Thread: win32rungbu.a?

  1. #1
    Junior Member
    Join Date
    Mar 2008
    Posts
    2

    Default win32rungbu.a?

    Is win32rungbu.a a trojan?
    Thx for the response.

  2. #2
    Member of Team Spybot Buster's Avatar
    Join Date
    Oct 2005
    Location
    Bochum/Germany
    Posts
    389

    Default

    Yes, it is. Win32.Rungbu.a copies an executable file into the system directory and starts itself in autorun as "kava". It also connects to the internet in background and downloads executable files from a malicious server.
    "The advantage of wisdom is that you can always act the fool. The opposite is quite tough."

    K. Tucholsky

    _______________________________________________________________

    Please help us improve Spybot and download our distributed testing client.

  3. #3
    Junior Member
    Join Date
    Mar 2008
    Posts
    2

    Default

    Thanks Buster. But Win32.Rungbu.a reappears even when Spybot fixes it!

  4. #4
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    hello,

    please create and attach a complete Spybot report. To do this, scan with Spybot S&D, then right-click the scan result and select "save full report to file...".
    With this report we can see what is being found and we may be able to see what part of the trojan horse is still running and not being detected. That way we can adjust our detection on this trojan horse.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  5. #5
    Junior Member
    Join Date
    Mar 2008
    Posts
    1

    Default Win32.Rungbu.a found

    I did a scan and this is the spyware that popped up. Win32.Rungbu.a
    I saved the log file as an attachment. Hope this helps.
    Thank you

  6. #6
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    hello,

    according to your log the usual system start settings for this trojan horse are not in place. It may be using different ways to start itself. Taking a look at the actual information in the "MADOWN" key can give us more insight to this situation.

    Please do the following:
    • scan with Spybot S&D
    • if the MADOWN key is found again, double-click the blue icon to the right within Spybot S&D. This will open the registry editor and jump to the registry location.
    • now right click the key (it looks like a folder) and choose export, make sure that "selected branch" is selected
    • attach the export file to your next post

  7. #7
    Junior Member
    Join Date
    Feb 2009
    Posts
    2

    Default

    have same problem as users above... hope these attachments help u figure out how to help me :D

  8. #8
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    hello,

    from your registry export this does not look like a false positive, it appears to be more likely that Spybot misses some parts of the Trojan horse.

    Please do the following:

    • Download OTListIt2 (http://oldtimer.geekstogo.com/OTListIt22.exe) to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Under the Standard Registry box change it to All.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button.
    • OTListIt2 will create 2 log files, please attach the OTListIt.Txt to your next post

  9. #9
    Junior Member
    Join Date
    Feb 2009
    Posts
    2

    Default

    tnx for response... i think this is what u want...

  10. #10
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    your OTListIt report shows that your computer is infected.
    It appears that it got infected through a removable drive, in your case G:

    Please do the following:
    • download the suspicious file packer from here
    • copy and paste the following into the suspicious file packer:
    • Code:
      C:\opgde.exe
      C:\Config.Msi
      C:\2aaxaiy.exe
      C:\WINDOWS\System32\nmdfgds1.dll
      C:\1utbfd.bat
      C:\autorun.inf
      C:\WINDOWS\System32\olhrwef.exe
      C:\WINDOWS\System32\nmdfgds0.dll
      C:\WINDOWS\disney.ini
      C:\WINDOWS\emug3.ini

    Not all of the files may be malicious but they should be analyzed since they are suspicious. The suspicious file packer will pack the files into a cab archive, please email this archive to detections@spybot.info with a reference to this thread. We will analyze the files and send you a detection file so your installation of Spybot S&D can find and remove the malicious files.

    Also note that you should not open your c: drive in your windows explorer since this is likely to trigger the malicious files.
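The last post lists C:\autorun.inf among the suspicious files and warns against opening the drive in Windows Explorer. The following is an added example, not part of the original thread or of Spybot, showing how to read such a file as text and list the commands it would have Explorer launch, assuming it follows the standard [autorun] format. The function name and the sample content are constructed for illustration.

```python
# Added example: list what a drive-root autorun.inf would make Explorer run.
LAUNCH_KEYS = ("open", "shellexecute")

def autorun_commands(text):
    """Return (key, command) pairs from the [autorun] section that launch a program."""
    found = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment (often used as junk padding)
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        # open= and shellexecute= run on AutoRun; shell\<verb>\command= entries
        # add or replace context-menu verbs for the drive, including the default one.
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value.strip()))
    return found

# Constructed sample, not taken from the infected machine in this thread.
SAMPLE = r"""
;padding comment
[AutoRun]
open=example.exe
shell\open\Command=example.exe
shell\open\Default=1
shell\explore\Command=example.exe
[other]
open=ignored.exe
"""

if __name__ == "__main__":
    for key, command in autorun_commands(SAMPLE):
        print(f"{key} -> {command}")
```

Reading the file this way from a command prompt or script avoids browsing the drive root in Explorer.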
