We use cookies to ensure that we give you the best experience on our website. By continuing to browse, we are assuming that you have no objection in accepting cookies. You can change your cookie settings at any time.

产品

安全产品
Premium Protection Internet Security 2013 Antivirus 2013 Mobile Security Spamfilter 10
备份产品
Mobile Backup 12 Online Backup 2013
下载

热门下载
Premium Protection Internet Security 2013 Mobile Backup 12
其他下载
Antivirus 2013 Spamfilter Online Backup 2013
商店

最畅销产品
Premium Protection Internet Security 2013 Antivirus 2013 Mobile Backup 12 Mobile Security
其他产品
Online Backup 2013
博客
最新张贴
支持
客户支持产品指南 FAQ
我的帐户

Dansk German English Español Français Nederlands Norsk Português do Brasil Svenska 中文中文（繁體）

支持 Tech Guides How to remove Adware.Virtumonde.WY

隐私和 Cookie

全年无休的支持服务

我们随时准备帮助您解决任何互联网安全问题。

无论您选择即时聊天还是电子邮件，都可以确信我们的专家团队将迅速解答您的问题。

开始即时聊天发送电子邮件

向我們查詢

How to remove Adware.Virtumonde.WY

THREAT NAME

Adware.Virtumonde.WY

CLEAN INSTRUCTIONS

1. Go to Start > Run type regedit and press OK.

2. Go to Edit > Find type:

{85DED05D-2EC2-4E04-9406-AB25F577F706} and press OK.

3. You should encounter a key like this:

HKEY_CLASSES_ROOT\CLSID\{85DED05D-2EC2-4E04-9406-AB25F577F706}

Go to InProcServer32\Default and copy the value. It should be something like this:

C:\Windows\System32\nnnooopp.dll

4. Open Notepad and write:

del C:\Windows\System32\nnnoopp.dll

(replace this with the name of the file that you have written down earlier)

Go to File > Save, and for File type select All files. Save it in the root of the C:\ drive with the name remove.bat.

5. Open regedit, navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

Double-click on System and write the value C:\remove.bat.

6. Now restart the computer.

When Windows starts, open Windows Explorer and see if the file was deleted.

If it was, open regedit, go to Edit > Find and run a search for the key:

{85DED05D-2EC2-4E04-9406-AB25F577F706}

Delete any entry that is found.

7. Delete the file:

C:\Documents and Settings\User\Local settings\Temp\removalfile.bat

Note: User stands for your Windows account username.

8. Run a full system scan with BullGuard.

SYMPTOMS

1. Presence of the file removalfile.bat in the current user temporary folder:

C:\Documents and Settings\User\Local settings\Temp\

2. Increased network activity.

3. Unknown processes may appear in the Task Manager.

DESCRIPTION

1. Drops a .dll file with a random name in the system folder (e.q: C:\Windows\System32\nnnoopp.dll).

2. It "injects" itself in explorer.exe and winlogon.exe.

3. Creates a .bat file with a hidden attribute set, in the current user's temp folder in order to delete itself:

C:\Documents and Settings\User\Local settings\Temp\removalfile.bat

4. Adds several registry keys that are pointing to the registry key below, in order to ensure that the malware will run at startup:

HKEY_CLASSES_ROOT\CLSID\{85DED05D-2EC2-4E04-9406-AB25F577F706}

5. It tries to establish a connection to download and execute a file from 82.98.235.70 and 65.243.103.80.

Author:
The BullGuard Team

全年无休的支持

我们拥有专业的支持团队，可为您提供全年无休的标准英语专家建议，同时按指定时间段提供其他语言的专家建议。

立即获得帮助

升级 / 续订

已经是 BullGuard 的用户？

我们希望您尽情享受我们的产品！

升级续订


Tweet	更多