Vundo infection... nearly fixed.

Teneo

After spending 2 days fixing a Vundo infection, Spybot and Malwarebytes helped
clean it.

Both give a clean bill of health but I have a little issue in MSCONFIG.

There is an entry for Rundll.exe c:\windows\system32\siyipino.dll in
msconfig.

When I try to untick it and save settings in msconfig I get "access denied,
must be a member of administrator" when I am a member of administrator. I
searched Google and there are posts about HP software and McAfee. I don't
have HP software; I have McAfee, which was uninstalled, but that didn't make a
difference. I still cannot change settings in msconfig... ANY IDEAS?

CCleaner lets me delete entries in 'start up' but 30 seconds later the entry
is back. I even went into regedit and deleted it there, but again 30 seconds
later it's back. Malwarebytes was successful in deleting the siyipino.dll file
after about 5 scans, and of course on PC startup I get the error that startup
can't find the DLL. There must be something else on the PC generating it but
I am now at a loss where to go from here.

I also downloaded HijackThis and it too shows a reference to the DLL, and when
you delete it, 30 seconds later it's back. There must be another file /
process running putting this entry back.

I am posting this in case anyone else gets a similar infection and can see
what I used to fix it, but any ideas what I can use to find what is putting the
entry back into msconfig / startup?

TIA
 
RE: Vundo infection... nearly fixed.

You're still infected and you need to run a thorough scan.
See other thread below yours just started!
Thread title: ewgmfxd.dll
HTH,
nass
---
http://www.nasstec.co.uk
 
RE: Vundo infection... nearly fixed.

Go into Safe Mode, and rerun your scans:

Important re: Safe Mode
If you happen to find a problem that you can’t uninstall / delete, reboot
the computer, and go into Safe Mode.
To get into Safe mode, tap F8 right at Power On / Startup, and use UP arrow
key to get to Safe Mode from list of options, then hit ENTER.
RESCAN your computer with your Anti-Virus, Malwarebytes and Spybot S & D
while in Safe Mode.

Keys to find remnants of spyware

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

It could be in one or the other.
Go into Run>regedit

--
Mad Mike
 
Re: Vundo infection... nearly fixed.

- ZA and some other software will block changes using MSCONFIG. Try
running from Safe Mode and you might not get that error message.

- This will get rid of the entry in the registry. That way you won't
have to run MSCONFIG in Diagnostic Mode to continue blocking the entry:

Click Start, Run, type REGEDIT, click OK. Press the Home key, press F3,
type the name of the file into the search pane. Click "Find Next", and
when located, delete the reference to the file. Press F3 to continue
the search.

You can click File, Export, and save the entry to the Desktop. If you
remove it and there's a problem, double-click the .reg file you exported
to the Desktop and it'll be added to the registry again. You can create
a restore point before editing the registry too.

You could click Start, Run, type MSCONFIG, click OK, click the StartUp
tab, and deselect the item(s). When you restart the computer, you will
be warned that you're running in the Diagnostic mode; click to not alert
you again, and OK out. You won't see the message again. But I think
it's best to just remove the references from the registry.

- Look for what others have suggested with this Google Groups search:

http://groups.google.com/groups/search?q=access+denied+msconfig&qt_s=Search

Don't click on a "post" with a random "Group" name, such as

"Group: nd16o"

They contain spyware.

--
Joe =o)
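
The registry checks from the replies above (the two Run keys, searching for the file name, exporting before deleting), as an added PowerShell example that is not part of the original thread. The parameter names, backup location and polling interval are assumptions; the script only reads and backs up the keys and deletes nothing.

```powershell
# Added example (not from the thread): read-only audit of the two Run keys.
# Parameter names and defaults are assumptions made for this illustration.
param(
    [string]$Needle       = 'siyipino.dll',  # file name reported in the thread
    [int]   $WatchSeconds = 90,              # a little over the ~30 s reported
    [string]$BackupDir    = "$env:USERPROFILE\Desktop"
)

$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-RunEntry {
    foreach ($path in $runKeys) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            # Pull the first DLL path out of the command line, if there is one
            $dll = if ($cmd -match '[A-Za-z]:\\[^",]*?\.dll') { $Matches[0] } else { $null }
            [pscustomobject]@{
                Key = $path; Name = $name; Command = $cmd
                DllOnDisk = if ($dll) { Test-Path -LiteralPath $dll } else { $null }
            }
        }
    }
}

# 1. Back up both keys to .reg files before anything is edited by hand
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($path in $runKeys) {
    $native = $path -replace '^(HK..):', '$1'      # HKLM:\... -> HKLM\...
    $file = Join-Path $BackupDir ("Run-{0}-{1}.reg" -f $native.Substring(0, 4), $stamp)
    reg.exe export $native $file | Out-Null
}

# 2. List startup values that mention the file, and whether the DLL still exists
$isMatch = { $_.Command -like "*$Needle*" }
$toLine  = { "$($_.Key)|$($_.Name)|$($_.Command)" }
Get-RunEntry | Where-Object $isMatch | Format-List

# 3. Poll and timestamp every time a matching value appears or disappears
$prev  = @(Get-RunEntry | Where-Object $isMatch | ForEach-Object $toLine)
$until = (Get-Date).AddSeconds($WatchSeconds)
while ((Get-Date) -lt $until) {
    Start-Sleep -Seconds 2
    $now = @(Get-RunEntry | Where-Object $isMatch | ForEach-Object $toLine)
    foreach ($e in $now)  { if ($prev -notcontains $e) { "{0:HH:mm:ss} ADDED   {1}" -f (Get-Date), $e } }
    foreach ($e in $prev) { if ($now  -notcontains $e) { "{0:HH:mm:ss} REMOVED {1}" -f (Get-Date), $e } }
    $prev = $now
}
```

The ADDED timestamps can be lined up against a Process Monitor (Sysinternals) capture filtered on the same Run key, which shows the process that performed the registry write.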
 