Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Personal Antivirus, Antivirus Pro, Antivirus XP 20009, etc

  • Please log in to reply
No replies to this topic

#1 macinslaw


  • Members
  • 1 posts
  • Local time:12:19 PM

Posted 08 July 2009 - 05:43 PM

I am new to your board and I must apologize already for recommending a change, however this new infection I have seen warrants at least the request. Your tutorial on removing this infection is very good and is very easy to find from google, that being said, I have been fighting an infection for 2 days now on a windows home xp machine. The infection
I'm seeing is antivirus aware. It intercepts the install of malwarebyte and every other type of antivirus/antimalware tht I've tried. It also will not allow IE, Firefox or Opera to load any antivirus web page or security sweep site.

I have created a bart pe disk in the hopes that I can qwell this infection, but thus far, it has been resilient against removal.

I should also mention that safe boot does not work, system restore states that it is disabled by gpo, though I suspect this is unavailable in XP home, though I need confirmation of this.

I was finally able to get something to install and begin removal of trojans from this unit. Most were unidentified, however there were 2 that were: Vundo and bat/delsys. I was able to install the T-R trojan remover. It identified the following files being hijacked and redirected to ones held in the following location:


win.exe, uninst.exe, rundll.exe, iexplore.exe as well as a few others. Also, the run32dll.exe in the c:\windows\system32 folder was also compromised. In addition, the install of any other tool resulted in corruption of either the install file in the temp directory, or the exe was reported as being a missing image file and would show the error C:\windows\system32\zabunego.exe.

After running T-R and 2 restarts later, the unit was uncrippled enough to install and run malwarebyte which found further infections, 18 to be exact. It also stated that the restore point as well as other items in the OS had been turned off including automatic updates. It offered to re-enable these items.

Once Malwarebyte had completed it also wanted a restart. I attempted to install avira at that time, however the install is still being compromised leading me to believe that something is still going on. I tried to look in the add/remove programs to see what may have happened, however any of the applications needing run32dll.exe are not working because it too was infected and neutralized by the T-R software. I am attempting to restore that file to see what further damage may have been done. As a side note, Stinger would not run and was being infected as it was copied to the hard drive.

Just thought someone may want to know.

Edited by macinslaw, 09 July 2009 - 06:34 AM.

BC AdBot (Login to Remove)


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users