Vundo infection... nearly fixed.


Posted

After spending 2 days fixing vundo infection, Spybot and Malwarebytes helped clean it.

Both give a clean bill of health but I have a little issue in MSCONFIG.

There is an entry for Rundll.exe c:\windows\system32\siyipino.dll in msconfig.

When I try to untick it and save settings in msconfig I get access denied must be a member of administrator when I am member of administrator. I searched Google and there are posts about HP software and McAfee. I don't have HP software, I have McAfee which was uninstalled but didn't make a difference. I still cannot change settings in msconfig... ANY IDEAS ?

CCleaner lets me delete entries in 'start up' but 30 seconds later the entry is back. I even went into regedit and deleted it here but again 30 seconds it's back. Malwarebytes was successful in deleting the siyipino.dll file after about 5 scans and of course on pc startup I get the error that startup can't find the dll. There must be something else on the pc generating it but I am now at a loss where to go from here.

I also downloaded HijackThis and it too shows reference to the dll and when you delete it 30 seconds later it's back. There must be another file / process running putting this entry back.

I am posting this in case anyone else gets a similar infection and can see what I used to fix but any ideas what I can use to find what is putting the entry back into msconfig / startup.

TIA

Posted

RE: Vundo infection... nearly fixed.

 

 

 


 

You are still infected and you need to run a thorough scan.

See other thread below yours just started!

Thread title: ewgmfxd.dll

HTH,

nass

---

http://www.nasstec.co.uk

Guest Mick Murphy
Posted

RE: Vundo infection... nearly fixed.

 

Go into Safe Mode, and rerun your scans:

Important re: Safe Mode

If you happen to find a problem that you can't uninstall / delete, reboot the computer, and go into Safe Mode.

To get into Safe Mode, tap F8 right at Power On / Startup, and use UP arrow key to get to Safe Mode from list of options, then hit ENTER.

RESCAN your computer with your Anti-Virus, Malwarebytes and Spybot S & D while in Safe Mode.

Keys to find remnants of spyware

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

It could be in one or the other.

Go into Run>regedit

 

--

Mad Mike

 

 


Posted

Re: Vundo infection... nearly fixed.

 


 

- ZA and some other software will block changes using MSCONFIG. Try running from Safe Mode and you might not get that error message.

- This will get rid of the entry in the registry. That way you won't have to run MSCONFIG in Diagnostic Mode to continue blocking the entry:

Click Start, Run, type REGEDIT, click OK. Press the Home key, press F3, type the name of the file into the search pane. Click "Find Next", and when located, delete the reference to the file. Press F3 to continue the search.

You can click File, Export, and save the entry to the Desktop. If you remove it and there's a problem, double-click the .reg file you exported to the Desktop and it'll be added to the registry again. You can create a restore point before editing the registry too.

You could click Start, Run, type MSCONFIG, click OK, click the StartUp tab, and deselect the item(s). When you restart the computer, you will be warned that you're running in the Diagnostic mode; click to not alert you again, and OK out. You won't see the message again. But I think it's best to just remove the references from the registry.

- Look for what others have suggested with this Google Groups search:

http://groups.google.com/groups/search?q=access+denied+msconfig&qt_s=Search

Don't click on a "post" with a random "Group" name, such as

"Group: nd16o"

They contain spyware.

 

--

Joe =o)
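
The registry search described in the replies above can also be run offline against a regedit export (File, Export). The following is an added example, not code from any poster in this thread: it lists every string value in an export that names a given file and marks the hits that sit in the two Run keys quoted earlier. The sample export, its value names and the `Example\Settings` key are constructed for illustration.

```python
import re

# Constructed sample of a regedit export; value names and the Example\Settings
# key are invented. A real export is UTF-16: open(path, encoding="utf-16").read()
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"constructed_entry"="rundll32.exe c:\\windows\\system32\\siyipino.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"LastModule"="C:\\WINDOWS\\system32\\SIYIPINO.DLL"
'''

# The two autostart keys named in the thread, lower-cased for comparison.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

# "name"="string data" or @="string data"; .reg escapes \ and " with a backslash.
STRING_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    """Undo the backslash escaping used inside .reg string values."""
    return re.sub(r"\\(.)", r"\1", text)

def find_references(reg_text, filename):
    """Return (key, value_name, data, is_run_key) for each string value naming the file."""
    needle, key, hits = filename.lower(), None, []
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # section header: the key that following values belong to
            continue
        match = STRING_VALUE.match(line)
        if key is None or not match:
            continue  # dword: and hex: data are not decoded in this example
        name = "(Default)" if match.group(1) == "@" else unescape(match.group(1)[1:-1])
        data = unescape(match.group(2))
        if needle in name.lower() or needle in data.lower():
            hits.append((key, name, data, key.lower() in RUN_KEYS))
    return hits
```

Values stored as `hex(2):` (REG_EXPAND_SZ) are skipped here, so a reference held in that form would still need the regedit search.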

