For the past few days, my husband's computer has been showing incontrovertible evidence of persistent malware infection. I've googled several of the symptoms and it would appear to be a variant of Vundo/Virtumonde, apparently one of the most aggravatingly persistent malware monsters of all the malware monsters in the world . . . however, read on for more details.
- Upon almost every reboot, Norton Antivirus has come up with a warning box indicating that Adware.Ezula has been blocked as a potential threat. Tonight, Downloader.MisleadApp has also appeared as a blocked threat.
- Two desktop shortcuts, "Live Safety Center" and "Online Security Guide", both of which appear to direct to a "htepo.com" website, have been repeatedly deleted and return almost immediately.
- There have been pop-ups in the systray that mimic Windows alerts, warning of various virus infections and directing the user to click the "baloon" (yes, there are usually multiple typos) to obtain "protection" against these supposed infections.
- There have been pop-ups in the middle of the screen that mimic Windows system warning messages, also claiming to report bogus infections and instructing the user to click a Yes button to install supposed malware protection software.
- Internet Explorer pop-ups, also warning of supposed infections and directing the user to install some variety of protection software, have also been appearing tonight. Additionally, "Security Toolbar 7.1" has begun appearing in these pop-ups, and opening Internet Explorer shows that the browser has been hijacked to htepo.com. (My husband's usual browser is Mozilla Firefox; it does not appear to have been similarly hijacked or infiltrated.)
Scans with Spybot Search & Destroy have shown infections of Virtumonde and Virtumonde.rtk. Spybot reports success in cleaning these, but another scan always returns the same infections along with MicrosoftWindowsSecurityCenterDisabled. I have repeatedly run FixEzula.exe and FixVundo.exe from Symantec, and have only received messages that no infection was found.
Tonight, I finally remembered to turn off the Windows System Restore, then rebooted. I first ran FixVundo, which once again reported no infection. Ironically, the entire time the scan was running, the fake Windows errors and the pop-ups in systray and IE appeared repeatedly.
I ran a scan with Ad-Aware and removed tracking cookies, followed by a Spybot S&D scan which again returned Virtumonde, Virtumonde.rtk, and for the first time, Virtumonde.generic. Once again, Spybot was seemingly able to remove the infections, but the above-noted pop-ups continued to appear. I then ran a full system scan with Norton Antivirus. Just like the FixVundo result, NAV showed no problems found, while the three types of pop-up/fake errors noted continued to appear at intervals.
The computer was restarted again. While NAV has not reported Adware.Ezula, Downloader.MisleadApp, or any other previously noted "blocked threat", the aforementioned pop-ups/fake errors have continued to appear, and the two desktop shortcuts are back again.
Please help me to remove whatever garbage has invaded my husband's computer before I either take the system for professional repair, or heave the hard drive into a cement mixer so it can be permanently entombed. I am a technical support agent with roughly seven years' experience working with Windows; this infection's maddening persistence stings me on a professional level as well as digging right into my personal irritation button.
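A read-only triage pass that a practitioner would want to run before anything else on a box like the one described above: list the standard autostart locations, the Internet Explorer start/search page values (the hijack the post reports), the installed Browser Helper Objects resolved to their DLLs, the targets of every desktop shortcut, the hosts file, and the Security Center notification overrides, flagging anything that mentions htepo.com or the two shortcut names. This is an added example, not code from the original post or from Symantec, Spybot or Lavasoft; it assumes Windows XP/Vista with Windows PowerShell 1.0 or later installed and an administrator account. The indicator strings come from the post; the registry paths are ordinary Windows locations and are not a claim about where this particular infection actually persists. The Security Center values are my assumption about what Spybot's "MicrosoftWindowsSecurityCenterDisabled" detection refers to.

```powershell
# Added read-only triage script (my example, not from the original post or any named tool).
# Assumed environment: Windows XP/Vista, PowerShell 1.0+, run as an administrator.
# Nothing here deletes or changes anything; it only enumerates and flags.

$Indicators = @('htepo.com', 'Live Safety Center', 'Online Security Guide', 'Security Toolbar')

function Test-Indicator([string]$Text) {
    foreach ($i in $Indicators) {
        if ($Text -and $Text.ToLower().Contains($i.ToLower())) { return $true }
    }
    return $false
}

# Print every value under a registry key, flagging any whose data matches an indicator.
function Show-RegValues([string]$Path) {
    if (-not (Test-Path $Path)) { return }
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata properties
        $flag = ''
        if (Test-Indicator "$($p.Value)") { $flag = '   <== matches indicator' }
        '{0}\{1} = {2}{3}' -f $Path, $p.Name, $p.Value, $flag
    }
}

'--- Autostart values (machine and user hives) ---'
foreach ($hive in 'HKLM', 'HKCU') {
    Show-RegValues "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    Show-RegValues "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
}
Show-RegValues 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell / Userinit

'--- Internet Explorer start and search pages (the hijack the post describes) ---'
Show-RegValues 'HKCU:\Software\Microsoft\Internet Explorer\Main'
Show-RegValues 'HKLM:\Software\Microsoft\Internet Explorer\Main'

'--- Browser Helper Objects, resolved to the DLL that implements each one ---'
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($k in Get-ChildItem $bhoKey) {
        $clsid = $k.PSChildName
        $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        '{0} -> {1}' -f $clsid, $srv.'(default)'
    }
}

'--- Desktop shortcuts and where they point (the two that keep coming back) ---'
$wsh = New-Object -ComObject WScript.Shell
foreach ($d in @("$env:USERPROFILE\Desktop", "$env:ALLUSERSPROFILE\Desktop")) {
    if (-not (Test-Path $d)) { continue }
    foreach ($f in Get-ChildItem "$d\*" -Include *.lnk, *.url) {
        if ($f.Extension -eq '.lnk') {
            $target = $wsh.CreateShortcut($f.FullName).TargetPath    # .lnk: resolve via WScript.Shell
        } else {
            $line = Get-Content $f.FullName | Where-Object { $_ -like 'URL=*' } | Select-Object -First 1
            $target = "$line"                                         # .url: plain INI file with a URL= line
        }
        $flag = ''
        if (Test-Indicator ($f.Name + ' ' + $target)) { $flag = '   <== matches indicator' }
        '{0} -> {1}{2}' -f $f.FullName, $target, $flag
    }
}

'--- hosts file: any entry beyond localhost can silently redirect AV/update sites ---'
Get-Content "$env:windir\System32\drivers\etc\hosts" |
    Where-Object { $_ -notmatch '^\s*(#|$)' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' }

'--- Security Center notification overrides (assumed target of the Spybot SecurityCenterDisabled hit) ---'
Show-RegValues 'HKLM:\SOFTWARE\Microsoft\Security Center'
```

Run it once, reboot, run it again and diff the two outputs: whatever reappears between the two runs (a Run value, a BHO CLSID, the two shortcut files) is the persistence you are actually fighting, and the DLL path behind a BHO is what to hand to a scanner or submit to a vendor. Two caveats: this only reads user-mode views of the registry and file system, so if a kernel-mode component is hiding entries, a clean-looking listing followed by returning symptoms is a reason to scan from offline media rather than proof the machine is clean; and do not delete anything from this output by hand until you know which entries belong to Norton, Spybot and Ad-Aware themselves.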