valurolafsson

Members
  • Content Count

    6

About valurolafsson

  • Rank
    Newbie
  • Birthday 01/01/1970

Profile Information

  • Interests
    SUPERANTISPYWARE
  1. Yes it did... thank you very much. Antivir rescue disc did detect the main .dll-file and renamed it. It also detected other things and it seemed like it renamed most of the things that it detected as threats. After the rescue disk scan was done, I rebooted into normal mode without problems. There I ran CrapCleaner and was able to remove the registry key that referred to the original .dll file name. I then rebooted into safe mode, ran SAS there and lo and behold it detected the RENAMED .dll file and was finally able to remove it completely since it was not loaded in memory. So everything is finally good with the computer. So, could it be that SAS needs to be updated to better handle that particular version of Vundo? Do you need any further help from me on that? Anyway, I'm a happy camper right now, and I can finally start to use my computer for more productive things than spyware/virus scanners, like watching DVDs and such. Thanks for all your help, Valur P.S. Even though SAS was not able to completely remove the spyware, it was the only one that led me to the mother .dll-file, so expect a donation from me.
  2. Thanks, I'll try this later today. I have some questions though. I downloaded procmon to check out what processes were running on my computer, and I noticed that lsass.exe was running periodically. That process seemed to be reading keys in the registry that referenced wvukhfxy.dll, which is the Vundo trojan that's causing all the problems. So, does winlogon.exe have anything to do with starting lsass.exe or is it vice versa? Or do these registry keys cause all the problems and also need to be removed prior to me rebooting the machine from safe mode to normal mode? One other thing, I did downgrade back to SP2, since I thought if winlogon.exe is contaminated the old winlogon would be OK. However, after the downgrade and running Superantispyware in safe mode and rebooting into normal mode, I still hit the never-ending reboot loop. *sigh* This is getting very tiring indeed. Thanks for all your help, Valur
  3. I don't have any system restore points ... must have disabled it at some point ... not very bright, am I? Anyway, would it be OK to change the winlogon.exe file in rescue mode if I boot from my XP CD?
  4. Yeah, it reboots just before the welcome screen is supposed to show up. Thanks for that tip. I'm currently at work, but I'll try this stuff when I get home later this evening. Thanks again. - Valur
  5. Thanks for the reply. I ran the 2nd scan in safe mode and after the scan was done I rebooted into normal mode where the computer went into this reboot loop. I could try to scan in safe mode and then boot into safe mode and see if Windows removes the files then. Do you know if it will, or is the normal mode boot procedure needed to remove files at bootup time in Windows? - Valur
  6. Hello all, after I scanned my computer using SUPERantispyware, it found a few Vundo variants on my computer. I removed them all and the program promptly asked me to reboot the computer. After rebooting, the computer would reboot after showing the Windows logo with the progress bar. This process looped several times until I gave up and chose to boot into safe mode, which it was able to do, and restore all the files that I had quarantined. After that, I rebooted from safe mode to normal mode and now the computer got all the way into Windows, but the Vundo spyware was still there of course. Next I tried to run SUPERantispyware in safe mode, it detected the same Vundo variant (or just about, I don't know if the other spyware programs that I used removed some of them), and again after removing all detected spyware I rebooted and again this reboot loop started until I went to safe mode and restored the files from quarantine. Then I ran it for the third time and I only chose to remove one of the detected spyware. This was: Adware.Vundo Variant/Resident and again after reboot I went into the reboot loop. So now I don't know what to do, since even though this variant of Vundo has been detected by other anti-spyware programs they have not been successful in removing it. Please, some help would be much appreciated. The 3 logs are shown below:

     1. scan:

        SUPERAntiSpyware Scan Log
        https://www.superantispyware.com

        Generated 07/24/2008 at 10:37 PM

        Application Version : 4.15.1000

        Core Rules Database Version : 3514
        Trace Rules Database Version: 1505

        Scan type : Quick Scan
        Total Scan Time : 00:14:21

        Memory items scanned : 605
        Memory threats detected : 1
        Registry items scanned : 464
        Registry threats detected : 8
        File items scanned : 6777
        File threats detected : 1

        Adware.Vundo Variant/Resident
            C:\WINDOWS\SYSTEM32\WVUKHFXY.DLL
            C:\WINDOWS\SYSTEM32\WVUKHFXY.DLL

        Trojan.Vundo-Variant/Small-GEN
            HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7BCF494-58D4-4E8B-87B8-DEE8F6EB8DEA}
            HKCR\CLSID\{A7BCF494-58D4-4E8B-87B8-DEE8F6EB8DEA}
            HKCR\CLSID\{A7BCF494-58D4-4E8B-87B8-DEE8F6EB8DEA}\InprocServer32
            HKCR\CLSID\{A7BCF494-58D4-4E8B-87B8-DEE8F6EB8DEA}\InprocServer32#ThreadingModel

        Adware.Vundo Variant/Rel
            HKLM\SOFTWARE\Microsoft\aoprndtws
            HKLM\SOFTWARE\Microsoft\FCOVM
            HKLM\SOFTWARE\Microsoft\RemoveRP
            HKU\S-1-5-21-583907252-651377827-839522115-1003\Software\Microsoft\rdfa

     2. scan:

        SUPERAntiSpyware Scan Log
        https://www.superantispyware.com

        Generated 07/23/2008 at 08:43 PM

        Application Version : 4.15.1000

        Core Rules Database Version : 3513
        Trace Rules Database Version: 1504

        Scan type : Quick Scan
        Total Scan Time : 00:12:21

        Memory items scanned : 201
        Memory threats detected : 1
        Registry items scanned : 475
        Registry threats detected : 4
        File items scanned : 6754
        File threats detected : 1

        Adware.Vundo Variant/Resident
            C:\WINDOWS\SYSTEM32\WVUKHFXY.DLL
            C:\WINDOWS\SYSTEM32\WVUKHFXY.DLL

        Trojan.Vundo-Variant/Small-GEN
            HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D8C5EEF4-8748-4AE1-878C-9160B287E13B}
            HKCR\CLSID\{D8C5EEF4-8748-4AE1-878C-9160B287E13B}
            HKCR\CLSID\{D8C5EEF4-8748-4AE1-878C-9160B287E13B}\InprocServer32
            HKCR\CLSID\{D8C5EEF4-8748-4AE1-878C-9160B287E13B}\InprocServer32#ThreadingModel

     3. scan:

        SUPERAntiSpyware Scan Log
        https://www.superantispyware.com

        Generated 07/23/2008 at 01:20 AM

        Application Version : 4.15.1000

        Core Rules Database Version : 3512
        Trace Rules Database Version: 1503

        Scan type : Quick Scan
        Total Scan Time : 00:13:27

        Memory items scanned : 637
        Memory threats detected : 1
        Registry items scanned : 461
        Registry threats detected : 5
        File items scanned : 6781
        File threats detected : 9

        Adware.Vundo Variant/Resident
            C:\WINDOWS\SYSTEM32\WVUKHFXY.DLL
            C:\WINDOWS\SYSTEM32\WVUKHFXY.DLL

        Trojan.Vundo-Variant/Small-GEN
            HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D97DC8B-F5E5-4E23-B37D-4039B77E432E}
            HKCR\CLSID\{2D97DC8B-F5E5-4E23-B37D-4039B77E432E}
            HKCR\CLSID\{2D97DC8B-F5E5-4E23-B37D-4039B77E432E}\InprocServer32
            HKCR\CLSID\{2D97DC8B-F5E5-4E23-B37D-4039B77E432E}\InprocServer32#ThreadingModel

        Adware.Tracking Cookie
            C:\Documents and Settings\Valur Olafsson\Cookies\valur_olafsson@www.incentaclick[2].txt
            C:\Documents and Settings\Valur Olafsson\Cookies\valur_olafsson@incentaclick[2].txt
            C:\Documents and Settings\Valur Olafsson\Cookies\valur_olafsson@mediaresponder[2].txt
            C:\Documents and Settings\Valur Olafsson\Cookies\valur_olafsson@winanonymous[1].txt
            C:\Documents and Settings\Valur Olafsson\Cookies\valur_olafsson@systemerrorfixer[2].txt
            C:\Documents and Settings\Valur Olafsson\Cookies\valur_olafsson@adnetserver[2].txt
            C:\Documents and Settings\Valur Olafsson\Cookies\valur_olafsson@directtrack[1].txt
            C:\Documents and Settings\Valur Olafsson\Cookies\valur_olafsson@angleinteractive.directtrack[1].txt

        Adware.Vundo Variant/Rel
            HKLM\SOFTWARE\Microsoft\RemoveRP

     Thanks, -Valur