
How to remove Adware.Virtumonde.WY



THREAT NAME

Adware.Virtumonde.WY

 

 

CLEAN INSTRUCTIONS

1. Go to Start > Run, type regedit and press OK.


2. Go to Edit > Find, type:


{85DED05D-2EC2-4E04-9406-AB25F577F706}


and press OK.


3. You should encounter a key like this:


HKEY_CLASSES_ROOT\CLSID\{85DED05D-2EC2-4E04-9406-AB25F577F706}


Open its InProcServer32 subkey, then copy the (Default) value. It should be a path like this:

C:\Windows\System32\nnnoopp.dll


4. Open Notepad and write:


del C:\Windows\System32\nnnoopp.dll

 

(replace the file name with the one you copied in step 3)

 

Go to File > Save, select All Files as the file type, and save it in the root of the C:\ drive under the name remove.bat.


5. Open regedit, navigate to the key:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

 

Double-click the System value and set it to C:\remove.bat.


6. Now restart the computer.


When Windows starts, open Windows Explorer and see if the file was deleted.


If it was, open regedit, go to Edit > Find and search for the key:


{85DED05D-2EC2-4E04-9406-AB25F577F706}

 

Delete any entry that is found.


7. Delete the file:


C:\Documents and Settings\User\Local settings\Temp\removalfile.bat

 

Note: User stands for your Windows account username.

 

8. Run a full system scan with BullGuard.



SYMPTOMS

1. Presence of the file removalfile.bat in the current user's temporary folder:


C:\Documents and Settings\User\Local settings\Temp\


2. Increased network activity.


3. Unknown processes may appear in the Task Manager.



DESCRIPTION

1. Drops a .dll file with a random name in the system folder (e.g. C:\Windows\System32\nnnoopp.dll).


2. It "injects" itself in explorer.exe and winlogon.exe.


3. Creates a .bat file with the hidden attribute set in the current user's temp folder, in order to delete itself:


C:\Documents and Settings\User\Local settings\Temp\removalfile.bat


4. Adds several registry keys pointing to the registry key below, to ensure that the malware runs at startup:

 

HKEY_CLASSES_ROOT\CLSID\{85DED05D-2EC2-4E04-9406-AB25F577F706}


5. It tries to connect to 82.98.235.70 and 65.243.103.80 to download and execute a file.
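The PowerShell script below is an added example; it is not BullGuard's code and not part of the original instructions. It checks a machine for the indicators listed under SYMPTOMS and DESCRIPTION (the CLSID key and the DLL named by its InProcServer32 (Default) value, other registry keys or values referencing that CLSID, the DLL loaded in explorer.exe or winlogon.exe, and removalfile.bat in the temp folder) and for leftovers of the clean instructions (C:\remove.bat and the Winlogon System value set in step 5). It only reports and deletes nothing. The registry roots it searches and the wording of its report are this example's own choices, not something the page specifies.

```powershell
# Added example (not BullGuard's own code): report the indicators this page
# lists for Adware.Virtumonde.WY and any leftovers of the manual cleanup.
# Read-only: it prints findings and deletes nothing. Run from an elevated prompt.

$Clsid    = '{85DED05D-2EC2-4E04-9406-AB25F577F706}'   # CLSID given on the page
$Findings = New-Object System.Collections.Generic.List[string]

# 1. The CLSID key and the DLL named by its InProcServer32 (Default) value
$ClsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
$Dll      = $null
if (Test-Path -LiteralPath $ClsidKey) {
    $Findings.Add("CLSID key present: $ClsidKey")
    $InProc = "$ClsidKey\InProcServer32"
    if (Test-Path -LiteralPath $InProc) {
        $Dll = (Get-ItemProperty -LiteralPath $InProc).'(default)'
        if ($Dll) {
            $Findings.Add("InProcServer32 (Default) points to: $Dll")
            if ([System.IO.File]::Exists($Dll)) {
                $Findings.Add("DLL still on disk: $Dll")
            } else {
                $Findings.Add("DLL no longer on disk (cleanup step 6 may have run): $Dll")
            }
        }
    }
}

# 2. Other keys/values referencing the CLSID (the page says several point to it).
#    The roots searched here are this example's choice, not a list from the page.
$SearchRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion'
)
foreach ($Root in $SearchRoots) {
    foreach ($Key in (Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue)) {
        if ($Key.PSChildName -eq $Clsid) {
            $Findings.Add("Subkey named after the CLSID: $($Key.Name)")
        }
        foreach ($ValueName in $Key.GetValueNames()) {
            $Value = [string]$Key.GetValue($ValueName)
            if ($Value -like "*$Clsid*") {
                $Findings.Add("Value referencing the CLSID: $($Key.Name) -> $ValueName = $Value")
            }
        }
    }
}

# 3. The DLL loaded into explorer.exe / winlogon.exe (the page says it injects there).
#    Module enumeration can fail on access or bitness mismatch, hence the try/catch.
if ($Dll) {
    foreach ($Proc in (Get-Process -Name explorer, winlogon -ErrorAction SilentlyContinue)) {
        try {
            foreach ($Module in $Proc.Modules) {
                if ($Module.FileName -ieq $Dll) {
                    $Findings.Add("DLL loaded in $($Proc.ProcessName) (PID $($Proc.Id)): $Dll")
                }
            }
        } catch {
            $Findings.Add("Could not enumerate modules of $($Proc.ProcessName) (PID $($Proc.Id)): $_")
        }
    }
}

# 4. Files: the adware's self-deleting batch file and the cleanup's remove.bat.
#    File.Exists sees hidden files, which matters for removalfile.bat.
$Files = @(
    (Join-Path $env:TEMP 'removalfile.bat'),   # symptom 1 on the page
    'C:\remove.bat'                            # created in cleanup step 4
)
foreach ($File in $Files) {
    if ([System.IO.File]::Exists($File)) { $Findings.Add("File present: $File") }
}

# 5. Winlogon 'System' value: normally empty. Cleanup step 5 points it at
#    C:\remove.bat, so a non-empty value after the cleanup is a leftover to clear.
$Winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$SystemVal = (Get-ItemProperty -Path $Winlogon -ErrorAction SilentlyContinue).System
if ($SystemVal) { $Findings.Add("Winlogon System value is set: $SystemVal") }

# Report
if ($Findings.Count -eq 0) {
    Write-Output "No Adware.Virtumonde.WY indicators or cleanup leftovers found."
} else {
    $Findings | ForEach-Object { Write-Output $_ }
}
```

Save the script under any name (for instance check-virtumonde.ps1, a name chosen here) and run it from an elevated prompt with `powershell -ExecutionPolicy Bypass -File check-virtumonde.ps1`, once before the cleanup to confirm the DLL path you copied in step 3, and once after the restart in step 6 to confirm the DLL is gone and to list the registry entries still referencing the CLSID before you delete them in regedit. Because step 5 leaves the Winlogon System value pointing at C:\remove.bat, the script also flags that value so it can be cleared along with remove.bat once the DLL has been deleted.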

Author:
The BullGuard Team
