 20 dic 2009.exe | EliStarA 20 dic 2009.exe | 639499 bytes |
| 8 | keygen.exe | keygen.exe | 53773 bytes |
| 9 | nnx22011.exe | nnx22011.exe | 116351 bytes |
| 10 | Windows_XP_SP2_Professional_Edition_Corporate_serial_number.txt[2].exe | Windows_XP_SP2_Professional_Edition_Corporate_serial_number.txt[2].exe | 168657 bytes |