Another vundo victim

By Budwhite501
Feb 7, 2008
  1. Hey, have been using the spyware/malware preliminary removal instructions on this site after being infected with a virtumonde virus which seemed to lead to a whole bunch of other nasties turning up on my cpu following various checks and scans.

    The cpu was behaving oddly during startup after the infection running commands I couldnt see in quickly opening DOS style command boxes (forgive me im not very computer literate) and was also performing a number of strange startup processes which I checked using MSCONFIG.

    A note, during the fixes I was unable to perform the antirootkit scan as the PAVARK programme ran, requested to startup and after startup didnt run.

    After running all of the fixes it seems to be a lot healthier although startup time is now slowed by adaware, avg, comodo firewall and spybot tea-timer all competing for memory. I ticked the boxes advised to stop the automatic shields opening on startup but they all seem to whether I deselect them in MSCONFIG or not. Before running any checks or scans though I disabled them or ran the computer in safe mode to attempt to make sure there were no conflictual issues.

    Although the system is much healthier many of the evil startup processes are still in the selective startup menu, although I know that before unchecking one of them it was trying to load but failing to find the required system file, which i hope is a good thing and symptomatic of the others too.

    Another alarming note, on startup spybot teatimer gives me alarming messages about items being added to the registry which look very suspicious. Unsure of what to do and cautious of allowing these changes and mucking the thing up further Ive been denying them. I hope this was the right thing to do.

    Anyway Id be genuinely eternally grateful if some expert could take a look at the logs and give me some feedback. It'd also be great to know how to speed the system up at startup and generally as at the moment, startup is taking a seemingly long time.

    One more thing, I ran the avgantispyware tool before doing the whole process in a vain attempt to see if that would work alone. Upon using it again as part of the removal process it only recovered one threat compared to the 17 it had before that, so I have included both logs, which are dated, first was yesterday, second was today UK time.

    Thanks again in advance .
  2. Budwhite501

    Budwhite501 TS Rookie Topic Starter

    I just realised that after looking at the avg antispyware log it refers to all actions being taken as being ignored. I understand that this is specifically reiterated as undesirable by the author of the removal process, but I remember clearly sending the results to quarantine! Im worried now that I thought that this was the same thing as setting avg to quarantine anything that it finds. I really am hoping I dont have to go through the whole 15 steps again!! I suspect I do now looking at that logfile. ARRRRGGHGHHHGHGHGHGH lol
  3. Budwhite501

    Budwhite501 TS Rookie Topic Starter

    Update. This time I ran spybot search and destroy and it didnt find any virtumonde or outerinfo which it has been doing every other time i used it. However I think the virus might still be there as the tea-timer keeps on informing me that a registry change is attempting to happen. It says this from the log:

    ???A????08/02/2008 01:13:42 Denied (based on user decision) value "BootExecute" (new data: "autocheck autochk *
    ???A????08/02/2008 04:15:03 Denied (based on user decision) value "BootExecute" (new data: "autocheck autochk *

    ") changed in Session manager!
    08/02/2008 04:15:09 Denied (based on user decision) value "BootExecute" (new data: "autocheck autochk *

    ") changed in Session manager!
    08/02/2008 14:32:40 Denied (based on user decision) value "BootExecute" (new data: "autocheck autochk *
    ") changed in Session manager!
    08/02/2008 14:32:59 Denied (based on user decision) value "BootExecute" (new data: "autocheck autochk *
    ") changed in Session manager! Should i allow this change or is this the vundo trying to sneak back in? It seems odd as the last time I used the cpu I made no real changes at all, just came on to this site.
  4. Budwhite501

    Budwhite501 TS Rookie Topic Starter

    Hi,a generous person is helping me out at bleeping computer for now. Thanks anyway
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...