Solved

System infected w/ trojan.vundor.b & can't remove the infected file

Posted on 2005-04-30
Last Modified: 2008-03-10
Hi everyone,

I have a laptop with Windows XP SP2 installed, and I find that it's infected with a virus trojan called torjan.vundor.b. I used Norton AV but it failed to clean the system.

Norton has reported that the file C:\Windows\Microsoft.net\adrole.dll was infected and failed to delete it.
I have downloaded the removal tool for that virus from the Symantec site; it scanned the file and reported that it will be deleted after the restart, but it's still there.

I followed all the instructions and disabled the System Restore function, but it's still there after restarting the laptop.

I tried to delete the infected file manually but I failed; it's like it's being used by another application or maybe the OS itself.
I also tried to delete it while in safe mode, but that's no use too.

Is there any way to get rid of this file?

0
Comment
Question by:Naser Gabaj
20 Comments
 
LVL 23

Accepted Solution

by:
gecko_au2003 earned 500 total points
ID: 13901189
Run this program from this site first :

http://www.simplysup.com/tremover/download.html

Then run the virus scanners :

run a free online virus scanner :

http://housecall.trendmicro.com/

Then from there try avg free edition :

www.grisoft.com

I would recommend doing the latter in safe mode :)

If that does not work then try system file checker :

go to start --> run and type

sfc /scannow

making sure to have your Windows XP CD handy :)

If that fails then as a last resort do a repair install :

http://www.michaelstevenstech.com/XPrepairinstall.htm

0
 
LVL 23

Assisted Solution

by:gecko_au2003
gecko_au2003 earned 500 total points
ID: 13901192
I would also suggest that you use msconfig and go to www.mlin.net and get Startup Control Panel, make sure nothing is starting up with Windows, also go to Start --> All Programs --> Startup to make sure nothing is in there :)
0
 
LVL 23

Expert Comment

by:gecko_au2003
ID: 13901196
I forgot to mention that you need to press Enter after typing that command into the Run dialog, or you can click OK, either way works :) which I'm sure is obvious to you :)
0
LVL 13

Expert Comment

by:gonzal13
ID: 13901367
First, a trojan is 'Malware' that cannot be removed by an antivirus program. The program is probably in memory when you boot Windows. Boot in safe mode so that there is less of a chance that it is in memory. You mentioned you had identified several viruses. Make sure that your Norton program is set to automatically update the antivirus files. Also there is a page that you can check so that Norton will try to repair and, if not successful, then it will quarantine the file.

Here are some programs that work on eliminating Trojans, worms etc.
SpywareBlaster
http://www.javacoolsoftware.com/spywareblaster.html

Spybot Search and Destroy
http://download.com.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button

Ad-Aware
http://www.lavasoftusa.com

Adware scanner
http://www.adwarekillers.com/

0
 
LVL 15

Author Comment

by:Naser Gabaj
ID: 13901615
To gecko_au2003,

The scanners found the infected file but they failed to remove it, even in safe mode. It's like it's being used by Windows itself.
sfc only checks the Windows XP system files, but the file adrole.dll is not part of the Windows XP system files, so it didn't do anything to it.

Managing the startup services also can't fix the issue, since I scanned the laptop in safe mode, and it's known that Windows XP in that mode loads only the necessary services that it needs to be able to work, disabling all other stuff.

To gonzal13,

Norton Antivirus can identify many trojan viruses, as in this case with this trojan virus, but it failed to delete it because it's being used. I have also mentioned that I tried scanning it in safe mode using the Symantec removal tool for that trojan, but it also failed, giving a message that it will be deleted at the next Windows boot, but it's still there in the system.
Also, I don't see that I mentioned that I identified several viruses!

I still have that infected file and couldn't clean it.
0
 
LVL 23

Expert Comment

by:gecko_au2003
ID: 13901885
0
 
LVL 23

Expert Comment

by:gecko_au2003
ID: 13901890
If that is not the right one then you can search through here :

http://www.symantec.com/avcenter/vinfodb.html

click on the relevant one and it shows you removal instructions as well as what it does :)
0
 
LVL 23

Expert Comment

by:gecko_au2003
ID: 13901898
I found this tool which was highly rated by cnet so might be worth a go :

https://www.pctools.com/spyware-doctor/?ref=google_t

I would also suggest you use registry mechanic :)

http://www.majorgeeks.com/download3306.html
0
 
LVL 23

Expert Comment

by:gecko_au2003
ID: 13901905
http://www.bleepingcomputer.com/files/killbox.php

http://www.techwarelabs.com/downloads/?action=file&id=201

Not sure how useful those are but it's a program to help you delete files that are hard to delete :)
0
 
LVL 15

Author Comment

by:Naser Gabaj
ID: 13901908

Thx gecko_au2003, I have used the removal tool from the link you gave me before, but as I stated it reported that it will delete the file at the next boot, but it didn't.
The file is still there although I followed all its instructions.

Any other suggestions please?
0
 
LVL 23

Expert Comment

by:gecko_au2003
ID: 13901916
Do a system restore as I suggested earlier !
0
 
LVL 15

Author Comment

by:Naser Gabaj
ID: 13902003
Although both of the last 2 links are for the same tool, which is Killbox.exe, really thanks a lot gecko_au2003, I'll give it a try and let you know what happened!
0
 
LVL 23

Expert Comment

by:gecko_au2003
ID: 13902073
Well, obviously the manual removal method didn't work and neither did the other things, so I am guessing a repair install. If that does not work then the only other thing I can think of would be to back up your data and do a fresh install, which btw is also shown and explained to you on that site I gave you earlier :)
0
 
LVL 13

Expert Comment

by:gonzal13
ID: 13902557
Well, Google, Yahoo, and Gigablast come out without any results, which is strange. Would you repost the name of the Trojan horse?
0
 
LVL 13

Expert Comment

by:gonzal13
ID: 13902568
Did you try the 'Malware' programs? I just had been on a "Warez" site which is known for its viruses and malware. I then used the programs I listed and it removed 8 items which I got just by visiting the site and not even clicking on anything.
By the way, do not visit a 'Warez' site since one time when I was downloading something and did not have DSL, I came back and my HD was wiped clean!

Joe
0
 
LVL 13

Expert Comment

by:gonzal13
ID: 13902663
I went through 7 search engines. Possibly the spelling is incorrect? Could it be trojan nvundor.b?

Normally using a search engine comes up with what is looked for. I have about 100 engines, but I do need a double check on the exact spelling of the trojan horse.

Joe
0
 
LVL 23

Expert Comment

by:gecko_au2003
ID: 13903537
Are you sure it is not the Trojan.Vundo.B? As per my suggestion earlier, or when you do the scan does it show up as what you typed?
0
 
LVL 13

Expert Comment

by:gonzal13
ID: 13904783
I have a lot of search engines to try the search. I am glad you confirmed the spelling. Another approach may be needed. Does it mention Trojan in the phrase or did you add that word? Is it noted as a virus, because the word Trojan appears? If so, what program mentions it?

You had 'torjan.vundor.b', which I did not notice until later should have been trojan.vundor.b. Now this is 'Malware' which will not work with Norton AV. Now do you get the message from Norton? If so please confirm the EXACT wording.

Also, if you do not have a firewall, install the free firewall called "zonealarm" at www.zonealarm.com. You should accompany it with a hardware firewall for more protection.

I will look at it again on Monday.

Here is an explanation of 'Malware' that Norton AV cannot deal with. It came from BillDll. I recently asked him if I could use it.

It is a wonderful description of 'Malware' that should be shared.

MALWARE  PROGRAMS

The following was obtained from BillDll. The text for each URL came from the url site and of course credit was given to them.

Download these programs, make an icon for each, run the programs in safe mode in case there is something in memory.

There can sometimes be a very fine line between a Virus and "spyware", generally Norton AntiVirus (and most other antivirus applications) will not detect normal "spyware" unless it comes in the form of what is referred to as a "Trojan".  This name is taken from the historical "Trojan Horse" where invaders sneaked into the walled city hidden in a wooden horse.  Similarly, a computer Trojan comes packaged and disguised as something else, and sneaks into your system where it can hide unseen doing a variety of things such as stealing passwords and sending them out to some other remote computer, monitoring activity, etc.

AntiVirus applications are often able to detect known Trojans, but not always.  It is very important for this reason to always allow your AntiVirus program to check regularly for updated "definition" files.  These are the "libraries" (for want of a better word) that the program uses to detect known threats, and new definition files will find new viruses.

Spyware is generally less nasty than a Trojan, but can certainly be a security leak.  In normal cases, they are huge annoyances rather than actual "spies".  I suppose that, if there were sub-categories, they could be divided into "Internet Home Page HiJackers" that redirect your internet pages constantly to specific search pages, "Ad Ware" which monitors your internet browsing habits and transmits them to central repositories for marketing purposes, and "Scumware" that sneakily installs programs that masquerade as legitimate programs and do similar things as "Adware", and "Scumware" which just messes up your system for no particular reason.

For the most part, all of these rely on changing or adding registry settings.  For instance, some will install and register files that have very similar names to genuine Windows system files so that a user checking what program files are currently being used won't immediately suspect a rogue process at work.  Some replace a windows system file with a rogue version of their own, and change a registry setting so that their rogue file does something else entirely different.

There is something known as a "Browser Helper Object" or BHO.  Most are legitimate and helpful, such as the integration of Adobe Acrobat Reader which will open up within Internet Explorer if you click on a link to a .PDF file.  Other BHO's are Norton AntiVirus Helper, which adds a "Scan with NAV" to various places and also runs behind the scenes ready to scan incoming email.  Unfortunately, some unscrupulous programs add unwanted BHO's into your system.

To somebody who is neither well acquainted with the names of files and folders in the "system" areas, and who has never had to know what lies in their windows registry, it can be difficult for that person to identify results thrown up by spyware removal tools.

Microsoft is often maligned and accused of creating unwanted, annoying, or "big brother-like" processes in Windows, and for that reason anti-spyware programs will often identify normal Windows registry settings, files, and processes as undesirable.  In most cases, these found items could be safely removed using the anti-spyware tool without suffering any adverse effects because they are not crucial to functionality.  In odd cases, however, allowing an anti-spyware utility to remove something could adversely affect your system.

There is also the risk that, by removing a rogue file that has deliberately replaced a legitimate system file, your system will look for that file and throw up errors when it can't find it.
The above was plagiarized from BillDll

http://www.cyberwalker.net/columns/oct02/241002.html

Hijackers exploiting this bug will insert one or several .hta files on your hard drive which run when you start up Windows.

To fix this nastiness manually, search your computer for *.hta files. Click Start and Search or Find and then Files or Folders and type in *.hta. If you find them rename them so that they can't be found. For example, change file.hta to file.hta1 or move the files to another folder on your computer. Then switch your homepage back to one you like. If your computer doesn't do weird things after this permanently delete them. If it does, you might want to put them back one by one until you find the offender and then delete it.


Anti spyware tutorial

Spyware, also known as adware or malware, are programs that can cause problems. These include: pop-up advertisements on your computer, browser hijacks, search engine hijacks, website redirections, website restrictions, computer problems (like slowdowns, lockdowns, etc.), personal information being logged without your permission, preventing you access to certain sites or the whole internet, etc. Some spyware are worse than viruses, in my opinion. This section was created to help you detect and remove any suspicious activity that may be going on on your computer. Also included is a section on how to prevent future spyware installations. Please read and follow the steps below to help make this process much faster and easier.

Before running any spyware programs, please run an online antivirus scan at one of the below sites to make sure that you don't have a virus. It is recommended to run a scan online because there are some viruses that can disable or make themselves invisible to the antivirus programs you have on your computer. If any viruses are found, write them down and remove them. Before running any of them, first disable System Restore if you have Windows ME/XP. You may use more than one:


Hopefully the above explanation will help you understand 'Malware'.
0
 
LVL 23

Expert Comment

by:gecko_au2003
ID: 13904820
Just out of curiosity, did you try the system restore yet or are you trying other things first?
0
 
LVL 15

Author Comment

by:Naser Gabaj
ID: 14067087
Dear All,

Thanks for your participation. I have backed up my data and formatted the HD; all the solutions shown above didn't fix my problem.

Anyway, you deserve the points for your instant efforts, and thanks.

Regards

Naser
0
