trojan prob

Discussion in 'malware problems & news' started by miss piggy, May 6, 2005.

Thread Status:
Not open for further replies.
  1. miss piggy

    miss piggy Registered Member

    Joined:
    May 6, 2005
    Posts:
    4
    Hi there, please help.

    I had an alert from Panda that it had disinfected the following: Trj/Agent.DLL found in C:\windows\system\keyweb.dll. The pop-up keeps reappearing and I can't get rid of it at all.

    Then I tried Trend's HouseCall, which threw up TROJ.VUNDO.H, which it said couldn't be deleted as it was within a running program?

    It's really annoying me. I've tried disabling System Restore etc. and doing the scan again, all to no avail. Any advice very gratefully received. Thanks in advance.
     
  2. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Can you post the log for the Panda scan?

    http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm


    http://housecall.antivirus.com/housecall/start_corp.asp

    Set the AUTOCLEAN setting box at Housecall, or any other options for automatically disinfecting things found. Scan all hard (data) drives. Save the Report at Panda, it will not remove adware-type infections but shows what is found.

    Also you can try

    http://www.kaspersky.com/beta?product=161744315

    and

    The latest vintage of Trojan Vundo was not being detected or fixed by the previous tool. Give the one below a run if you have this problem.


    If you have the Vundo.B virus there appears to be a couple of key things to do when you run the new Symantec removal tool:

    1. Run the removal tool when you are in the safe mode
    2. Make sure you are disconnected from any network.

    http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.b.removal.tool.html


    Windows XP

    If Windows XP is the only operating system installed on your computer, boot into Safe Mode with these instructions.
    If the computer is running, shut down Windows, and then turn off the power.
    Wait 30 seconds, and then turn the computer on.
    Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    Ensure that the Safe Mode option is selected.
    Press Enter. The computer then begins to start in Safe Mode.
    When you are finished with all troubleshooting, close all programs and restart the computer as you normally would.

    To use the System Configuration Utility method
    Close all open programs.
    Click Start, Run and type MSCONFIG in the box and click OK.
    The System Configuration Utility appears. On the BOOT.INI tab, check the "/SAFEBOOT" option, then click OK and restart your computer when prompted.
    The computer restarts in Safe Mode.
    Perform the troubleshooting steps for which you are using Safe Mode.
    When you are finished with troubleshooting in Safe Mode, open MSCONFIG again, on the BOOT.INI tab uncheck "/SAFEBOOT", and click OK to restart your computer.
     
  3. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    BTW..

    When Trojan.Vundo.B is executed, it performs the following actions:

    Creates a .dll file with a file name that is constructed from the following strings:

    abr, av, anti, ac, acc, ad, ap, as, bin, bas, bak, cab, cat, cmd, com, cr, c, drv, db, disk, dll, dns, dos, doc, dvd, eula, exp, fax, font, ftp, hard, iis, img, inet, info, ip, java, kb, key, lib, log, main, ms, mc, mfc, mp3, msvc, net, nut, odbc, ole, pc, ps, play, ras, reg, run, sys, srv, svr, svc, s, tapi, tcp, task, un, url, util, vb, vga, vss, xml, wave, web, w, win, wms

    ***************

    So as you see, your Keyweb.dll most likely is the Symantec Vundo.B.
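    As an added triage helper (not part of this thread or of Symantec's write-up), the script below takes the string list quoted above and checks whether a DLL name such as keyweb.dll can be assembled from those strings, the way the post matches "key" + "web". The sample directory listing is constructed; because the list contains single-letter entries, a hit means "look at this file", not "this is Vundo".

```python
"""Triage helper: does a DLL name look like a Vundo.B-style concatenation of the
strings from the Symantec write-up quoted in the post above?
Added example, not part of the thread. The string list is copied from the post;
the sample filenames below are constructed, not taken from the poster's machine."""
from __future__ import annotations
from functools import lru_cache

# Strings Trojan.Vundo.B draws on for its DLL name (list quoted in the post above).
VUNDO_PARTS = frozenset("""
abr av anti ac acc ad ap as bin bas bak cab cat cmd com cr c drv db disk dll dns
dos doc dvd eula exp fax font ftp hard iis img inet info ip java kb key lib log
main ms mc mfc mp3 msvc net nut odbc ole pc ps play ras reg run sys srv svr svc s
tapi tcp task un url util vb vga vss xml wave web w win wms
""".split())


def segmentations(stem: str) -> list[list[str]]:
    """All ways to split `stem` into parts from VUNDO_PARTS, fewest parts first."""
    stem = stem.lower()

    @lru_cache(maxsize=None)
    def splits(i: int) -> tuple[tuple[str, ...], ...]:
        if i == len(stem):
            return ((),)
        out = []
        for j in range(i + 1, len(stem) + 1):
            part = stem[i:j]
            if part in VUNDO_PARTS:
                out.extend((part,) + rest for rest in splits(j))
        return tuple(out)

    return sorted((list(s) for s in splits(0)), key=len)


def triage(filenames: list[str], max_parts: int = 3) -> dict[str, list[str]]:
    """Return {filename: shortest segmentation} for .dll names that decompose
    into at most `max_parts` list entries. Entries like c, s and w make the
    list permissive, so a hit is a prompt to inspect the file, not a verdict."""
    hits: dict[str, list[str]] = {}
    for name in filenames:
        if not name.lower().endswith(".dll"):
            continue
        segs = segmentations(name[:-4])
        if segs and len(segs[0]) <= max_parts:
            hits[name] = segs[0]
    return hits


# Constructed sample listing of C:\windows\system (hypothetical, for illustration).
SAMPLE_LISTING = ["keyweb.dll", "msvcrt.dll", "kernel32.dll", "netdns.dll", "user32.dll"]

if __name__ == "__main__":
    for name, parts in triage(SAMPLE_LISTING).items():
        print(f"{name}: {' + '.join(parts)}")
```

    Legitimate names such as msvcrt.dll and kernel32.dll do not decompose into the list, while keyweb.dll and the constructed netdns.dll do.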
     
  4. miss piggy

    miss piggy Registered Member

    Joined:
    May 6, 2005
    Posts:
    4
    Thanks everyone. So what you are saying is download the Symantec removal tool, then close and reboot in Safe Mode and then run the tool? Correct? I'm only checking in case I do something wrong!!! Help. Is Trojan_Vundo.H the same as the B version, or is the method of removal the same? And what is Trj/Agent.SC? Is it all part of the same thing/problem?
     
  5. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Since each vendor seems to have a different name for all these bad boys, and there is no conventional naming method, I could not begin to tell you. Do not worry about the versions; follow the instructions to the letter on using the Symantec tool.

    Do I think the .dll Agent thing is part of the same thing HouseCall found, calling it Vundo? YES.

    And if you have more problems still, do this.
    First do these steps:

    Guidelines for Posting in This Forum, READ THIS FIRST PLEASE

    http://forum.gladiator-antivirus.com/index.php?showtopic=10517

    Then post your HijackThis log in a new topic at that forum:

    HELP! Think you are Infected?

    http://forum.gladiator-antivirus.com/index.php?showforum=170

    To use that forum you must first register at their board.
     
  6. miss piggy

    miss piggy Registered Member

    Joined:
    May 6, 2005
    Posts:
    4
    Hi there, thanks for all your help, and sorry that I didn't follow the correct protocol. I did download and run the Symantec tool in Safe Mode and hey presto, the pop-up has gone and the tool said that it had removed the trojan and would complete on reboot. Do I still need to do the HijackThis thing and copy it to the specified place? Thanks for your patience.

    P.S. I did already have the Spybot S&D and Ad-Aware thing on my system, and a trial version of Panda Platinum 7. This is due to run out in 25 days; any advice as to what I should replace it with?
     
  7. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    1. Posting your HijackThis log there is your decision. If you think you are clean and have nothing else running that needs to be cleaned, then hold off.
    2. If your decision to find a new AV after the expiration of Panda is based upon economics and you do not intend to purchase any AV, then you can look at AVG or the other free ones. Just make sure that as you test them all you really cleaned off the last one first; some are not that easy to uninstall and will conflict with your next decision. ;)


    In any case these steps always help.
    It is recommended that you do a couple of things after a serious infection.

    Just to be sure.

    Clear out your Temporary internet files and other temp files. Go to Start > Settings > Control Panel >
    Internet Options. Under the General tab click the Delete temporary internet files,
    choose to delete all Offline content. Clear out Cookies.

    Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all ->
    File > delete.

    Empty the contents of the C:\Windows\temp folder and C:\temp folder, if you have one.

    This one too if Win2K or XP.
    C:\Documents and Settings\username\Local Settings\Temp\

    Empty the Recycle Bin.

    This will result in your having to re-enter passwords at forums, banks, and the like.

    A small price to pay if it gets rid of any bad guys.

    Flush your restore points in ME and XP, by turning System Restore off and then back on.
    This will create a fresh restore point.

    Explained here:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

    Also, if you have Sun Java installed, its cache should be cleared too.
    > Control Panel > Java Plug-in > Cache tab > hit Clear!
    And make sure you have the latest version if you have Sun Java.

    Adjust your security settings for ActiveX:
    a. Go to Internet Options/Security/Internet, press 'default level', then OK.
    Now press "Custom Level."
    In the ActiveX section, set/click the options as follows:
    Download signed ActiveX controls > prompt
    Download unsigned ActiveX controls > disable
    Initialize and Script ActiveX controls not marked as safe > disable
    b. In your Restricted Sites Zone set everything that can be to "disable". Set anything that cannot be disabled to "prompt".
    c. Never add any site to your Trusted Sites Zone.

    I would also recommend, in your own self-defense and to reduce the potential for spyware infection in the future, installing both SpywareBlaster and SpywareGuard.

    SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation and browser hijack attempts. Both have free ongoing updates.

    More info and download is available at:
    SpywareBlaster: http://www.majorgeeks.com/download.php?det=2859
    SpywareGuard: http://www.majorgeeks.com/download.php?det=3045

    Maybe consider this as well:
    IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit
    innocent-looking sites that aren't really innocent at all.
    http://www.spywarewarrior.com/uiuc/resource.htm
    Also some info on that page to tighten your IE security.

    Be sure to also keep up with Windows and IE updates.

    Windows security and critical updates.
    http://v4.windowsupdate.microsoft.com/en/default.asp

    Internet Explorer security and critical updates.
    http://www.microsoft.com/windows/ie/default.asp

    Keep all of these programs updated; it's free.
     
  8. miss piggy

    miss piggy Registered Member

    Joined:
    May 6, 2005
    Posts:
    4
    Hi there, I have done all that you recommended. So far so good, then I remembered I should have turned off System Restore. Does that mean I have to do it all over again, or would it now be OK?

    Also, I keep getting a message saying that people will be able to view my activity, do I want to proceed? The only way of getting onto anything is to say yes. What have I done wrong, please? Bit worrying. ?? Thanks again for your patience.
     