TechSpot

Vundu - Spyware has detected CANT get rid of it - pls help

By HSN
Jun 6, 2007
  1. hi, i tried the vundu fix, which found some files but after restart it is still here
    spybot also has trouble with it
    i deleted some file from the HJT o2 files (files missing) but still nothing
    norton also finds, blocks and deletes the file but still nothing
    i also tried ending ipmon.exe in taskmanager, it wont allow to end (it's mentioned twice in TM)
    i have this annoying red shield warning me of malware in my right hand lower corner of the screen
    how do i get rid of it?
    many thx!
    hjt file att.

    hjt beta v2 file att

    i also have the trojan.nebuler coming and going the whole time (norton deletes it and it's back a few min later)
     
  2. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Hello HSN and welcome to TechSpot.

    Very important: Before deciding whether to clean or reformat your system, read this thread and decide what you want to do.

    If you decide to clean your system after reading the above thread, do the following.

    Go and read the Viruses/spyware/malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, ComboFix, and AVG Antispyware logs as attachments into this thread, only after doing the above. Also post here the results of the AVG Antirootkit scan.

    Regards :)

    This thread is for the use of HSN only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  3. HSN

    HSN TS Rookie Topic Starter

    will do so shortly, thx
    avg is now running, waiting for it to end

    im going nuts, now my pc also reboots after 60 seconds
    trojan keeps appearing even norton blocks it
    i cant get the avg to run fully as it takes more then 1 hour and the pc reboots (even in safe mode)
    here are the combofix and hjt logs
    pls help
    thx
     
  4. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Sorry, I'd check your logs, but I gotta go soon. I'll be back either tonight or tomorrow morning. Either Howard or Momok can take this if they feel like it.

    Regards :)
     
  5. HSN

    HSN TS Rookie Topic Starter

    sure, no problem
    many thx
    btw, avg found no rootkits
     
  6. ellyquim

    ellyquim TS Rookie

    Have you tried UBCD? It's a Live CD which you can use with all the tools for removing viruses and spyware. The problem with removing some viruses and spyware without using a third-party device is that they keep coming back on and on.

    Hope it helps.
     
  7. HSN

    HSN TS Rookie Topic Starter

    thx for reply but what will it help me with?
     
  8. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Hi ellyquim.

    That sounds cool, but I think we should be able to remove it manually and then put stuff in place to keep it from recurring.

    Please copy and paste the following instructions into a Notepad file (.txt) and save it to your desktop. Then you can have the file open in safe mode.

    Boot into safe mode, under your normal user name (not the administrator account). See how HERE.

    Run HijackThis with no other programmes open except Notepad. Place a tick in the box next to the following entries (if there):

    Only fix the following R1 entry if you didn't set this proxy yourself or you don't know what it is.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 66.192.59.18:8080

    O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)

    O20 - Winlogon Notify: winrzf32 - C:\WINDOWS\SYSTEM32\winrzf32.dll

    O20 - Winlogon Notify: wudb - C:\WINDOWS\system32\wudb.dll (file missing)

    Click the Fix Checked button. Close HJT.

    Now reboot into normal mode.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon, which will open a new window titled "Open Script File".
    Navigate to the file you have just downloaded, click on it and press Open.
    Now click on the Green Light to begin execution of the script.
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as fresh HJT and ComboFix logs, and an AVG Anti-Spyware log if you can.

    Regards :)

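    As an added illustration (not code from the thread or from any of the tools named in it), the following Python snippet applies the same triage rules the helpers used by hand on HSN's HijackThis entries: it flags orphaned entries ("(no file)" / "(file missing)"), unnamed BHOs, Winlogon Notify DLLs that do exist on disk, and a configured proxy server. The sample lines are constructed from the entries quoted in the post above.

```python
import re

# Constructed sample: HijackThis-style lines based on the entries fixed in this thread.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 66.192.59.18:8080
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O20 - Winlogon Notify: winrzf32 - C:\\WINDOWS\\SYSTEM32\\winrzf32.dll
O20 - Winlogon Notify: wudb - C:\\WINDOWS\\system32\\wudb.dll (file missing)
O4 - Global Startup: Logitech SetPoint.lnk = ?
"""

# Every HJT entry line starts with a section code (R1, O2, O20, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return a list of (section, body) tuples, one per HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def flag_entries(entries):
    """Apply the triage heuristics used in the thread and return (section, body, reasons).

    - 'orphaned': the entry points at a file that no longer exists (leftover of a removal);
    - 'unnamed-bho': an O2 Browser Helper Object with no name is rarely legitimate;
    - 'winlogon-notify-dll': an O20 DLL that still exists is a live persistence point;
    - 'proxy-set': an R1 ProxyServer the user did not configure can redirect browsing.
    """
    flagged = []
    for sec, body in entries:
        reasons = []
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("orphaned")
        if sec == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("unnamed-bho")
        if sec == "O20" and "Winlogon Notify" in body and "(file missing)" not in body:
            reasons.append("winlogon-notify-dll")
        if sec == "R1" and "ProxyServer" in body:
            reasons.append("proxy-set")
        if reasons:
            flagged.append((sec, body, reasons))
    return flagged
```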
     
  9. HSN

    HSN TS Rookie Topic Starter

    many thx for ur help, am going to do it now

    many thx for all but where is the avenger.txt file?
    where do i download it from?

    just saw it, sorry
     
  10. ellyquim

    ellyquim TS Rookie

    100% CPU Usage

    okay.. if there's still no luck, try UBCD. It's a Virtual Boot CD that loads its applications into memory without using your hard drive, and it has tools like AVG, AVAST, Spybot and Ad-Aware to scan your registry and disk.
     
  11. HSN

    HSN TS Rookie Topic Starter

    ok, i did as you asked
    as you can see avenger did not succeed
    pls advise
    will run avg now (takes a while)
    thx a mil
     
  12. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Please follow these instructions carefully.

    1. Download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached "avengerscript.txt" (from my attachment) and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon, which will open a new window titled "Open Script File".
    Navigate to the attachment avengerscript.txt you have just downloaded, click on it and press Open.
    Now click on the Green Light to begin execution of the script.
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Run HijackThis and fix the following entries:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: CardMinder Viewer.lnk = ?
    O4 - Global Startup: Conversion to PDF with ScanSnap Organizer.lnk = ?
    O4 - Global Startup: GammaTray.lnk = ?
    O4 - Global Startup: Logitech SetPoint.lnk = ?
    O4 - Global Startup: ScanSnap Manager.lnk = ?
    O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab


    6. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT, ComboFix and AVG Antispyware log.


    Regards,
    Your friendly momok =)

     
  13. HSN

    HSN TS Rookie Topic Starter

    hello momok, many thx
    will do as you say
    just one more thing:
    att is avg anti spyware report
    the files it deleted had already been deleted by avg a few hours before
    so it came back...
    a few remarks:
    -ie7 always asks if i want it to be the default browser
    -avg anti spyware has silently detected over 200 malware (in the counter) active shield
    - pc is slow
    -norton finds trojan.nebuler again and again
    will run norton anti virus now and then will use avenger as you stated
    btw, i use all the items u stated in the avenger list (scansnap, bluetooth etc) so do i need to remove it for sure?
    many thx
    avg log att.
    greetz

    ps i'm adding 2 avg logs, one is taken at 030742 and states "ignored" on all the items but i did delete the items after the log was created, the second log, 115931, is from now

    oops forgot to mention: avg anti spyware was run in safe mode
     
  14. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    All of the items in your second AVG Anti-Spyware log say they were ignored. You need to run the program again and set it to apply the recommended action to all malware found (instructions here).

    I recommend removing Norton and installing either AVG free or avast! antivirus (but not both at the same time, as this can cause conflicts). If you have any problems uninstalling Norton, see this thread.

    If your version of Norton does not include a firewall, or if you get rid of Norton, you should install either ZoneAlarm or Sunbelt firewall (again, only one at a time).

    Please post the HijackThis, ComboFix, and Avenger logs as momok said.

    Regards :)

     
  15. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Your second log is fine. So we do not need the AVG antispyware log anymore. Do post the other 2 logs as requested.


    Regards,
    Your friendly momok =)

     
  16. HSN

    HSN TS Rookie Topic Starter

    dear all,
    pls find herewith the logs requested (avenger, combo, hjt and)avg
    avg anti spyware was run in safe mode, logged in with harry and not admin
    am i right in thinking that what avg found are malware in archive zip folders from avenger OR are they really still in my pc?
    avg was run as last (so all the other logs are from before this avg log)
    many thx for all ur help to date
     
  17. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Only one of them is from avenger. The rest are registry entries and stuff in your restore points.

    I just realised I missed out an entry to remove. I'm sorry about that. Apparently it created more exe's on your system. Please do the following.

    Please boot into safe mode as previously done and unhide your files and folders.

    Delete the following files.

    C:\WINDOWS\g407453.exe
    C:\WINDOWS\g5092343.exe
    C:\WINDOWS\bwUnin-7.2.0.137-8876480SL.exe

    Reboot into normal mode and rehide all your files and folders.

    Thereafter please post a fresh ComboFix and HijackThis log from normal mode.


    Regards,
    Your friendly momok =)

     
  18. HSN

    HSN TS Rookie Topic Starter

    no problem, done!
    is my pc ok now?
    btw, some startups which u told me to delete are needed (by me), do i have to reinstall the whole program?
    many thx
    greetz

    do i need to delete the items from avg? (they are now in quarantine)
    and do i delete the restore points?
     
  19. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Have HijackThis fix this entry:

    O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)

    Which startup are you referring to that you needed?

    Apart from that, your logs look clean now.

    Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

    Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend that you read this article.
    This can help to prevent future infections.

    May I also suggest that you read this thread here on how to speed up your system.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly momok =)

     
  20. HSN

    HSN TS Rookie Topic Starter

    hi,

    many thx for all your help
    i did precisely as said
    pc seems fine now
    avg anti spyware keeps finding adware.roguesuspect again and again
    i wonder if it's not a needed file...
    i keep quarantining it
    pls advise
    i installed norton 360 and pc seems really ok! ;-)
    re startup programs, i meant stuff like scansnap (scanner) and logitech (so u can see when u actually change the volume on the screen etc)
    again, many thx to all the wonderful, helpful ppl out here!
    g-d bless!
    greetz

    ps hjt & avg file att.
     
  21. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Your HijackThis log is clean. With regards to the AVG AS log, that is a nasty which resides in your system restore point. Follow my instructions on disabling then re-enabling restore and that will go away.

    Regards,
    Your friendly momok =)

     
  22. HSN

    HSN TS Rookie Topic Starter

  23. momok

    momok TS Rookie Posts: 2,265

    Hi,

    The false positive is not the file in question we are dealing with on your system. Have AVG fix it.


    Regards,
    Your friendly momok =)

     