I have been infected three times by Crypto-fou, Vundo-gy, Refpron-aw, and Alureon-em since 11/28. I did a boot scan and moved the infected files found to the chest or deleted them, according to the options avast gave me. Now after my last infection removal via boot scan, I am getting “hekomundo.dll” module not found when I boot up. What is the best course of action because I keep getting infected again and again? I always do a registry clean up with Uniblue Registry Booster2 to finish.
Well, this is a registry key that is trying to run a file, which is no doubt malicious, as the name looks randomly generated and the only references in a Google search are effectively for this topic.
So it looks like this file has been removed but its registry entry remains.
Try these tools as they may well clean the suspect registry entry.
If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

1. MalwareBytes Anti-Malware, On-Demand only in free version: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe. Right click on the link and select Save As or Save File As (depending on your browser), and save it to a location where you can find it easily later.
2. SUPERantispyware, On-Demand only in free version.
Don’t worry about reported tracking cookies; they are a minor issue and not one of security, though allow SAS to deal with them. See http://en.wikipedia.org/wiki/HTTP_cookie.
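The "module not found" message at logon is what rundll32 reports when a Run value still names a DLL that has been deleted, which is exactly the orphaned-entry situation described above. The script below is an added example, not code from this thread or from avast or any of the tools named in it; it parses a .reg-style export of the HKLM and HKCU Run keys and lists the values whose target file no longer exists. The export text (with constructed "avast!" and "ctfmon.exe" stand-ins for legitimate startup items next to the thread's hekomundo entry) and the file list it is checked against are constructed here so the check runs offline; on a real machine you would feed in the output of `reg export` and let it consult the disk.

```python
import ntpath
import os
import re

# Constructed sample: a .reg-style export of the per-machine and per-user Run
# keys.  The "hekomundo" value mirrors the orphaned entry from the thread; the
# other two names are invented stand-ins for legitimate startup items.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe"
"hekomundo"="rundll32.exe \"C:\\WINDOWS\\system32\\hekomundo.dll\",s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="value" with .reg escaping (\\ for a backslash, \" for a quote).
# Only REG_SZ values are parsed; hex(2): (REG_EXPAND_SZ) lines are skipped.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# First token ending in an executable/library extension, followed by a space or end.
_PROGRAM_RE = re.compile(r'(.+?\.(?:exe|dll|com|bat|cmd|scr))(?=\s|$)', re.I)


def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return [{key, name, command}] for every string value in the export."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key:
            entries.append({"key": key, "name": _unescape(m.group(1)),
                            "command": _unescape(m.group(2))})
    return entries


def _split_program(cmd):
    """Split a command line into (program, remaining arguments)."""
    cmd = cmd.strip()
    if not cmd:
        return "", ""
    if cmd.startswith('"'):                     # quoted path, possibly with spaces
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    m = _PROGRAM_RE.match(cmd)                  # unquoted path, stop at the extension
    if m:
        return m.group(1), cmd[m.end():].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def extract_target(command):
    """The file a Run value really loads: the program itself or, for
    rundll32, the DLL named in its first argument (syntax: <dll>,<entry point>)."""
    program, args = _split_program(command)
    if ntpath.basename(program).lower() == "rundll32.exe" and args:
        dll, _ = _split_program(args)
        return dll.split(",")[0]
    return program


def find_orphans(entries, exists=os.path.exists):
    """Entries whose target is missing on disk.  `exists` is injectable so the
    check can be run against a file list captured from another system."""
    orphans = []
    for e in entries:
        target = extract_target(e["command"])
        if not exists(target):
            orphans.append(dict(e, target=target))
    return orphans


if __name__ == "__main__":
    # Constructed file list standing in for the disk of the infected machine.
    present = {r"C:\Program Files\Alwil Software\Avast4\ashDisp.exe",
               r"C:\WINDOWS\system32\ctfmon.exe"}
    for o in find_orphans(parse_reg_export(SAMPLE_REG_EXPORT), present.__contains__):
        print(f'orphaned: {o["key"]}\\{o["name"]} -> {o["target"]}')
```

An entry flagged here is only evidence that a file is gone, not that the value was malicious; compare the name against what you would expect to start at logon before removing it, and keep a copy of the export so the key can be restored if needed.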
My question is this: Why is avast not working as it should to prevent trojans from infecting my machine? How many anti-virus programs do I need to purchase in order to get the protection that I need? Is there something better to use? Boot scans take around 12 hours to run on my machine because of the amount of storage I have.
This is the warnings text file for your review.
The problem with the question is I have no information to work with, like your OS, firewall, other security applications, etc.?
If any are out of date they are vulnerable to exploit.
This one can be a real pig to remove (Alureon) and is a rootkit and its task is to hide malware from your security software. So I believe you may have remnants of the previous infection still active, as although one single application will provide 100% protection, the continual re-infection to me points to remnants or hidden malware.
Whilst I didn’t ask you to do a boot-time scan, it is possible when scheduling the boot-time to use the advanced options to limit the area to scan.
Both of the options I suggested are free (as I mentioned), though they both have resident protection as opposed to on-demand only in their paid option (you should only ever have one resident anti-spyware).
Presumably you sent these detections to the chest when asked for an action?
There is a legit file name in this location C:\WINDOWS\system32\drivers\atapi.sys, so we need to confirm that this one isn’t being incorrectly detected, see ### below, or if it is being reinfected.
Also check this one CSHelper.exe, as there was a false positive on that malware signature around the date of the detection in your log:
12/3/2009 2:39:41 AM SYSTEM 1640 Sign of “Win32:Delf-MZG [Trj]” has been found in “C:\WINDOWS\system32\CSHelper.exe” file.
Vundo is one that is now commonly hidden by a rootkit also, depending on variant; whilst avast may be able to find the file, what it isn’t finding is the file that is restoring it. That is why I gave the other tools, to see if the combined detections will pick this up.
This file name (randomly generated file name) vipukeyu.dll fits with the Vundo malware, so the detection is likely to be correct; now we have to find what is creating/restoring it.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Here is the log from SUPERantispyware for your review. Please bear with me as I work on following your additional instructions.
Looks like SUPERAntiSpyware (SAS) removed the infection.
Don’t worry about the cookies removed.
Download CCleaner and run it before SAS to remove the junk it finds.
CCleaner v2.26.1050 - Slim
- No Toolbar
http://www.ccleaner.com/download/builds
As YoKenny said, it looks like SAS removed some remnants of the Vundo infection, this may also allow for other files to be found.
You should run MBAM next and post the report, then it wouldn’t hurt to run another avast scan, Standard Sensitivity and without Archives selected.
Let us know the results of the VirusTotal scans of the two files I suggested you check.
I think the only way forward with this infection is Combofix, as it will replace the infected Atapi.sys driver with a clean copy from the ServicePackFiles folder.
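Two earlier points in the thread, confirming that the detected atapi.sys is not a false positive and replacing it from the ServicePackFiles copy, both rest on the same check: the live driver should be byte-for-byte identical to the pristine copies Windows keeps. The script below is an added example, not code from the thread, from avast or from Combofix; it hashes a system file and compares it with the copies under ServicePackFiles\i386 and system32\dllcache (the second location is Windows File Protection's cache and is my addition). It builds a constructed stand-in for the Windows directory in a temporary folder, with a fake 4 KiB atapi.sys, so it runs offline; the "patched" case changes bytes in place, which is why the size check alone would not notice it.

```python
import hashlib
import os
import tempfile

# Where Windows XP keeps pristine copies of protected system files, relative
# to the Windows directory: the service pack store (mentioned in the thread)
# and the Windows File Protection cache.
REFERENCE_COPIES = [
    os.path.join("ServicePackFiles", "i386"),
    os.path.join("system32", "dllcache"),
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_system_file(windows_dir, relative_path):
    """Compare a live system file with Windows' own reference copies.

    Returns a report with the live hash, size, every reference hash found and a
    verdict: "matches_reference", "differs_from_all_references" or
    "no_reference_found".
    """
    live = os.path.join(windows_dir, relative_path)
    name = os.path.basename(relative_path)
    report = {"live": sha256_file(live), "size": os.path.getsize(live), "references": {}}
    for ref_dir in REFERENCE_COPIES:
        ref = os.path.join(windows_dir, ref_dir, name)
        if os.path.isfile(ref):
            report["references"][ref] = sha256_file(ref)
    if not report["references"]:
        report["verdict"] = "no_reference_found"
    elif report["live"] in report["references"].values():
        report["verdict"] = "matches_reference"
    else:
        report["verdict"] = "differs_from_all_references"
    return report


def build_demo_tree(root, tamper):
    """Constructed stand-in for a Windows directory: a fake atapi.sys under
    system32\\drivers and a pristine copy under ServicePackFiles\\i386.  With
    tamper=True a few bytes of the live driver are overwritten in place, so
    its size stays identical to the reference and only the hash differs."""
    clean = bytes(range(256)) * 16            # constructed 4 KiB "driver" image
    live = bytearray(clean)
    if tamper:
        live[0x100:0x108] = b"\xff" * 8        # same-length patch
    files = [(os.path.join("system32", "drivers", "atapi.sys"), bytes(live)),
             (os.path.join("ServicePackFiles", "i386", "atapi.sys"), clean)]
    for rel, data in files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


def demo(tamper):
    """Run the check against a freshly built constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp, tamper)
        return check_system_file(tmp, os.path.join("system32", "drivers", "atapi.sys"))


if __name__ == "__main__":
    print("clean driver  :", demo(tamper=False)["verdict"])
    print("patched driver:", demo(tamper=True)["verdict"])
```

The thread describes Alureon as a rootkit whose job is to hide malware from security software; a rootkit of that kind can also hand back clean-looking bytes to a hash taken on the running system, so for a disputed driver take the hashes from a clean boot environment rather than from the infected Windows session. A file that matches a reference copy and is still flagged is the false-positive case raised earlier; one that matches no reference is the case for replacing it from ServicePackFiles.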
I cannot get the VirusTotal site to scan C:\WINDOWS\system32\drivers\atapi.sys and C:\WINDOWS\system32\CSHelper.exe, but avast scans them with no warnings. VT site appears to be asking to reanalyze these files, then gets stuck with no response from the server.
I am getting warnings again from avast. I am attaching the warning text file for your review. I believe it is avast advising a Web site warning rather than an infection, if I am reading the log correctly.
Yes, they are alerts from the Web Shield, you will know that as the only option is ‘Abort Connection.’ You will see that the location is a web URL and not your computer, so the web shield is preventing it getting into your system.
You shouldn’t have to read the log, the first thing to read is the alert window and the information on it.
VirusTotal over the last few days has had some problems; I don’t know what it is, as it isn’t consistent, with some links failing whilst others succeed.