New virus detected?

Hi space

 

Can you please try running Malwarebytes and let us know the results. Thanks!

 

PS Be sure to update the definitions after downloading and do a full system scan.

After running a setup, there was rundii32.exe in temp folder. Now it created a new BHO in IE7

 

 vwdtlb.dll

 

Norton Antivirus does not detect anything.

 

This dll attached to almost every running process. IE permanently opened different advertising pages. The BHO could not be disabled in IE.

 

Hi Dieselman and Johna,

thanks for your replies!

 

I am sorry, I cannot reproduce this virus or trojan, as it took me about 3 hours to clean my system completely by hand. There were about 19 new dlls created and some Registry keys. The dlls hooked themselves into winlogon and explorer. The system crashed when stopping. As Norton does not protect, if I open the setup again, the trojan will infect my machine immediately!!!!

 

The cause is a DOS file

 

rundii32.exe

 

that runs in the temp folder and terminates with an access violation. But within milliseconds all malicious files and changes are created. I have looked up, this file is known as

 

infostealer.avisa

 

but I wonder why NAV (latest virus updates) cannot detect it. I had run the virus scan first on the setup.exe and then on the rundii32.exe - all O.K. If this helps, I could send the setup.exe file. The cause could also be any other file, it is only my conclusion from what I have observed.

Did you run Malwarebytes', and what were the results?

 

If this fails to detect or solve, we can investigate further, possibly by PM so as to not fill too much space here with logs etc.

 

John

Message Edited by johna on 09-17-2008 11:26 PM

Hi Johna,

yes quick scan found 46 infected objects, including those deleted or renamed already. This is much more than NAV did detect. The file I posted before

 

vwdtlb.dll

 

is in folder :C:\Windows\System32 (note the ":" before C!!!) and is infected with Trojan.Vundo.H

 

Thank you for the advice to use Malwarebytes. I am deeply impressed!!!

Try running SUPERAntiSpyware. Sounds like malware and not a virus. Also use Firefox and not IE. Firefox is proven a lot safer.

 

 http://www.superantispyware.com/

 

 http://en-us.www.mozilla.com/en-US/firefox/

 

You can upload the file here.

 

http://www.virustotal.com/