How to remove Adware.Virtumonde.WY



THREAT NAME

Adware.Virtumonde.WY

CLEAN INSTRUCTIONS

1. Go to Start > Run, type regedit and press OK.


2. Go to Edit > Find, type:


{85DED05D-2EC2-4E04-9406-AB25F577F706} and press OK.


3. You should encounter a key like this:


HKEY_CLASSES_ROOT\CLSID\{85DED05D-2EC2-4E04-9406-AB25F577F706}


Go to InProcServer32\Default and copy the value. It should look something like this:

C:\Windows\System32\nnnoopp.dll


4. Open Notepad and write:


del C:\Windows\System32\nnnoopp.dll


(replace this with the name of the DLL file that you copied down in step 3)


Go to File > Save, and for File type select All files. Save it in the root of the C:\ drive with the name remove.bat.


5. Open regedit, navigate to the key:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\


Double-click on System and write the value C:\remove.bat.


6. Now restart the computer.


When Windows starts, open Windows Explorer and see if the file was deleted.


If it was, open regedit, go to Edit > Find and run a search for the key:


{85DED05D-2EC2-4E04-9406-AB25F577F706}


Delete any entry that is found.


7. Delete the file:


C:\Documents and Settings\User\Local settings\Temp\removalfile.bat


Note: User stands for your Windows account username.


8. Run a full system scan with BullGuard.



SYMPTOMS

1. Presence of the file removalfile.bat in the current user temporary folder:


C:\Documents and Settings\User\Local settings\Temp\


2. Increased network activity.


3. Unknown processes may appear in the Task Manager.



DESCRIPTION

1. Drops a .dll file with a random name in the system folder (e.g. C:\Windows\System32\nnnoopp.dll).


2. It "injects" itself in explorer.exe and winlogon.exe.


3. Creates a .bat file with the hidden attribute set in the current user's temp folder, which it uses to delete itself:


C:\Documents and Settings\User\Local settings\Temp\removalfile.bat


4. Adds several registry keys that point to the registry key below, to ensure that the malware runs at startup:


HKEY_CLASSES_ROOT\CLSID\{85DED05D-2EC2-4E04-9406-AB25F577F706}


5. It tries to connect to 82.98.235.70 and 65.243.103.80 in order to download and execute a file.
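The following PowerShell script is an added example, not a BullGuard tool or part of the original article. It reports the indicators listed in the CLEAN INSTRUCTIONS, SYMPTOMS and DESCRIPTION sections (the CLSID key and its InProcServer32 DLL, the DLL loaded in explorer.exe/winlogon.exe, removalfile.bat in the temp folder, and the Winlogon\System value) without deleting anything, so you can confirm an infection before and after following the steps above. The CLSID and file names are taken from the page; $env:TEMP replaces the hard-coded Documents and Settings path, and the list of registry load points searched for references to the CLSID is an assumption, since the page does not name the keys it refers to.

```powershell
# Added example (not BullGuard's own code): report Adware.Virtumonde.WY indicators
# described on this page. Read-only; it removes nothing. Run from an elevated prompt.

$Clsid    = '{85DED05D-2EC2-4E04-9406-AB25F577F706}'   # from the page
$ClsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
$Findings = New-Object System.Collections.Generic.List[string]
$dll      = $null

# Clean instructions, step 3: the CLSID key and its InProcServer32 (Default) value.
if (Test-Path $ClsidKey) {
    $Findings.Add("CLSID key present: $ClsidKey")
    $serverKey = "$ClsidKey\InProcServer32"
    if (Test-Path $serverKey) {
        $dll = (Get-Item $serverKey).GetValue('')        # '' reads the (Default) value
        $Findings.Add("InProcServer32 points to: $dll")
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $Findings.Add("DLL exists on disk: $dll")
            # Description item 2: the DLL is injected into explorer.exe and winlogon.exe.
            foreach ($procName in 'explorer', 'winlogon') {
                try {
                    $loaded = Get-Process -Name $procName -ErrorAction Stop |
                        ForEach-Object { $_.Modules } |
                        Where-Object { $_.FileName -ieq $dll }
                    if ($loaded) { $Findings.Add("DLL loaded in ${procName}.exe") }
                } catch {
                    # Module enumeration needs admin rights and matching bitness.
                    $Findings.Add("Could not enumerate modules of ${procName}.exe: $($_.Exception.Message)")
                }
            }
        }
    }
}

# Symptom 1: hidden removalfile.bat in the current user's temp folder.
# $env:TEMP is assumed to be the folder the page calls "Local settings\Temp".
$bat = Join-Path $env:TEMP 'removalfile.bat'
if (Test-Path -LiteralPath $bat) {
    $attrs = (Get-Item -LiteralPath $bat -Force).Attributes   # -Force shows hidden files
    $Findings.Add("removalfile.bat present ($attrs): $bat")
}

# Step 5 of the clean instructions sets Winlogon\System to C:\remove.bat; any value
# left here after cleaning (or one you did not set) is worth reviewing.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sysValue = (Get-ItemProperty -Path $winlogon -Name System -ErrorAction SilentlyContinue).System
if ($sysValue) { $Findings.Add("Winlogon\System is set to: $sysValue") }

# Description item 4: other keys referencing the CLSID. The page does not name them;
# this set of common COM load points is an assumption, not a complete list.
$LoadPoints = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
)
foreach ($lp in $LoadPoints) {
    if (-not (Test-Path $lp)) { continue }
    # A reference may be a subkey named after the CLSID, or a value holding the CLSID
    # or the DLL path.
    Get-ChildItem -Path $lp -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -ieq $Clsid } |
        ForEach-Object { $Findings.Add("Subkey referencing CLSID: $($_.Name)") }
    $props = Get-ItemProperty -Path $lp -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            $v = "$($p.Value)"
            if ($p.Name -ieq $Clsid -or $v -ieq $Clsid -or ($dll -and $v -ieq $dll)) {
                $Findings.Add("Value referencing CLSID/DLL: $lp\$($p.Name)")
            }
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Adware.Virtumonde.WY indicators found.'
} else {
    Write-Output 'Indicators found:'
    $Findings | ForEach-Object { Write-Output " - $_" }
}
```

Run the script once before cleaning to confirm the DLL name that step 3 asks you to copy, and again after the reboot in step 6: a clean result means the DLL is gone and no registry reference to the CLSID remains, which is what step 6 asks you to verify by hand.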

Author:
The BullGuard Team
