Vundu - Spyware has detected CANT get rid of it - pls help

Status
Not open for further replies.

HSN

hi, i tried the vundu fix, which found some files but after restart it is still here
spybot also has trouble with it
i deleted some file from the HJT o2 files (files missing) but still nothing
norton also finds, blocks and deletes the file but still nothing
i also tried ending ipmon.exe in taskmanager, it won't allow to end (it's mentioned twice in TM)
i have this annoying red shield warning me of malware in my right hand lower corner of the screen
how do i get rid of it?
many thx!
hjt file att.

hjt beta v2 file att

i also have the trojan.nebuler coming and going the whole time (norton deletes it and it's back a few min later)
 
Hello HSN and welcome to TechSpot.

Very important: Before deciding whether to clean or reformat your system, read this thread and decide what you want to do.

If you decide to clean your system after reading the above thread, do the following.

Go and read the Viruses/spyware/malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, ComboFix, and AVG Antispyware logs as attachments into this thread, only after doing the above. Also post here the results of the AVG Antirootkit scan.

Regards :)

This thread is for the use of HSN only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
will do so shortly, thx
avg is now running, waiting for it to end

im going nuts, now my pc also reboots after 60 seconds
trojan keeps appearing even norton blocks it
i can't get the avg to run fully as it takes more than 1 hour and the pc reboots (even in safe mode)
here are the combofix and hjt logs
pls help
thx
 
Sorry, I'd check your logs, but I gotta go soon. I'll be back either tonight or tomorrow morning. Either Howard or Momok can take this if they feel like it.

Regards :)
 
Have you tried UBCD? It's a Live CD which you can use with all the tools in removing viruses and spyware. The problem in removing some viruses and spyware without using a third party device is they get going back on and on.

Hope it helps.
 
Hi ellyquim.

That sounds cool, but I think we should be able to remove it manually and then put stuff in place to keep it from recurring.

Please copy and paste the following instructions into a Notepad file (.txt) and save it to your desktop. Then you can have the file open in safe mode.

Boot into safe mode, under your normal user name (not the administrator account). See how HERE.

Run HijackThis with no other programmes open except Notepad. Place a tick in the box next to the following entries (if there):

Only fix the following R1 entry if you didn't set this proxy yourself or you don't know what it is.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 66.192.59.18:8080

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)

O20 - Winlogon Notify: winrzf32 - C:\WINDOWS\SYSTEM32\winrzf32.dll

O20 - Winlogon Notify: wudb - C:\WINDOWS\system32\wudb.dll (file missing)

Click the Fix Checked button. Close HJT.

Now reboot into normal mode.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as fresh HJT and ComboFix logs, and an AVG Anti-Spyware log if you can.

Regards :)

This thread is for the use of HSN only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
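
An added example, not part of the original post and not HijackThis's own code: a short Python triage of the HijackThis entry lines quoted in the post above, separating orphaned registrations (`(no file)` / `(file missing)`) from entries that still point at a file on disk. The function names and bucket labels are assumptions made for illustration.

```python
import re

# Section codes that appear in the entries quoted in this thread.
SECTIONS = {
    "R1": "Internet Explorer registry setting",
    "O2": "Browser Helper Object",
    "O4": "autostart entry",
    "O16": "ActiveX download (DPF)",
    "O20": "Winlogon Notify / AppInit_DLLs",
}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$")

# The four entries from the post above, copied verbatim.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 66.192.59.18:8080
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O20 - Winlogon Notify: winrzf32 - C:\WINDOWS\SYSTEM32\winrzf32.dll
O20 - Winlogon Notify: wudb - C:\WINDOWS\system32\wudb.dll (file missing)
"""

def classify(line):
    """Return (code, section, bucket) for one log line, or None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    if ORPHAN_RE.search(body):
        bucket = "orphaned"           # registration left behind, target file gone
    elif code == "R1" and ",ProxyServer" in body:
        bucket = "confirm-with-user"  # only fix if the user did not set the proxy
    elif code == "O20":
        bucket = "load-point"         # no missing-file marker: DLL loaded by Winlogon
    else:
        bucket = "review"
    return code, SECTIONS.get(code, "other"), bucket

def triage_log(text):
    """Group entry lines by bucket, preserving log order."""
    buckets = {}
    for line in text.splitlines():
        result = classify(line)
        if result:
            buckets.setdefault(result[2], []).append(line.strip())
    return buckets

if __name__ == "__main__":
    for bucket, lines in triage_log(SAMPLE_LOG).items():
        print(bucket)
        for entry in lines:
            print("   ", entry)
```

Orphaned entries are leftover registry references; the `load-point` entry is the one whose DLL still exists and is loaded at logon, which is why the post follows the HijackThis fix with a separate file-removal step.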
 
many thx for ur help, am going to do it now

many thx for all but where is the avenger.txt file?
where do i download it from?

just saw it, sorry
 
100% CPU Usage

Okay, if there is still no luck, try UBCD. It's a virtual boot CD that loads its applications into memory without using your hard drive, and it has tools like AVG, AVAST, Spybot, spy ad-aware to scan your registry and disk.
 
ok, i did as you asked
as you can see avenger did not succeed
pls advise
will run avg now (takes a while)
thx a mil
 
Hi,

Please follow these instructions carefully.

1. Download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached "avengerscript.txt" (from my attachment) and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the attachment avengerscript.txt you have just downloaded, click on it and press open.
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Run HijackThis and fix the following entries:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: CardMinder Viewer.lnk = ?
O4 - Global Startup: Conversion to PDF with ScanSnap Organizer.lnk = ?
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: ScanSnap Manager.lnk = ?
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab


6. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT, ComboFix and AVG Antispyware log.


Regards,
Your friendly momok =)

 
hello momok, many thx
will do as you say
just one more thing:
att is avg anti spyware report
the files it deleted have already been deleted by avg a few hours before
so it came back...
a few remarks:
-ie7 always asks if i want it to be the default browser
-avg anti spyware has silently detected over 200 malware (in the counter) active shield
- pc is slow
-norton finds trojan.nebuler again and again
will run now norton anti virus and then will use avenger as you stated
btw, i use all the items u stated in the avenger list (scansnap, bluetooth etc) so do i need to remove it for sure?
many thx
avg log att.
greetz

ps i'm adding 2 avg logs, one is taken at 030742 and states "ignored" on all the items but i did delete the items after the log was created, the second log, 115931, is from now

oops forgot to mention: avg anti spyware was run in safe mode
 
All of the items in your second AVG Anti-Spyware log say they were ignored. You need to run the program again and set it to apply the recommended action to all malware found (instructions here).

I recommend removing Norton and installing either AVG free or avast! antivirus (but not both at the same time, as this can cause conflicts). If you have any problems uninstalling Norton, see this thread.

If your version of Norton does not include a firewall, or if you get rid of Norton, you should install either ZoneAlarm or Sunbelt firewall (again, only one at a time).

Please post the HijackThis, ComboFix, and Avenger logs as momok said.

Regards :)

 
Hi,

ps i'm adding 2 avg logs, one is taken at 030742 and states "ignored" on all the items but i did delete the items after the log was created, the second log, 115931, is from now
Your second log is fine. So we do not need the AVG antispyware log anymore. Do post the other 2 logs as requested.


Regards,
Your friendly momok =)

 
dear all,
pls find herewith the logs requested (avenger, combo, hjt and avg)
avg anti spyware was run in safe mode, logged in with harry and not admin
am i right in thinking that what avg found are malware in archive zip folders from avenger OR are they really still in my pc?
avg was run as last (so all the other logs are from before this avg log)
many thx for all ur help to date
 
Hi,

Only one of it is from avenger. The rest are registry entries and stuff in your restore points.

I just realised I missed out an entry to remove. I'm sorry about that. Apparently it created more exe's on your system. Please do the following.

Please boot into safe mode as previously done and unhide your files and folders.

Delete the following files.

C:\WINDOWS\g407453.exe
C:\WINDOWS\g5092343.exe
C:\WINDOWS\bwUnin-7.2.0.137-8876480SL.exe

Reboot into normal mode and rehide all your files and folders.

Thereafter please post a fresh ComboFix and HijackThis log from normal mode.


Regards,
Your friendly momok =)

 
no problem, done!
is my pc ok now?
btw, some startups which u told me to delete are needed (by me), do i have to reinstall the whole program?
many thx
greetz

do i need to delete the items from avg? (they are now in quarantine)
and do i delete the restore points?
 
Hi,

Have HijackThis fix this entry:

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)

Which startup are you referring to that you needed?

Apart from that, your logs look clean now.

Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.

After that turn system restore back on.
This would have created a new safe and clean restore point for your system.

Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend you to read this article.
This can help to prevent future infections.

May I also suggest that you read this thread here on how to speed up your system.

Should you have any further problems, please post in this thread.


Regards,
Your friendly momok =)

 
hi,

many thx for all your help
i did precisely as said
pc seems fine now
avg anti spyware keeps finding adware.roguesuspect again and again
i wonder if it's not a needed file...
i keep quarantining it
pls advise
i installed norton 360 and pc seems really ok! ;-)
re startup programs, i meant stuff like scansnap (scanner) and logitech (so u can see when u actually change the volume on the screen etc)
again, many thx to all the wonderful, helpful ppl out here!
g-d bless!
greetz

ps hjt & avg file att.
 
Hi,

Your HijackThis log is clean. With regards to the AVG AS log, that is a nasty which resides in your system restore point. Follow my instructions on disabling then re-enabling restore and that will go away.

Regards,
Your friendly momok =)

 
Hi,

The false positive is not the file in question we are dealing with on your system. Have AVG fix it.


Regards,
Your friendly momok =)

 