
Please Help :Problem With Vundo Variant Resident

Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [20/07/2007 18:57:16]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [15/05/2003 02:19:50]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=0 (0x0)
"NoMovingBands"=0 (0x0)
"NoCloseDragDropBands"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7cb4db9e (Trojan.Vundo) -> Quarantined and deleted successfully.
And one more thing.....when does windows reboot?

Potticus, posted 02 June 2008 - 04:22 PM: I have had this exact same problem...

If the problem is still not solved, then create a rescue disk using PEBuilder, and replace the winlogon.exe file in the system32 folder with the original one. Failure to reboot will prevent MBAM from removing all the malware. http://www.techsupportforum.com/forums/f284/please-help-problem-with-vundo-variant-resident-239599.html

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
yes it did....thank you very much.

BTW welcome to BC. Please download VundoFix to your desktop. Double-click VundoFix.exe to run it.

I removed them all and the program promptly asked me to reboot the computer. Or do these registry keys cause all the problem and also need to be removed prior to me rebooting the machine from safe mode to normal mode?
Web Scanner - ALWIL Software - e:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT,

DO NOT enable terminating memory threats.
Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: vnbptxlf - {273127BD-6681-45C8-A0FB-205BE4AEFBF8}
Update vulnerable applications: This threat may be distributed through exploits.

Open the extracted SDFix folder and double click RunThis.bat to start the script. Avast and AVG. Never install more than one Antivirus and Firewall! Now after all those scans that has been sorted, but the computer is extremely slow unless I terminate explorer.exe, which now always has 100% usage.

I also did a full system scan with the Avira free version from harddisk. I did install IE7, but that didn't help.
C:\WINDOWS\system32\clbinit.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
I have some questions though. I downloaded procmon to check out what processes were running on my computer, and I noticed that lsass.exe was running periodically.

Short URL to this thread: https://techguy.org/679186
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\wvukjywp -> Delete on reboot.
Once it does, it goes into a reboot loop. Rename and delete the detected trojans.

After removing this threat, make sure that you install all available updates for your PC. Please, some help would be much appreciated. I could try to scan in safe mode and then boot into safe mode and see if windows removes the files then. After that, I rebooted from safe mode to normal mode and now the computer got all the way into windows, but the Vundo spyware was still there of course.

You know that right? .............
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:a6,94,35,90,77,74,d6,f8,60,0e,f7,b4,43,13,35,5d,b5,0a,ed,0b,ff,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,d3,b6,4b,4e,78,ad,f3,8f,8f,45,d9,82,e5,fa,c5,d4,55,..
"khjeh"=hex:09,54,d1,af,34,57,c7,51,08,c7,02,ee,80,3d,a4,e3,90,80,61,a6,c2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:bc,a2,1c,3d,ad,9b,50,4c,a1,2d,f1,8d,9c,f1,16,5e,42,1d,d9,c3,b6,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:ed,ba,4d,60,32,74,6d,6c,9d,73,cc,7a,a7,c9,45,12,95,c4,7d,14,8c,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:a6,94,35,90,77,74,d6,f8,60,0e,f7,b4,43,13,35,5d,b5,0a,ed,0b,ff,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,d3,b6,4b,4e,78,ad,f3,8f,8f,45,d9,82,e5,fa,c5,d4,55,..
"khjeh"=hex:09,54,d1,af,34,57,c7,51,08,c7,02,ee,80,3d,a4,e3,90,80,61,a6,c2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:bc,a2,1c,3d,ad,9b,50,4c,a1,2d,f1,8d,9c,f1,16,5e,42,1d,d9,c3,b6,..

or another? Then run Part 1 of 2 of S!Ri's SmitfraudFix. Please download SmitfraudFix. Double-click SmitfraudFix.exe. Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists

Antivir rescue disc did detect the main .dll-file and renamed it. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root
Win32/Vundo may also inject its code into the following processes if they are found to be running on your computer, possibly to stop or alter the functionality of the process, which may
Mail Scanner - ALWIL Software - e:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast!

Perform a system restore, prior to the infection state. It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.

jammer09, posted August 8, 2008: Heilsa! Any suggestions??

Is this Avira Free AV on the rescue CD that you provided? You should change your passwords after you've removed this threat: Create strong passwords. Recovering from recurring infections on a network: You might need to take the following steps to completely

Have run Anti-Malware, AdWare 2007, Spybot, and combo fix. As far as the surfing limitation is concerned....I think your host file has been hacked. Discussion in 'Virus & Other Malware Removal' started by shannenp, Feb 3, 2008.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7d7db869-3021-4cd2-af0a-b3cad75ece31} (Trojan.Vundo) -> Quarantined and deleted successfully.
Edited by boopme, 03 June 2008 - 02:25 PM.

miekiemoes (Malware Expert, Global Moderator), posted 25 May 2008 - 03:34 PM: Due to the lack of feedback this topic is closed. If you need

What do I do? Then you CLEARLY know that NO PROCESSES would be running that would need to be terminated!
C:\Documents and Settings\Paul Clark\Local Settings\Temporary Internet Files\Content.IE5\RJEBU9G1\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

boopme (Global Moderator), posted 03 June 2008 - 12:33 PM: OK having
As soon as the welcome screen appears? I scanned my whole system with Kaspersky 2009 Internet Security but it was all in vain. Cheers in advance.