wvurs.dll Trojan.Startup.NameShifter.HN

Microsoft Antivirus Discussions

Posted by DennisB on January 6, 2006, 1:19 am
The Microsoft AntiSpyware Beta1 finds Trojan.Startup.NameShifter.HN (High)
every time I run it. It indicates a successful removal. But it is very
temporary. If I go to the location of the removed key,
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
delete it and press F5, it's back.
Apparently it's a "ConHook-N trojan component - responsible for installing a
variant of Vundo adware". At this point, I have it isolated, that is the key
always points to the same file - wvurs.dll, but I can't find a way to get rid
of it. I can't unregister it, can't rename it, or delete it. Process
explorer shows it's in use by winlogon.exe and svchost.exe. This problem is
on an XP Home SP2. Booting with command prompt doesn't let me have access to
it either. NTFS file system. Any ideas. Thanks.

Posted by Panda_man on January 6, 2006, 2:05 am
Hi !

Go to my web-site
http://free.hit.bg/fightmalware/homepage_en.htm

and perform the malware removal instructions to clean your computer.

Good luck !


Panda_man
--
Prevention is always better than cure !
Panda TruPrevent - the most intelligent technology to combat unknown malware
http://www.pandasoftware.com
http://free.hit.bg/fightmalware/homepage_en.htm


"DennisB" wrote:

> The Microsoft AntiSpyware Beta1 finds Trojan.Startup.NameShifter.HN (High)
> every time I run it. It indicates a successful removal. But it is very
> temporary. If I go to the location of the removed key,
> HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
> delete it and press F5, it's back.
> Apparently it's a "ConHook-N trojan component - responsible for installing a
> variant of Vundo adware". At this point, I have it isolated, that is the key
> always points to the same file - wvurs.dll, but I can't find a way to get rid
> of it. I can't unregister it, can't rename it, or delete it. Process
> explorer shows it's in use by winlogon.exe and svchost.exe. This problem is
> on an XP Home SP2. Booting with command prompt doesn't let me have access to
> it either. NTFS file system. Any ideas. Thanks.

Posted by Malke on January 6, 2006, 8:13 am
DennisB wrote:

> The Microsoft AntiSpyware Beta1 finds Trojan.Startup.NameShifter.HN (High)
> every time I run it. It indicates a successful removal. But it is very
> temporary. If I go to the location of the removed key,
> HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
> delete it and press F5, it's back.
> Apparently it's a "ConHook-N trojan component - responsible for installing a
> variant of Vundo adware". At this point, I have it isolated, that is the key
> always points to the same file - wvurs.dll, but I can't find a way to get rid
> of it. I can't unregister it, can't rename it, or delete it. Process
> explorer shows it's in use by winlogon.exe and svchost.exe. This problem is
> on an XP Home SP2. Booting with command prompt doesn't let me have access to
> it either. NTFS file system. Any ideas. Thanks.

Here are various methods to remove the malware. I would start with Dave
Lipman's fix and then go to the others if that doesn't solve the issue.

1 - Feedback from users reports that the Removal Tool here is the most
effective against what is currently the most common variety of this
malware - http://forums.mcafeehelp.com/viewtopic.php?t=57049

2 - Symantec has a new Vundo remover:
http://securityresponse.symantec.com/avcenter/FixVundo.exe
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
http://securityresponse.symantec.com/avcenter/venc/data/adware.virtumonde.html#removalinstructions

3 - Courtesy of Dave Lipman:
Download WinFixerFix.exe from -
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe
Execute c:\mcafee\clean.bat (or Double-click on 'Clean Link' in c:\mcafee)

4 - McAfee has a combined automated/manual removal procedure here -
http://vil.nai.com/vil/content/v_127690.htm

5 - Download Atribune's VundoFix.exe to your desktop -
http://www.atribune.org/downloads/VundoFix.exe

Double-click VundoFix.exe to extract the files. This will create a
VundoFix folder on your desktop. After the files are extracted, please
restart your computer into Safe Mode. Once in safe mode open the
VundoFix folder and double-click on KillVundo.bat

6 - The Adware-Virtumundo Removal Tool will specifically clean the Vundo
Trojan and Virtumundo Adware -
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

7 - Grinler (Lawrence Abrams, a Security MVP) has another removal method
that can be used if the recommended method fails:
http://www.bleepingcomputer.com/forums/topic18610.html

And here are general malware removal steps for after you've gotten Vundo
off:

http://www.elephantboycomputers.com/page2.html#Removing_Malware

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Posted by David H. Lipman on January 6, 2006, 9:46 am

| The Microsoft AntiSpyware Beta1 finds Trojan.Startup.NameShifter.HN (High)
| every time I run it. It indicates a successful removal. But it is very
| temporary. If I go to the location of the removed key,
| HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
| delete it and press F5, it's back.
| Apparently it's a "ConHook-N trojan component - responsible for installing a
| variant of Vundo adware". At this point, I have it isolated, that is the key
| always points to the same file - wvurs.dll, but I can't find a way to get rid
| of it. I can't unregister it, can't rename it, or delete it. Process
| explorer shows it's in use by winlogon.exe and svchost.exe. This problem is
| on an XP Home SP2. Booting with command prompt doesn't let me have access to
| it either. NTFS file system. Any ideas. Thanks.



Two phase answer...

Perform Part 1 then perform part 2

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being
exploited.
It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

http://www.java.com/en/download/manual.jsp



Part 1
------------
Download Adware-Virtumundo Removal Tool v1.5 --
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Information on the Adware-Virtumundo Removal Tool:
http://forums.mcafeehelp.com/viewtopic.php?t=57049

Part 2
------------
Download WinFixerFix.exe from the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe

Execute; WinFixerFix.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to enable WGET.EXE to download the needed McAfee related
files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be
generated. At the end of the scan, it will be displayed in your browser
(Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing
another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy
of the HTML report for each session.

Please Copy and Paste the contents of the HTML Log file;
C:\mcafee\ScanReport.HTML in your reply.

* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by DennisB on January 7, 2006, 1:33 am
I appreciate all of your ideas. Some good links too.
I didn't think of it at the time, but the final deletion of wvurs.dll was
easy. I used the XP recovery console to delete the file. I did have a
problem in that I couldn't log into the recovery console but I found a tip on
another site to disable the recovery console password:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole
Set the DWORD SecurityLevel value to 1
Exit Registry and Reboot

Thanks
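
Added example, not part of any post in this thread and not any vendor's tool: an offline audit of a registry export that resolves each Browser Helper Object CLSID to the DLL registered under its InprocServer32 key, the link by which the BHO key described in the thread points at wvurs.dll. It goes one step beyond the thread by also checking Winlogon\Notify, a Windows XP mechanism for loading a DLL into winlogon.exe; that this infection used it is an assumption, and the sample export, the CLSID and the `examplehook` name are constructed.

```python
import re
from collections import defaultdict

HKLM = r"hkey_local_machine\software"
BHO = HKLM + r"\microsoft\windows\currentversion\explorer\browser helper objects"
CLSID = HKLM + r"\classes\clsid"
NOTIFY = HKLM + r"\microsoft\windows nt\currentversion\winlogon\notify"  # not named in the thread

# Constructed sample in .reg export format; the CLSID and "examplehook" are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\system32\\wvurs.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\examplehook]
"DllName"="wvurs.dll"
'''

VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')  # string values only

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: string data}}."""
    keys, current = defaultdict(dict), None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current]  # register keys that carry no values, such as a bare BHO entry
        elif current and (m := VALUE.match(line)):
            keys[current][m.group(1).strip('"').lower()] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def audit(text):
    """Resolve each BHO CLSID to its DLL and report a Winlogon Notify entry loading the same DLL."""
    keys = parse_reg(text)
    notify = {basename(v["dllname"]): k.rsplit("\\", 1)[-1]
              for k, v in keys.items() if k.startswith(NOTIFY + "\\") and "dllname" in v}
    findings = []
    for key in [k for k in keys if k.startswith(BHO + "\\")]:
        clsid = key.rsplit("\\", 1)[-1]
        dll = keys.get(f"{CLSID}\\{clsid}\\inprocserver32", {}).get("@")
        findings.append({"clsid": clsid, "dll": dll,
                         "winlogon_notify": notify.get(basename(dll)) if dll else None})
    return findings
```

A real export written by regedit is UTF-16, so decode the file before passing its text to `audit`. A finding whose `dll` is `None` is a BHO entry with no COM registration behind it in the exported keys.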


