VirtuMonde.c, alias Adware-Virtumondo, TrojanSpy.Win32.Agent.I, is an extremely nasty virus and I’m going to tell you exactly how to remove it! VirtuMonde was discovered on my wife’s laptop after running Windows Defender, a free spyware and virtumonde removal tool (detected but did not remove) located at http://www.microsoft.com/windows/products/winfamily/defender/default.mspx
How the laptop became infected is unknown, but I spent hours searching for any information on VirtuMonde.c and ended up empty. Actually, there were tons of posts on this virus and some incredibly long posts on how to fix the problem, but not one of them worked!
Let me explain what I know about this virus before I talk about the fix; of course, you can skip this part and jump right to the bottom, but it’s worth the read.
VirtuMonde.c is rumored to have been first reported in May of 2004 to Panda Antivirus, which surprised me. It’s May of 2006 and I have the latest antivirus and spyware detection installed on the laptop and still, it became infected.
This virus is reported to record your keystrokes and randomly displays advertisements. This virtumonde.c Trojan will create a DLL (Dynamic Link Library) to facilitate the recording of your keystrokes and communicates with a website located on the internet.
Virtumonde.C attaches to explorer.exe, goes memory resident and verifies that it’s running (the virus that is). If for some reason Virtumonde.c is stopped, the memory resident program will fire it back up.
The virus also writes to cookies on the infected computer and may visit more than one internet site. The part that makes VirtuMonde.c tricky is that it’s memory resident and writes to a file that spyware removal programs can’t erase.
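To check for a DLL riding along inside explorer.exe, as described above, the following added example (not part of the original post) lists modules loaded into explorer.exe that sit outside a set of expected directories or lack a valid signature. The directory allow-list is an assumption to adjust per machine, and a hit is a lead for review rather than a verdict.

```powershell
# Added example: review DLLs loaded into explorer.exe (run from an elevated prompt).
# The allow-list of directories below is an assumption, not a definitive baseline.
$trustedRoots = @(
    (Join-Path $env:windir 'System32'),
    (Join-Path $env:windir 'SysWOW64'),
    (Join-Path $env:windir 'WinSxS'),
    (Join-Path $env:windir 'SystemApps'),
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

function Test-UnderTrustedRoot([string]$Path) {
    # True when $Path lies below one of the allow-listed directories.
    foreach ($root in $trustedRoots) {
        $prefix = $root.TrimEnd('\') + '\'
        if ($Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$findings = foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    foreach ($module in $proc.Modules) {
        $path = $module.FileName
        if (-not $path -or $path -notlike '*.dll') { continue }

        $sig      = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue
        $outside  = -not (Test-UnderTrustedRoot $path)
        $unsigned = (-not $sig) -or ($sig.Status -ne 'Valid')

        if ($outside -or $unsigned) {
            [pscustomobject]@{
                ProcessId           = $proc.Id
                Module              = $path
                OutsideTrustedRoots = $outside
                SignatureStatus     = if ($sig) { $sig.Status } else { 'Unknown' }
                LastWriteTime       = (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).LastWriteTime
            }
        }
    }
}

# One row per distinct module path, for manual review.
$findings | Sort-Object Module -Unique | Format-Table -AutoSize
```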
I tried a number of programs, including HijackThis, Trend’s online virus scanner, Panda Software’s online virus scanner, Symantec’s FixVundo.exe and manual instructions to no avail! I thought I had it when I ran SpyBot Search and Destroy’s software, but it only discovered 4 occurrences of the VirtuMonde.c when actually there were 6.
Of all the programs, only Microsoft’s Live Safety Center (Beta) was able to detect all the infected files! The online virus scan site is located at Live Safety Center and is a new free service designed to help you detect and keep your computer clean. It’s very cool, speeds up your PC and is worth checking out!
Having a full list of objects infected with VirtuMonde.C, I compared them to the ones discovered by the other antispyware packages and was left with two. Those two infected objects pointed to c:\windows\help\mui\accas.dll
I should note here that Microsoft’s Windows Defender was unable to remove the files or detect all infected files.
I found the solution by inserting a Windows XP CD into the drive and booting from it. I then chose the repair option which landed me at a command prompt. From here, I navigated to c:\windows\help\mui\accas.dll and renamed the file. Commands:
ren accas.dll accas.old
I then rebooted the computer and used Windows Defender to remove the remaining files infected by VirtuMondo which in the end was an easy solution, but nowhere to be found!
I hope this works for you as well and if not, perhaps the process of finding a solution to VirtuMonde.c will help.
VirtuMon.c is often thought of as VirtuMonde.C which is not correct. At this time, there is no indication that Virtumon.c is considered to be a virus.