Missing dll files in Temp folder

Barry Schwarz

Windows XP SP2 - 1 user account and 1 admin account

The user account was infected on 2 April, probably with virtumonde.
Between Norton and SpyBot it seems to have been fixed. In the course
of working the problem, I manually deleted numerous files from various
temporary folders, especially exe and dll files modified at the time
of infection.

Now when I log on to that account, I get three small pop-up windows
alerting me that files
C:\Docume~1\Barry\LOCALS~1\Temp\hgGyWOFu.dll
C:\Docume~1\Barry\LOCALS~1\Temp\Yjgldenv.dll
C:\Docume~1\Barry\LOCALS~1\Temp\awtutUNh.dll
could not be found. I assume no real system file is ever stored in a
user's temporary folder.

Everything seems to work after acknowledging the alerts so I'm hoping
these files were part of the virus. I assume the alerts are the
result of some residual crap in the registry.

Can someone tell me how to get rid of the alerts?


Remove del for email
 
Malke

Barry said:
Windows XP SP2 - 1 user account and 1 admin account

The user account was infected on 2 April, probably with virtumonde.
Between Norton and SpyBot it seems to have been fixed. In the course
of working the problem, I manually deleted numerous files from various
temporary folders, especially exe and dll files modified at the time
of infection.

Now when I log on to that account, I get three small pop-up windows
alerting me that files
C:\Docume~1\Barry\LOCALS~1\Temp\hgGyWOFu.dll
C:\Docume~1\Barry\LOCALS~1\Temp\Yjgldenv.dll
C:\Docume~1\Barry\LOCALS~1\Temp\awtutUNh.dll
could not be found. I assume no real system file is ever stored in a
user's temporary folder.

Everything seems to work after acknowledging the alerts so I'm hoping
these files were part of the virus. I assume the alerts are the
result of some residual crap in the registry.

Can someone tell me how to get rid of the alerts?

It is highly unlikely that this computer is clean if all you used to remove
Virtumonde was Norton and Spybot. Current variants of Virtumonde are
extremely difficult to remove. I strongly suggest that you get guided help
as detailed below. If you are resistant to doing the work necessary (not
recommended), then see the "Manage Startup Matrix" information at the end
of this post.

A. Malware removal - Check to see if there are targeted removal steps for
your malware in the Bleeping Computer removal how-to's -
http://www.bleepingcomputer.com/forums/forum55.html

When all else fails, get guided help. Choose one of the specialty HijackThis
forums listed at:

http://www.elephantboycomputers.com/page2.html#Removing_Malware
or simply register at BleepingComputer since you will be there anyway.

Register and read its posting FAQ. You will generally be asked to:

1. Download and execute HiJack This! (HJT) -
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

2. Disable Notepad's word wrap - In Notepad.exe: Format --> uncheck "Word
wrap"

3. Download/run Deckard's System Scanner -
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post at the
forum you chose. DO NOT POST LOGS IN THE MS NEWSGROUPS.

B. Manage Startup Matrix

It is always better to stop programs from starting with Windows from within
the programs themselves, so look in their Options before changing anything
with msconfig - you're just examining things at this stage. If a program
doesn't offer any way to control startup from its Preferences, then use
msconfig to uncheck the box next to its name, Apply and OK out.

Start>Run>msconfig [enter]

This brings up the System Configuration Utility. Look on the Startup tab and
find the probable culprit. Uncheck the box next to its name, Apply and OK
out. You don't need to restart immediately, but the next time you do you'll
get a dialog saying you've used the Utility. Just tick the box that says in
effect, "don't bother me about this again".

Important - Do not use the System Configuration Utility to stop processes.
Instead, use Start>Run>services.msc [enter] and do not stop any services
unless you really, really know what you're doing.

How to Troubleshoot By Using the Msconfig Utility in Windows XP -
http://support.microsoft.com/?id=310560
The free Autoruns program is very useful for managing your Startup -
http://www.microsoft.com/technet/sysinternals/default.mspx - Autoruns

Standard disclaimer: I can't see and test your computer myself, so these are
just suggestions based on many years of being a professional computer tech;
suggestions based on what you've written. You should not take my
suggestions as a definitive diagnosis. If you can't do the work yourself
(and there is no shame in admitting this isn't your cup of tea), take the
machine to a professional computer repair shop (not your local equivalent
of BigComputerStore/GeekSquad). Please be aware that not all local shops
are skilled at removing malware and even if they are, your computer may be
so infested that Windows will need to be clean-installed. If possible, have
all your data backed up before you take the machine into a shop.

Malke
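The pop-ups Barry describes come from autostart entries (Run keys, Winlogon Notify packages, AppInit_DLLs, Browser Helper Objects) that still point at files he deleted by hand. The script below is an added example, not part of the original thread and not code from HijackThis, Norton or Spybot: it walks those standard registry locations and reports every entry whose target file is missing or lives under a Temp folder. It assumes PowerShell 2.0 or later (an optional download for XP SP3, standard on later Windows; on SP2 the same keys can be inspected with regedit or Autoruns) and only reports, it does not delete anything.

```powershell
# Added example, not part of the original thread: list autostart entries whose
# target file no longer exists, the usual source of "could not be found"
# pop-ups after malware files have been deleted by hand. Assumes PowerShell
# 2.0 or later and the standard Windows autostart registry keys; the checking
# logic is this example's own, not that of HijackThis, Norton or Spybot.

function Resolve-ReferencedFile {
    param([string]$Text)
    # Pull the program or DLL path out of a command line, quoted or unquoted,
    # and expand %TEMP%-style variables so the file can be tested on disk.
    $t = [Environment]::ExpandEnvironmentVariables($Text).Trim()
    if ($t -match '^"([^"]+)"') { $t = $Matches[1] }
    elseif ($t -match '^(\S+?\.(exe|dll|sys|scr|cpl))(\s|$)') { $t = $Matches[1] }
    else { $t = ($t -split '\s+')[0] }
    # "rundll32 foo.dll,Entry": the DLL, not rundll32.exe, is the real target.
    if ($t -match '(^|\\)rundll32(\.exe)?$' -and $Text -match 'rundll32(\.exe)?\s+"?([^",]+\.dll)') {
        $t = [Environment]::ExpandEnvironmentVariables($Matches[2])
    }
    # A bare file name is resolved against System32, where the loader looks.
    if ($t -notmatch '[\\/]') { $t = Join-Path $env:SystemRoot "System32\$t" }
    return $t
}

function New-Entry([string]$Location, [string]$Name, [string]$File) {
    New-Object PSObject -Property @{ Location = $Location; Name = $Name; File = $File }
}

function Get-AutostartEntries {
    $entries = @()
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # 1. Run / RunOnce keys: each value name carries a command line.
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path $key)) { continue }
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($meta -contains $p.Name) { continue }
                $entries += New-Entry $key $p.Name (Resolve-ReferencedFile ([string]$p.Value))
            }
        }
    }

    # 2. Winlogon Notify packages: each subkey's DLLName loads at logon.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($k in Get-ChildItem $notify) {
            $dll = (Get-ItemProperty $k.PSPath).DLLName
            if ($dll) { $entries += New-Entry $notify $k.PSChildName (Resolve-ReferencedFile $dll) }
        }
    }

    # 3. AppInit_DLLs: loaded into every process that links user32.dll.
    $win = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $appinit = (Get-ItemProperty $win -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appinit) {
        foreach ($d in ($appinit -split '[ ,;]+' | Where-Object { $_ })) {
            $entries += New-Entry "$win\AppInit_DLLs" $d (Resolve-ReferencedFile $d)
        }
    }

    # 4. Browser Helper Objects: CLSID -> InprocServer32 default value.
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bho) {
        foreach ($k in Get-ChildItem $bho) {
            $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$($k.PSChildName)\InprocServer32"
            $dll = (Get-ItemProperty $srv -ErrorAction SilentlyContinue).'(default)'
            $file = ''
            if ($dll) { $file = Resolve-ReferencedFile $dll }
            $entries += New-Entry $bho $k.PSChildName $file
        }
    }
    return $entries
}

function Get-SuspectAutostartEntries {
    # Flag entries whose file is gone, and separately any whose file lives
    # under a Temp folder, since no legitimate startup component belongs there.
    foreach ($e in Get-AutostartEntries) {
        $exists = $e.File -and (Test-Path -LiteralPath $e.File -PathType Leaf)
        $inTemp = $e.File -match '\\(Temp|Temporary Internet Files)\\'
        if (-not $exists -or $inTemp) {
            $e | Add-Member NoteProperty Missing (-not $exists) -PassThru |
                 Add-Member NoteProperty InTemp $inTemp -PassThru
        }
    }
}

Get-SuspectAutostartEntries | Format-Table Location, Name, File, Missing, InTemp -AutoSize
```

Run it from the infected account (the HKCU keys are per user) as an administrator so the HKLM keys are readable. The rows it prints correspond to the O4 (Run keys), O20 (Winlogon Notify and AppInit_DLLs) and O2 (BHO) lines in a HijackThis log; an entry flagged Missing with a random name under the user's Temp folder, like the three DLLs in the original post, is what produces the logon alerts. Confirm each flagged entry is not something you installed before removing it, and keep a registry export of the key first.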
 
Barry Schwarz

Thank you for the info. It turned out that the only residue was some
registry entries and HiJackThis from bleepingcomputer was able to
delete them.

Remove del for email
 
