
Tech Support Team
#1
28th February 2009, 03:21 PM
mattov (Newcomer)
Vundo-PISESIRO issues- Cannot Open recommended Program to resolve malware problems

I need help fixing a Windows XP Pro SP2 system that is infected.
IE v7

I have spent several hours trying to revive a computer that I believe has a Vundo variant. I have found these files in the msconfig startup list -
pisesiro
fepayaji
zavituwe

Under Services - Automatic were "disabled" and so the Updates weren't getting installed. I was able to get that going and I believe I have most of the current MS security Updates installed now. However, I do not want to install SP3 until I get this issue resolved.

Also installed is Trend Micro's Internet Security with the latest definition files.

The malware would not allow IE to go to the MS Windows Update Site so I had to install Apple's Safari browser and install many of the Updates manually. Also, I could not install Firefox so that's why I went to Safari...

I've read the instructions in the Malware Removal Guide (by evilfantasy) and I am having an issue installing the (3) programs you have recommended.

SUPERAntiSpyware
Malwarebytes' Anti-Malware
HijackThis

CCleaner did download and install.

What do you recommend?

#2
28th February 2009, 04:42 PM
evilfantasy (Security Team)
Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

* Scroll down to Non-plug and Play Drivers and click the plus icon to open those drivers.
* Search for any of the following:

- Seneka.sys
- clbdriver.sys
- TDSSserv.sys

* Let me know if you find them or not.
* If you do find it, right click on it, and select Disable. Do not try to uninstall them.
* Now reboot and see if you can run the scans that would not run.
__________________
.

ƃolq s’ʎsɐʇuɐɟlıʌǝ
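
The driver check described in post #2 can also be run against a saved driver listing. The following is an added example, not part of the original thread: it assumes the listing was produced with `driverquery /v /fo csv`, and the sample rows (reduced to the columns the code reads) are constructed for illustration.

```python
import csv
import io
import ntpath

# Driver file names listed in post #2 of the thread.
SUSPECT_DRIVERS = {"seneka.sys", "clbdriver.sys", "tdssserv.sys"}


def find_suspect_drivers(csv_text, suspects=SUSPECT_DRIVERS):
    """Return (module, path, state) for each row that names a suspect driver."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        module = (row.get("Module Name") or "").strip()
        path = (row.get("Path") or "").strip()
        state = (row.get("State") or "").strip()
        # Compare case-insensitively on the file name in Path and on the
        # module name with and without the .sys extension, because a row
        # can lack a path or register the module under the full file name.
        candidates = {
            ntpath.basename(path).lower(),
            module.lower(),
            module.lower() + ".sys",
        }
        if candidates & suspects:
            hits.append((module, path, state))
    return hits


# Constructed sample listing (assumption: only the columns used above).
SAMPLE = r'''"Module Name","Display Name","Driver Type","Start Mode","State","Path"
"Beep","Beep","Kernel","System","Running","C:\WINDOWS\system32\drivers\beep.sys"
"TDSSserv.sys","TDSSserv.sys","Kernel","System","Running","\systemroot\system32\drivers\TDSSserv.sys"
"Tcpip","TCP/IP Protocol Driver","Kernel","System","Running","C:\WINDOWS\system32\DRIVERS\tcpip.sys"
"clbdriver","clbdriver","Kernel","Manual","Stopped",""
'''

if __name__ == "__main__":
    for module, path, state in find_suspect_drivers(SAMPLE):
        print(f"FOUND {module} [{state}] {path or '(no path reported)'}")
```

A kernel-mode rootkit can hide its driver from user-mode listings, so an empty result does not rule out infection; it only confirms that none of the three names is visible.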

#3
2nd March 2009, 07:12 PM
mattov (Newcomer)
Hi, sorry for the delay, I am back on this issue now.

Did NOT find any of these under the Non-Plug and Play Drivers -

- Seneka.sys
- clbdriver.sys
- TDSSserv.sys

Do you have any other recommendations?

#4
2nd March 2009, 07:30 PM
evilfantasy (Security Team)
Try this please.

Download SDFix by AndyManchesta and save it to your desktop.

Before you begin the SDFix instructions you should copy these instructions in a Notepad file and save them to your desktop or print them for easy reference. Much of SDFix will be done in Safe mode and you will be unable to access this web page after booting into Safe mode.


When using this tool, you must use the Administrator's account or an account with Administrative rights.

  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.

Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply.
__________________
.

ƃolq s’ʎsɐʇuɐɟlıʌǝ