trojan.vundo.b

Guest
Archived from groups: microsoft.public.windowsxp.security_admin

I have the above trojan according to Norton 2003. I have scanned several
times in normal and safe mode but am unable to remove the file. With Norton
it finds the file but cannot quarantine it or delete it. It is labelled
c:\windows\repair\infodb.dll. I understand it is an adware and I am getting
the following advert coming up routinely
http://www.winantivirus.com/index-pro.php?aid=mdwavtop&lid=virus . I do not
want to contact them as I am unsure of what effect that might have.

The Microsoft website has nothing on a search for this adware trojan.

Any clues?
--
Philogynist.
 
Guest
Archived from groups: microsoft.public.windowsxp.security_admin

From: "philogynist" <philogynist@discussions.microsoft.com>

| I have the above trojan according to Norton 2003. I have scanned several
| times in normal and safe mode but am unable to remove the file. With Norton
| it finds the file but cannot quarantine it or delete it. It is labelled
| c:\windows\repair\infodb.dll. I understand it is an adware and I am getting
| the following advert coming up routinely
| http://www.winantivirus.com/index-pro.php?aid=mdwavtop&lid=virus . I do not
| want to contact them as I am unsure of what effect that might have.
|
| The Microsoft website has nothing on a search for this adware trojan.
|
| Any clues?
| --
| Philogynist.

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.scripting.virus.discussion
microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache
Tools --> Options --> Privacy --> Cache --> Clear

1) Download TrendMicro Sysclean by one of the following 2 methods

Trend Sysclean Method 1
---------------------------------------
Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\sysclean")

Download SYSCLEAN.COM and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example; lpt604.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

Trend Sysclean Method 2
---------------------------------------
Download the utility SYSCLEAN_FE at the following URL --
http://www.ik-cs.com/got-a-virus.htm
SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
Direct URL --
http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe

2) Download and install Ad-aware SE (free personal version v1.05)
http://www.lavasoftusa.com/
3) Update Adaware with the latest definitions then exit the software.
4) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
5) Reboot your PC into Safe Mode and shutdown as many applications as possible
6) Using the Trend Sysclean and Ad-aware SE utilities, perform a Full Scan of your
platform and clean/delete any infectors found
7) Restart your PC and perform a "final" Full Scan of your platform using both Trend
Sysclean and Ad-aware SE
8) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
9) Reboot your PC.
10) Create a new Restore point

* * Please report back your results * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 
Guest
Archived from groups: microsoft.public.windowsxp.security_admin

From: "philogynist" <philogynist@discussions.microsoft.com>

| I have the above trojan according to Norton 2003. I have scanned several
| times in normal and safe mode but am unable to remove the file. With Norton
| it finds the file but cannot quarantine it or delete it. It is labelled
| c:\windows\repair\infodb.dll. I understand it is an adware and I am getting
| the following advert coming up routinely
| http://www.winantivirus.com/index-pro.php?aid=mdwavtop&lid=virus . I do not
| want to contact them as I am unsure of what effect that might have.
|
| The Microsoft website has nothing on a search for this adware trojan.
|
| Any clues?
| --
| Philogynist.

Alternate directions....

1) Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache
Tools --> Options --> Privacy --> Cache --> Clear

2) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

3) Download Pocket KillBox
http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Extract killbox.exe from the ZIP file.
Execute; KillBox.exe

Click on Tools --> Select; Delete Temp Files.

Choose; OK

In the Full Path of File to Delete box, type the entire following line exactly

C:\Windows\REGIST~\cabplay.dll

Select; Replace on Reboot

Put a check in the box "Use Dummy"

Click the red circle with a white X

When prompted to Replace on Reboot, click YES

If prompted to Reboot Now, Click YES

Allow the PC to shutdown

4) Reboot your PC into Safe Mode and shutdown as many applications as possible.
5) Using your NAV software, perform a Full Scan of your platform and clean/delete any
infectors found
6) Restart your PC and perform a "final" Full Scan of your platform
7) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) Create a new Restore point

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 
Guest
Archived from groups: microsoft.public.windowsxp.security_admin

Hi,

I also had this trojan and this fix did the job, so many thanks! For others
with the same problem, I did have to disable the Windows firewall for
GETFILES.BAT to work. The scan also took ages, but was worth it!

Thanks again
Chris

"David H. Lipman" wrote:

> From: "philogynist" <philogynist@discussions.microsoft.com>
>
> | I have the above trojan according to Norton 2003. I have scanned several
> | times in normal and safe mode but am unable to remove the file. With Norton
> | it finds the file but cannot quarantine it or delete it. It is labelled
> | c:\windows\repair\infodb.dll. I understand it is an adware and I am getting
> | the following advert coming up routinely
> | http://www.winantivirus.com/index-pro.php?aid=mdwavtop&lid=virus . I do not
> | want to contact them as I am unsure of what effect that might have.
> |
> | The Microsoft website has nothing on a search for this adware trojan.
> |
> | Any clues?
> | --
> | Philogynist.
>
> The following set of instructions has been reported to WORK!
> Attached is a HTML Log file of that report.
>
> Download CLEAN.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/clean.exe
>
> It is a self-extracting ZIP file that contains the Kixtart Script Interpreter { http://kixtart.org Kixtart is CareWare }, three batch files, two Kixtart scripts, two Link (.lnk) files and a PDF instruction file.
> GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line Scanner.
>
> CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose to scan again at a future date, run this batch file. It will automatically check the date of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest signature files and install them before performing the scan.
>
> DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after you have booted from an Emergency Boot Disk or DOS disk and have already executed; c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from; http://www.bootdisk.com/bootdisk.htm
>
> I need you to perform the following...
>
> Execute; CLEAN.EXE
> Choose; Unzip
> Choose; Close
>
>
> Execute; c:\mcafee\GetFiles.BAT
> { or Double-click on 'GetFiles Link' in c:\mcafee }
>
> Reboot the PC into Safe Mode [F8 key during boot]
>
> Shutdown as many applications as possible !
> It would also help for you to read - "How to perform a clean boot in Windows XP"
> http://support.microsoft.com/kb/310353
>
> Execute; c:\mcafee\CLEAN.BAT
> { or Double-click on 'Clean Link' in c:\mcafee }
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus
 
Guest
Archived from groups: microsoft.public.windowsxp.security_admin

From: "chrisr63" <chrisr63@discussions.microsoft.com>

| Hi,
|
| I also had this trojan and this fix did the job, so many thanks! For others
| with the same problem, I did have to disable the Windows firewall for
| GETFILES.BAT to work. The scan also took ages, but was worth it!
|
| Thanks again
| Chris


Thank you Chris for that feedback. I am receiving *many* reports of infection by the Vundo
Trojan. It seems to be rampant in the last few days.

I especially thank you for the feedback on the FireWall issue. I'll try to include that
information in future responses.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 

claire
Archived from groups: microsoft.public.windowsxp.security_admin

Dave,

I have norton antivirus, will this work for me as I have downloaded
'CLEAN.exe' from the URL and then I got to the bit after where you have to go
to c:\mcafee\getfiles.BAT and realised that I probably didn't have this as I
am on Norton AntiVirus

HELP!!!

Thanks

Claire
 
Guest
Archived from groups: microsoft.public.windowsxp.security_admin

From: "Claire" <Claire@discussions.microsoft.com>

| Dave,
|
| I have norton antivirus, will this work for me as I have downloaded
| 'CLEAN.exe' from the URL and then I got to the bit after where you have to go
| to c:\mcafee\getfiles.BAT and realised that I probably didn't have this as I
| am on Norton AntiVirus
|
| HELP!!!
|
| Thanks
|
| Claire

Claire:

This is a standalone utility that can be used in conjunction with *any* anti virus.

After you execute CLEAN.EXE, a c:\mcafee folder will be created and the needed files will be
in there.

When you execute; c:\mcafee\getfiles.BAT it will FTP the needed scanner files and once
that is complete you can then go to the next phase which is to reboot into Safe Mode.

When you are in Safe Mode you will then execute; c:\mcafee\Clean.BAT which will actually
perform the scan process. When the scan is completed it will display a HTML Log file in
your browser.


Here are the general instructions again (and note that there is a PDF help file placed in
c:\mcafee)

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. If you are using Windows XP, you may have to disable the Windows XP FireWall to
allow the FTP utility to download the needed files.

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shutdown as many applications as possible !
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }


A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (FireFox or Internet Explorer). It is
suggested that you move the report out of c:\mcafee before performing another scan. It
would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session. I would very much like a copy of the report(s) and your findings.


I guess that should do it for now Claire...Good Luck !

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 

claire
Archived from groups: microsoft.public.windowsxp.security_admin

Dave,

Thanks - am a bit of a novice at computers and didn't realise that the
McAfee files would be downloaded. Have spent the afternoon running the Clean
and it has worked. Thanks for your help.

Claire
 
Guest
Archived from groups: microsoft.public.windowsxp.security_admin

From: "Claire" <Claire@discussions.microsoft.com>

| Dave,
|
| Thanks - am a bit of a novice at computers and didn't realise that the
| McAfee files would be downloaded. Have spent the afternoon running the Clean
| and it has worked. Thanks for your help.
|
| Claire

Fantastic Claire !

Thnx for updating the thread.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 

bill
Archived from groups: microsoft.public.windowsxp.security_admin

Could I please ask for some help?
When I started up my PC, Norton 2002 told me it had detected the above
virus. I scanned but it's unable to delete a file crvga.dll which is located
in C:\windows\system. I've tried Norton, Tweak XP Pro and a shareware product
GIP and none can remove the offending file. I've also tried scanning with
Norton in Safe mode. AVG anti-virus says my machine is ok - can anyone help
please?
Bill

"David H. Lipman" wrote:

> From: "Claire" <Claire@discussions.microsoft.com>
>
> | Dave,
> |
> | Thanks - am a bit of a novice at computers and didn't realise that the
> | McAfee files would be downloaded. Have spent the afternoon running the Clean
> | and it has worked. Thanks for your help.
> |
> | Claire
>
> Fantastic Claire !
>
> Thnx for updating the thread.
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm