Can't Remove Trojan.Vundo.B !

Discussion in 'malware problems & news' started by hard-to-live, Apr 29, 2005.

Thread Status:
Not open for further replies.
  1. hard-to-live

    hard-to-live Registered Member

    Joined:
    Apr 29, 2005
    Posts:
    11
    I got: Win XP + Norton Internet Security 2005

    Norton AntiVirus detects it right away, but cannot cure/delete/quarantine :mad:
    Also tried latest TDS-3 - nothin..

    Got this *** trojan on Sunday. Tried to use FixVundo.exe (Symantec) - didn't find any files affected. I've tracked it (using Process Explorer) - it's the sav.dll file that clings to explorer.exe and winlogon.exe - this doesn't allow me to delete it. Killing winlogon shuts down my comp.

    Tried to use Dellater - but don't know what to do with this dellater.exe after i launch it o_O

    Help, please ..
     
  2. cheers

    cheers Guest

    That's exactly what's happening to me.... Can anyone help? I have tried all day to remove it.
     
  3. Stephanos G.

    Stephanos G. Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    720
    Location:
    Cyprus
    try counterspy here

    free trial period, good luck
     
  4. hard-to-live

    hard-to-live Registered Member

    Joined:
    Apr 29, 2005
    Posts:
    11
    I tried CounterSpy - found other malware, about 16 new !!
    All were cured (deleted), i rescanned again and found nothing.

    But still couldn't detect Trojan.Vundo.B, Norton still displays warning.

    Could you also give me instructions on how to use DelLater.exe - I don't know how to use this .exe file.
     
  5. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Have you tried scanning with Norton in Safe Mode?
    You could of course try Killbox (use delete on reboot) Or Locked files wizard. :)
     
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    To Run DelLater:-

    Unzip dellater.exe into C:\Windows (this is important!).

    Type out the file paths, of the files to be deleted, into notepad, exactly as per the following example:-

    dellater.exe C:\Windows\upyours.exe
    dellater.exe C:\windows\system32\scalliwag.dll

    Then save as File name "del.bat", and as type 'All Files', on your desktop. (This creates a DOS batch file).

    Doubleclick the del.bat file. You will get a notification for every file marked for deletion. Click O.K. and reboot.

    P.S. I haven't had a chance to research your problem but it is Adware and looks quite easy to remove; follow these instructions:- http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.b.html
     
    Last edited: Apr 29, 2005
  7. hard-to-live

    hard-to-live Registered Member

    Joined:
    Apr 29, 2005
    Posts:
    11
    Thankz Pelotas and Topper,

    I'll try what's listed above, but before I do it I've got a question - into what notepad exactly should I insert the provided file paths (for DelLater)?
     
  8. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Click Start/All Programs/Accessories/Notepad. Type the files to be deleted as per the above example, and save the file to your desktop as explained above.
     
  9. Fif

    Fif Guest

    Hi there,

    I'm also having the same problem; I have been trying to fix the problem, following the steps suggested by Symantec, including updating the virus definitions, running in Safe Mode, disabling System Restore, etc., but so far to no avail. Any solution?

    Rgds
    F
     
  10. hard-to-live

    hard-to-live Registered Member

    Joined:
    Apr 29, 2005
    Posts:
    11
    Hey Fif ,

    I'm away from my comp at work, so i didn't try DelLater yet.

    Did you?
    try that (see above)
     
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    If you are trying to delete a .dll file, you may not be able to do so if the source file is in use. So you must first 'unregister' the dll and then reboot into Safe Mode to delete it.

    To unregister .dll, you can use the Regsvr32 tool (Regsvr32.exe). To do this for Scalliwag.dll (or whatever yours is called!) click Start/Run and enter the following command line (giving the correct file path for your .dll!):-

    regsvr32 /u C:\WINNT\system32\Scalliwag.dll

    (Note the spaces are also important).

    If DelLater can do the job without bothering with the above, then all well and good - but you may be able to do it without DelLater.

    There are also the Registry changes to deal with, look for them with Regedit; if you are not sure how to back-up and delete keys, let us know and we will assist.
     
    Last edited: Apr 29, 2005
  12. hard-to-live

    hard-to-live Registered Member

    Joined:
    Apr 29, 2005
    Posts:
    11
    I tried DelLater - didn't help, file is still there.

    Just tried Regsvr32 - here's what it said: LoadLibrary("C:\WINDOWS\system\sav.dll") failed - access is denied

    As for the regedit - i know how to back up keys, this was first location i started searching for problem, nothing in the registry...
     
  13. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    This is an obstinate son-of-a-gun, isn't it? Unless someone can come up with a better idea, it is beginning to look like you are going to need to try a HijackThis log (which they no longer do at Wilders).

    One more try would be an online scan at Kaspersky, which seems to recognise all of the known variants. Possibly it is a long shot, but worth doing:- http://www.kaspersky.com/beta?product=161744315

    The other possibility is to D/L and try Ewido:- http://www.ewido.net/en/
     
  14. hard-to-live

    hard-to-live Registered Member

    Joined:
    Apr 29, 2005
    Posts:
    11
    Obstinate? Hell yeah!
    Kaspersky doesn't detect it.
    This file (sav.dll) is the only thing left to remove, but who knows how?

    Oki, i finally got the whole picture of this sonova*** :

    For people who may encounter this problem :

    It is NOT a Trojan.Vundo.B - Norton is detecting it wrongly. The stuff i got is an IST Search Assistant !

    Removing all listed below in Safe Mode:

    Main directory: c:\windows\srchasst

    Basic files : srchctls.dll, srchui.dll, sav.dll, vas.ini, rover.acs, srchasst.inf (and .pnf also), f5r4bnh.exe (or any similar).

    I bet there could be alterations in the directory location. So search thoroughly.
    Also delete all strings through Run>Regedit, containing filenames listed above, AND FilesNamedMRU or RunMRU, and Search Assistant..

    The only thing left for me is to figure out how to get rid of sav.dll, which is clinging to explorer.exe AND winlogon.exe simultaneously. So in this case Safe Mode is useless (winlogon triggers sav.dll).

    Anyone, who knows how to delete it thru DOS, maybe??

    Appreciate all replies
     
  15. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Norton misreading the situation hardly comes as a surprise, but what makes you think you've got the Home Search Assistant problem?

    If you have got it then there will be two .dll files, one of them hidden. No use trying just to get rid of the visible one - you can't. But this is something for a HJT log to diagnose. You really would be best advised to take that route.

    However, have a look here and see if it helps:-

    http://www.pchell.com/support/aboutblank.shtml

    http://www.adwareaway.com/
     
  16. hard-to-live

    hard-to-live Registered Member

    Joined:
    Apr 29, 2005
    Posts:
    11
    Generally, what makes me think this is Search Assistant is registry:

    Almost all keys named "Search Assistant" or similar, were related to sav.dll, srchctls.dll and other kinds of basic files posted above.

    Using Safe Mode I finally managed to unregister all of them, and delete all except the damn sav.dll.

    What did you mean by hidden dll - not an attribute of a system file?
    Like encrypted or something?

    thnkz
     
  17. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Hidden dll is mentioned in the link I gave above and is the cause of the problems in these types of cases. I don't want to presume what you may have, but a 'hidden' dll can sometimes be revealed by a prog called 'Dll Compare'. This looks at all the dlls you have loaded and compares them with official files - anything that doesn't match is suspect. You can Google to find that, but as I say a HJT log looks your best bet.

    One thing you can do though is to click Tools/Manage Add-ons in I.E. and see if you have a suspect Browser Helper Object loaded. If you have you can at least disable it there. It also might be worth looking at 'Control Panel'/'Add-Remove Progs' to see if you have any entries for 'Search Assistant' or other possible Adware entries.

    If this is a difficult spyware case though, a HJT log offers your best hope of resolution.
     
  18. hard-to-live

    hard-to-live Registered Member

    Joined:
    Apr 29, 2005
    Posts:
    11
    Ok, I've scanned the system with HJT, and tried to remove these:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\system\sav.dll

    and rescanned - they were displayed again o_O

    By the way, could you tell me what are these :

    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

    Are there any means to delete all the crap through DOS or any, before windows is loaded and user is logged on ?
     
  19. Happy Bytes

    Happy Bytes Guest

    did u close all internet instances before deleting this? Means closing ALL explorer windows and ALL programs which are using activex components for displaying something?
     
  20. aaprocto

    aaprocto Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    4
    hey everyone-
    i found the forum here in a google search and i'm jumping into this thread because my mother is calling me telling me her norton said she has the vundo b trojan yesterday and the warning stays up, clean: failed, quarantine: failed. i told her to download the removal tool from symantec to no avail, it didn't detect the virus. she also says her computer is running very slow....is this typical of the virus? also- she says the virus was found in the main operating drive (windows) in the "fonts" folder. please bear with me here, i'm 4 hrs. away from her in grad school, she knows NOTHING about computers, i have *moderate* knowledge...can do basic stuff. is there a general consensus as to a fix here?? i'm trying to keep up with you guys....there's no way she could handle getting into the registry and deleting keys, that'd be a mess. it'd be nice if you guys could help if a sound fix is determined...thanks.
     
  21. hard-to-live

    hard-to-live Registered Member

    Joined:
    Apr 29, 2005
    Posts:
    11
    To Happy Bytes:
    Yup, i closed all the windows (as it was also said in warning of HJT before the scan).

    To Aaprocto:

    Comp runs slow coz explorer consumes 99% cpu
    temporary solution for this is to reboot in safe mode:

    Simply follow the steps:

    1. Start>Turn off computer>Restart
    2. After comp shuts down during restarting, press and hold F8 , better if she presses it several times
    3. Select Safe Mode in menu displayed, press Enter
    4. After system is fully booted, restart again (see 1) - it loads in normal mode automatically, and everything is ok - temporarily. If yr comp slows down again - better shut it down and try to live some days without it - because it can go worse.
    5. Ignore Norton's screaming - this is NOT a Vundo trojan. Something else; now here we're trying to remove this malware.
     
  22. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Step 1:

    Please download Process Explorer by Sysinternals from HERE

    Also download KillBox by Option^Explicit from HERE


    Step 2:

    Download the file and save it to your desktop:

    FixVundo Registry File


    Step 3:

    Print out the following instructions as you will not have Internet Access for the rest of this fix.

    Then boot up in SAFE MODE

    The rest of this fix must be done in safe mode.


    Unzip Process Explorer and double click on procexp.exe

    In the top section of the Process Explorer screen double-click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of C:\WINDOWS\system\sav.dll once and then click the kill button.

    After you have killed all of the C:\WINDOWS\system\sav.dll's under winlogon click OK.

    If you see any .ini or .bak files with either the same name or the file name in reverse, kill them as well (that would be sav.ini or sav.bak, vas.ini or vas.bak).

    Next double-click on explorer.exe, select the Threads tab, and again click once on each instance of C:\WINDOWS\system\sav.dll then click the kill button.

    If you see any .ini or .bak files with either the same name or the file name in reverse, kill them as well.

    Once you have done that click OK again.

    Next run HijackThis and

    fix O2 and O20 entries from hijackthis



    Now double-click on the vundo.reg file that you saved on your desktop earlier and allow it to merge with the registry.

    Step 4:

    Double click on Killbox.exe and then check the delete on reboot button.

    Enter the following filepath and filename into the Full path of file to delete box

    C:\WINDOWS\system\sav.dll

    Click the red circle with the white x and say yes to the delete prompt but no to reboot then repeat with any of the reverse named .bak or .ini files

    after you have input the last file name then reboot

    After your computer has rebooted please tell us how it went ;)


    edit: before doing anything make sure that you have the newest HijackThis, because the older versions don't show Winlogon Notify lines... !!!!!
     
    Last edited: Apr 30, 2005
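    The HijackThis lines quoted earlier in this thread (the O2 BHO entry for sav.dll and the O16/R0 lines) and illukka's instruction to fix the O2 and O20 entries can be reasoned about mechanically. The following Python script is an added example, not something posted in this thread: it parses a constructed HJT log excerpt built from the lines above, flags O20 Winlogon Notify DLLs (which load inside winlogon.exe and so keep running in Safe Mode), escalates any O2 BHO that points at the same DLL, and notes BHOs loaded from outside the usual system directories.

```python
import re
from collections import defaultdict

# Constructed HijackThis log excerpt modelled on the lines quoted in this thread;
# the two CLSIDs and the sav.dll path are the ones posted above, the rest is made up.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\system\sav.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\example.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O20 - Winlogon Notify: sav - C:\WINDOWS\system\sav.dll
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
BHO_RE = re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
DPF_RE = re.compile(rf"^O16 - DPF: (?P<clsid>{CLSID})(?: \((?P<name>.*?)\))? -\s*(?P<url>.*)$")

# Directories a DLL registered as a BHO is normally loaded from on Windows XP.
EXPECTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def unexpected_location(path):
    """True when a DLL path lies outside the directories BHOs usually live in."""
    return not path.lower().startswith(EXPECTED_DLL_DIRS)


def triage(log_text):
    """Return findings for HJT lines worth a second look, in log order."""
    lines = [l.strip() for l in log_text.splitlines()]
    # DLLs hooked via Winlogon Notify run inside winlogon.exe, so they are mapped even in Safe Mode.
    notify_paths = {m["path"].lower() for l in lines if (m := NOTIFY_RE.match(l))}
    findings = []
    for line in lines:
        if m := NOTIFY_RE.match(line):
            findings.append({"severity": "high", "path": m["path"], "line": line,
                             "why": "Winlogon Notify DLL runs inside winlogon.exe, even in Safe Mode"})
        elif m := BHO_RE.match(line):
            if m["path"].lower() in notify_paths:
                sev, why = "high", "same DLL is also hooked into winlogon.exe (O20)"
            elif unexpected_location(m["path"]):
                sev, why = "medium", "BHO loaded from a non-standard directory"
            else:
                continue
            findings.append({"severity": sev, "path": m["path"], "line": line, "why": why})
        elif (m := DPF_RE.match(line)) and not m["url"]:
            findings.append({"severity": "low", "path": "", "line": line,
                             "why": "orphaned ActiveX download record with no source URL"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['why']}\n         {f['line']}")
```

    A DLL that shows up as both an O2 and an O20 entry is the situation described in this thread: unregistering or deleting it from Safe Mode fails because winlogon.exe still has it loaded, which is why the thread-kill plus delete-on-reboot procedure is needed.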
  23. hard-to-live

    hard-to-live Registered Member

    Joined:
    Apr 29, 2005
    Posts:
    11
    YEAAHHH !!

    it Helped !!!

    Wilders Security RULZ 4EVA !! :D

    I'm really thankful to everybody on this forum, especially Don Pelotas, Illukka The spyware Fighter and Topper.

    No doubt, folkz can rely on you !!
     
  24. LongLeaf

    LongLeaf Guest

    I HAVE RESOLVED IT!!

    First, download the Trojan.Vundo.B Removal Tool from the Symantec website.

    Disable Win XP System restore.

    Re-start your computer in Safe Mode (press F8 several times when starting up).

    Then run the Symantec removal tool.

    This tool has removed 5 registry entries. (see report on the screen)

    Last, I rebooted the system in normal mode (the notice of a virus present did not appear) and enabled System Restore again.

    So far things seem to be back to normal.

    Thanks to you all for your help
     
  25. memememe

    memememe Guest

    thank you, especially to the last guy who posted about safe mode. it worked. thanks
     