Can't Remove Trojan.Vundo.B !

I got: Win XP + Norton Internet Security 2005

Norton AntiVirus detects it right away, but cannot cure/delete/quarantine
Also tried latest TDS-3 - nothin..

Got this *** trojan on Sunday. Tried to use FixVundo.exe (Symantec) - didn't find any files affected. I've tracked it (using Process Explorer) - it's sav.dll file that clings to explorer.exe and winlogon.exe - this doesn't allow me to delete it. Killing winlogon shuts down my comp.

Tried to use Dellater - but don't know what to do with this dellater.exe after i launch it

Help, please ..

 

Thats exactly whats happening to me.... Can anyone help. I have tried all day to remove it

 

try counterspy here

free trial period, good luck

 

I tried CounterSpy - found other malware, about 16 new !!
All were cured (deleted), i rescanned again and found nothing.

But still couldn't detect Trojan.Vundo.B, Norton still displays warning.

Could you also give me instructions how to use DelLater.exe - don't know how to use this .exe file.

 

Have you tried scanning with Norton in safemode:

You could of course try Killbox (use delete on reboot) Or Locked files wizard.

 

To Run DelLater:-

Unzip dellater.exe into C:\Windows (this is important!).

Type out the file paths, of the files to be deleted, into notepad, exactly as per the following example:-

dellater.exe C:\Windows\upyours.exe
dellater.exe C:\windows\system32\scalliwag.dll

Then save as File name "del.bat", and as type 'All Files', on your desktop. (This creates a DOS batch file).

Doubleclick the del.bat file. You will get a notification for every file marked for deletion. Click O.K. and reboot.

P.S. I haven't had a chance to research your problem but it is Adware and looks quite easy to remove; follow these instructions:- http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.b.html

 

Thankz Pelotas and Topper,

I'll try listed above, but before i do it i got a question - what notepad exactly should i insert provided filepaths (for dellater) ?

 

Click Start/All Programs/Accessories/Notepad. Type the files to be deleted as per the above example, and save the file to your desktop as explained above.

 

Hi there,

I'm also having the same problem; have been trying to fix the problem, following the steps suggested by symantec, including updating the virus definition, running in safe more, disabling system restore, etc. but so far to no avail. Any solution?

Rgds
F

 

Hey Fif ,

I'm away from my comp at work, so i didn't try DelLater yet.

Did you?
try that (see above)

 

If you are trying to delete a .dll file, you may not be able to do so if the source file is in use. So you must first 'unregister' the dll and then reboot into Safe Mode to delete it.

To unregister .dll, you can use the Regsvr32 tool (Regsvr32.exe). To do this for Scalliwag.dll (or whatever yours is called!) click Start/Run and enter the following command line (giving the correct file path for your .dll!):-

regsvr32 /u C:\WINNT\system32\Scalliwag.dll

(Note the spaces are also important).

If DelLater can do the job without bothering with the above, then all well and good - but you may be able to do it without DelLater.

There are also the Registry changes to deal with, look for them with Regedit; if you are not sure how to back-up and delete keys, let us know and we will assist.

 

I tried DelLater - didn't help, file is still there.

Just tried Regsvr32 - here's what it said: LoadLibrary("C:\WINDOWS\system\sav.dll") failed - access is denied

As for the regedit - i know how to back up keys, this was first location i started searching for problem, nothing in the registry...

 

This is an obstinate son-of-a-gun isn't it? Unless someone can come up with a better idea,it is beginning to look like you are going to need to try a HijackThis log (which they no longer do at Wilder's).

One more try would be an online scan at Kaspersky, which seems to recognise all of the known variants. Possibly it is a long shot, but worth doing:- http://www.kaspersky.com/beta?product=161744315

The other possibility is to D/L and try Ewido:- http://www.ewido.net/en/

 

Obstinate? Hell yeah!
Kaspersky doesn't detect it.
This file (sav.dll) is the only thing left to remove, but whoo knows how ?

Oki, i finally got the whole picture of this sonova*** :

For people who may encounter this problem :

It is NOT a Trojan.Vundo.B - Norton is detecting it wrongly. The stuff i got is an IST Search Assistant !

Removing all listed below in Safe Mode:

Main directory: c:\windows\srchasst

Basic files : srchctls.dll, srchui.dll, sav.dll, vas.ini, rover.acs, srchasst.inf (and .pnf also), f5r4bnh.exe (or any similar).

I bet there could be any alterations in directory location. So search thoroughly.
Also delete all strings through Run>Regedit, containing filenames listed above, AND FilesNamedMRU or RunMRU, and Search Assistant..

The only thing left for me is to figure out how to get rid of sav.dll, which is clinged to explorer.exe AND winlogon.exe simultaneously. So in this case Safe Mode is useless (winlogon triggers sav.dll).

Anyone, who knows how to delete it thru DOS, maybe??

Appreciate all replies

 

Norton misrerading the situation hardly comes as a surprise, but what makes you think you've got the Home Search Assistant problem?

If you have got it then there will be two .dll files, one of them hidden. No use trying just to get rid of the visible one - you can't. But this is something for a HJT log to diagnose. You really would be best advised to take that route.

However, have a look here and see if it helps:-

http://www.pchell.com/support/aboutblank.shtml

http://www.adwareaway.com/

 

Generally, what makes me think this is Search Assistant is registry:

Almost all keys named "Search Assistant" or similar, were related to sav.dll, srchctls.dll and other kinds of basic files posted above.

using Safemode i finally managed to unregister all of them, and delete all exept damn sav.dll.

What did you mean hidden dll - not an attribute of a system file ?
Like an encrypted or somth. ?

thnkz

 

Hidden dll is mentioned in the link I gave above and is the cause of the problems in these type of cases. I don't want to presume what you may have, but 'hidden' dll can sometimes be revealed by a prog called 'Dll Compare'. This looks at all the dll you have loaded and compares it with official files - anything that doesn't match is suspect. You can Google to find that, but as I say a HJT log looks your best bet.

One thing you can do though is to click Tools/Manage Add-ons in I.E. and see if you have a suspect Browser Helper Object loaded. If you have you can at least disable it there. It also might be worth looking at 'Control Panel'/'Add-Remove Progs' to see if you have any entries for 'Search Assistant' or other possible Adware entries.

If this is a difficult spyware case though, a HJT log offers your best hope of resolution.

 

Ok, I've scanned the system with HJT, and tried to remove these:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\system\sav.dll

and rescanned - they were displayed again

By the way, could you tell me what are these :

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

Are there any means to delete all the crap through DOS or any, before windows is loaded and user is logged on ?

 

did u close all internet instances before deleting this? Means closing ALL explorer windows and ALL programs which are using activex components for displaying something?

 

hey everyone-
i found the forum here in a google search and i'm jumping into this thread because my mother is calling me telling me her norton said she has the vundo b trojan yesterday and the warning stays up, clean: failed, quarateen: failed. i told her to download the removal tool from symantec to no avail, didn't detect the virus. she also says her computer is running very slow....is this typical of the virus? also- she says the virus was found in the main operating drive (windows) in the "fonts" folder. please bear with me here, i'm 4 hrs. away from her in grad school, she knows NOTHING about computers, i have *moderate* knowledge...can do basic stuff. is there a general consensus as to a fix here?? i'm trying to keep up with you guys....there's no way she could handle getting into the registry and deleting keys, that'd be a mess. it'd be nice if you guys could help if a sound fix is determined...thanks.

 

To Happy Bytes:
Yup, i closed all the windows (as it was also said in warning of HJT before the scan).

To Aaprocto:

Comp runs slow coz explorer consumes 99% cpu
temporary solution for this is to reboot in safe mode:

Simply follow the steps:

1. Start>Turn off computer>Restart
2. After comp shuts down during restarting, press and hold F8 , better if she presses it several times
3. Select Safe Mode in menu displayed, press Enter
4. After system is fully booted, restart again (see 1) - it loads in normal mode automatically, and everything is ok - temporarily. If yr comp slows down again - better shut it down and try to live some days without it - because it can go worse.
5. Ignore Norton's screaming - this is NOT a Vundo trojan. Smthn else, now here we'r trying to remove this malware.

 

Step 1:

Please download Process Explorer by Systernals from HERE

Also download KillBox by Option^Explicit from HERE


Step 2:

Download the file and save it to your desktop:

FixVundo Registry File


Step 3:

Print out the following instructions as you will not have Internet Access for the rest of this fix.

Then boot up in SAFE MODE

The rest of this fix must be done in safe mode.


Unzip Process Explorer and double click on procexp.exe

In the top section of the Process Exlporer screen double-click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of C:\WINDOWS\system\sav.dll once and then click the kill button.

After you have killed all of the C:\WINDOWS\system\sav.dll's under winlogon click OK.

If you see any .ini or ,bak files with either the same name or the file name in reverse, kill them as well( that would be sav.ini or sav.bak, vas.ini or vas.bak)

Next double-click on explorer.exe, select the Threads tab, and again click once on each instance of C:\WINDOWS\system\sav.dll then click the kill button.

If you see any .ini or ,bak files with either the same name or the file name in reverse, kill them as well

Once you have done that click OK again.

Next run HijackThis and

fix O2 and O20 entries from hijackthis



Now double-click on the vundo.reg file that you saved on your desktop earlier and allow it to merge with the registry.

Step 4:

Double click on Killbox.exe and then check the delete on reboot button.

Enter the following filepath and filename into the Full path of file to delete box

C:\WINDOWS\system\sav.dll

Click the red circle with the white x and say yes to the delete prompt but no to reboot then repeat with any of the reverse named .bak or .ini files

after you have input the last file name then reboot

After your computer has rebooted please tell us how it went


edit: beforedoing anything make sure that you have the newest hijackthis, because the older versions dont show winlogon notify lines... !!!!!

 

YEAAHHH !!

it Helped !!!

Wilders Security RULZ 4EVA !!

I'm really thankful to everybody on this forum, especially Don Pelotas, Illukka The spyware Fighter and Topper.

No doubt, folkz can rely on you !!

 

I HAVE RESOLVED IT!!

First, Download the Trojan.Vundo.B Removal Tool from the Symantc WebSite.

Disable Win XP System restore.

Re-start your computer in Safe Mode (Press several times F8 when starting up)

Then run the Symantec removal tool.

This tool has removed 5 registry entries. (see report on the screen)

Last, rebooted the system in normal mode (the notice of a virus present did not appear) and enable System restore again.

So far things seem to be back to normal.

Thanks to you all for your help

 

thankyou especially last guy who posted abvout safe mode. it worked. thanks