An adware program that downloads and displays popup advertisements. It installs one or two .exe files into the root directory. It is recognisable by any of the following entries in a HijackThis (HJT) log; the WindowsUpd file name sometimes contains a number.

O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe

O4 - HKLM\..\Run: [WindowsUpd] C:\WINDOWS\WindowsUpd.exe

Removal Instructions:

Using HijackThis: close all browser windows, scan, and when the scan completes remove the following entries by checking the box to the left of each and clicking 'Fix checked':

   The O4 Startup(s)

Reboot into Safe Mode, then find and delete the .exe file(s) to remove the infection.

A new variant has emerged that is a little more difficult to remove. It installs a randomly named master .exe whose name stays the same across reboots; the name is the file name of the BHO installed alongside it, spelled backwards. The master process constantly monitors its registry keys and recreates them if they are missing. On exit it relaunches itself and also runs c:\windows\system32\hostx.exe, which reinstates the registry entry as well. If hostx.exe does not exist, the master downloads it from updates.virtumonde.com on reboot and whenever the process is killed. When hostx starts it connects to www.virtumonde.com. If you delete hostx.exe, the master .exe recreates it.

Another randomly named file is always present; its purpose appears to be to protect the master .exe. This file has the start-up name [*MS Setup]. Other randomly named files, with start-up names prefixed by *, are often present as well.

It can be recognised in HJT logs by the following entries:

O2 - BHO: CATLEvents Object - {77849D67-5672-4B68-93E2-CCEFF1E3949E} - C:\DOCUME~1\sinead\LOCALS~1\Temp\abcde.dat

O4 - HKLM\..\Run: [*pqrstuv] C:\WINDOWS\msagent\CHARS\pqrstuv.exe
O4 - HKLM\..\Run: [*klmno] C:\WINDOWS\Cursors\klmno.exe
O4 - HKLM\..\RunOnce: [*edcba] C:\WINDOWS\Config\edcba.exe rerun   <- master (abcde.dat spelled backwards)
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\Fonts\wxyz.exe ren
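As an added example (not part of the original page or of any tool it names), the following Python script applies the recognition rules above to HijackThis log lines. It flags an O2 BHO loaded from a .dat file in the Temp folder, O4 entries whose start-up name begins with *, the *MS Setup protecting entry, an O4 exe whose file name is the BHO file name spelled backwards (the master), SysUpd/WindowsUpd entries from the first variant, and hostx.exe. It then lists the flagged file paths in the order the removal instructions below add them to Killbox. The sample log is constructed from the entries shown on this page plus one benign line; the tag names, the regexes and the hostx.exe path constant are this example's own choices, not anything defined by HijackThis.

```python
import re
from typing import Dict, List

# Constructed sample log: the entries listed on this page, one WindowsUpd entry with a
# number appended, and one benign ctfmon entry that must not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: CATLEvents Object - {77849D67-5672-4B68-93E2-CCEFF1E3949E} - C:\DOCUME~1\sinead\LOCALS~1\Temp\abcde.dat
O4 - HKLM\..\Run: [*pqrstuv] C:\WINDOWS\msagent\CHARS\pqrstuv.exe
O4 - HKLM\..\Run: [*klmno] C:\WINDOWS\Cursors\klmno.exe
O4 - HKLM\..\RunOnce: [*edcba] C:\WINDOWS\Config\edcba.exe rerun
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\Fonts\wxyz.exe ren
O4 - HKLM\..\Run: [WindowsUpd2] C:\WINDOWS\WindowsUpd2.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Line shapes of the two HijackThis entry types this page relies on (O2 BHOs, O4 startups).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+?)\s*$")
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<entry>[^\]]*)\] "
    r"(?P<path>.+?\.(?:exe|dat|dll|com))(?:\s+(?P<args>.*?))?\s*$",
    re.IGNORECASE,
)
TEMP_DIR_RE = re.compile(r"\\LOCALS~1\\TEMP\\|\\LOCAL SETTINGS\\TEMP\\", re.IGNORECASE)
UPD_STEM_RE = re.compile(r"^(?:sysupd|windowsupd\d*)$", re.IGNORECASE)

# Path the page gives for the downloader component (assumed constant for this example).
HOSTX_PATH = r"C:\Windows\System32\hostx.exe"

TAG_TEXT = {
    "bho_temp_dat": "BHO loaded from a .dat file in the Temp folder",
    "master_reverse_bho": "master exe: file name is the BHO file name spelled backwards",
    "ms_setup": "protecting exe (*MS Setup)",
    "star_entry": "start-up entry name prefixed with *",
    "upd_name": "SysUpd / WindowsUpd start-up entry",
    "hostx": "hostx.exe downloader",
}


def file_stem(path: str) -> str:
    """'C:\\WINDOWS\\Config\\edcba.exe' -> 'edcba' (lower-cased)."""
    base = path.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0].lower()


def triage_hjt(log_text: str) -> List[Dict]:
    """Return one finding per suspicious line: {'line', 'path', 'tags'}."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]

    # Pass 1: collect BHO file stems so the reverse-spelling test can run over O4 lines.
    bho_stems = set()
    for ln in lines:
        m = O2_RE.match(ln)
        if m:
            bho_stems.add(file_stem(m["path"]))
    reversed_stems = {s[::-1] for s in bho_stems}

    # Pass 2: tag each line.
    findings: List[Dict] = []
    for ln in lines:
        tags: List[str] = []
        path = None
        m = O2_RE.match(ln)
        if m:
            path = m["path"]
            if path.lower().endswith(".dat") and TEMP_DIR_RE.search(path):
                tags.append("bho_temp_dat")
        else:
            m = O4_RE.match(ln)
            if m:
                path = m["path"]
                stem = file_stem(path)
                if m["entry"] == "*MS Setup":
                    tags.append("ms_setup")
                elif m["entry"].startswith("*"):
                    tags.append("star_entry")
                if stem in reversed_stems:
                    tags.append("master_reverse_bho")
                if UPD_STEM_RE.match(stem):
                    tags.append("upd_name")
                if path.lower().endswith("\\hostx.exe"):
                    tags.append("hostx")
        if tags:
            findings.append({"line": ln, "path": path, "tags": tags})
    return findings


def killbox_order(findings: List[Dict]) -> List[str]:
    """File paths in the order the removal steps add them: BHO, master, protector, rest, hostx."""
    order = ["bho_temp_dat", "master_reverse_bho", "ms_setup", "star_entry", "upd_name", "hostx"]
    paths: List[str] = []
    for tag in order:
        for f in findings:
            if tag in f["tags"] and f["path"] not in paths:
                paths.append(f["path"])
    # The page says to queue hostx.exe for deletion even when the log does not show it.
    if not any(p.lower().endswith("\\hostx.exe") for p in paths):
        paths.append(HOSTX_PATH)
    return paths


if __name__ == "__main__":
    found = triage_hjt(SAMPLE_LOG)
    for f in found:
        print(f["line"])
        for t in f["tags"]:
            print("    ->", TAG_TEXT[t])
    print("\nDelete-on-reboot list, in order:")
    for p in killbox_order(found):
        print("   ", p)
```

The reverse-spelling test is done on file-name stems (name without extension) in both directions of the log, so it works whether the O2 line appears before or after the O4 lines; the benign ctfmon entry produces no tags and is left out of the deletion list.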

Removal Instructions:

Download TheKillbox by Option^Explicit, extract it from the zip file, then double-click Killbox.exe to run it. In the 'Paste Full Path of File to Delete' box, copy and paste this entry:

   The O2 BHO (CATLEvents Object)

Don't click any of the buttons; instead open the Action menu and choose "Delete on Reboot". In the window that opens, click the File menu and choose "Add File". The file should appear in the window. Then repeat the process, this time adding:

   The O4 master exe (reverse spelling of the BHO)

If that is successful you should have the two files listed. Then repeat so that these files appear in the list as well:

   The O4 protecting exe (*MS Setup)
   All other O4 entries associated with this pest
   C:\Windows\System32\hostx.exe


When they are all there (double check the list), open the Action menu in the same window and select "Process and Reboot". You will be prompted to reboot; do so.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe, then try TheKillbox again.

Create a new folder called C:\HijackThis, move HijackThis.exe into the new folder and run it from there. HijackThis writes its backups into the folder it runs from, so running it from a temporary folder or straight out of a zip file risks losing the backups you will need should anything go wrong.

Make sure that you have no browser windows open, as an open browser could prevent the fix from working properly. Open HijackThis, scan, and when the scan completes remove the following entries by checking the box to the left of each and clicking 'Fix checked':

   The O2 BHO (CATLEvents Object)
   The O4 master exe (reverse spelling of the BHO)
   The O4 protecting exe (*MS Setup)
   All other O4 entries associated with this pest

Reboot when done. Update Ad-aware and run a scan. Rescan with HJT and check the log to confirm the entries are gone.