Windows 7 - Memscan:Trojan.Virtumonde.IF

Asked By Nick Cumberbatch on 18-Jun-07 07:15 AM
I am using BitDefender, Spyware Doctor and Ad-Aware, XP Pro

Recently I tried downloading a P2P file-sharing MP3 program called WinMX.
Unfortunately I was not aware of the threats that this program posed.

I have since uninstalled it and run the above programs to scan and delete.

However there is one persistent threat:  MemScan:Trojan.Virtumonde.IF that
seems to persist.

It appears to infect the following files:

Any assistance will be appreciated

Leythos replied on 18-Jun-07 07:25 AM

Always remember - only download files from Trusted Sites.

The following links will take you to vendors' sites for Spyware / Adware
removal tools and also for Antivirus tools. After you install any
of these applications and update them, run them in SAFE MODE to allow
them to properly clean your system.

First, make sure that your Java is updated to the latest version:

These sites are for downloading Anti-Malware and Anti-Spyware tools, in
the order in which I would use them myself:

Dave Lipman's tools:
Download MULTI_AV.EXE from the URL --

AdAwareSE can be found here:

SpyBot Search and Destroy can be found here:


- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist" (remove 999 for proper email address)
David H. Lipman replied on 18-Jun-07 04:54 PM
From: "Nick Cumberbatch" <>

Two phase answer...

Perform Part 1 then perform Part 2

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 6.0,
then you are strongly urged to remove any/all versions.
There are numerous vulnerabilities in them and they are actively being exploited.

It is highly suggested that you update to the latest version which is Sun Java JRE/JSE
Version 6.0 update 1 (jre 6u1)

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version.

Such as...
C:\Program Files\Java\jre1.6.0_01


Part 1
Download Adware-Virtumundo Removal Tool --

Information on the Adware-Virtumundo Removal Tool:

Part 2
Download Atribune's VUNDOFIX.EXE

Save VUNDOFIX.EXE to "C:\" ( C:\VUNDOFIX.EXE ) and execute it from there.

* * *  Please report back your results  * * *

Lord Maximus replied on 26-Jun-07 10:22 PM
Nick Cumberbatch aka, after much thought, came up
with this jewel:

File sharing must be done with care.
After you get your mess cleaned up,try LimeWire.
My Pages:
Virus Removal Instructions:
Keeping Windows Clean:
Change to to reply. is
specifically set up for USENET. Feel free to use it yourself.
Nick Cumberbatch replied on 18-Jun-07 09:33 PM
Hi Dave:
I tried your solution

Part 1 results:

[06/18/2007, 21:44:29] - VirtumundoBeGone v1.5 (
[06/18/2007, 21:44:46] - Detected System Information:
[06/18/2007, 21:44:46] -  Windows Version: 5.1.2600, Service Pack 2
[06/18/2007, 21:44:46] -  Current Username: Nick Cumberbatch (Admin)
[06/18/2007, 21:44:46] -  Windows is in NORMAL mode.
[06/18/2007, 21:44:46] - Searching for Browser Helper Objects:
[06/18/2007, 21:44:46] -  BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670}
(&Yahoo! Toolbar Helper)
[06/18/2007, 21:44:46] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(Adobe PDF Reader Link Helper)
[06/18/2007, 21:44:46] -  BHO 3: {31FF080D-12A3-439A-A2EF-4BA95A3148E8}
(bho2gr Class)
[06/18/2007, 21:44:46] -  BHO 4: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
(Yahoo! IE Services Button)
[06/18/2007, 21:44:46] -  BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(SSVHelper Class)
[06/18/2007, 21:44:46] -  BHO 6: {AE7CD045-E861-484f-8273-0445EE161910}
(Adobe PDF Conversion Toolbar Helper)
[06/18/2007, 21:44:46] -  BHO 7: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
(Windows Live Toolbar Helper)
[06/18/2007, 21:44:46] - Finished Searching Browser Helper Objects
[06/18/2007, 21:44:46] - Finishing up...
[06/18/2007, 21:44:46] - Nothing found! Exiting...

Then Part 2
VundoFix V6.5.1

Checking Java version...

Java version is
Old versions of java are exploitable and should be removed.

Scan started at 9:54:47 PM 18-Jun-07

Listing files found while scanning....


Beginning removal...

Attempting to delete C:\windows\system32\vtsqnkh.dll
C:\windows\system32\vtsqnkh.dll Could not be deleted.

Performing Repairs to the registry.

Beginning removal...

Attempting to delete C:\windows\system32\vtsqnkh.dll
C:\windows\system32\vtsqnkh.dll Could not be deleted.

Performing Repairs to the registry.

Beginning removal...

At this point I began to get a Blue Screen whenever I try booting into SAFE
MODE.  Tried it 6 times with the same blue screen.  However I could boot
into Normal Mode.  Now I am not sure what to do next.  Something is
preventing me from booting in Safe Mode.   Did I get rid of the threat??
David H. Lipman replied on 19-Jun-07 05:39 PM
From: "Nick Cumberbatch" <>

Hi Nick:

Nothing but legitimate items were found by VBG.

However VundoFix found you had a very vulnerable and often exploited version of Sun Java which
MAY be the reason you got infected with the Virtumonde Adware/Vundo Trojan.

Please go back to my original reply and follow my directions to remove v1.4.x and replace it
with v6 update 1.

We need to verify that %windir%\system32\vtsqnkh.dll has indeed been removed.
Another scan in Normal Mode is indicated and we'll then see if it was removed based upon the
VundoFix log.

If not, there are "other" steps we can take to remove the DLL, vtsqnkh.dll.

We can deal with the BSoD in Safe Mode after removing the DLL.

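Editor's note: the three checks Dave asks for in this thread (is the old JRE folder gone from C:\Program Files\Java, is %windir%\system32\vtsqnkh.dll still on disk, and which Browser Helper Objects are registered, the same list VirtumundoBeGone printed) can be run from one PowerShell script. The script below is an added example, not something posted in the thread or shipped with VundoFix or VirtumundoBeGone. The DLL name and the "latest JRE" version are taken from the thread as it stood in June 2007 and are assumptions to adjust before reuse; the "unsigned" flag on a BHO DLL is a triage hint, not proof of infection, since many legitimate add-ons of that era were unsigned. What it is good at is surfacing a randomly named, unsigned DLL in system32 loaded as a BHO, which is exactly how the Vundo component in this thread (vtsqnkh.dll) presents.

```powershell
# Added example (not from the thread): post-cleanup triage for the checks
# described in David H. Lipman's replies. Run from an elevated PowerShell.
# Assumptions (mine): the suspect DLL name and the "latest JRE" version come
# from the June 2007 thread; adjust both before using this elsewhere.

$SuspectDll = Join-Path $env:windir 'system32\vtsqnkh.dll'
$LatestJre  = [version]'1.6.0.1'                     # jre1.6.0_01 == "6 update 1" in the thread
$JavaRoot   = Join-Path ${env:ProgramFiles} 'Java'

# 1. Is the DLL that VundoFix "Could not delete" still on disk?
if (Test-Path -LiteralPath $SuspectDll) {
    $sig = Get-AuthenticodeSignature -FilePath $SuspectDll
    Write-Output "STILL PRESENT: $SuspectDll (Authenticode: $($sig.Status))"
} else {
    Write-Output "Removed: $SuspectDll"
}

# 2. Java folders: Dave's rule is that only the latest version's folder
#    should exist under C:\Program Files\Java. Folder names look like
#    jre1.6.0_01 or j2re1.4.2_13; turn "1.6.0_01" into a comparable 1.6.0.1.
Get-ChildItem -LiteralPath $JavaRoot -ErrorAction SilentlyContinue |
  Where-Object { $_.PSIsContainer } |
  ForEach-Object {
    if ($_.Name -match '(\d+\.\d+\.\d+)(?:_(\d+))?') {
        $v = [version]('{0}.{1}' -f $Matches[1], [int]$Matches[2])   # [int]$null -> 0
        $status = if ($v -lt $LatestJre) { 'OLD - remove (exploitable)' } else { 'current' }
        Write-Output ('Java folder {0,-18} {1,-10} {2}' -f $_.Name, $v, $status)
    } else {
        Write-Output ('Java folder {0,-18} (unrecognised name, inspect manually)' -f $_.Name)
    }
  }

# 3. Browser Helper Objects: same CLSID list VirtumundoBeGone printed, plus the
#    DLL each CLSID actually loads (InprocServer32) and whether it is signed.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    $name  = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid" `
                -ErrorAction SilentlyContinue).'(default)'
    $dll   = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
                -ErrorAction SilentlyContinue).'(default)'
    $flag  = ''
    if ($dll) {
        $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
        if (Test-Path -LiteralPath $dllPath) {
            $sigStatus = (Get-AuthenticodeSignature -FilePath $dllPath).Status
            if ($sigStatus -ne 'Valid') { $flag = "  <-- not validly signed ($sigStatus)" }
            # Vundo's pattern in this thread: a random-named DLL directly in system32.
            if ($dllPath -like (Join-Path $env:windir 'system32\*.dll') -and $sigStatus -ne 'Valid') {
                $flag += '  [unsigned DLL in system32: compare against the VundoFix log]'
            }
        } else {
            $flag = '  <-- registered but DLL missing on disk (orphaned entry, safe to remove)'
        }
    } else {
        $dll = '(no InprocServer32 value)'
    }
    Write-Output "BHO $clsid ($name) -> $dll$flag"
}
```

Run it once in Normal Mode after the VundoFix pass; the first line tells you directly whether the "Could not be deleted" result in the log was final, and the BHO section is what to compare against the seven legitimate entries VirtumundoBeGone listed above. A BHO whose DLL has a random name, lives in system32, and carries no valid signature is the entry to take to the next removal step; an entry whose DLL is already gone from disk is just a leftover registration.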
Nick Cumberbatch replied on 21-Jun-07 06:42 AM
After trying to solve this problem, I was still left with the Blue Screens
in both Normal and Safe Mode.  So unfortunately I have no choice but to
re-install windows.
David H. Lipman replied on 21-Jun-07 07:31 AM
Did the BSoD happen ONLY when using VundoFix or every boot ?