
Manual Removal Guide for Virtumonde.sci



Friday
2009-02-25, 17:28
The following instructions have been created to help you to get rid of "Virtumonde.sci" manually.
Use this guide at your own risk; dedicated removal software is usually better suited to the job, since it can look deeper into the system than a manual check.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
trojan

Description:
Virtumonde.sci is another Virtumonde variant. It installs in the background and registers itself with Winlogon and as a Browser Helper Object (BHO). It also attaches itself to Explorer, which can cause system instability.

Removal Instructions:

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$ENV(Virtumonde1{19cd003b-d358-4e37-8a04-26bca59f8962})>.dll".
The file at "<$ENV(Virtumonde1{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB})>.dll".
The file at "<$ENV(Virtumonde1{24d514d9-f3a6-47ce-a466-648c7599345d})>.dll".
The file at "<$ENV(Virtumonde1{39F913BC-378E-4EE6-B19E-A78495558526})>.dll".
The file at "<$ENV(Virtumonde1{3c9693be-d2dd-4e7e-8391-31e45f37de94})>.dll".
The file at "<$ENV(Virtumonde1{3f086d47-3283-4c19-8e39-e5db12051c45})>.dll".
The file at "<$ENV(Virtumonde1{4176feeb-6249-4429-b922-2046495c30ce})>.dll".
The file at "<$ENV(Virtumonde1{56d6de79-7bfd-4e16-9c4f-b3b916a0c179})>.dll".
The file at "<$ENV(Virtumonde1{678bb911-e81c-4032-a7ad-d547c5974806})>.dll".
The file at "<$ENV(Virtumonde1{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C})>.dll".
The file at "<$ENV(Virtumonde1{72660BE7-3296-4A1B-9ACC-3078C7081354})>.dll".
The file at "<$ENV(Virtumonde1{7CFCA028-F14A-4546-8D7A-E35333690F3C})>.dll".
The file at "<$ENV(Virtumonde1{95EFD7D6-558E-48BC-9A76-7A3EB4BFE359})>.dll".
The file at "<$ENV(Virtumonde1{AE2183A9-F7E6-4990-B492-216C1DC23918})>.dll".
The file at "<$ENV(Virtumonde1{b0092b56-579f-4859-b775-d5090dfd7036})>.dll".
The file at "<$ENV(Virtumonde1{D662FD9E-1C0A-4743-908E-558F5333EBBE})>.dll".
Make sure you set your file manager to display hidden and system files. If Virtumonde.sci uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
For entries that do not specify a full path, you will have to search the whole drive. Be extra careful, because the name alone might not be enough to identify a file!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry key "{19cd003b-d358-4e37-8a04-26bca59f8962}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{19cd003b-d358-4e37-8a04-26bca59f8962}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{24d514d9-f3a6-47ce-a466-648c7599345d}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{24d514d9-f3a6-47ce-a466-648c7599345d}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{39F913BC-378E-4EE6-B19E-A78495558526}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{39F913BC-378E-4EE6-B19E-A78495558526}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{3c9693be-d2dd-4e7e-8391-31e45f37de94}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{3c9693be-d2dd-4e7e-8391-31e45f37de94}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{3f086d47-3283-4c19-8e39-e5db12051c45}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{3f086d47-3283-4c19-8e39-e5db12051c45}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{4176feeb-6249-4429-b922-2046495c30ce}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{4176feeb-6249-4429-b922-2046495c30ce}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{56d6de79-7bfd-4e16-9c4f-b3b916a0c179}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{56d6de79-7bfd-4e16-9c4f-b3b916a0c179}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{678bb911-e81c-4032-a7ad-d547c5974806}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{678bb911-e81c-4032-a7ad-d547c5974806}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{72660BE7-3296-4A1B-9ACC-3078C7081354}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{72660BE7-3296-4A1B-9ACC-3078C7081354}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{7CFCA028-F14A-4546-8D7A-E35333690F3C}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{7CFCA028-F14A-4546-8D7A-E35333690F3C}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{95EFD7D6-558E-48BC-9A76-7A3EB4BFE359}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{95EFD7D6-558E-48BC-9A76-7A3EB4BFE359}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{AE2183A9-F7E6-4990-B492-216C1DC23918}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{AE2183A9-F7E6-4990-B492-216C1DC23918}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{b0092b56-579f-4859-b775-d5090dfd7036}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{b0092b56-579f-4859-b775-d5090dfd7036}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{D662FD9E-1C0A-4743-908E-558F5333EBBE}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{D662FD9E-1C0A-4743-908E-558F5333EBBE}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "<$ENV(Virtumonde2{19cd003b-d358-4e37-8a04-26bca59f8962})>" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\".
Delete the registry key "<$ENV(Virtumonde2{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB})>" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\".
Delete the registry key "<$ENV(Virtumonde2{24d514d9-f3a6-47ce-a466-648c7599345d})>" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\".
Delete the registry key "<$ENV(Virtumonde2{39F913BC-378E-4EE6-B19E-A78495558526})>" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\".
Delete the registry key "<$ENV(Virtumonde2{3c9693be-d2dd-4e7e-8391-31e45f37de94})>" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\".
Delete the registry key "<$ENV(Virtumonde2{3f086d47-3283-4c19-8e39-e5db12051c45})>" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\".
Delete the registry key "<$ENV(Virtumonde2{4176feeb-6249-4429-b922-2046495c30ce})>" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\".
Delete the registry key "<$ENV(Virtumonde2{56d6de79-7bfd-4e16-9c4f-b3b916a0c179})>" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\".
Delete the registry key "<$ENV(Virtumonde2{678bb911-e81c-4032-a7ad-d547c5974806})>" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\".
Delete the registry key "<$ENV(Virtumonde2{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C})>" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\".
Delete the registry key "<$ENV(Virtumonde2{72660BE7-3296-4A1B-9ACC-3078C7081354})>" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\".
Delete the registry key "<$ENV(Virtumonde2{7CFCA028-F14A-4546-8D7A-E35333690F3C})>" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\".
Delete the registry key "<$ENV(Virtumonde2{95EFD7D6-558E-48BC-9A76-7A3EB4BFE359})>" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\".
Delete the registry key "<$ENV(Virtumonde2{AE2183A9-F7E6-4990-B492-216C1DC23918})>" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\".
Delete the registry key "<$ENV(Virtumonde2{b0092b56-579f-4859-b775-d5090dfd7036})>" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\".
Delete the registry key "<$ENV(Virtumonde2{D662FD9E-1C0A-4743-908E-558F5333EBBE})>" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\".
Delete the registry key "dslcnnct" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\".
Delete the registry value "{19cd003b-d358-4e37-8a04-26bca59f8962}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\".
Delete the registry value "{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\".
Delete the registry value "{24d514d9-f3a6-47ce-a466-648c7599345d}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\".
Delete the registry value "{39F913BC-378E-4EE6-B19E-A78495558526}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\".
Delete the registry value "{3c9693be-d2dd-4e7e-8391-31e45f37de94}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\".
Delete the registry value "{3f086d47-3283-4c19-8e39-e5db12051c45}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\".
Delete the registry value "{4176feeb-6249-4429-b922-2046495c30ce}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\".
Delete the registry value "{56d6de79-7bfd-4e16-9c4f-b3b916a0c179}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\".
Delete the registry value "{678bb911-e81c-4032-a7ad-d547c5974806}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\".
Delete the registry value "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\".
Delete the registry value "{72660BE7-3296-4A1B-9ACC-3078C7081354}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\".
Delete the registry value "{7CFCA028-F14A-4546-8D7A-E35333690F3C}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\".
Delete the registry value "{95EFD7D6-558E-48BC-9A76-7A3EB4BFE359}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\".
Delete the registry value "{AE2183A9-F7E6-4990-B492-216C1DC23918}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\".
Delete the registry value "{b0092b56-579f-4859-b775-d5090dfd7036}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\".
Delete the registry value "{D662FD9E-1C0A-4743-908E-558F5333EBBE}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\".
Remove "<$ENV(Virtumonde1{19cd003b-d358-4e37-8a04-26bca59f8962})>.dll" from registry value "Path" at "HKEY_LOCAL_MACHINE\Software\Microsoft\IProxyProvider\".
Remove "<$ENV(Virtumonde1{19cd003b-d358-4e37-8a04-26bca59f8962})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet001\Lsa\".
Remove "<$ENV(Virtumonde1{19cd003b-d358-4e37-8a04-26bca59f8962})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet002\Lsa\".
Remove "<$ENV(Virtumonde1{19cd003b-d358-4e37-8a04-26bca59f8962})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet003\Lsa\".
Remove "<$ENV(Virtumonde1{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB})>.dll" from registry value "Path" at "HKEY_LOCAL_MACHINE\Software\Microsoft\IProxyProvider\".
Remove "<$ENV(Virtumonde1{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet001\Lsa\".
Remove "<$ENV(Virtumonde1{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet002\Lsa\".
Remove "<$ENV(Virtumonde1{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet003\Lsa\".
Remove "<$ENV(Virtumonde1{24d514d9-f3a6-47ce-a466-648c7599345d})>.dll" from registry value "Path" at "HKEY_LOCAL_MACHINE\Software\Microsoft\IProxyProvider\".
Remove "<$ENV(Virtumonde1{24d514d9-f3a6-47ce-a466-648c7599345d})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet001\Lsa\".
Remove "<$ENV(Virtumonde1{24d514d9-f3a6-47ce-a466-648c7599345d})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet002\Lsa\".
Remove "<$ENV(Virtumonde1{24d514d9-f3a6-47ce-a466-648c7599345d})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet003\Lsa\".
Remove "<$ENV(Virtumonde1{39F913BC-378E-4EE6-B19E-A78495558526})>.dll" from registry value "Path" at "HKEY_LOCAL_MACHINE\Software\Microsoft\IProxyProvider\".
Remove "<$ENV(Virtumonde1{39F913BC-378E-4EE6-B19E-A78495558526})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet001\Lsa\".
Remove "<$ENV(Virtumonde1{39F913BC-378E-4EE6-B19E-A78495558526})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet002\Lsa\".
Remove "<$ENV(Virtumonde1{39F913BC-378E-4EE6-B19E-A78495558526})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet003\Lsa\".
Remove "<$ENV(Virtumonde1{3c9693be-d2dd-4e7e-8391-31e45f37de94})>.dll" from registry value "Path" at "HKEY_LOCAL_MACHINE\Software\Microsoft\IProxyProvider\".
Remove "<$ENV(Virtumonde1{3c9693be-d2dd-4e7e-8391-31e45f37de94})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet001\Lsa\".
Remove "<$ENV(Virtumonde1{3c9693be-d2dd-4e7e-8391-31e45f37de94})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet002\Lsa\".
Remove "<$ENV(Virtumonde1{3c9693be-d2dd-4e7e-8391-31e45f37de94})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet003\Lsa\".
Remove "<$ENV(Virtumonde1{3f086d47-3283-4c19-8e39-e5db12051c45})>.dll" from registry value "Path" at "HKEY_LOCAL_MACHINE\Software\Microsoft\IProxyProvider\".
Remove "<$ENV(Virtumonde1{3f086d47-3283-4c19-8e39-e5db12051c45})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet001\Lsa\".
Remove "<$ENV(Virtumonde1{3f086d47-3283-4c19-8e39-e5db12051c45})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet002\Lsa\".
Remove "<$ENV(Virtumonde1{3f086d47-3283-4c19-8e39-e5db12051c45})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet003\Lsa\".
Remove "<$ENV(Virtumonde1{4176feeb-6249-4429-b922-2046495c30ce})>.dll" from registry value "Path" at "HKEY_LOCAL_MACHINE\Software\Microsoft\IProxyProvider\".
Remove "<$ENV(Virtumonde1{4176feeb-6249-4429-b922-2046495c30ce})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet001\Lsa\".
Remove "<$ENV(Virtumonde1{4176feeb-6249-4429-b922-2046495c30ce})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet002\Lsa\".
Remove "<$ENV(Virtumonde1{4176feeb-6249-4429-b922-2046495c30ce})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet003\Lsa\".
Remove "<$ENV(Virtumonde1{56d6de79-7bfd-4e16-9c4f-b3b916a0c179})>.dll" from registry value "Path" at "HKEY_LOCAL_MACHINE\Software\Microsoft\IProxyProvider\".
Remove "<$ENV(Virtumonde1{56d6de79-7bfd-4e16-9c4f-b3b916a0c179})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet001\Lsa\".
Remove "<$ENV(Virtumonde1{56d6de79-7bfd-4e16-9c4f-b3b916a0c179})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet002\Lsa\".
Remove "<$ENV(Virtumonde1{56d6de79-7bfd-4e16-9c4f-b3b916a0c179})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet003\Lsa\".
Remove "<$ENV(Virtumonde1{678bb911-e81c-4032-a7ad-d547c5974806})>.dll" from registry value "Path" at "HKEY_LOCAL_MACHINE\Software\Microsoft\IProxyProvider\".
Remove "<$ENV(Virtumonde1{678bb911-e81c-4032-a7ad-d547c5974806})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet001\Lsa\".
Remove "<$ENV(Virtumonde1{678bb911-e81c-4032-a7ad-d547c5974806})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet002\Lsa\".
Remove "<$ENV(Virtumonde1{678bb911-e81c-4032-a7ad-d547c5974806})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet003\Lsa\".
Remove "<$ENV(Virtumonde1{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C})>.dll" from registry value "Path" at "HKEY_LOCAL_MACHINE\Software\Microsoft\IProxyProvider\".
Remove "<$ENV(Virtumonde1{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet001\Lsa\".
Remove "<$ENV(Virtumonde1{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet002\Lsa\".
Remove "<$ENV(Virtumonde1{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet003\Lsa\".
Remove "<$ENV(Virtumonde1{72660BE7-3296-4A1B-9ACC-3078C7081354})>.dll" from registry value "Path" at "HKEY_LOCAL_MACHINE\Software\Microsoft\IProxyProvider\".
Remove "<$ENV(Virtumonde1{72660BE7-3296-4A1B-9ACC-3078C7081354})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet001\Lsa\".
Remove "<$ENV(Virtumonde1{72660BE7-3296-4A1B-9ACC-3078C7081354})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet002\Lsa\".
Remove "<$ENV(Virtumonde1{72660BE7-3296-4A1B-9ACC-3078C7081354})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet003\Lsa\".
Remove "<$ENV(Virtumonde1{7CFCA028-F14A-4546-8D7A-E35333690F3C})>.dll" from registry value "Path" at "HKEY_LOCAL_MACHINE\Software\Microsoft\IProxyProvider\".
Remove "<$ENV(Virtumonde1{7CFCA028-F14A-4546-8D7A-E35333690F3C})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet001\Lsa\".
Remove "<$ENV(Virtumonde1{7CFCA028-F14A-4546-8D7A-E35333690F3C})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet002\Lsa\".
Remove "<$ENV(Virtumonde1{7CFCA028-F14A-4546-8D7A-E35333690F3C})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet003\Lsa\".
Remove "<$ENV(Virtumonde1{95EFD7D6-558E-48BC-9A76-7A3EB4BFE359})>.dll" from registry value "Path" at "HKEY_LOCAL_MACHINE\Software\Microsoft\IProxyProvider\".
Remove "<$ENV(Virtumonde1{95EFD7D6-558E-48BC-9A76-7A3EB4BFE359})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet001\Lsa\".
Remove "<$ENV(Virtumonde1{95EFD7D6-558E-48BC-9A76-7A3EB4BFE359})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet002\Lsa\".
Remove "<$ENV(Virtumonde1{95EFD7D6-558E-48BC-9A76-7A3EB4BFE359})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet003\Lsa\".
Remove "<$ENV(Virtumonde1{AE2183A9-F7E6-4990-B492-216C1DC23918})>.dll" from registry value "Path" at "HKEY_LOCAL_MACHINE\Software\Microsoft\IProxyProvider\".
Remove "<$ENV(Virtumonde1{AE2183A9-F7E6-4990-B492-216C1DC23918})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet001\Lsa\".
Remove "<$ENV(Virtumonde1{AE2183A9-F7E6-4990-B492-216C1DC23918})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet002\Lsa\".
Remove "<$ENV(Virtumonde1{AE2183A9-F7E6-4990-B492-216C1DC23918})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet003\Lsa\".
Remove "<$ENV(Virtumonde1{b0092b56-579f-4859-b775-d5090dfd7036})>.dll" from registry value "Path" at "HKEY_LOCAL_MACHINE\Software\Microsoft\IProxyProvider\".
Remove "<$ENV(Virtumonde1{b0092b56-579f-4859-b775-d5090dfd7036})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet001\Lsa\".
Remove "<$ENV(Virtumonde1{b0092b56-579f-4859-b775-d5090dfd7036})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet002\Lsa\".
Remove "<$ENV(Virtumonde1{b0092b56-579f-4859-b775-d5090dfd7036})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet003\Lsa\".
Remove "<$ENV(Virtumonde1{D662FD9E-1C0A-4743-908E-558F5333EBBE})>.dll" from registry value "Path" at "HKEY_LOCAL_MACHINE\Software\Microsoft\IProxyProvider\".
Remove "<$ENV(Virtumonde1{D662FD9E-1C0A-4743-908E-558F5333EBBE})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet001\Lsa\".
Remove "<$ENV(Virtumonde1{D662FD9E-1C0A-4743-908E-558F5333EBBE})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet002\Lsa\".
Remove "<$ENV(Virtumonde1{D662FD9E-1C0A-4743-908E-558F5333EBBE})>" from registry value "Authentication Packages" at "HKEY_LOCAL_MACHINE\System\ControlSet003\Lsa\".
Remove "<$ENV(Virtumonde2{19cd003b-d358-4e37-8a04-26bca59f8962})>.dll" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{19cd003b-d358-4e37-8a04-26bca59f8962})>" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB})>.dll" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB})>" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{24d514d9-f3a6-47ce-a466-648c7599345d})>.dll" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{24d514d9-f3a6-47ce-a466-648c7599345d})>" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{39F913BC-378E-4EE6-B19E-A78495558526})>.dll" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{39F913BC-378E-4EE6-B19E-A78495558526})>" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{3c9693be-d2dd-4e7e-8391-31e45f37de94})>.dll" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{3c9693be-d2dd-4e7e-8391-31e45f37de94})>" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{3f086d47-3283-4c19-8e39-e5db12051c45})>.dll" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{3f086d47-3283-4c19-8e39-e5db12051c45})>" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{4176feeb-6249-4429-b922-2046495c30ce})>.dll" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{4176feeb-6249-4429-b922-2046495c30ce})>" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{56d6de79-7bfd-4e16-9c4f-b3b916a0c179})>.dll" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{56d6de79-7bfd-4e16-9c4f-b3b916a0c179})>" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{678bb911-e81c-4032-a7ad-d547c5974806})>.dll" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{678bb911-e81c-4032-a7ad-d547c5974806})>" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C})>.dll" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C})>" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{72660BE7-3296-4A1B-9ACC-3078C7081354})>.dll" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{72660BE7-3296-4A1B-9ACC-3078C7081354})>" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{7CFCA028-F14A-4546-8D7A-E35333690F3C})>.dll" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{7CFCA028-F14A-4546-8D7A-E35333690F3C})>" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{95EFD7D6-558E-48BC-9A76-7A3EB4BFE359})>.dll" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{95EFD7D6-558E-48BC-9A76-7A3EB4BFE359})>" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{AE2183A9-F7E6-4990-B492-216C1DC23918})>.dll" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{AE2183A9-F7E6-4990-B492-216C1DC23918})>" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{b0092b56-579f-4859-b775-d5090dfd7036})>.dll" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{b0092b56-579f-4859-b775-d5090dfd7036})>" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{D662FD9E-1C0A-4743-908E-558F5333EBBE})>.dll" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<$ENV(Virtumonde2{D662FD9E-1C0A-4743-908E-558F5333EBBE})>" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
Remove "<regexpr>(. \\(\S{3,8}))\.dll" from registry value "" at "HKEY_CLASSES_ROOT\CLSID\{19cd003b-d358-4e37-8a04-26bca59f8962}\InprocServer32\".
Remove "<regexpr>(. \\(\S{3,8}))\.dll" from registry value "" at "HKEY_CLASSES_ROOT\CLSID\{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB}\InprocServer32\".
Remove "<regexpr>(. \\(\S{3,8}))\.dll" from registry value "" at "HKEY_CLASSES_ROOT\CLSID\{24d514d9-f3a6-47ce-a466-648c7599345d}\InprocServer32\".
Remove "<regexpr>(. \\(\S{3,8}))\.dll" from registry value "" at "HKEY_CLASSES_ROOT\CLSID\{39F913BC-378E-4EE6-B19E-A78495558526}\InprocServer32\".
Remove "<regexpr>(. \\(\S{3,8}))\.dll" from registry value "" at "HKEY_CLASSES_ROOT\CLSID\{3c9693be-d2dd-4e7e-8391-31e45f37de94}\InprocServer32\".
Remove "<regexpr>(. \\(\S{3,8}))\.dll" from registry value "" at "HKEY_CLASSES_ROOT\CLSID\{3f086d47-3283-4c19-8e39-e5db12051c45}\InprocServer32\".
Remove "<regexpr>(. \\(\S{3,8}))\.dll" from registry value "" at "HKEY_CLASSES_ROOT\CLSID\{4176feeb-6249-4429-b922-2046495c30ce}\InprocServer32\".
Remove "<regexpr>(. \\(\S{3,8}))\.dll" from registry value "" at "HKEY_CLASSES_ROOT\CLSID\{56d6de79-7bfd-4e16-9c4f-b3b916a0c179}\InprocServer32\".
Remove "<regexpr>(. \\(\S{3,8}))\.dll" from registry value "" at "HKEY_CLASSES_ROOT\CLSID\{678bb911-e81c-4032-a7ad-d547c5974806}\InprocServer32\".
Remove "<regexpr>(. \\(\S{3,8}))\.dll" from registry value "" at "HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\".
Remove "<regexpr>(. \\(\S{3,8}))\.dll" from registry value "" at "HKEY_CLASSES_ROOT\CLSID\{72660BE7-3296-4A1B-9ACC-3078C7081354}\InprocServer32\".
Remove "<regexpr>(. \\(\S{3,8}))\.dll" from registry value "" at "HKEY_CLASSES_ROOT\CLSID\{7CFCA028-F14A-4546-8D7A-E35333690F3C}\InprocServer32\".
Remove "<regexpr>(. \\(\S{3,8}))\.dll" from registry value "" at "HKEY_CLASSES_ROOT\CLSID\{95EFD7D6-558E-48BC-9A76-7A3EB4BFE359}\InprocServer32\".
Remove "<regexpr>(. \\(\S{3,8}))\.dll" from registry value "" at "HKEY_CLASSES_ROOT\CLSID\{AE2183A9-F7E6-4990-B492-216C1DC23918}\InprocServer32\".
Remove "<regexpr>(. \\(\S{3,8}))\.dll" from registry value "" at "HKEY_CLASSES_ROOT\CLSID\{b0092b56-579f-4859-b775-d5090dfd7036}\InprocServer32\".
Remove "<regexpr>(. \\(\S{3,8}))\.dll" from registry value "" at "HKEY_CLASSES_ROOT\CLSID\{D662FD9E-1C0A-4743-908E-558F5333EBBE}\InprocServer32\".
If Virtumonde.sci uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
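The registry steps above all touch well-known persistence points (BHO CLSIDs, ShellExecuteHooks, Winlogon\Notify, AppInit_DLLs, LSA Authentication Packages) plus two keys the guide attributes to the malware itself. The following read-only PowerShell audit is an added example, not part of this guide or of Spybot's software: it enumerates those locations, resolves each CLSID to its InprocServer32 DLL and flags entries whose DLL is missing, unsigned or outside %WINDIR%, so you can compare the output against the lists above before deleting anything. It assumes a stock system where msv1_0 is the only LSA authentication package, and it reads CurrentControlSet rather than each numbered ControlSet.

```powershell
# Added example (not from the Spybot guide): read-only audit of the persistence
# locations this guide cleans. Nothing is deleted; review the report, then apply
# the guide's steps. Run from an elevated prompt so ACL-restricted keys are readable.
[CmdletBinding()]
param(
    # Optional: CLSIDs copied from the guide's list, to mark known-listed hits.
    [string[]]$KnownClsid = @()
)

$known = @($KnownClsid | ForEach-Object { $_.ToLowerInvariant() })

function Resolve-ClsidDll {
    param([string]$Clsid)
    # The default value of HKCR\CLSID\{guid}\InprocServer32 is the DLL path.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path $key)) { return $null }
    $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if (-not $raw) { return $null }
    return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
}

function Test-DllSuspicious {
    param([string]$Path)
    # Returns the reasons an entry stands out; nothing returned means it looked normal.
    if (-not $Path) { return 'no DLL path' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'file missing' }
    $reasons = @()
    if ($Path -notlike "$env:WINDIR\*") { $reasons += 'outside %WINDIR%' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    return $reasons
}

function New-AuditRow {
    param([string]$Location, [string]$Entry, [string]$Dll)
    $flags = @(Test-DllSuspicious $Dll | Where-Object { $_ })
    if ($known -contains $Entry.ToLowerInvariant()) { $flags += 'listed in guide' }
    [pscustomobject]@{ Location = $Location; Entry = $Entry; Dll = $Dll; Flags = ($flags -join '; ') }
}

$results = @()

# 1. Browser Helper Objects (subkeys) and ShellExecuteHooks (value names) are CLSIDs.
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bho) {
    Get-ChildItem $bho | ForEach-Object {
        $results += New-AuditRow 'BHO' $_.PSChildName (Resolve-ClsidDll $_.PSChildName)
    }
}
$seh = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $seh) {
    (Get-Item $seh).GetValueNames() | Where-Object { $_ -like '{*}' } | ForEach-Object {
        $results += New-AuditRow 'ShellExecuteHooks' $_ (Resolve-ClsidDll $_)
    }
}

# 2. Winlogon\Notify: each subkey names its DLL in the DLLName value (bare names live in System32).
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    Get-ChildItem $notify | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:WINDIR "System32\$dll" }
        $results += New-AuditRow 'Winlogon\Notify' $_.PSChildName $dll
    }
}

# 3. AppInit_DLLs: a single space- or comma-separated string loaded into every user32 process.
$win = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appinit = (Get-ItemProperty $win -ErrorAction SilentlyContinue).AppInit_DLLs
foreach ($d in ($appinit -split '[ ,]+' | Where-Object { $_ })) {
    $results += New-AuditRow 'AppInit_DLLs' $d ([Environment]::ExpandEnvironmentVariables($d))
}

# 4. LSA Authentication Packages (REG_MULTI_SZ). Assumption: only msv1_0 is expected.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
foreach ($p in (Get-ItemProperty $lsa).'Authentication Packages') {
    if ($p -ne 'msv1_0') {
        $results += New-AuditRow 'LSA Auth Packages' $p (Join-Path $env:WINDIR "System32\$p.dll")
    }
}

# 5. Keys the guide attributes to the malware itself; their mere presence is a finding.
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\IProxyProvider', 'HKLM:\SOFTWARE\Microsoft\dslcnnct') {
    if (Test-Path $k) {
        $results += [pscustomobject]@{ Location = 'Guide-named key'; Entry = $k; Dll = ''; Flags = 'key present' }
    }
}

$results | Sort-Object Location | Format-Table -AutoSize
```

Entries flagged "outside %WINDIR%" or "signature: NotSigned" are the ones to check against the CLSID list above; legitimate third-party BHOs will also show up, so the report is a starting point for review, not a verdict.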

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance,
then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as one is available.

There are more files or system entries belonging to this product that <$SPYBOTSD> can remove, but that cannot be easily described in text. Please use <$SPYBOTSD> to make sure <$PRODUCTNAME> gets completely removed.