Virtumonde - Strange Startup Files: bepepono, dayevino, huholapu

**melbeach** · 2008-11-28, 22:42

Everything is still running fast. No popups or redirects. Only a couple of things I noticed that are probably nothing:

After rebooting, when it's coming back up - the part where the screen says something like "Please select an operating system..." I think you have the choice of selecting operating system options. It's too quick to really see. But anyway, it seems to hold for an extra full second at this screen - where it was quicker before all of this.

This probably doesn't qualify, but the startup item I mentioned earlier is kind of strange. Now I don't see it. But earlier for this particular line item, both the Startup Item and Command were a face - followed by a dot, followed by a question mark. This face was kind of like a smiley icon ;<) I forgot what you call these. But it was more complex, looked kind of like a cat face - obviously mand-made. Before that, the cat face was a cross with a circle at the top - kind of like the Blue Oyster Cult cross. Yeah, that's a stretch. But it's all I can come up with!

**pskelley** · 2008-11-28, 23:37

Update your antivirus program and scan the complete system, post the results.

**melbeach** · 2008-11-29, 04:37

Okay, I ran a full Norton scan and that was clean. Thanks.

**pskelley** · 2008-11-29, 13:49

I suggest you ask the other question here...post only at one.
http://www.techsupportforum.com/micr...ws-xp-support/
http://www.geekstogo.com/forum/Windo...003-NT-f5.html

I am thinking that is a Windows issue and not a malware issue.

Thanks

**melbeach** · 2008-11-29, 15:58

Well I'm not worried about those issues if you're not (from #31). But thanks for the links. All of this has me in computer maintain mode. I have other issues to handle. So they look like good places to start.

**melbeach** · 2008-11-30, 23:40

pskelley, what do you think? Are we done? Before we wrap this up, can you tell me what these lines mean from the Combofix report from post #25?

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zowafeduve"=Rundll32.exe "c:\windows\system32\bepepono.dll",s
"CPM27936735"=Rundll32.exe "c:\windows\system32\dayevino.dll",a
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

These were under the "Reg Loading Points" section. I don't understand what that means. Is this a current threat? Or just harmless remnants of the past threat?

Thanks alot for the help! Everything really feels like it's back to normal. I can even get into Windows Update now. I haven't updated yet though. I wanted to make sure we were done first.

**pskelley** · 2008-12-01, 00:06

Those are old registry entries, the executables have been deleted so they can not harm you. I could probably come up with a CFScript to remove the information from the registry, but I don't see a reason for installing combofix again just to do that.

I believe I have done about all I can do, safe surfing

**melbeach** · 2008-12-01, 02:26

Thanks! You saved me alot of work. I left a deposit on the way out. See ya!

Thread: Virtumonde - Strange Startup Files: bepepono, dayevino, huholapu

Thread Tools

Display

Posting Permissions