raygk

Can't remove trojan and adware


I just installed and updated SAS on my computer today. It worked great and found a trojan and adware not found by other anti-spyware applications. After it detected the problems, I quarantined the files and rebooted. I re-ran SAS again and it found the same problems which I again quarantined and re-booted. The problems are still there.

My question is: What do I need to do to eliminate the problems? Both scans resulted in identical log files. Any help in ridding my computer of these problems would be greatly appreciated. Here is a copy of the last log file:

------------------------------

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 02/16/2008 at 10:59 AM

Application Version : 3.9.1008

Core Rules Database Version : 3404

Trace Rules Database Version: 1396

Scan type : Quick Scan

Total Scan Time : 00:08:03

Memory items scanned : 444

Memory threats detected : 2

Registry items scanned : 810

Registry threats detected : 4

File items scanned : 7608

File threats detected : 4

Trojan.Unclassifed/AffiliateBundle

C:\WINDOWS\SYSTEM32\IIFFFCD.DLL

C:\WINDOWS\SYSTEM32\IIFFFCD.DLL

Unclassified.Unknown Origin/System

C:\WINDOWS\SYSTEM32\GEEBB.DLL

C:\WINDOWS\SYSTEM32\GEEBB.DLL

Adware.Vundo Variant

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C845773A-2012-43F5-B94C-FDCDEF29D6D2}

HKCR\CLSID\{C845773A-2012-43F5-B94C-FDCDEF29D6D2}

HKCR\CLSID\{C845773A-2012-43F5-B94C-FDCDEF29D6D2}\InprocServer32

HKCR\CLSID\{C845773A-2012-43F5-B94C-FDCDEF29D6D2}\InprocServer32#ThreadingModel

Adware.Vundo Variant/Rel

C:\WINDOWS\SYSTEM32\BBEEG.INI

Adware.Vundo-Variant/Small-A

C:\WINDOWS\SYSTEM32\JUIEGAXF.DLL

-----------------------------------


Thanks for the very rapid response.

I downloaded the Vundofix app and ran it. It found (and backed up) 4 files: iifffcd.dll, geebb.ini, gebb.ini2 and gebb.dll and removed them. It did not run after re-boot. I then ran SAS and it said the same files were still present (although I could not see them in the C:\system32\ folder - I include hidden files in the view). I re-ran Vundofix and it ran clean with a message "No infected files were found." So, I ran SAS again. This time it found nothing! So, I guess, the trojan and spyware are gone :).

I have no idea why SAS found the files after Vundofix was run but "all's well that ends well".

Thanks for your help.

I have no idea why SAS found the files after Vundofix was run but "all's well that ends well".

SAS was detecting the files in the Vundofix quarantine folder on the follow-up scan, this would show in the SAS log :wink:

Glad you have got it sorted :)


Yes, the files were still in the VundoFix backup folder (and appear in the SAS log). But the backed up files were still there when SAS showed a clean computer after the next scan. And the SAS scan log indicated geebb.dll as located in system32 folder (see the log file below). I still don't understand why this showed up but they are all gone now.

Also noted (on a scan of a different hard drive) SAS identified a bunch of files named variations of "update.exe" which were not bad since they were added by tax programs and some are from my own programming. It appears SAS identifies any file name containing "update" as bad (?). Yes, it is easy to make them allowed items but just the same makes me wonder.

Thanks for your response.

-------------------------

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 02/16/2008 at 02:39 PM

Application Version : 3.9.1008

Core Rules Database Version : 3404

Trace Rules Database Version: 1396

Scan type : Quick Scan

Total Scan Time : 00:07:46

Memory items scanned : 376

Memory threats detected : 0

Registry items scanned : 810

Registry threats detected : 4

File items scanned : 7362

File threats detected : 2

Adware.Vundo Variant

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59E91E4B-FAC7-46A9-AA5E-74DC655F1588}

HKCR\CLSID\{59E91E4B-FAC7-46A9-AA5E-74DC655F1588}

HKCR\CLSID\{59E91E4B-FAC7-46A9-AA5E-74DC655F1588}\InprocServer32

HKCR\CLSID\{59E91E4B-FAC7-46A9-AA5E-74DC655F1588}\InprocServer32#ThreadingModel

C:\WINDOWS\SYSTEM32\GEEBB.DLL

Trojan.Unclassifed/AffiliateBundle

C:\VUNDOFIX BACKUPS\IIFFFCD.DLL.BAD

------------------------------------
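The question raised in the posts above (which detections are only copies in the VundoFix backup folder, and which are still in system32 or the registry) can be answered by comparing two scan logs. This is an added example, not part of the original thread and not SUPERAntiSpyware's own tooling; the log excerpts are trimmed from the two logs posted above, and the header-skipping rules and the backup folder name are assumptions based on those logs.

```python
import re

TRACE = re.compile(r"^(?:[A-Z]:\\|HK[A-Z]+\\)", re.I)   # file path or registry key
HEADER = re.compile(r"^(?:SUPERAntiSpyware|https?://|Generated\b|-{3,})|: ")
BACKUP_DIRS = ("\\VUNDOFIX BACKUPS\\",)  # assumption: folder name as shown in the log above

# Excerpts trimmed from the two scan logs posted in the thread.
FIRST_SCAN = r"""
Scan type : Quick Scan
Trojan.Unclassifed/AffiliateBundle
C:\WINDOWS\SYSTEM32\IIFFFCD.DLL
Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\GEEBB.DLL
Adware.Vundo Variant
HKCR\CLSID\{C845773A-2012-43F5-B94C-FDCDEF29D6D2}\InprocServer32
"""
SECOND_SCAN = r"""
Scan type : Quick Scan
Adware.Vundo Variant
HKCR\CLSID\{59E91E4B-FAC7-46A9-AA5E-74DC655F1588}\InprocServer32
C:\WINDOWS\SYSTEM32\GEEBB.DLL
Trojan.Unclassifed/AffiliateBundle
C:\VUNDOFIX BACKUPS\IIFFFCD.DLL.BAD
"""

def parse_log(text):
    """Return {threat name: set of upper-cased traces} from a scan log."""
    found, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or HEADER.search(line):
            continue                      # blank line or "Key : value" header
        if TRACE.match(line):
            if current is not None:
                found[current].add(line.upper())
        else:                             # anything else starts a new threat group
            current = line
            found.setdefault(current, set())
    return found

def classify(trace):
    if trace.startswith("HK"):
        return "registry"
    return "backup copy" if any(d in trace for d in BACKUP_DIRS) else "live file"

def compare(first, second):
    """Rows (threat, kind, 'repeat'|'new', trace) for every trace in the second scan."""
    seen = set().union(*first.values())
    return [(threat, classify(t), "repeat" if t in seen else "new", t)
            for threat, traces in second.items() for t in sorted(traces)]

if __name__ == "__main__":
    for row in compare(parse_log(FIRST_SCAN), parse_log(SECOND_SCAN)):
        print("{:<36} {:<12} {:<7} {}".format(*row))
```
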


Thanks for the response.

I don't know if the infection re-installed or not but it wasn't present on the 2nd use of VundoFix or on the final scan via SAS. I have also removed the backup from VundoFix so there are no traces left and I get no indication of any infection now. So I don't think any further support for this problem (if it was one) is necessary.

I do very much appreciate the offer and also the interest shown by SAS program support and the great help here from fatdcuk. This speaks very highly for the program, the producers and this forum.

Thanks again :)


HELP! My computer has been running extremely slowly for a little while and I cannot search in any type of search field (google, youtube etc.) I scanned with Norton, but it found nothing. Just to be safe, I downloaded and ran a scan with SAS. It found this Adware Vundo Variant/Rel. and no matter how many times I run the scan, delete it, and then reboot, it still finds it. SOMEONE PLEASE HELP ME. I NEED GOOGLE!

I have also tried VundoFix, but it doesn't find the vundo.

Thanks


I am no expert but was able to remove all traces of Vundo from my computer as I mentioned earlier. A few suggestions for you:

1. After running VundoFix did it find anything?

2. Did you review what is running at startup? You could disable unneeded stuff and see if you stop the re-infection.

3. Suggest you go to http://vundofix.atribune.org/ and read the information there (and the warning). The current version of VundoFix is newer than the one I used.

4. Have you tried the forum at VundoFix home? I suggest you do. There may be an existing topic with info or you could start a new one.

5. How about taking up SUPERAntiSpyware's suggestion of submitting a support request here so they can run a custom diagnostic of your system?

Good luck.
