Nagging Asymptomatic Infection

Hi,
Here is my first post about my ongoing troubles with the vundo/virtumonde/zlob virus. I attached my logs, and below is my long story. I don't know what's relevant, so I tried to be as thorough as possible. The short version is, I had a problem with pop-ups, a professional fixed it for about 10 days, then my registry scanner and anti-virus programs detected more problems, although I have had no pop-ups since the pro fix.

So, long version: bBack at the end of March I got infected with vundo/virtumonde/zlob. Because of a problem with using an ISP with very limited bandwidth allowances I missed some Windows updates. I have since updated Windows (and done all the other things in the RUN FIRST thread). (I have also cleaned up my desktop this evening, as I saw in another thread that keeping it tidy is recommended.) I knew I was infected because random pop-up ads for fake security programs started appearing.

Anyway, I tried to remove the infection myself with Norton, PCTools, and SypHunter, but though they all found some files, they didn't find all files. They also called the bug by different names (zlob, vundo, virtumonde). I'm only able enough to type in "regedit," but I tried manually deleting the "bad" registry keys that PCTools found, and they kept coming back. So after 2.5 days of this I gave up and sought professional help through an online computer repair company, which deleted all the software they used after fixing the infection. For about 10 days after things were fine. No pop-ups, and my computer seemed normal.

Then Registry Mechanic popped up a message saying my registry had been changed and Norton popped up saying it had detected and quarantined a threat...called vundo. Boy was that a bummer! However, I haven't had a single pop-up ad since the professional cleaning. The only reason I knew my computer still had bad files on it was because of Registry Mechanic and Norton. I downloaded and ran Malawarebytes and it deleted 4 dll files. Norton had trouble reporting and repairing the files it found, but it did delete them when I viewed them in the quarantine window. I thought I was OK. Then the same thing happened, twice. RM alerted me, I ran scans, I found infections. I wrote down the names of the dlls.

4/11/09
saw registry changed, repaired, ran Malaware; deleted
C:\WINDOWS\system32\sizugomu.dll
C:\WINDOWS\system32\pedanawe.dll
C:\WINDOWS\system32\besohaki.dll
C:\WINDOWS\system32\ruperapi.dll

4/19/09
saw registry changed, repaired, ran Malaware; deleted
C:\\WINDOWS\system32\kiduruka.dll
C:\\WINDOWS\system32\jijivafo.dll

4/20/09
saw registry changed, repaired, ran Malaware; deleted
C:\\WINDOWS\system32\gavewuwu.dll

I decided to try to do some kind of a cleaning on my computer myself, so I found this forum and the READ & RUN ME FIRST instructions. I completed these (see logs; no viruses were found except by ComboFix) and ran a Norton scan after I completed the RUN ME FIRST instructions. It found 7 "virus threats." I'll attach the Norton log in a second post. Norton recommended "repair" and failed at that. I don't see them in the "Quarantine and Restore" area. I don't understand why they're in a SUPERAntiSpyware folder.

I deleted SUPERAntiSpyware after saving its log because it kept trying to run on start-up, and I thought after going through the forum's instructions I would be free of the virus. Silly me! Anyway, I can easily re-install it if needed.

Since Norton hasn't worked in the past, I strongly suspect I still have a virus knocking around my computer even though it hasn't had pop-up ads and it hasn't had poor performance.

Final note: My "my computer" is named "liam." In case that causes any confusion.

Okay, sorry this is so long. Thanks in advance!

 

Re: Nagging Asymptomatic (Vundo) Infection

Technically this is a bump, but here are the Norton logs too.

 

After the R&R process I noticed several changes to the way my computer functions. I worried that they could be indicators of a more serious problem and after hemming and hawing I tried system restore. I had had it turned off since getting the virus (based on other advice) but since ComboFix had turned it back on and made a restore point I gave it a try. (I know now that this was dumb, my bad.) Anyway, it ran and rebooted and said no changes had been made to my computer. Sorry again, and I've learned my lesson!

To list the changes I have noticed:

1. Booting up: Instead of just starting Windows, it displays a choice of OS's to load for three seconds. Microsoft Windows Recovery Console or Windows XP Home Edition. XP HE is my operating system. BOOT.INI identifes the path that leads to it as invalid when you click the "Check All Boot Paths" button, but it won't boot in Normal with XP HE selected, only in Selective mode. When I choose Normal, the recovery module choice appears again and is selected. This is how the display looks in BOOT.INI

[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating system]
C:\CMDCONS\BOOTSECT.DAT="Miscrosoft Windows Recovery Console" /cmdcons
multi(0)disk(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /no execute=optin /fastdetect

2. Auto-run: When I put in a flash card, flash drive, or CD/DVD, it used to be that a window would pop up to ask what I wanted to do (flash card and drives) or play the CD/DVD automatically. Now that doesn't happen.

3. Return sometimes no longer = save: I noticed in Adobe Elements and in Word, sometimes when I click "save as" and type in the new file name and hit return, hitting return does nothing. The save button still looks highlighted (the light blue outline) but nothing happens. Before, when I hit return, it would be the same as if I had clicked "save" with the mouse cursor. It seems like this is happening less often now, so I'm sorry I can't be more specific about it.

4. Display of IE7 address icons: The incorrect icon often appears in the address toolbar. It's disconcerting, and at first I thought my browser was being hijacked, but I checked with Firefox, and it worked fine. Now some of the websites that had incorrect icons are showing correct ones.

On the 25th I had Registry Mechanic randomly pop up and say it had detected changes to my registry. I wasn't installing a program. I was reading an e-mail. I ran a scan with Registry Mechanic, it found 12 problems, and I repaired them. This had happened from time to time since the initial infection.

Okay, I hope it's all right that I added this information to the thread. I didn't want to wait too long to post about it, but I didn't want to bump. I just don't know what's important for you to know or not, so decided I'd better err on the side of telling more than less. Thanks again, and I hope I'm not too trying a forum poster.

 

Hi and thank you, dr.moriarty!

I followed the steps as directed, and everything went smoothly except that upon reboot following ComboFix's running, Norton tried to start its real-time security, although I had told it to disable itself for 4 hours. ComboFix finished running anyway and generated a log. Both logs are attached.

I opened IE7 and Firefox, and they seem normal and IE7's icons are back to normal. Upon start up my computer still gives me the option of running the Microsoft Recovery Console or Windows XP Home Edition, and I still don't have the auto-play occurring when I put in a CD/DVD, flash card, or flash drive (these changes appeared after the first running of ComboFix). Some time will have to pass, as I use my computer, to see if Registry Mechanic unexpectedly reports a change to the registry. This was not a daily occurrance.

Thanks again!

 

Hi, and thanks again for all your work on my computer's problem. I'm sorry to hear about your bad weather!

First, I followed the final steps (removed ComboFix and toggled system restore), and things seem fine.

Yep, I meant auto-run, so now I understand what was going on with that. Two more quick questions now, which if I need to research them elsewhere, no problem.

1. With the Recovery Console, is there any way to make it stop asking me which OS I want to run upon bootup? Should I uninstall it somehow?

2. The other thing that started after I first ran Combo Fix was that when I would go to save a file in some circumstances, where before I could hit "return" and that would be the same as clicking "save" with the mouse, now though the "save" button has the blue border to indicate it's selected, hitting return does nothing. I don't know if this is connected with auto-run or what the proper term is for it, but was was a new wrinkle in how programs like Word and Photoshop Elements worked.

Thanks again!