About Grumpy

  • Birthday 01/01/1970

  1. I tried out a free checker that was recommended by some folks. It found some old files related to Vundo I think, but I believe they were from one of the original infections and cut off from being active. However, it did list possible problematic registry entries. I'd had the Zbot problem and so I knew that dxdss.sys entries were references to it. I went into my registry and searched for them and deleted the two I found. It was only later that I considered trying the Internet Options again and voila! Fixed! I'm pretty sure that's what fixed the problem. If anyone else has the problem, that might be another thing to add to the list of things to try to fix it. I'm sorry that I can't recall the locations of the entries, but I was more intent on getting rid of the references. They were 'safe' in that the rootkit was removed a while back, but I hated having them there. Thanks again for all of the help. It's greatly appreciated!
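The post above deletes registry references to a driver file by hand and cannot say afterwards where they were. The script below is an added example, not the poster's own method or tool output: it walks the hives most likely to hold such references (the Services key, HKLM\SOFTWARE and HKCU\SOFTWARE are an assumption; widen `$Roots` as needed) and prints the key, value name and data of every string value that mentions the file name, plus any key named after it, so the locations can be recorded and exported with `reg.exe export` before anything is removed. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): locate every registry value or key name
# that references a given file name (default: the poster's dxdss.sys) and report where it
# lives, so the entries can be reviewed and exported before deletion.
param(
    [string]$Needle = 'dxdss.sys',
    # Assumed starting points; add more roots (or a whole hive) to widen the search.
    [string[]]$Roots = @('HKLM:\SYSTEM\CurrentControlSet\Services',
                         'HKLM:\SOFTWARE',
                         'HKCU:\SOFTWARE')
)

function Find-RegistryReference {
    param([string]$Needle, [string[]]$Roots)
    # Service keys for driver rootkits are often named after the .sys file itself,
    # so compare the key name as well as the value data.
    $stem = [System.IO.Path]::GetFileNameWithoutExtension($Needle)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -like "*$stem*") {
                [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = $key.PSChildName }
            }
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name)
                # Only REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ can carry a path or file name.
                if ($data -is [string] -or $data -is [string[]]) {
                    $text = $data -join ' '
                    if ($text -like "*$Needle*") {
                        [pscustomobject]@{
                            Key   = $key.Name
                            Value = if ($name) { $name } else { '(Default)' }
                            Data  = $text
                        }
                    }
                }
            }
        }
    }
}

$hits = Find-RegistryReference -Needle $Needle -Roots $Roots
if (-not $hits) {
    "No references to $Needle found under: $($Roots -join ', ')"
} else {
    $hits | Format-Table -AutoSize
    # Before deleting, export each key so the change can be undone, e.g.:
    #   reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\<name>" backup.reg
}
```

A service key whose ImagePath points at a file that no longer exists is the usual shape of the leftover the post describes; the key name match catches the case where the file name was also used as the service name.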
  2. I assumed you meant the "Internet Options" from the Control Panel, which does work. I restored the Advanced Settings. This didn't let me back into the IE menu link to Internet Options, though. It still has the 'contact your admin' warning. I also assumed by 'reset IE settings' that you mean to make sure security and privacy were back to their safe levels, which I did just do. Thanks again for the advice. Hopefully we'll figure it out. For now it's still doing the same thing though.
  3. Thanks for all of those options, Seth. Unfortunately, none of them have helped. It's good to be reminded of the SaS repair section, certainly! I'm not sure the security console had an option to restore the settings. The registry entries provided in the third link were interesting and gave me more things to look at, but the one pertaining to IE was the one I'd already made sure was set correctly. It did help point out some new registry areas to at least check, though. I've not found anything yet though. Thanks again for the response. I still wonder if I've just messed something up by getting gung-ho with cleaning.
  4. Firstly, YES I have tried the registry edit. I have cleared the infestation. At some point I lost the ability to go into the "Internet Options" on the IE tool menu. It's the usual 'talk to your admin' message. The problem is that when I went to: HKEY_CURRENT_USER/Software/Policies/Microsoft there wasn't even an entry for IE there. I downloaded IE7 from Microsoft and installed it again, and the problem is still there. I have no idea if this was something I did in being over-zealous in trying to TRULY clear my system of even the debris of previous infections or if this was something new. Currently, all software says I'm clean. I've manually looked for new files in various usual directories and feel confident it's all dealt with. Being confident this is some sort of left-over issue doesn't help me fix it sadly. Could there be a re-mapping of the "Internet Options" command from the menu and THAT is what's locked? There's nothing else in the Policies directory other than 'System Certificates'. "Internet Options" IS available from the control panel, so that's something at least. Anyone have any ideas?
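The post above checked only HKEY_CURRENT_USER\Software\Policies\Microsoft. The IE "contact your administrator" lockout is set by the NoBrowserOptions policy value under Software\Policies\Microsoft\Internet Explorer\Restrictions, which can live in HKLM as well as HKCU, and the Control Panel tabs and the Control Panel applet itself have their own policy values. The script below is an added example, not the poster's method or a SAS/forum tool: it reads both hives for the documented policy values that can hide Internet Options and lists any that are set, so a leftover restriction can be found before anything is deleted.

```powershell
# Added example (not from the original post): enumerate the policy values that remove
# or lock IE's Tools > Internet Options, checking both HKCU and HKLM.
# Value names are the documented IE / Explorer policy entries.
$Checks = @(
    @{ Path  = 'Software\Policies\Microsoft\Internet Explorer\Restrictions'
       Names = @('NoBrowserOptions') },                       # "contact your administrator" on Tools > Internet Options
    @{ Path  = 'Software\Policies\Microsoft\Internet Explorer\Control Panel'
       Names = @('GeneralTab','SecurityTab','PrivacyTab','ContentTab',
                 'ConnectionsTab','ProgramsTab','AdvancedTab') }, # hide individual tabs
    @{ Path  = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = @('NoControlPanel','DisallowCpl','RestrictCpl') } # block Control Panel / inetcpl.cpl
)

function Get-IeLockdownPolicy {
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($check in $Checks) {
            $path = Join-Path $hive $check.Path
            if (-not (Test-Path $path)) { continue }
            $key = Get-Item $path
            foreach ($name in $check.Names) {
                $value = $key.GetValue($name)
                if ($null -ne $value) {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $value }
                }
            }
            # DisallowCpl / RestrictCpl keep their applet lists in a subkey of the same name.
            foreach ($listName in 'DisallowCpl', 'RestrictCpl') {
                $listKey = Join-Path $path $listName
                if (Test-Path $listKey) {
                    $list = Get-Item $listKey
                    foreach ($n in $list.GetValueNames()) {
                        [pscustomobject]@{ Key = $list.Name; Value = $n; Data = $list.GetValue($n) }
                    }
                }
            }
        }
    }
}

$hits = Get-IeLockdownPolicy
if (-not $hits) {
    'No Internet Options / Control Panel lockdown values found in HKCU or HKLM.'
} else {
    $hits | Format-Table -AutoSize
    # To clear a confirmed leftover (after reg.exe export of the key), e.g.:
    #   Remove-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions' -Name NoBrowserOptions
}
```

Because the post reports that Internet Options still opens from the Control Panel, the Explorer-side values are unlikely to be the cause there; the NoBrowserOptions value in whichever hive carries it is the one to look at first.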
  5. Ok, I think this will be the final update. Sorry for spamming this thread with so many tiny updates. SAS scans without BSoD now. I'm glad to be rid of the infection, but wish I could help you fight that particular bit of nastiness in a way too. To finish on a more positive note, I decided to run SmitFraud to make CERTAIN my hosts file was ok. It said under the Rustock section that it had detected an xpdx infection. I know that the SYS file for that wasn't around, but decided to run SAS. It turned up an INI file that goes with it that the other checks had missed. Go SAS. All software seems to agree that I'm clear again. I think my lesson is to not 'go chasing waterfalls'. Guess it's just the lakes and ponds that I'm used to. Thanks again for the responses.
  6. Thanks for the replies. I didn't expect any today, honestly. I did grab the most recent VundoFix prior to running it. It just probably wasn't a Vundo infection was all. The issue of the infection has been resolved, though it involved another piece of software. I bought the 'lifetime' update version of SAS, so I don't plan on ditching it or badmouthing it. I am still confident that it did prevent some of the worst system hacks by the malware so that I could more easily get rid of it. The only major changes I've made recently to my system are to upgrade my video card and also update my BIOS. At some point in the future I may well put in a ticket if the BSoD hasn't been resolved by cleaning out the infections, but for now I'm in 'twitchy mode' and don't want to touch anything. Thanks again for the responses.
  7. VundoFix failed to find any files. The registry IS the problem. When I hit pause, a bare second before the most recent BSoD, it was in the TypeLib area mentioned above. I don't know which entry is bugged now though. The two bogus EXE files are not being re-created, but my infected computer isn't on the network, which is probably why. I'm continuing to try and locate the installer that SAS is failing to find and find some way to reliably locate the BSoD entry in the registry.
  8. I'm fairly confident that this is a Vundo Variant. There were some bogus EXE files in the Windows directory. I am no longer confident that the BSoD is happening during registry scan, as mentioned above. Right now, though I am running VundoFix V6.7.7 and hoping this removes the ability of some of the installers to hide from SAS.
  9. Actually, I am not certain this was the problem now. After the reboot from the scan, I am back to hitting a blue screen of death while scanning the registry. It gets into the CLSID and then something else. Entries are blurring by so quickly that I can't see precisely. I hit Pause and Resume, but don't know. It was probably removing a few CDF files from the Windows directory. One of the programs running I have to kill is called X-Spruce.exe. I'm a bit frustrated now. What I see inside this one remaining file is a reference to Creative Tech. Yes, I have a Creative Labs audio card. CTHELPER.EXE is running and I can't kill it. I can't delete this other file because some program that's running is using it. It looks like they have used a developer hack into Creative's entries to make it difficult to remove this file. Maybe it's just the lack of sleep speaking, though.
  10. The problematic registry entries were in HKEY_CLASSES_ROOT->TypeLib; there was nothing inside of 1.0->0->win32 or in the FLAGS or HELPDIR directories.
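The post above found the offending entries by pausing the scan and reading the registry editor by eye. A TypeLib registration is expected to look like HKCR\TypeLib\{guid}\<version>\<lcid>\win32 (or win64) with the default value naming the type library file, alongside FLAGS and HELPDIR subkeys. The script below is an added example, not the poster's procedure or SAS output: it walks HKCR\TypeLib and reports every version entry that has no locale subkey, no win32/win64 key, an empty path, or a path whose file no longer exists, which is the shape of the entry the post describes and a reasonable first list of candidates to export and review. It assumes nothing beyond a standard PowerShell registry provider.

```powershell
# Added example (not from the original post): list TypeLib registrations whose
# <version>\<lcid>\win32|win64 key is missing, empty, or points at a file that does
# not exist. Review and export (reg.exe export) before deleting anything reported.
function New-TypeLibFinding {
    param([string]$TypeLib, [string]$Version, [string]$Problem)
    [pscustomobject]@{ TypeLib = $TypeLib; Version = $Version; Problem = $Problem }
}

function Get-OrphanTypeLib {
    # HKCR: is not a default drive, so address the hive through the Registry provider.
    $root = 'Registry::HKEY_CLASSES_ROOT\TypeLib'
    foreach ($lib in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        foreach ($ver in Get-ChildItem $lib.PSPath -ErrorAction SilentlyContinue) {
            # Locale subkeys are numeric (0 = language neutral); FLAGS and HELPDIR are siblings.
            $lcids = Get-ChildItem $ver.PSPath -ErrorAction SilentlyContinue |
                     Where-Object { $_.PSChildName -match '^\d+$' }
            if (-not $lcids) {
                New-TypeLibFinding $lib.PSChildName $ver.PSChildName 'no locale subkey'
                continue
            }
            foreach ($lcid in $lcids) {
                $platforms = Get-ChildItem $lcid.PSPath -ErrorAction SilentlyContinue |
                             Where-Object { $_.PSChildName -in 'win32', 'win64' }
                if (-not $platforms) {
                    New-TypeLibFinding $lib.PSChildName $ver.PSChildName "lcid $($lcid.PSChildName): no win32/win64 key"
                    continue
                }
                foreach ($p in $platforms) {
                    $file = [string]$p.GetValue('')
                    if ([string]::IsNullOrWhiteSpace($file)) {
                        New-TypeLibFinding $lib.PSChildName $ver.PSChildName "$($p.PSChildName): empty path"
                        continue
                    }
                    # Paths may use %SystemRoot% and may end in a resource index ("...\foo.dll\1").
                    $clean = [Environment]::ExpandEnvironmentVariables($file) -replace '\\\d+$', ''
                    if (-not (Test-Path -LiteralPath $clean)) {
                        New-TypeLibFinding $lib.PSChildName $ver.PSChildName "$($p.PSChildName): missing file $file"
                    }
                }
            }
        }
    }
}

$findings = Get-OrphanTypeLib
if (-not $findings) { 'No orphaned TypeLib entries found.' }
else { $findings | Sort-Object TypeLib, Version | Format-Table -AutoSize }
```

Uninstalled software also leaves entries like these behind, so a hit is a candidate rather than proof of malware; the ones worth attention first are those whose version key has nothing under it at all, as in the post.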
  11. At first I was going to ask what to do, but as I managed to figure it out, I'll share what I did instead. SAS caught a trojan attack today. As you can imagine, a few things did get through, although it seems to have prevented the worst of the damage, namely a root hack. This is going to make cleanup much simpler. The problem came when I tried to run a system scan. As SAS was running through my registry, my system hit a blue screen of death and rebooted. I could never manage to complete the scan. Using a REG edit tool, it provided the answer. Obviously, there was a faulty entry in the registry most likely specifically designed to crash the search. I found an invalid entry using a REG edit tool. It was a PSCCX library entry, whee. I deleted it along with the one next to it and my next scan got past the registry and is working through the last of my Windows directory as I type. I wish I had taken a screenshot of what the entry looked like, but I was mostly just glad to find the probable answer. Hopefully this current scan will wipe the remains of the infection so that I can plug the system back into the network. Gotta say THANKS to SAS for making this much easier for me to clean by preventing the majority of the infection. EDIT: While I spell-checked, the scan completed, but sadly it's still infected. It's not finding some of the files.