
I have something with the symptoms of Virtumundo that apparently stops HiJackThis and Malwarebytes from running, and is invisible to Vundofix and
3 replies to this topic

#1 vtsd

vtsd

  • Members
  • 3 posts

Posted 12 August 2009 - 09:20 PM

I now have something with the symptoms of Virtumundo (pop-up windows trying to sell me bogus programs) that apparently stops HiJackThis and Malwarebytes from running, and is invisible to Vundofix and VirtumundoBeGone.

I also ran Trend Micro's RootkitBuster, which found nothing.

Another symptom is that text files seem to take a bit too long to open.

Windows Defender finds "Trojan: Win32/Vundo.gen!AN", says it removes it, then wants a reboot... but is ineffective in removing the infection.

Some programs I have in the Startup folder (PrintKey, FreeClip, TaskMgr) don't start on boot, and another auto-start, DVD43, sometimes doesn't start. "Cleverkeys" loads on boot as it should.

I usually get a system error soon after startup - "Services and Controller app has encountered a problem and needs to close. (etc.)", and today, for the first time, that error forced a reboot.

The system has strange behavior when booting into Safe Mode with no networking: the window that advises you that you're going into Safe Mode keeps re-appearing. After clicking it, the icons display, then shortly thereafter they disappear and that dialog box re-appears. This happens ad nauseam. When booting into Safe Mode WITH networking, this doesn't happen.

RootKitRevealer found one reg entry with a data mismatch and one with access denied.

My system is WinXP Pro SP3, fully updated.

Thanks for any help.

Edited by vtsd, 12 August 2009 - 09:44 PM.

#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts

Posted 13 August 2009 - 05:31 PM

Try this:

Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices
Scroll to Non-Plug and Play Drivers and expand that.
Look for TDSSserv.sys.
If there, Disable; do not delete or uninstall.
Reboot immediately.
Try MBAM.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
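The same check and mitigation as Budapest's Device Manager steps, scripted as an added example (not code from the thread or from any tool it names). It assumes PowerShell 2.0 or later running in an elevated prompt; "TDSSserv" is the only name the thread gives, any other name passed in is the operator's own choice, and the Find-SuspectDriver and Disable-DriverService function names are made up here.

```powershell
# Added example: look up a named non-Plug-and-Play driver service and, on
# request, disable it (Start = 4) rather than delete it, as the thread advises.
param(
    [string[]]$SuspectNames = @('TDSSserv'),
    [switch]$Disable
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Find-SuspectDriver {
    param([string[]]$Names)
    $hits = @()
    foreach ($name in $Names) {
        # Win32_SystemDriver is the WMI view behind Device Manager's
        # "Non-Plug and Play Drivers" list. The registry key is checked too:
        # a driver present in one view but not the other is worth a closer look.
        $wmi = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$name'"
        $regPath = Join-Path $servicesKey $name
        $inReg = Test-Path $regPath
        if ($wmi -or $inReg) {
            $path = $null
            if ($wmi) { $path = $wmi.PathName }
            $hits += New-Object PSObject -Property @{
                Name       = $name
                InWmi      = [bool]$wmi
                InRegistry = $inReg
                PathName   = $path
            }
        }
    }
    return $hits
}

function Disable-DriverService {
    param([string]$Name)
    # Start = 4 is SERVICE_DISABLED, the same effect as "Disable" in Device
    # Manager; the key and the .sys file stay in place for later analysis.
    $key = Join-Path $servicesKey $Name
    if (Test-Path $key) {
        Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord
        Write-Output "$Name disabled; reboot immediately, then run MBAM."
    }
}

$found = Find-SuspectDriver -Names $SuspectNames
if (-not $found) { Write-Output 'No suspect driver present.'; exit 0 }
$found | Format-Table Name, InWmi, InRegistry, PathName -AutoSize
if ($Disable) { $found | ForEach-Object { Disable-DriverService -Name $_.Name } }
```

Run it without `-Disable` first to see what is present; the Start value change only takes effect after the reboot the thread calls for.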

#3 vtsd

vtsd
  • Topic Starter

  • Members
  • 3 posts

Posted 13 August 2009 - 09:51 PM

Thanks for the idea, Budapest. I came back to the forum now to report that my system seems to be completely fixed. I came across SuperAntiSpyware Professional (from the SuperAntiSpyware.com web site), and it found - and removed - a ton of stuff.

My system is now working as it did before it was infected.

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts

Posted 13 August 2009 - 09:56 PM

Good to hear that you solved your problem.

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Also, go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java or J2SE entries that you have.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
