
Vundo.CEH Infection - Cannot Delete DLL Responsible

Q: Vundo.CEH Infection - Cannot Delete DLL Responsible

Well, this is the first time that I have had to post here despite the numerous virus and malware infections I have had to deal with. For the first time the combination of CA AntiVirus and MalwareBytes has failed to clear a problem. CA Antivirus reports an infection of Vundo.CEH in a file "C:\Windows\system32\cyzystno.dll", and I cannot get this file deleted. CA-AV cannot quarantine the file, MWB cannot deal with it, Killbox cannot touch it (Rename function overridden by a system process), etc. There are no other viruses detected by the antivirus scan. I come waving my white flag and posting my log file. I consider myself an expert PC user, programmer and system builder, but I confess I am beat. I'm planning on having a backup boot partition from now on to better facilitate the deletion of such files in the future. <sigh>...I remember when Vundo was easy.

Here is the log - I suspect a link with the unnamed BHO entry:
DDS (Ver_09-03-16.01) - NTFSx86
Run by Greg at 22:43:52.20 on Tue 05/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2710 [GMT -4:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\NetDrive\wdService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\CRW\shwicon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Time Zone\TimeZone.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Greg\Desktop\Virus Tools\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {40154271-d33b-445d-a1cd-931052162279} - c:\windows\system32\cwvdxah.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [Timezone] "c:\program files\microsoft time zone\TimeZone.exe"
uRun: [system tool]
mRun: [USRpdA] "c:\windows\system32\usrmlnka.exe" runservices \device\3cpipe-USRpdA
mRun: [SoundMAXPnP] "c:\program files\analog devices\core\smax4pnp.exe"
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033
mRun: [Mirabilis ICQ] "d:\progra~1\icq\ICQNet.exe"
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [ShowIcon_Apacer_CRW Series Driver v1.17r016] "c:\program files\crw\shwicon.exe" -t"apacer\CRW Series Driver v1.17r016"
mRun: [WebDriveTray] c:\program files\netdrive\webdrive.exe /trayicon
mRun: [OSSelectorReinstall] "c:\program files\common files\acronis\acronis disk director\oss_reinstall.exe"
mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [cctray] "c:\program files\ca\ca internet security suite\casc.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [CAPPActiveProtection] "c:\program files\ca\ca internet security suite\ca anti-spyware\CAPPActiveProtection.exe"
mRunOnce: [UninstallLockedSOSFiles] c:\docume~1\greg\locals~1\temp\UninstallLockedSOSFiles.lnk
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\asuswi~1.lnk - c:\program files\asus wifi-ap solo\RtWLan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\f1u201~1.lnk - c:\program files\belkin\f1u201.401\usbshare.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {6224f700-cba3-4071-b251-47cb894244cd} - d:\progra~1\icq\ICQ.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://www.yougamers.com/systeminfo/MSC3.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: hmbdkint - cwvdxah.dll
Notify: PFW - UmxWnp.Dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

============= SERVICES / DRIVERS ===============

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2009-1-5 107512]
R0 lffycjtc;lffycjtc;c:\windows\system32\drivers\lffycjtc.sys [2004-8-4 23424]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-11-18 72696]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-4-27 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-4-27 21104]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2009-4-27 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-4-27 21488]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-4-27 161008]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2009-4-27 144696]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2009-4-27 128240]
R2 ceagovhn;Software Bus Support;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2008-12-12 1153528]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2008-12-10 797176]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2008-12-19 297464]
R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2009-4-27 292080]
R2 WebDriveFSD;WebDrive File System Driver;c:\program files\netdrive\rffsd.sys [2007-8-6 67032]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-12-12 205304]
R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2009-4-27 222448]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-4-27 108368]
RUnknown ssfs0bbc;ssfs0bbc; [x]
S3 bDMusicb;bDMusicb;c:\docume~1\greg\locals~1\temp\bDMusicb.sys [2004-6-7 29696]
S3 Inmddsystc;Inmddsystc; [x]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2007-8-3 176128]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2007-8-3 13532]
S3 UnlockerDriver4;UnlockerDriver4 Driver;c:\program files\unlocker\UnlockerDriver4.sys [2005-4-24 3584]
S4 RFNP32;WebDrive Provider; [x]
S4 Stifdn4tauc;Stifdn4tauc; [x]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-05-05 22:00 <DIR> --d----- c:\program files\Trend Micro
2009-05-05 15:23 <DIR> --d----- c:\program files\MSSOAP
2009-05-05 15:23 1,563,008 a------- c:\windows\WRSetup.dll
2009-05-05 15:23 <DIR> --d----- c:\program files\Webroot
2009-05-05 15:23 164 a------- c:\windows\install.dat
2009-05-04 19:01 <DIR> --d----- c:\program files\Western Digital Corporation
2009-05-03 22:01 <DIR> --d----- c:\docume~1\greg\applic~1\dcumwcsi
2009-05-01 23:12 92,672 a------- c:\windows\system32\KillBox.exe
2009-04-30 13:10 <DIR> --d----- C:\!KillBox
2009-04-29 08:56 292,880 a------- c:\windows\sysguard.exe
2009-04-29 08:56 <DIR> --dsh--- c:\windows\system32\lowsec
2009-04-27 17:20 <DIR> --d----- c:\windows\CAVTemp
2009-04-27 17:13 250,544 a------- c:\windows\system32\KeyHelp.ocx
2009-04-27 17:13 <DIR> --d----- c:\program files\common files\Scanner
2009-04-27 17:13 880,560 a------- c:\windows\system32\drivers\vetefile.sys
2009-04-27 17:13 161,008 a------- c:\windows\system32\drivers\vetmonnt.sys
2009-04-27 17:13 111,856 a------- c:\windows\system32\isafprod.dll
2009-04-27 17:13 108,368 a------- c:\windows\system32\drivers\veteboot.sys
2009-04-27 17:13 99,568 a------- c:\windows\system32\isafeif.dll
2009-04-27 17:13 83,256 a------- c:\windows\system32\vetredir.dll
2009-04-27 17:13 26,352 a------- c:\windows\system32\drivers\vet-filt.sys
2009-04-27 17:13 21,488 a------- c:\windows\system32\drivers\vetfddnt.sys
2009-04-27 17:13 21,104 a------- c:\windows\system32\drivers\vet-rec.sys
2009-04-27 17:13 6,904 a------- c:\windows\system32\entitlement.xml
2009-04-27 16:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CA
2009-04-25 01:21 <DIR> --d----- c:\docume~1\greg\applic~1\Microsoft Games
2009-04-22 00:20 14,311,680 a------- c:\windows\system32\xlive.dll
2009-04-22 00:20 13,642,496 a------- c:\windows\system32\xlivefnt.dll
2009-04-22 00:19 172,173 a------- c:\windows\system32\xlive.dll.cat

==================== Find3M ====================

2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-28 22:28 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-02-21 22:28 8,010 a------- c:\windows\system32\ealregsnapshot1.reg
2009-02-20 22:13 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-16 23:17 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2007-11-16 11:40 22,328 a------- c:\docume~1\greg\applic~1\PnkBstrK.sys
2007-08-04 02:39 866 a------- c:\program files\INSTALL.LOG
2008-07-07 23:30 1,377 a--sh--- c:\windows\system32\gMlkQqss.ini2
2008-11-20 11:46 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008112020081121\index.dat

============= FINISH: 22:44:34.62 ===============
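As an added example (not code from the thread or from the DDS tool), the following Python parses the DDS "Pseudo HJT Report" line formats shown in the log above and applies three defender-side checks that each hit the Vundo-style persistence in it: an unnamed BHO, a DLL registered both as a BHO and as a Winlogon Notify package (a DLL loaded into winlogon.exe cannot be deleted while Windows is running), and an autorun with no command line. The sample lines are a constructed subset of the log; the rule names and the `triage` function are my own.

```python
"""Triage rules for the DDS 'Pseudo HJT Report' lines quoted in the post.

Added example, not part of the original thread or of the DDS tool.  It parses
the record types DDS prints (BHO:, Notify:, uRun:/mRun:) and applies three
defender-side checks that point at Vundo-family persistence:
  1. a BHO registered with an empty display name,
  2. a DLL that is both a BHO (loaded in IE) and a Winlogon Notify package
     (loaded in winlogon.exe, which keeps the file locked),
  3. an autorun entry with no command line (an orphaned or hidden loader).
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: a subset of the lines from the question's DDS log.
SAMPLE_LOG = """\
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelper.dll
BHO: : {40154271-d33b-445d-a1cd-931052162279} - c:\\windows\\system32\\cwvdxah.dll
BHO: Java(TM) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\\program files\\java\\jre6\\bin\\jp2ssv.dll
uRun: [ctfmon.exe] "c:\\windows\\system32\\ctfmon.exe"
uRun: [system tool]
mRun: [cctray] "c:\\program files\\ca\\ca internet security suite\\casc.exe"
Notify: hmbdkint - cwvdxah.dll
Notify: PFW - UmxWnp.Dll
"""

BHO_RE = re.compile(r"^BHO: (?P<name>.*?): \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^Notify: (?P<key>\S+) - (?P<dll>.+)$")
RUN_RE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]*)\](?P<cmd>.*)$")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (DDS mixes case freely)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def parse_report(text: str) -> Dict[str, List[dict]]:
    """Split the DDS lines into the three record types the rules need."""
    records: Dict[str, List[dict]] = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            records["bho"].append(m.groupdict())
        elif m := NOTIFY_RE.match(line):
            records["notify"].append(m.groupdict())
        elif m := RUN_RE.match(line):
            rec = m.groupdict()
            rec["cmd"] = rec["cmd"].strip()
            records["run"].append(rec)
    return records


def triage(text: str) -> List[str]:
    """Return one finding per rule hit, in rule order then report order."""
    rec = parse_report(text)
    findings: List[str] = []
    # Rule 1: a BHO whose display name is empty.  Legitimate helpers register
    # a name; the Vundo BHO in the log above is registered bare.
    for b in rec["bho"]:
        if not b["name"].strip():
            findings.append(f"unnamed BHO {{{b['clsid']}}} -> {b['path']}")
    # Rule 2: the same DLL registered as a BHO and as a Winlogon Notify
    # package.  Notify entries are bare file names resolved from system32,
    # so compare on basename.
    bho_dlls = {basename(b["path"]): b["path"] for b in rec["bho"]}
    for n in rec["notify"]:
        dll = basename(n["dll"])
        if dll in bho_dlls:
            findings.append(f"Winlogon Notify '{n['key']}' loads BHO DLL {bho_dlls[dll]}")
    # Rule 3: an autorun with no command; typically a loader whose file was
    # removed, or a value kept so the infection can be reinstated.
    for r in rec["run"]:
        if not r["cmd"]:
            findings.append(f"autorun [{r['name']}] has no command line")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Note that the locked file the poster names, cyzystno.dll, does not appear in any report section; the only loaders DDS shows are for cwvdxah.dll, so these rules surface what the report contains rather than the whole infection.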


A: Vundo.CEH Infection - Cannot Delete DLL Responsible

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.


Hello, and thanks for your time! I had a huge problem with every virus known to man. Spyware, malware, Trojans, bho, the works!!!!! I got it mostly under control!!! Here is a list of the things that I have done to fix the problems.
1. windows defender
2. windows sp2
3. Java updated
4. Spy bot s&d
5. Norton 360
6. every available update from Microsoft.
7. Countless Hours of frustration, Swearing, and I almost cried, twice....
Please help me fix this thing for good!!!!!!!!!!!!!!!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:02 AM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\... Read more

A:Vundo Infection, Bho Delete Problem

Hello AlittleFrustrated,

Welcome to the BleepingComputer Forums.
Since it has been a few days, please post a new HijackThis log.
Thank you for your patience.


Hello,
My computer crashed less than a half hour ago. Just turned itself off. I was able to reboot and didn't lose anything. After some searching I discovered the source of the problem: US Tech Support Framework which is a partner company with My Clean PC which is a scam. I started to download My Clean PC months ago, but discovered before I finished that it was a scam and quickly aborted the download and deleted everything. Apparently, this US Tech Support Framework downloaded itself on my computer October 14th, long after the near run in with My Clean PC. And my computer didn't have any problems until today. Needless to say, I quickly ran my anti-malware program and anti-virus program, as well as deleted US Tech Support Framework. Then I began the task of thoroughly searching my computer to delete every single file, anything related to US Tech Support Framework. The last thing I found of it was in this folder: Config.msi. in OS [C:]. I deleted everything related to US Tech inside the folder, and then tried to delete the folder itself. By the way, the folder was created the same day that US Tech found its way on my computer. But I'm not able to delete the folder. I've tried everything. I've claimed ownership on the folder, made sure I had all the permissions. I am the administrator, but every time I try to delete I get an error message that says I require permission from the administrators to make changes to this folder.

I'm at a complete loss and I want all traces of t... Read more

A:Computer Crash. Found Virus Responsible. Can't delete source folder.

You should've tried to uninstall it first before deleting it with an anti-virus. But if you have already deleted mostly everything except the locked folder, I suggest getting Unlocker.

UNLOCKER 1.9.1 BY CEDRICK 'NITCH' COLLOMB


Hello,

This is my first time on your forums. I have tried everything, but my DIY has reached its wit's end. I am running a Windows XP (using Mozilla Firefox as my browser) system with a wireless DSL connection. I have been plagued by issues and I am left unable to connect to the internet while still having an IP address . . . When I logged into Windows, I got a dialog box warning that mmwnd.exe was unable to load. I searched online for solutions and was led to the spyware removal software PREVX 1.

I installed this and it found several infections, which it was able to isolate and remove. However, I was still unable to connect. Occasionally PREVX would trip on a piece of malware it called TOTOUR.EXE; upon finding this and isolating it (although it never showed up as isolated) I was able to connect to the internet. However, when PREVX was unable to locate it on a restart I still had no connection.

So I again searched online, and saw that I should remove TOTOUR.EXE with killbox. This didn't work, apparently.

Further searching led me to another virus checker called Superantispyware Pro. I installed this and ran it. It found around 200 pieces of malware/tracking cookies on my machine that it removed without incident. (To be extra sure, I ran it in safe mode too. It found a couple of hundred more(!). I scanned another time, and I actually think that it's finding the same pieces of malware but unable to remove them.)

So this is where I am at. I have no internet... Read more

A:Large infection; No internet connection, possible TOTOUR.EXE responsible.

Hi, thorubos

Welcome!

Try the following options:

First run SFC /Scannow

In the event there is a missing file it will be restored.
Enter your Control Panel and double-click on Network Connections
Then right click on your Default Connection
Usually Local Area Connection for Cable and DSL, or AOL Connection.

Left click on Properties
Double-Click on the Internet Protocol (TCP/IP) item
Select the radio dial that says Obtain DNS Servers Automatically
Press OK twice to get out of the properties screen
Restart the computer
Go to Start->Run->Type CMD and click Ok. The MSDOS Window will be displayed. At the command prompt, type the following and press Enter after each line:

ipconfig /flushdns (The space between g and / is needed)
Exit

Restart the computer and Test

If that does not resolve the issue follow these steps:

Reset the Internet Protocol (TCP/IP)

Go to Start->Run, type CMD and click Ok. The MSDOS window will be displayed. At the prompt type the following and press Enter after each line:

netsh int ip reset C:\Resetlog.txt
netsh winsock reset catalog
Exit
Restart the computer.

Warning Programs that access or monitor the Internet such as antivirus, firewall or proxy clients may be negatively affected when you run the netsh winsock reset command. If you have a program that no longer functions correctly after you use this resolution, reinstall the program to restore functionality.

Run the following commands:

regsvr32 netshell.dll
regsvr32 netcfgx.dll
regsvr... Read more


Hello, I read your rules and tried running everything you said. I removed viewpoint media player myself and installed the ie spyad.txt file as described. Pandascan and Deckard however wouldn't work for me. Panda's site wasn't responding and dss.exe crashes when it tries to clean my temporary files. I made sure nothing else was running when running DSS as well. As for the updates, unless they're critical to removing this virus, I can't even download them in a timely manner to keep up with you as I'm on 56k. Enough rambling, I ran your Vundo removal tool and it DID remove the Vundo virus, but I still have random popups in Firefox linking back to adult sites. It's not creating the IDKFA file it was before since I ran your Vundo tool, only popups are left. Sorry for rambling so much, here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 1:38:55 PM, on 5/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Co... Read more

A:[SOLVED] Another Vundo Infection, Vundo.N variant

Just wanted to be sure you've intentionally marked this as solved.

If you still need help, or just want to be sure....

To run DSS, do this:

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------

Please run Deckard's System Scanner once again, this time using these instructions (this assumes dss.exe is on your desktop):

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
"%userprofile%\desktop\dss.exe" /config
UnTick Temp Cleanup on the left side, UnTick Event Logs on the right side.

Click Scan!

When finished, it shall produce a log for you. Post that log in your next reply.


Over the past few weeks I keep getting a recurring Antivirus Pro 2010 infection. I've "cleaned" it with Malwarebytes, AdAware, and SpyBot. It keeps coming back! I subsequently ran StopZilla and was alerted to the additional infections of Vundo.A1, Vundo.A2, and PWS.ABD. I didn't want to purchase StopZilla to clean it due to my unsuccessful attempts with 3 other scanners, but it was interesting that the Vundo and PWS.ABD had not been found with the former scanners and only StopZilla. I have run ComboFix and HijackThis logs and have attached them in the event you may find them useful. Thanks in advance for your assistance.

A:Antivirus Pro 2010, Vundo.A1, Vundo.A2, PWS.ABD Infection!

Hello, and to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine. Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you let... Read more


I just noticed today that I was getting strange popups on sites where there are none such as facebook and youtube. I scanned with Malwarebytes and it found a couple trojans. It restarted to delete them and on restart I got a RUNDLL error about the file that was just deleted and then a barrage of Avira warnings about the same DLL. Whenever I try to delete it it just comes back.
Thank you in advance,
Neco

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:25 PM, on 11/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHo... Read more

A:Vundo.H and Vundo infection / Random Popups

Hello Neco,

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document. Do not attach your log, as that makes it hard to read.

**********************

Your MBAM log shows "No action taken". This usually occurs if you forget to click "Remove Selected" and instead only clicked "Save Logfile". Please read this thread and rescan again only using the (Quick Scan) in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. After performing the new scan, click the Logs tab and copy/paste the contents of the new report in your next reply. Do not attach your log, as that makes it hard to read.

**********************

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Select Files and Folders created in last 3 months
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
info.txt can also be found at c:\RSIT\info.txt
Do not attach your logs, as that makes it hard to read.

Read other 2 answers

Have worked at least 24 hours over the past few days to rid computer of multiple Trojans. Cannot get rid of Vundo. Have run Webroot Spy Sweeper, Lavasoft AdAware, SuperAntiSpyware, and McAfee. Only SuperAntiSpyware detects anything, but even after cleaning, it comes back with a vengeance. At this point, I'm getting multiple popups/security alerts/and such decreased performance that this post is difficult to type as it doesn't take all letters entered. I also ran Hijack This and Combofix. I failed to save the Combofix log, but I'll be glad to run it again, if need be. Any help would be GREATLY appreciated!!!!!!!

Hijack this (ran moments ago) . . .

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:22, on 2007-10-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MI... Read more

A:Vundo/vundo Variant Infection

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, dgm. My name is Richie and I'll be helping you to fix your problems.

If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix and save to your desktop:
Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log. Post the entire contents of C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause the program to freeze/hang.
Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Now go to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still Hijackthis.exe), post that log into your next reply please.

Read other 22 answers

I've had minor infections in the past, usually solved by following the instructions of other fixed threads. This is a bad one and I really need help.

It started when I downloaded an episode of criminal minds over bit torrent that required a "content license" that turned out to be the Vundo Trojan. My google search results were being redirected to ad.yieldmanager.com and searchfindsite and AVG Free/Spybot Search & Destroy detected infections in the Windows/Temp/ directory but they kept coming back after being removed. I also tried Malwarebytes and Combofix, but the registry keys seem familiar enough to me. Two were out of place, but there must be more because I'm still having problems.

I can't boot to Safe Mode. Upon loading the DOS libraries, the system restarts. Also, Root Repeal crashes my computer when I try to run a report. Here is my DDS log:
DDS (Ver_09-12-01.01) - NTFSx86
Run by Heikkila at 1:50:51.25 on Tue 12/22/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1356 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsv... Read more

A:Trojan Vundo PL, Vundo H Infection

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.
I will be working on your malware issues; this may or may not solve other issues you may have with your machine.
Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No inp... Read more

Read other 7 answers

shalom from israel,
Hi everyone, I'm a newbie here and I'm seriously needing help since I got this nasty trojan virus TR/VUNDO.GEN yesterday. I try to delete it in my anti-virus (Avira) but it still keeps coming back. I did a complete scan in SuperAntiSpyware and Ad-Aware already and I just scanned it with HijackThis v2.0.2 today. I don't know what to do with the log file, so I'm hoping anybody out here can help me fix my problem.

Thank you in advance, and I'm patiently waiting here.

A:need to delete TR/VUNDO.gen

Is someone willing to help me, plllllsss???

Read other 19 answers

I am fortunate enough to have Vundo. Have been trying to rid my system of this for a few hours. I seem to be having the same problems with Norton as everyone else: C:\WINDOWS\system32\ssttu.dll.

Here is my log

Logfile of HijackThis v1.99.1
Scan saved at 1:21:50 PM, on 11/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTserv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.... Read more

A:Can not delete Vundo

Read other 7 answers

Hi all,
I have had incredimail for the past few weeks and suddenly my pc is having big problems. Sometimes it will not load everything when it is booting up, sometimes it just freezes completely. Also when I run windows media player it freezes too. Any ideas of whether it could be incredimail or anything else? Have scanned with AVG and also symantec scanner, and nothing found.
Many thanks in anticipation.
 

A:Could incredimail be responsible??

Read other 16 answers

Have been besieged with popups for about a week. IE7 launches unpredictably with some kind of ad (my default browser is FireFox). XP-Home, SP2, updates are current. Mcafee finds nothing. AdAware found stuff early in the week, but it's gone now. SpywareBot finds a lot of VUNDO items: it deletes them, but they come back immediately (if I run another scan without doing anything else). Vundofix found a lot of items and removed them, but SpywareBot still finds it and I still get popups. AVG found a lot of stuff (several Downloaders, none of which were VUNDO) and deleted them; one of the items deleted was j6291937.dll, and Windows now complains that it's missing when it boots. Stinger found nothing. I'm concerned that SpywareBot seems incapable of eradicating VUNDO. Any advice is appreciated. Hijackthis log follows.

Thanks,
Elizabeth and Edward

Logfile of HijackThis v1.99.1
Scan saved at 4:35:46 PM, on 6/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\winlogon.exe
C:\windows\system\hpsysdrv.exe
C:\Program Fil... Read more

A:Can't Delete Vundo And Friends

Hello,

I see you are running AdWatch. I suggest you disable it because it can interfere with the fixes.
To disable AdWatch:
Open AdAware SE.
Go to AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options, Active and Automatic.
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both options. You can enable these after resolving your problem.

Then uninstall SpywareBot, because it has a questionable reputation. Note: Do not confuse this one with Spybot Search & Destroy. That one is ok.

Then,
* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt. Post this log in your next reply together with a new hijackthis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Read other 8 answers

Symptoms - cannot double click, can't scroll, now I am getting redirected on searches with Google. I need help a.s.a.p to get my laptop back as I use it for school and work. It's been down for a week now. Also, if you happen to notice anything I can remove that is not needed, that would be awesome too. Trying to figure out how I even got this trojan in the first place. I want to thank you in advance for your time and help! It is much appreciated.

My Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:42 AM, on 11/29/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\AOL\1203831485\ee\aolsoftware.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Sprint\Sprint SmartView\RDVCHG.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtr... Read more

A:Vundo trojan - won't delete, please help!

Hello and Welcome to TSF.

We no longer use HijackThis as our initial analysis tool.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

------------------------------------------------------

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new thread, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.

------------------------------------------------------

Read other 1 answers

[Windows XP Professional Version 2002, SP 2] Norton Antivirus detected but cannot fix or delete trojan.vundo in c:\windows\system32\pmkjk.dll. I downloaded and ran the fix vundo tool from symantec, but it won't fix or remove the file either. When I attempt to manually delete the file, I receive this error: "Cannot delete pmkjk. It is being used by another person or program."
 

A:vundo: pmkjk.dll cannot delete

Read other 7 answers

Judging by this and this, you folks are magical, even with vundo. Computer's symptoms: popup windows in firefox after new searches, significantly worse performance than yesterday, long hard drive read/writes, and McAfee and ad aware both pick up files that they recognize as Vundo or Vundo!grb. I could make an attempt at a fix on my own, but I'd really like some help. Thanks very much for the help. DDS follows.

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 23:42:53.98 on Sun 02/15/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.370 [GMT -8:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe... Read more

A:vundo!grb / vundo infection

Never mind all that. I've reinstalled Windows - couldn't take the wait. Nevertheless, it's good to know that y'all are out there, putting up with fools like me.

Peace,
Peter

Read other 2 answers

Part of our strategy to do the right thing for our teenage offspring is to try and limit the amount of time they spend glued to the computer screen playing online games etc. We've tried parental management functions in our router to put time limits on IP leases but it turns out our isp has disabled those functions in the router. So I've tried setting up user accounts with password access. Waste of time because a 2 second search of Google finds 15 ways to circumvent account passwords. I know there must be a way to lock it down so the devious little blighters can't discover the passwords. I also want to know how to block access to a certain IP address so they can't log in to the router and find or change the Wi-Fi password. Can somebody give me some pointers at all?
Thanks in advance
Pete

A:Struggling to be a responsible parent

K9 parental control
 
Block web sites in more than 70 categories, including pornography, gambling, drugs, violence/hate/racism, malware/spyware, phishing
Force SafeSearch on all major search engines
Set time restrictions to block web access during designated times
Configure custom lists for "always allow" and "always block"
Override a web page block with password
Trust the enhanced anti-tampering, even children can't break
View easy reports to monitor and control web activity
Real-time categorization of new adult and malicious sites
Best free parental controls software/internet filter available
Compatible with Windows or Mac machines
Edit: Or use Windows 7 parental controls.  The parental controls do not have a setting for time restrictions on internet access. It only restricts time the computer can be used.

Read other 1 answers

Hi
I'm trying to make my own advanced theme (Custom window textures and stuff) but I can not find the .dll and .exe files that contain the graphics I wish to change. Any help on the subject would be greatly appreciated.

P.S. I do not want a program to do this for me like WindowBlinds.

A:Where are the .dll and .exe files responsible for the look of windows?

Welcome to the Seven Forums

There are many .dll, .exe, etc. that control the look of Windows, post some screenshots of the areas you would like to change either highlighting them or use arrows to point at the areas.

Use these tutorials for posting screenshots.
Screenshot with Paint
How to Use the Snipping Tool in Vista - Vista Forums
Screenshots and Files - Upload and Post in Seven Forums

Jerry

Read other 5 answers

Hello,

I've had a number of issues the past two weeks and my most recent one is CPU spiking. At first it seemed to be Firefox because it was floating from 80 - 90 and using almost 100%. When I closed and reopened it, it stopped, but then I had random spikes from 30 - 100, and cannot figure out what the cause is, even after 20 minutes of watching the processes. Anyone know what that might be?

Thanks
 

A:CPU Spike but I don't see the process responsible

Might try this program. http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
 

Read other 2 answers

Hello....

...Perhaps you are copying a 14 GIG file (not actually applicable) ....more or less.... within/on the same hard drive. That will take some effort and time. What component is responsible for its speed in doing so.

My guess is the GHz of the motherboard.

Hey...I had to find out from our wonderful group that the upload of attached files in e-mails was a function of your ISP.......

Somehow I do not think that I am getting any better.....ANY useful links would be greatly appreciated........

As always.....Thanks!!!!!

A:What Component Of The System Is Responsible.........

This sounds very much like a school-type question. You also ask for links to support the answer, so you can add them as resources when you answer this question.

I'll answer it this way. There are multiple factors that control the speed of file transfer. Processor speed is not the major factor. But I'll say this, one of the major factors that affects file transfer speed on a HDD is the quantity of HDD cache.

The rest you'll have to google. And you'll find a lot of information and some links you can honestly say you found on your own.

Read other 5 answers

NAV is picking the backups as viruses themselves, so should i delete them?
 

A:should i delete any HJT backups containing the vundo virus?

Yes
 

Read other 2 answers

Hi, I'm new to this forum, and I've searched this forum and Google for answers on the problems I'm getting and I stumbled upon winetn32.dll. I tried to delete it but I couldn't T_T. I'm guessing you will need my HiJackThis log so I will be posting that. If you need anything else to help me, please tell. Thanks, Ken.
 

A:Help!! can't delete winetn32.dll. Need help with Trojan.Vundo!!

Post hijack
 

Read other 2 answers

I am running winxp and keep getting a warning from Norton that I have this virus:
Object Name: C:\Windows\system32\geebx.dll
Virus Name Trojan.Vundo
Action Taken Unable to repair this file.

I have run Norton twice plus used their removal tool, tried to even do a manual removal as instructed on the Symantec web site and none of the files they said to remove in the registry were there.

Can someone help me with this problem?

Thanks in advance.
Maddie
 

A:Solved: Cannot delete Trojan.Vundo

Read other 16 answers

Hi,
This is the one great site which has been helping for a long time. My PC is affected by Trojan Vundo. My Norton always finds and deletes it, but once I restart the computer it comes again. I also tried FIX VUNDO from Norton but no result. I am just since my PC has some important files and I may end up formatting it. Please help, admin. Here is my HijackThis log file:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:08:38 AM, on 10/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Progr... Read more

A:Trojan Vundo----- Norton Can't Delete

Read other 10 answers

Please can anyone give me the right advice to finally delete this trojan from my PC? My PC is being overrun by multiple infections and I just don't know how to get rid of it!

I am using Windows Vista, and my antivirus is BitDefender.
 

A:Solved: Can't delete trojan vundo

Read other 16 answers

Here is my log file. Already scanned with Hijack This. Norton Antivirus detects it in only one location, in the windows/system32 folder, and the file is called "mllml.dll". I looked through the log file, and there are 2 entries that have to do with that name. I'm not sure how to remove it, because when I navigate to the windows/system32 directory, it says that the file cannot be removed because it is currently in use by another person/program. I used a program to find out which process was using the file, and it turned out to be winlogon.exe. I also tried the removal tool made specifically for removing this trojan by Symantec AND Microsoft, but when it scans it says the computer is not infected. That's all the info I have to offer. Thanks ahead of time. Below is the log of the Hijack This scan.

Logfile of HijackThis v1.99.1
Scan saved at 4:43:42 PM, on 10/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\... Read more

A:Can't delete Trojan.Vundo virus

Please print these instructions out for use in Safe Mode.
Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to extract the files.
This will create a VundoFix folder on your desktop.
After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
Once in safe mode open the VundoFix folder and double click on KillVundo.bat
You will first be presented with a warning.
It should look like this:

    VundoFix V2.xx by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

At this point press enter one time.
Next you will see:

    Type in the file path as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\mllml.dll

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
Next you will see:

    Please type in the second file path as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\lmllm.*

Press Enter, then press the F6 key, then press En... Read more

Read other 1 answers

I am having problems with Vundo Virus. This looks like a common thread, but I realize that there are different files to remove. Any help that you can offer is greatly appreciated.

Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 5:12:24 PM, on 11/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~4\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~4\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\... Read more

A:Solved: Can't Delete Vundo Virus!

Read other 9 answers

Hello, I'm new here but in need of drastic help. Here's the problem:

After several name changes, etc., I was finally able to run Malwarebytes Anti-malware. It found the vundo trojan and 2 registry keys. I however didn't keep the log. I told it to remove these, it asked for a restart and I proceeded. Everything restarted fine, and I ran the program again. Again it found the same 3 things, so it never deleted it. Repeated this 2 more times without it deleting it.

I then ran Combo-fix. I shouldn't have done this because I didn't have someone helping me with assistance. It also downloaded and installed the Windows recovery program that comes with it. Combo-fix found the following:

windows\system32\drivers\H8SRTbwkypqjcvj.sys
windows\system32\H8SRTdxodgsmfdc.dll
windows\system32\H8SRTbaomntisqh.dll
windows\system32\H8SRTdgnkvptkdv.dll

After restart, nothing came up at all except for the blue box that says AutoScan. I can also get to the task manager using CTRL-ALT-Delete.

What should my next steps be?

Thank you very much,

Jeff

A:Can't delete Vundo with mbam, and combofix

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

You have a bad one aboard that requires tools specific to the HiJack This forum. Please follow the instructions in ==>This Guide<==.
Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==
If you cannot produce the DDS logs, then post back here and we will provide you with further instructions.

Orange Blossom

Read other 1 answers

Malwarebytes' Anti-Malware 1.31 says this in my MBAM log-

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ac72c2b1 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

in RunAlyzer it looks like this- ac72c2b1 rundll32.exe "C:\WINDOWS\system32\osjmftcp.dll"b

Every time I run Malwarebytes it is still there. How can I get rid of or fix this?

Also I have two entries that I believe that I should also destroy. Should I? (listed below)

the entries are xsjfn83jkemfofght C:\DOCUME~1PIMPDA~1.SLI\LOCALS~1\Temp\winloggn.exe

and they are located at

HKEY_USERS\S-1-5-21-3363428076-2443140938-2662183693-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

and

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.

I have tried the jump to the path option to delete all three of these through Malwarebytes and RunAlyzer with no success.

Please help.

I also just discovered that when Windows first load I get a box that says

RUNDLL
Error loading C:\WINDOW|system32\osjmftcp.dll
The specified module could not be found.

I would really appreciate any information/help.

A:I can't delete Trojan.Vundo.H and winloggn. Please help.

I ran Vundo fix and it stated that I had no infections. Then I ran malwarebytes and it found the Vundo. H. I then hit remove button. I confirmed that it was removed with runalyzer. Not sure why it worked this time. Hopefully it stays that way.

Read other 3 answers

Hi, I am new here but really need help. I've had a lot of problems since 07/30/07 when my computer got the Trojan.vundo virus. I was on the phone with Symantec for about 8 hours and thought the problem was solved but it wasn't. :( If I run in normal mode there are all kinds of .tmp files that come up in Norton either as removed or unable to repair, like every few seconds. I have used Vundofix.exe but there is one pesky file that will not go away, c:\windows\system32\vtstr.dll. I have rebooted as instructed by Vundofix.exe but it still won't delete. When I connect to the internet I get crazy popups and my system is extremely slow. Help :(

A:Trojan.vundo cannot delete vtstr.dll help

Please follow MicroBell's 5 Step process outlined here:

http://www.techsupportforum.com/secu...tml#post342651

After running through all the steps, please post the requested logs.

Read other 1 answers

Norton, Super anti spyware and ad-aware removed a bunch of files but Norton was unable to remove one trojan vundo dll. My computer still boots up a little slow and I am unable to get into control panel, add/remove programs and my clock. Every time I double click these 3 it says "the operation has been cancelled due to restrictions, please contact your system admin." I was having problems with popups prior to running these 3 programs but I'm still not sure if they're completely gone. I'll post my hi-jack this log again.

The trojan Source: C:\WINDOWS\System32\ljjgfde.dll
Click for more information about this threat : Trojan.Vundo

Logfile of HijackThis v1.99.1
Scan saved at 9:39:53 AM, on 10/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Syste... Read more

A:I have a trojan vundo that Norton can't delete!

Read other 6 answers
RELEVANCY SCORE 42.8

My Computer:

Dell XPS 400 with DataSafe hard drive, which is supposed to be a combination of
Norton Ghost and a hidden second hard drive (RAID 1), but I do not have Norton
Ghost on my PC, by choice
Intel Pentium D 830 (3GHz)
1GB DDR2 SDRAM at 533MHz
256MB ATI Hyper Memory
DataSafe 160GB (Secured Storage and Data Recovery Solution)

Intel(R)
Pentium(R) D CPU 3.00Ghz
2.99 GHz, 1.00 GB of RAM

My System:

Microsoft Windows XP
Media Center Edition
Version 2002
Service Pack 3

My Anti-virus: McAfee SecurityCenter

My Anti-spyware: Webroot Spy Sweeper

Hi.

I do not have Java on my PC because in the past, I caught a very bad virus
or trojan via a fake Java update. Also, I have Adobe Acrobat Reader 6.0,
with JavaScript disabled by choice, because I heard somewhere that that
version is less prone to trojan infection and that turning off JavaScript
in Adobe Acrobat is said to be safer.

For about six months, I've had this thing where my PC freezes for between
3 and 20 seconds while I hear a distant high beady sound, like that of the
PC quickly processing something.

For about a month, I've encountered the situation where I sometimes have
to click on something two (and sometimes three or four) times to get it
to go. Also, when I click on a folder icon once, in order to rename it, it
opens the folder instead, which is supposed to only happen if I double-click.
And another odd thing is that highlighting text is often tricky, with the... Read more

Read other answers
RELEVANCY SCORE 42.8

Hi all,

I have some trouble on my machine with Windows 8.1 (non-Pro version); let's call it "server". I just bought a new antivirus program with a firewall (BitDefender Total Security 2017). On the "server" side I have a few shares over the WebDAV protocol (on SSL). With the firewall off I can easily connect via SSL and map network drives via WebDAV on the client machines. The problem occurs when I turn on the BitDefender firewall. Then I can't connect. So I need to create a rule that will pass WebDAV traffic. And here is the problem: BitDefender can create rules only for a specific *.exe file. I have talked with BitDefender staff about this problem for a few weeks now, but their solution (for now, only one!) doesn't work, and they told me that in that AV I can't open a port for a non-*.exe file...

So this is my question: which file (specific exe/application) in Windows 8.1 x64 non-Pro is responsible for WebDAV communication on SSL, and where can I find it (path)? I need to add this exe file with port 443 to the firewall to make it work... I will be very grateful for any answers... :)

Read other answers
RELEVANCY SCORE 42.8

Firefox has been having sudden frequent crashes. Internet Explorer shuts down and gives me the message "runtime error." These crashes most often happen on the three main websites we use most frequently (Yahoo, Facebook, and a weather website). There is no warning when the crashes happen.

I've tried all the Firefox crash troubleshooting suggestions, with no satisfactory results. I regularly run scans with Malwarebytes, SUPERAntiSpyware Free, and AVG Free. AVG does pick up something called STDRT.EXE whenever I run a Super Mario game that we downloaded. AVG gives me the option of sending to virus vault, or "allowing". I've done both. I'm fairly sure that STDRT.EXE is not the culprit, since we've been playing Mario for a couple months, and the crashes have just happened in the last couple days. I'm no expert of course, which is why I'm here for help. Since the crashes started happening, I have dumped the Mario game onto a cd and uninstalled it from the computer.

I've also tried to do a system restore to a few dates previous to when this problem started, but it says "unable to restore" or something of that nature.....

Thanks for any help you can give.

Here are the scan logs you require:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:49:45 PM, on 8/12/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System3... Read more

A:Is STDRT.EXE responsible for recent crashes?

Windows are also very slow in opening.

When Firefox crashes, up comes Mozilla crash reporter which gives me the option of restarting Firefox or quitting. If I choose to restart then restore session, it brings me to the page that just crashed when I clicked on a link. If I click on the link it will crash again.

On the other hand, sometimes we can browse for quite some time before a crash happens. Very confusing
 

Read other 1 answers
RELEVANCY SCORE 42.8

Although I have scanned like crazy and found nothing, recently my wife's Yahoo profile was hacked/changed by someone else. I was concerned about a trojan/keylogger (less likely a phishing scam, as my wife hasn't done anything like that) and have changed all my important passwords on another offsite computer. However, yesterday IE closed and a new browser window made to look like a Windows security alert for trojans popped up. It imitated a Windows Defender-like window which was in fact part of the HTML, as well as a popup yellow box in the lower left to imitate a Windows message popup. Suggestions? I have run Malwarebytes, Norton, Ad-Aware, Spybot. Looked at my HijackThis log (though I am fairly novice at it, but uploaded it for analysis).

I am downloading ComboFix. Any suggestions? I am now also concerned... about identity theft?!?

A:malware responsible for yahoo hack?

Please note the message text in blue at the top of this forum. You should not be using ComboFix unless instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. ComboFix was never meant to be used as a general purpose malware scanner like SUPERAntiSpyware or Malwarebytes' Anti-Malware. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read ComboFix's Disclaimer. That's the decision by the creator and we will abide by that decision.

Please post the results of your MBAM scan for review (even if nothing was found). To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
Click the Logs Tab at the top.
The log will be named by the date of scan in the following format: mbam-log-date(time).txt
-- If you have previously used MBAM, there may be several logs showing in the list.
Click on the log name to highlight it.
Go to the bottom and click on Open.
The log should automatically open in notepad as a text file.
Go to Edit and choose Select all.
Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
Come back to this thread, click Add Reply, then right-click and choose Paste.
Be sure to post the complete log to include the top portion which shows MBAM's database version ... Read more

Read other 3 answers
RELEVANCY SCORE 42.8

Hello again,

With this being the second time in a month and a half of being infected with a strain of Vundo, I'm starting to believe it's embedded in a website or something. Ugh. This go around, Malwarebytes' Anti-Malware alone did not do the trick as the infection seems to regenerate itself upon every re-boot. (I'm on XP, and had upgraded to Firefox 3.0 since my first infection because I had read somewhere that 3.0, at least at the time, was immune to the malware.)

-EDITED TO INCLUDE THE INFORMATION BELOW (IN DIFFERENT COLOR)-

Malwarebytes' Anti-Malware scan results:
Malware.Trace -- Registry Key -- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan
Trojan.Vundo -- Registry Key -- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System
Trojan.Agent -- File -- C:\WINDOWS\system32\seneka.dat
Trojan.Agent -- File -- C:\WINDOWS\system32\senekadf.dat
Trojan.Agent -- File -- C:\WINDOWS\system32\senekalog.dat

DDS log:
DDS (Version 1.1.0) - NTFSx86
Run by Maz at 20:00:09.15 on Thu 01/01/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2037.1486 [GMT -5:00]
AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Outdated)
FW: PC-cillin Internet Security - Firewall *enabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe... Read more

A:Vundo Infection

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all steps given.

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please, never rename ComboFix unless instructed.
If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.
When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply.
Note: DO NOT mouseclick ComboFix's window while it's running. That may cause it to stall.

Read other 17 answers
RELEVANCY SCORE 42.8

XP:SP2. Causes blue screen upon removal by Malwarebytes in safe mode or regular. BHO files and registry keys do not show up when scanned in safe mode. Causes frequent Firefox crashes.

Logs:
Malwarebytes' Anti-Malware 1.30
Database version: 1371
Windows 5.1.2600 Service Pack 2
11/10/2008 12:16:10 AM
mbam-log-2008-11-10 (00-16-03).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 275030
Time elapsed: 2 hour(s), 4 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7add0330-d131-426d-baf7-1486c1ee901c} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zetslyjw (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{7add0330-d131-426d-baf7-1486c1ee901c} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52755d0d-0f32-4307-b8d2-a6994c11df1d} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{52755d0d-0f32-4307-b8d2-a6994c11df1d} (Trojan.BHO.H) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Regis... Read more

A:BHO.H and Vundo.H infection

Read other 16 answers
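The MBAM log in the post above shows the two places Vundo anchors itself: a Browser Helper Object entry under Explorer\Browser Helper Objects paired with the same GUID's registration under HKCR\CLSID, plus a Winlogon\Notify package. A Winlogon notification package is loaded into winlogon.exe at boot, which is why the DLL behind it cannot be deleted or renamed from a running session. The following is an added triage helper, not code from the thread or from Malwarebytes: it parses "Registry Keys Infected" lines, pairs each BHO GUID with its CLSID registration, lists Winlogon\Notify packages, and counts entries still marked "No action taken". The sample log text is built from the five entries quoted above; the function names are this example's own.

```python
"""Triage helper for Malwarebytes' Anti-Malware (MBAM) registry detections.

Added example, not code from the forum thread or from Malwarebytes. Given
the "Registry Keys Infected" section of an MBAM log it reports which BHO
GUIDs still have both halves of their registration present and whether a
Winlogon notification package (a DLL loaded by winlogon.exe at boot) is
among the findings.
"""
import re
from collections import defaultdict

# Constructed sample: the five registry detections quoted in the post above.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7add0330-d131-426d-baf7-1486c1ee901c} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zetslyjw (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{7add0330-d131-426d-baf7-1486c1ee901c} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52755d0d-0f32-4307-b8d2-a6994c11df1d} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{52755d0d-0f32-4307-b8d2-a6994c11df1d} (Trojan.BHO.H) -> No action taken.
Registry Values Infected:
(No malicious items detected)
"""

# One MBAM detection line has the shape: <key path> (<family>) -> <action>.
LINE_RE = re.compile(r"^(HKEY_[A-Z_]+\\.+?) \(([^()]+)\) -> (.+?)\.?$")
GUID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.IGNORECASE)


def classify(key_path):
    """Map a registry key path to the persistence mechanism it implies."""
    p = key_path.lower()
    if "\\explorer\\browser helper objects\\" in p:
        return "bho"                # loaded into every Explorer/IE process
    if "\\winlogon\\notify\\" in p:
        return "winlogon_notify"    # DLL loaded into winlogon.exe at boot
    if p.startswith("hkey_classes_root\\clsid\\"):
        return "clsid"              # COM registration the BHO entry points at
    if "\\currentversion\\run" in p:
        return "run_key"
    if "\\services\\" in p:
        return "service"
    return "other"


def parse_mbam_log(text):
    """Return one dict per 'key (family) -> action' line in the log text."""
    found = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key, family, action = m.groups()
        guid = GUID_RE.search(key)
        found.append({
            "key": key,
            "family": family,
            "action": action,
            "mechanism": classify(key),
            "guid": guid.group(0).lower() if guid else None,
            "unresolved": action.lower().startswith("no action taken"),
        })
    return found


def bho_status(detections):
    """For each BHO GUID, say whether both the BHO entry and the CLSID key were seen.

    Removing only one half leaves either a dangling CLSID or a BHO entry that
    Explorer and IE still try to load on the next start.
    """
    seen = defaultdict(set)
    for d in detections:
        if d["guid"] and d["mechanism"] in ("bho", "clsid"):
            seen[d["guid"]].add(d["mechanism"])
    return {guid: {"bho": "bho" in mechs, "clsid": "clsid" in mechs}
            for guid, mechs in seen.items()}


def winlogon_notify_packages(detections):
    """Names of Winlogon notification packages found in the log."""
    return [d["key"].rsplit("\\", 1)[1] for d in detections
            if d["mechanism"] == "winlogon_notify"]


def summarize(text):
    dets = parse_mbam_log(text)
    return {
        "total": len(dets),
        "unresolved": sum(d["unresolved"] for d in dets),
        "bho": bho_status(dets),
        "winlogon_notify": winlogon_notify_packages(dets),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} registry detections, {s['unresolved']} still unresolved")
    for guid, st in s["bho"].items():
        print(f"  BHO {guid}: BHO entry={st['bho']} CLSID registration={st['clsid']}")
    for name in s["winlogon_notify"]:
        print(f"  Winlogon\\Notify\\{name}: DLL is loaded by winlogon.exe at boot; "
              "in-session delete/rename will fail, remove it at boot time")
```

Run it against a saved mbam-log-*.txt by passing the file's contents to summarize(). A Winlogon\Notify hit is the cue to use a boot-time or offline deletion rather than retrying in-session tools.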
RELEVANCY SCORE 42.8

A while back my computer got infected with the Vundo.B trojan, and all of a sudden I kept getting sent to a web page that said I should install WinFixer. It turns out my anti-virus subscription had lapsed, and I had been ignoring it (BIG mistake). I have now updated the anti-virus (Norton), and now I keep getting messages of the infection, related to file ssqrr.dll, which cannot be fixed by Norton. I have tried the Vundo removal tool from Symantec, and it says it removes the trojan, but doesn't really. The FixVundo.exe file is version 1.5.0.0. I have downloaded and run Ad-Aware SE, with similar results. Likewise with Spybot S+D. I would appreciate assistance in removing this annoyance, and help cleaning my system.

Thanks.
RobertoS

P.S. The HJT log I just ran follows:

Logfile of HijackThis v1.99.1
Scan saved at 01:11:54 a.m., on 14/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe
C:&... Read more

A:Help With Vundo.b Infection

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to extract the files. This will create a VundoFix folder on your desktop.
After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
You will first be presented with a warning and a list of forums to seek help at.
it should look like this
VundoFix V2.15 by Atri
By pressing enter you agree that you are using this at your own risk

At this point press enter one time.
Next you will see:
Type in the filepath as instructed by the forum staff
Then Press Enter
At this point please type the following file path (make sure to enter it exactly as below!): C:\WINDOWS\system32\ssqrr.dll Press Enter,
Next you will see:
Please type in the second filepath as instructed by the forum staff
Then Press Enter, At this point please type the following file path (make sure to enter it exactly as below!): C:\WINDOWS\system32\rrqss.*
If you have a script blocker running, you may get a warning about a malicious script. Allow the script to run. It is not malicious.

The fix will run then HijackThis will open. In HijackThis, please place a check next to the following item... Read more

Read other 6 answers
RELEVANCY SCORE 42.8

Hi,
I've been infected by Trojan.Vundo, and I can't get rid of it. I've done the removal many times through VundoFix, but it always comes back!!

Deckard's System Scanner v20071014.68
Run by user on 2007-12-31 11:05:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
17: 2007-12-31 09:05:23 UTC - RP230 - Deckard's System Scanner Restore Point
16: 2007-12-30 23:06:22 UTC - RP229 - Before uninstall Wyzo 0.5.3
15: 2007-12-30 23:03:24 UTC - RP228 - Before uninstall ΠΒΐΛΦ???
14: 2007-12-29 23:11:37 UTC - RP227 - Installed ESET Smart Security
13: 2007-12-29 23:11:17 UTC - RP226 - Removed ESET NOD32 Antivirus


-- First Restore Point --
1: 2007-12-26 22:40:45 UTC - RP214 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 4.21 GiB (less than 15%) free.


-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:41 AM, on 31/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WIND... Read more

A:Vundo infection

Hi, welcome to TSF!

Download combofix.exe. Save it to your desktop.
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.
Note: In case you already used ComboFix previously, please delete the version you have and redownload it again, because ComboFix is being updated every day.
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
Do not post the ComboFix-quarantined-files.txt unless I ask you to.
If your Antivirus software is detecting ComboFix or a part of it as a virus, please choose to ignore it, as Antivirus products cannot determine the good/bad use of some software embedded in ComboFix.

Read other 10 answers
RELEVANCY SCORE 42.8

Hello,

I am having some problems with a PC. When I am connected to the internet, ads pop up in new IE windows at regular intervals. When this happens sometimes IE and the desktop freeze, and the only way to get things running again is to use Task Manager to stop explorer and then use Task Manager again to restart explorer through File, New Task (Run).

I think this is Vundo and have tried to remove the program using VundoFix, but it keeps coming back. Any help would be much appreciated.

I have taken the steps advised in the posting guide - run activescan online etc.

Thanks
Julie

Here is my log:

Deckard's System Scanner v20070411.38
Run by owner on 2007-04-22 at 08:40:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2007-04-22 07:40:22 UTC - RP1 - System Checkpoint

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as owner.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 08:42:30, on 22/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.e... Read more

A:Possible Vundo infection?

Bump.

Read other 3 answers
RELEVANCY SCORE 42.8

My Microsoft Automatic Updates will not turn on and my security settings are being controlled by something. It turns my pop-up blocker off, and puts my security settings on the lowest level. I've detected the trojan w32/trojan3.gv in c:documents and settings\doug\localsettings\temp\tdssa38e.tmp. Any help would be greatly appreciated. Copied and pasted below is the DDS text. Thank you.


DDS (Version 1.0) - NTFSx86
Run by Doug at 14:54:56.76 on Sat 11/15/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.522 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Bell\Security Manager\Fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Bell\Security Manager\Rps.exe
C:\WINDOWS\System32\regsvr32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAA.EXE
C:\Program Files\PIXELA\ImageMixer for HDD Camcorder\IMx3Launcher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Pr... Read more

A:possible vundo infection and more!

Hi there firerooster

Thank you for your patience. I will be helping you deal with the issues raised in your log from this point onwards

Before we start jumping into things, here is a quick basic note which I mention to everyone. The fix which I have provided for you is for this computer only, it should not be used on any other computer. Each fix is tailor made for the specific task in hand. If for some reason you have system restore disabled, then please re-enable it before proceeding, an infected restore is better than none. Please read through the fix first and set enough time aside to complete the task in one session. If there is anything you feel needs clarification then please ask - do not guess! Please copy and paste any requested logs into replies rather than add as attachments, this makes it easier for analysis.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription

If this is a computer from a work place then please advise your IT department of the concerning issues before commencing past this point.

Please follow these directions in the order they are set out for you.

Download ComboFix from one of these locations:

Link 1
Link 2
Link ... Read more

Read other 3 answers
RELEVANCY SCORE 42.8

Mmk so... I got infected pretty bad. Normally I can take care of things pretty well but this one just has me stumped. This is from my AVG:
"C:\Documents and Settings\Bobbert\Local Settings\Temporary Internet Files\Content.IE5\E9SU8IS6\load[1].php";"Trojan horse Vundo.GH";"Moved to Virus Vault"
"C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe";"Trojan horse PSW.Ldpinch.WVN";"Moved to Virus Vault"
"C:\Program Files\sfx\sfx.sys";"Trojan horse Rootkit-Agent.EA";"Moved to Virus Vault"
"C:\WINDOWS\system32\bivayuye.dll";"Trojan horse Vundo.GH";"Moved to Virus Vault"
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4HYNKDQV\pdrv[1].exe";"Trojan horse Rootkit-Agent.EA";"Moved to Virus Vault"
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OTYRGHYJ\pp.10[1].exe";"Trojan horse Generic13.BTTZ";"Moved to Virus Vault"
"C:\WINDOWS\system32\giruwili.dll";"Trojan horse Vundo.GH";"Moved to Virus Vault"
"C:\WINDOWS\system32\gokegubo.exe";"Trojan horse Vundo.GM";"Moved to V... Read more

A:Vundo Infection?

Just an update... I have no access to uninstall programs prior to today. Any old programs, it just says the details and I cannot remove/uninstall/modify or anything with any of the old programs installed. Some of the submenus are still missing like Open With... and other items. Uhh... Some programs can't connect to the internet to update... but I'm on the internet right now, on the infected computer. I can't restore, I have no restore points... Uhh.. Some previous settings, like on AIM, it got rid of some settings and saved information.

---------------
Malwarebytes' Anti-Malware 1.38
Database version: 2397
Windows 5.1.2600 Service Pack 2
7/8/2009 10:24:11 PM
mbam-log-2009-07-08 (22-24-11).txt
Scan type: Quick Scan
Objects scanned: 93873
Time elapsed: 3 minute(s), 12 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
c:\program files\sfx\sfx.dll (Rootkit.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sfx (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sfx (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sfx (Rootkit.Agent) -> Quara... Read more

Read other 21 answers
RELEVANCY SCORE 42.8

My computer is a Dell Precision M60 (laptop) running Windows XP Pro SP2. Pentium M 1.7GHz, 512 MB RAM, 55 GB HD with 3 partitions: 20GB (OS), 30GB (data), 5GB (other data). I have McAfee VirusScan Enterprise on my system. It has begun detecting various items in the past few days, but the most frequent was Vundo. When it was found in the System32 directory as <random_name>.dll, McAfee could delete the file; however when it was in the Temporary Internet Files folder, McAfee choked and said "move failed". When I looked at that location, the file was still there. I could delete the files manually, but they kept coming back. I found this forum, and followed the instructions in topic 34773; the preparation guide. Since I have done the first 8 steps and rebooted, McAfee has stopped complaining, but I want to make sure the problem is gone.

Logfile of HijackThis v1.99.1
Scan saved at 7:15:30 PM, on 8/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS&#... Read more

A:Vundo Infection

Looks like you got Vundo but not sure about another.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). We'll get them next step.
Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
============================
Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
Install ewido.
Run the application.
Click on scanner, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Delete".
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"
Click Complete System Scan and the scan will begin.
When the scan is finished, set all items to delete
Apply all actions
Look at the bottom of the screen and click the Save report button.
Save the report to your C: Drive... Read more

Read other 5 answers
RELEVANCY SCORE 42.8

Hi,

My computer has been infected by the Vundo!grb trojan. It was detected by McAfee. I have the same symptoms as other users (pop-up windows, automatic windows updates turned off)

I am not very technical with computers, but I researched the forums for the Vundo trojan, which gave me pretty detailed instructions of what to do.

Here is what I have done so far:

I disabled McAfee, and ran the ComboFix file following the instructions on http://www.bleepingcomputer.com/comb...to-usecombofix. Below, please find the ComboFix log file.

I need a helper to analyze the file and tell me what to do next. I highly appreciate the help.

Do I need to run any other programs such as Hijackthis? In addition to other programs are there any files such as "Viewpoint Manager, Viewpoint Media Player, InternetSpeedMonitor" or others that need to be uninstalled?

I also understand that once everything is fixed I should update my Java but that is a later step.

Once again, I really appreciate the help. Thank you very much!

Here is the ComboFix Log:

ComboFix 09-02-21.01 - Maritza Gutierrez 2009-02-22 21:14:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.548 [GMT -7:00]
Running from: c:\documents and settings\Maritza Gutierrez\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( ... Read more

A:Vundo!grb Infection: Please help me

After running ComboFix, my computer appears to be running well. The pop-ups have stopped and I am no longer seeing the Automatic Windows Update alert.

I still have McAfee disabled and I have not done anything.

Read other 3 answers
RELEVANCY SCORE 42.8

Please help. ZoneAlarm quarantines it ("Trojan-Clicker.Win32.Delf.cbe was found in C:\WINDOWS\SYSTEM32\iaiifhuh.dll on 6/5/2009 9:53:50") every time a browser window is opened but MBAM does not remove it. Thanks so much!

DDS:
DDS (Ver_09-05-14.01) - NTFSx86
Run by Bodhisattva at 9:36:15.04 on Fri 06/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1507 [GMT -8:00]

AV: ZoneAlarm Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\... Read more

A:Vundo infection

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

Read other 2 answers
RELEVANCY SCORE 42.8

Hello all,

I am currently experiencing issues with my computer. I believe that these are caused by some sort of infection and any help to remove them would be greatly appreciated. The issues are:
1. Svchost.exe and winlogon.exe sometimes utilize 50% of my CPU. This is what led me to believe it was a Vundo infection. EDIT: lsass.exe has just joined in on the fun.
2. On startup, I receive a message saying that "The memory at 0x000000 could not be written". The error is from explorer.exe. I am not sure if they are the exact words. Will update when I next receive the error.
3. From All Programs on the Start Menu, I cannot select any of the programs. Eg. When I mouse over them, they do not become highlighted.
4. Sometimes, random tabs open up while browsing the internet leading to random sites. Eg "How to earn 40k from home" etc.
I also cannot get a log from GMER.exe as it keeps crashing, but I will try again later tonight. As I thought problem 2 was caused by faulty memory, I ran memtest overnight but it passed all tests.
If anyone can in any way offer advice, it would be much appreciated.

Thank You,
Taomech

A:Vundo infection, maybe more

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

Read other 9 answers