trojan prob

Hi there pls help.

i had an alert from panda that it had disinfected the following trj/agent.dll found in C:\windows\system\keyweb.dll the pop keeps reappearing cant get rid at all.

then tried trnds housecall which threw up TROJ.VUNDO.H which it said cudn't be deleted as it was within a running program?

it's realy annoying me. i've tried disabling system restore etc and doing can again all to no avail. any adv very greatfully rcd. thnks in advance.

 

can you post the log for the Panda scan.

http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm


http://housecall.antivirus.com/housecall/start_corp.asp

Set the AUTOCLEAN setting box at Housecall, or any other options for automatically disinfecting things found. Scan all hard (data) drives. Save the Report at Panda, it will not remove adware-type infections but shows what is found.

also you can try


http://www.kaspersky.com/beta?product=161744315


and


The latest vintage of Trojan Vundo was not being detected or fixed by the previous tool. Give the one below a run if you have this problem.


If you have the Vundo.B virus there appears to be a couple of key things to do when you run the new Symantec removal tool:

1. Run the removal tool when you are in the safe mode
2. Make sure you are disconnected from any network.

http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.b.removal.tool.html


Windows XP

If Windows XP is the only operating system installed on your computer, booting into Safe Mode with these instructions.
If the computer is running, shut down Windows, and then turn off the power
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
When you are finished with all troubleshooting, close all programs and restart the computer as you normally would.

To use the System Configuration Utility method
Close all open programs.
Click Start, Run and type MSCONFIG in the box and click OK
The System Configuration Utility appears, On the BOOT.INI tab, Check the "/SAFEBOOT" option, and then click OK and Restart your computer when prompted.
The computer restarts in Safe mode.
Perform the troubleshooting steps for which you are using Safe Mode.
When you are finished with troubleshooting in Safe mode, open MSCONFIG again, on the BOOT.INI tab, uncheck "/SAFEBOOT" and click OK to restart your computer

 

BTW..

When Trojan.Vundo.B is executed, it performs the following actions:



Creates a .dll file with a file name that is constructed from the following strings:


abr
av
anti
ac
acc
ad
ap
as
bin
bas
bak
cab
cat
cmd
com
cr
c
drv
db
disk
dll
dns
dos
doc
dvd
eula
exp
fax
font
ftp
hard
iis
img
inet
info
ip
java
kb
key
lib
log
main
ms
mc
mfc
mp3
msvc
net
nut
odbc
ole
pc
ps
play
ras
reg
run
sys
srv
svr
svc
s
tapi
tcp
task
un
url
util
vb
vga
vss
xml
wave
web
w
win
wms


***************

so as you see your Keyweb.dll most likely is the Symantec Vundo.B

 

thnks everyone so what u r saying is download the symantec removal tool then close and reboot in safe mode and then run tool? corrrect i'm only checking in case i do something wrong!!! help. is trojan _vundo H the smae as the B version or is the method of removal the same? and what is troh/Agent.SC? is it all part of the same thing/problem?

 

Since each vendor seems to have a different name for all thse bad boy..and there is no conventional naming method..I could not begin to tell you..do not worry about the versions..follwing the instructions to the letter..on using the symantec tool..

Do i think the .dll agent thing is part of the same thing House call found calling it vundo ? YES

and if you have more problems still do this.
First do these steps

Guidelines for Posting in This Forum, READ THIS FIRST PLEASE


http://forum.gladiator-antivirus.com/index.php?showtopic=10517

Then post your hijackthis log in a new topic at that fourm


HELP! Think you are Infected?

http://forum.gladiator-antivirus.com/index.php?showforum=170


To use that forum you must first register at their Board.

 

hi there thanks for all yr help anbd sri that i didn't follow the correct protocol i did d/l and run the symantec tool in safe mode and hey presto the pop up has gone and the tool said that it had removed the trojan and wud complete on reboot. do i still need to do the hijack this thing and copy to the specified place.? thnks for yr patience.

p.s. i did already hv the spybot s & d and ad aware thing on my system, and a trial version of the panda plat 7. this is due to run out in 25 days and adv as to what i shud replace it with?

 

1. Posting your Hijackthis log there is at your decision..if you think you are clean and have nothing else running that needs to be clean then hold off.
2. If your decision to find a new AV after the expiration of Panda is based upon economics and you do not intend to purchase any AV..then you can look at AVG or the other free ones..just make sure that as you test them all that you really cleaned off the last one first..some are not that easy to uninstall and will conflict with your next decision.


In any case these steps always help.
It is recommended that you do a couple of things after a serious infection.

Just to be sure.

Clear out your Temporary internet files and other temp files. Go to Start > Settings > Control Panel >
Internet Options. Under the General tab click the Delete temporary internet files,
choose to delete all Offline content. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all ->
File > delete.

Empty the contents of the C:\Windows\temp folder and C:\temp folder, if you have one.

This one too if Win2K or XP.
C:\Documents and Settings\username\Local Settings\Temp\

Empty the Recycle Bin.

This will result in your having to re-enter passwords at forums, banks, and the like.

A small price to pay if it gets rid of any bad guys.

Flush your restore points in ME and XP, by turning System Restore off and then back on.
This will create a fresh restore point.

Explained here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

Also if you have sunjava installed it's cache should be cleared too.
> control panel java-plugin > cache tab > hit clear!
And make sure you have the latest version if you have sunjava.

Adjust your security settings for ActiveX:
a. Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set/click the options as follows:
Download signed ActiveX controls > prompt
Download unsigned ActiveX controls > disable
Initialize and Script ActiveX controls not marked as safe > disable
b. In your Restricted Sites Zone set everything that can be to "disable". Set anything that cannot be disabled to "prompt".
c. Never add any site to your Trusted Sites Zone.

I would also recommend, In your own self defense and to reduce the potential for spyware infection in the future, installing both SpywareBlaster and SpywareGuard.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation and browser hijack attempts. Both have free ongoing updates.

More info and download is available at:
SpywareBlaster: http://www.majorgeeks.com/download.php?det=2859
SpywareGuard: http://www.majorgeeks.com/download.php?det=3045

Maybe consider this as well:
IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit
innocent-looking sites that aren't really innocent at all.
http://www.spywarewarrior.com/uiuc/resource.htm
Also some info on that page to tighten your IE security.

Be sure to also keep up with Windows and IE updates.

Windows security and critical updates.
http://v4.windowsupdate.microsoft.com/en/default.asp

Internet Explorer security and critical updates.
http://www.microsoft.com/windows/ie/default.asp

Keep all of these programs updated, its free.

 

hi there hv done all that u recommended so far so good then remembered i shud hv turned off system restore does that mean i hv to do it all over again or wud now be ok?

also keep getting message saying that poeple will be abale to view my activity do i want to proceed only way of getting onto anything is to say yes. what hv i done wrong please. bit worrying. ?? thnks again for yr patience.