Author Topic: After a scan, infected files are in chest, but computer is still infected  (Read 2878 times)

akay

  • Guest
I'm using Avast Home Edition 4.8 on a machine running Windows XP.

Yesterday morning, I started receiving odd pop up windows and noticed that my computer was running quite slowly, so I set Avast to do a scan overnight.

I put the following files into my Virus Chest:
  • halihupe.dll located in C:\WINDOWS\system32
  • kxro76nx.tmp located in C:\Documents and Settings\akay\Local Settings\Temp
  • lumiwoyo.dll located in C:\WINDOWS\system32
  • SURIKUJO.DLL located in C:\WINDOWS\system32

However, I'm still receiving the same pop up windows today and it's clear that a virus is still infecting my computer.
After a thorough scan already seemed to work, how can I find the virus my Avast scanner appears to have missed?


On a side note, I don't know if this could possibly be related, but yesterday afternoon my web hosting provider migrated my server without giving me proper notice. Amongst other things, this caused my outgoing email to stop working and my personal website was replaced with a seven-year-old version of itself.

I never click on suspicious links or emails, and even if one does pop up, Avast always catches it for me, so I'm very curious how this virus slipped in.
I know incredibly little about computer viruses, but is it possible that this server migration could have made my computer susceptible in some way?

Thank you!

Rednose
« Reply #1 on: February 12, 2010, 04:52:07 PM »
Hi akay, welcome to the forum :)

It looks like Vundo/Virtumonde related, and that is a nasty infection :( I already PMed essexboy about it because he is the most qualified person here to help you :)

Maybe you can follow the steps from this topic in the meantime:

http://forum.avast.com/index.php?topic=53253.0

...and post the logs here ???

Greetz, Red.
« Last Edit: February 12, 2010, 05:02:19 PM by Rednose »
OS: Win 10 / iOS 17 / Debian 12 / Tails 5
Real Time: Avast Premium Security
On Demand: Malwarebytes
VPN: NordVPN ( NordLynx ) with Threat Protection ( Lite )

akay

  • Guest
« Reply #2 on: February 12, 2010, 05:31:08 PM »
Thank you, I'll look into that post right now.

akay

  • Guest
« Reply #3 on: February 12, 2010, 06:29:02 PM »
Hi Rednose,

My MBAM log follows, and the two OTL text files are attached.



Malwarebytes' Anti-Malware 1.44
Database version: 3730
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2/12/2010 11:00:34 AM
mbam-log-2010-02-12 (11-00-34).txt

Scan type: Quick Scan
Objects scanned: 158017
Time elapsed: 17 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\jomibeyo.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{90a9d856-1498-4b77-81c0-135d06b5e992} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dahosodiw (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{90a9d856-1498-4b77-81c0-135d06b5e992} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\zogawojuh (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\jomibeyo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\jomibeyo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\galoreze.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gogaroho.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gudasene.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\himapote.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jomibeyo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jotejiho.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jubamibi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kuvalepi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nodedeje.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rijarifa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\risasere.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vorefifa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\webaduba.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wenijalu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zizavamu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kopimedo.dll.tmp (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wosiposi.dll.tmp (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yenonoje.dll.tmp (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\RECYCLER\ADAPT_Installer.exe (Trojan.Agent) -> Quarantined and deleted successfully.


essexboy
« Reply #4 on: February 12, 2010, 08:02:15 PM »
Looks like MBAM got it all - are you having any problems?

akay

  • Guest
« Reply #5 on: February 12, 2010, 08:08:49 PM »
Yep, it seems like everything is fine now.

Thanks so much for your help! It's incredibly appreciated.

essexboy
« Reply #6 on: February 12, 2010, 08:24:49 PM »
No problem - within the sticky thread is a link to the main malware infections with the instructions and tools to do the removal.