
Infected With A Trojan Infection.Maybe? Vundo.A1?

Completion time: 2009-03-09 10:29:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-09 15:29:01
Pre-Run: 12,493,586,432 bytes free
Post-Run: 12,832,100,352 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
Contents of the 'Scheduled Tasks' folder
2009-03-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4067109724-245733308-1790967868-1006.job - c:\documents and settings\Davis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 21:39]
2009-03-09 c:\windows\Tasks\wrSpySweeper20060215133100.job - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-11-13 18:11]

Click this link to see a list of such programs and how to disable them. I think I covered everything.

Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast!

Malwarebytes' Anti-Malware 1.34
Database version: 1827
Windows 5.1.2600 Service Pack 2
3/8/2009 1:13:05 PM
mbam-log-2009-03-08 (13-13-05).txt
Scan type: Quick Scan
Objects scanned: 69414
Time elapsed: 4 minute(s), 18 second(s)
Memory Processes

Do not start a new topic. The screensaver may be changed to the Blue Screen of Death.

c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\Crypserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\hpzipm12.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Compact

I also downloaded and ran ERUNT and HijackThis.

Did the new user profile cmd thing, then ran FRST, both scans came back HOWEVER... I went to locate the New User Profile to copy paste and am unable to locate it. It is known to be distributed through spam email, peer-to-peer file sharing, drive-by downloads, and by other malware. Malwarebytes is the only anti-malware program I have and I don't think it has real-time protection - but I'm not sure.

I've run Avast boot scans, Comodo scans, Comodo with a very restrictive firewall on, I have Symantec Antivirus monitoring the system, and I've even tried RegMechanic and TweakNow RegCleaner to clean Vundo may attempt to prevent the user from removing it or otherwise impede its operation, such as by disabling the task manager, registry editor, and msconfig, thereby preventing the system from Some variants attempt to disable antivirus programs.

Computers infected exhibit some or all of the following symptoms: Vundo will cause the infected web browser to pop up advertisements, many of which claim a need for software to fix And so here I am. Read through the requirements and privacy statement and click on the Accept button. It will start downloading and installing the scanner and virus definitions.

Tomk
------------------------------------------------------------
Topics are closed after 5 days without response

#7 kunrod3, Authentic Member, 23 posts, Posted 09 March 2009 - 09:12 PM
Tom -

McAfee users, please refer to these instructions. If using Windows Vista and you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button. When As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. I am running Windows XP Home Edition.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. First a little update. Notes: 1.

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item:

If not installed first, Combofix will not attempt to fix some serious infections. Vundo may cause many websites to be inaccessible.

Registry Data Items Infected: (No malicious items detected)
Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.

The Recovery Console will allow you to boot into a special repair mode should your computer encounter any problems during the disinfection process. Very Important! Below is the ComboFix log.

Gary
If I do not reply within 24 hours please send me a Personal Message.
"Lord, to whom would we go?

The system ground to a halt. Symantec.

[Resolved] Infected by TR/Crypt.XPack.Gen
Started by kunrod3, Mar 08 2009 08:17 PM
This topic is locked

Do not mouse-click Combofix's window while it is running. The Avast Boot-scan found one virus/rootkit thing in the system volume information folder on the C drive.

Vundo inserts registry entries to suppress Windows warnings about the disabling of firewall, antivirus, and the Automatic Updates service, disables the Automatic Updates service and quickly re-disables it if manually re-enabled, You have the words that give eternal life. When this happens any programs may also fail to start and it may become impossible to use Windows shutdown. The icon just sits constantly telling me that it is in the middle of connecting.

There were three files associated with these pop-ups: meyizate.dll, sezadowi.dll and hexydzy.dll - all located in the C:\Windows\System32 folder. Prevalence: Symantec has observed the following infection levels of this threat worldwide. Please include the C:\ComboFix.txt in your next reply. You do it the same as you did to run ComboFix the first time.

I tried deleting them manually but got an "access denied". Renaming the program executable can work around this. Entering safe mode after attempting to use HijackThis results in a true blue screen of death, which cannot be recovered from without either restoring the deleted safe mode registry keys, or

HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.

It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Many of the popups advertise fraudulent programs such as AntiSpywareMaster, WinFixer, and MS Antivirus|AntiVirus 2009. Virtumonde.dll consists of two main components, Browser Helper Objects and Class ID. One of them was an IDE/SCSI Raid controller (I think) with a weird name and I didn't recall having ever seen this before; plus it's a single Hard Drive and so

Advertisements for adult Web sites and services may also be displayed by the threat. The desktop background may be changed to the image of an installation window saying there is adware on the computer.

Tomk
------------------------------------------------------------
Topics are closed after 5 days without response

#5 kunrod3, Authentic Member, 23 posts, Posted 09 March 2009 - 02:07 PM
Tom -

HKEY_CLASSES_ROOT\CLSID\{a57ecb0d-518c-4aff-9bfd-08d17530fe86} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

As part of its routine, ComboFix will check to see if the Recovery Console is installed before attempting to remove any malware.

Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-08 114768]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-08 20560]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2008-03-01 2560]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

The second time was nil, the third time it came up with more stuff.

Malwarebytes' Anti-Malware 1.39
Database version: 2474
Windows 5.1.2600 Service Pack 3
7/21/2009 5:07:59 PM
mbam-log-2009-07-21 (17-07-59).txt
Scan type: Full Scan (C:\|)
Objects scanned: 166009
Time