bilelovi.dll not valid windows image, win32:rootkit-gen, vundo variant problems

Hello everybody,
Yesterday while using avast I got a prompt saying there was a trojan in my temp files, and I chose to move it to the chest, and when I did that my computer froze. So I restarted my computer and when Windows booted up I got a BSOD. This happened in every mode that I started up in, so I did a repair install of Windows.

During and after the repair install I kept getting an error when a program would run saying …/system/bilelovi.dll is not a valid windows xp image. Doing a Google search, it seems to be related to the Vundo/Virtumonde virus.

After the repair install completed I did a boot scan with avast and avast found 10 infected files. I don’t know if they’re all related to Vundo or what. I’m sorry I don’t have the log, but here are the virus reports I wrote down:

…\drivers\4DW4R3.sys
win32:Agent-AJDG

system32\runuvozo.dll
win32: jifas-DZ

temp\000067e3.sys
win32:malware.gen

RP294\A0077716.exe
win32:rootkit-gen

RP294\A0077730.exe
win32:jifas-dz

So I quarantined all of the files with avast, but when I started up I kept getting the invalid windows xp image error with bilelovi.dll, so I decided just to do a reformat and reinstall Windows.

After doing a fresh install I installed the trial of nod32, anti-malware and spybot S&D. I scanned my system drive and they all said it was clean. So I reconnected my archival drive and scanned that. Both Malwarebytes and nod32 found infected files.

Nod32 said that an ebook was infected with a variant of Win32/Adware.Virtumode.NBT application, and NOD32 reported it was able to delete it and quarantine it successfully.

And from Malwarebytes:


Malwarebytes' Anti-Malware 1.44
Database version: 3769
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

2/21/2010 1:35:19 PM
mbam-log-2010-02-21 (13-35-19).txt

Scan type: Full Scan (G:\|)
Objects scanned: 213375
Time elapsed: 14 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
G:\Programs\Adobe Photoshop CS2\MSVCP60.DLL (Malware.Packer.Gen) -> Quarantined and deleted successfully.
G:\Programs\Adobe Photoshop CS2\Msvcrt.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
G:\Programs\Adobe Photoshop CS2\Shfolder.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.


Now they are all saying that I am clean; however, after reading about how stubborn viruses can be, I am paranoid that I might have something still lurking somewhere on my hard drive. Is there any way I can be sure that I am indeed clean? I have attached the OTL scan results. If anybody can please help me out I would appreciate it. I’m scared to use my comp because I read that Vundo and rootkits can come packed with keyloggers and other things. I changed all my passwords on another system but I’m afraid to use this computer for anything sensitive until I’m sure my system is clean.

Hi Monte

You need to update your Windows to Service Pack 3. I would also accept the option to update to IE8 when asked, as well as join Microsoft Update to test if Windows can update automatically. This process is a good indication of how malware-free the computer is.

Thanks for the response, mkis. I was able to update everything successfully.

You're welcome, Monte.

If any malware still makes a presence on the desktop, I would advise changing to avast as the resident antivirus. You would have to uninstall Nod32 (in Add/Remove Programs) to do this, so you should also make sure to run the correct removal utility for Nod from the following lineup:

http://www.askvg.com/ultimate-collection-of-uninstallers-removal-tools-for-all-popular-anti-virus-software/

This is what I would do but possibly the removal utility would do the job well enough by itself.

OK, I will do that, but as of right now does my computer appear to be OK? Is there anything else I can do to see if my computer is virus free? This is the only computer I have and I need it to perform sensitive tasks like online banking and bill pay. Thank you.

EDIT: Based on my scan results, should I be afraid that I was infected with a keylogger? I don’t know if I should call my bank and have my credit card canceled.

Well, change your password - make sure you replace it with a strong password.

Malwarebytes is good - you should update each time before you run a scan, and running a quick scan is okay.

I use Sophos anti-rootkit - free - http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
Follow the advice Sophos provides after the scan.

and I protect my hosts file - http://www.mvps.org/winhelp2002/hosts.htm

I have avast 5 free - I run a boot scan when I need to check for any infections on my computer, but I don't really need to scan much anymore - once a month, if that, nowadays, if I think perhaps something might be wrong.

Boot scan guide - Start → My Computer → Program Files → Alwil Software → Avast 5 → 1033 → avast! 5 Help → Search - enter ‘boot time scan’ (without quotations) - select this option and click display

If no malware is found by the scan, I would be pretty confident that your computer is clean.

Do I do a boot time scan of all my drives or just the system drive?

Might as well do all drives regardless. It doesn’t have to be a thorough scan.

Sorry, I’m on a computer using avast 4.8 at the moment. I can’t recall if you have the option of thorough and quick in avast 5.