my laptop is infected


ankupan
May 27th, 2007, 12:50 PM
Hi,

I am using NOD32 and Comodo FW.

Today when I started it, I got this message, and I am unable to clean it.

How can I remove this from memory?

ASpace
May 27th, 2007, 01:16 PM
Hello!

1) Settings as per Blackspear (scan for everything, with everything, clean+delete)
2) Boot in Safe Mode and perform a full scan of C:\Windows
3) NOD32 will delete the trojan
4) Reboot back in Normal Mode and start the scanner to see if there is an infection


Should the threat still be there, download UnDll, the DLL removal utility
http://www.nod32.it/tools/undll.php

Extract it, start it, point it to the infected DLL (libHide.dll) and follow the instructions


Report back your results. ;)

ankupan
May 27th, 2007, 02:45 PM
1) Settings as per Blackspear (scan for everything, with everything, clean+delete)
I have been using BS's settings from day one, when I installed NOD32.

2) Boot in Safe Mode and perform a full scan of C:\Windows
Yes, I did it.

3) NOD32 will delete the trojan
Yes, NOD32 deleted this trojan in Safe Mode.

4) Reboot back in Normal Mode and start the scanner to see if there is an infection
Yes, my laptop is still infected and I am getting the same message.


Should the threat still be there, download UnDll, the DLL removal utility
http://www.nod32.it/tools/undll.php
Yes, the threat is still there and I downloaded this utility.

Extract it, start it, point it to the infected DLL (libHide.dll) and follow the instructions
Did it after reboot; still infected.


Report back your results.

My machine is still infected with this Trojan and I am waiting for help.

ASpace
May 27th, 2007, 02:57 PM
Very strange, UnDll should have done the job.

OK, do this (follow the steps very carefully):

1. Download The Avenger
http://swandog46.geekstogo.com/avenger.exe

The Avenger is a fully scriptable, kernel-level driver designed to remove highly persistent files and registry keys/values protected by entrenched malware. Basically this means that The Avenger is a program to which you give commands to execute (the script) consisting of files to delete, etc., which would otherwise be hard to delete because they were protected or “in use” by malicious software. More about The Avenger: http://swandog46.geekstogo.com/avengernotes.htm

2. Download this file (http://pandaman.my.contact.bg/trojan.txt) and save it somewhere (e.g. on the Desktop)

3. Run the program avenger.exe

4. Choose "Load Script From File"

5. Browse to find the file/the script I gave you (trojan.txt), press the Glass icon to see the script and when you are ready ...

6. Press the traffic light icon. Confirm.

Now your computer will reboot, and The Avenger will run the script file before the malware. After the restart the malware files will be gone. The Avenger will inform you with a log text file you'll see after you reboot. This log should report that all infected files are eliminated.

After this, if the malware has eliminated Winsock (not sure, but some do), you'll need to repair Winsock.

Repair Winsock
Windows XP SP2 / Windows Vista

Go to Start -> Run
type cmd and click OK.
Type netsh winsock reset
Press ENTER. Restart immediately!

Note that there is a space between the commands, for example netshSPACEwinsockSPACEreset

After the restart, open NOD32's Control Center -> click IMON and re-register it to the system

ankupan
May 27th, 2007, 03:13 PM
After reboot, a message appeared that it

failed to delete this file. The Avenger also failed to delete this trojan.

Even before posting to this forum, I tried Ewido Micro and SAS as well.

Now I am worried: how do I delete this Trojan?

{QUOTE-> Very strange, UnDll should have done the job.

OK, do this (follow the steps very carefully):

1. Download The Avenger
http://swandog46.geekstogo.com/avenger.exe

The Avenger is a fully scriptable, kernel-level driver designed to remove highly persistent files and registry keys/values protected by entrenched malware. Basically this means that The Avenger is a program to which you give commands to execute (the script) consisting of files to delete, etc., which would otherwise be hard to delete because they were protected or “in use” by malicious software. More about The Avenger: http://swandog46.geekstogo.com/avengernotes.htm

2. Download this file (http://pandaman.my.contact.bg/trojan.txt) and save it somewhere (e.g. on the Desktop)

3. Run the program avenger.exe

4. Choose "Load Script From File"

5. Browse to find the file/the script I gave you (trojan.txt), press the Glass icon to see the script and when you are ready ...

6. Press the traffic light icon. Confirm.

Now your computer will reboot, and The Avenger will run the script file before the malware. After the restart the malware files will be gone. The Avenger will inform you with a log text file you'll see after you reboot. This log should report that all infected files are eliminated.
<-QUOTE}

ASpace
May 27th, 2007, 03:16 PM
Can you copy/paste the exact message from The Avenger's log here, please?

ankupan
May 27th, 2007, 03:40 PM
The first time it failed and I didn't save the message.

But to get that message, I tried two times and got this message.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\axfscujq

*******************

Script file located at: \??\C:\WINDOWS\eklqqkph.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\libHide.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Then I followed the other command (winsock repair).

But when I run NOD32 (Run NOD32), I am still getting the same message and my system is infected.

{QUOTE-> Can you copy/paste the exact message from The Avenger's log here, please? <-QUOTE}
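The log above is short but carries everything a responder needs to line up against the scanner's verdict: which service key and script copy The Avenger ran from, where it keeps its backups, and which paths it says it deleted. As an added example (this is not code from the thread, from ESET or from The Avenger's author), the Python below parses that log format and then reconciles the "deleted successfully" claims against what is actually on disk, which is exactly the mismatch ASpace points out next. Assumptions: the sample log is constructed from the post above; only the "File ... deleted successfully." wording is attested by it, so any other "File ..." line is kept verbatim as unconfirmed rather than interpreted; and the `\??\` prefix on the script path is treated as the NT object-namespace prefix and stripped for display.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed sample: the log text ankupan posted in the thread, embedded here
# so the parser can be exercised offline.
SAMPLE_LOG = r"""Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\axfscujq

*******************

Script file located at: \??\C:\WINDOWS\eklqqkph.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\libHide.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
"""

# Only the "deleted successfully" wording is attested by the posted log.
_DELETED = re.compile(r"^File (?P<path>.+) deleted successfully\.$")
_NT_PREFIX = "\\??\\"  # NT object-namespace prefix printed before the script path (assumption)


@dataclass
class AvengerReport:
    service_key: Optional[str] = None    # service key the log says Avenger ran from
    script_path: Optional[str] = None    # Avenger's own copy of the script (not the trojan.txt you loaded)
    backup_dir: Optional[str] = None     # directory the log names for backups of removed files
    deleted: List[str] = field(default_factory=list)      # paths the log says were removed
    unconfirmed: List[str] = field(default_factory=list)  # other "File ..." lines, kept verbatim
    finished: bool = False


def parse_avenger_log(text: str) -> AvengerReport:
    """Extract the facts a responder wants from an Avenger log."""
    report = AvengerReport()
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if line == "Running from registry key:" and i + 1 < len(lines):
            report.service_key = lines[i + 1]
        elif line.startswith("Script file located at: "):
            path = line[len("Script file located at: "):]
            report.script_path = path[len(_NT_PREFIX):] if path.startswith(_NT_PREFIX) else path
        elif line.startswith("Backups directory opened successfully at "):
            report.backup_dir = line.split(" at ", 1)[1]
        elif _DELETED.match(line):
            report.deleted.append(_DELETED.match(line).group("path"))
        elif line.startswith("File "):
            # The wording of failure lines is not on the page, so do not guess: keep the raw line.
            report.unconfirmed.append(line)
        elif line.startswith("Finished!"):
            report.finished = True
    return report


def reconcile(report: AvengerReport,
              exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Paths the log claims were deleted but that still exist.

    A non-empty result is the situation in the thread: the deletion happened,
    but something wrote the file back (or the log is wrong), so the scanner
    keeps alerting.  `exists` is injectable so the check can run against a
    saved file listing instead of the live machine."""
    return [p for p in report.deleted if exists(p)]


if __name__ == "__main__":
    rep = parse_avenger_log(SAMPLE_LOG)
    print("Avenger service key :", rep.service_key)
    print("Script copy         :", rep.script_path)
    print("Backups kept in     :", rep.backup_dir)
    print("Claimed deleted     :", rep.deleted)
    print("Still on disk       :", reconcile(rep))
```

Run it on the real log file (`parse_avenger_log(open(path).read())`) right after the reboot, before the scanner is started: if `reconcile` returns the DLL, the removal itself worked and the question becomes what wrote it back, not whether Avenger failed. The backup directory is worth noting too, since it holds copies of whatever was removed and a later full scan will find them there.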

ASpace
May 27th, 2007, 03:46 PM
It is very, very strange to me that The Avenger shows the file deleted but NOD32 shows the file exists.

I would suggest you:
- Update NOD32 to v.2293 (just released)
- Perform a full scan of the whole hard drive
- Post back results
- Wait here either for an ESET Mod or other suggestions, or contact ESET TechSupport (since other tools are not allowed here at Wilders)

Good luck! :thumb:

ASpace
May 27th, 2007, 03:51 PM
ESET Smart Security uses the new engine of the AV, the NOD32 version 3 engine.
Marcos mentioned once that ESET Smart Security has an improved cleaning mechanism.

You can also try it instead of NOD32.

fredra
May 27th, 2007, 04:31 PM
Hi ankupan,
Hitech is a terrific resource and he is very helpful.
I am sorry to hear what is happening to you; however, go here and see if that will remove it:
http://www.greatis.com/appdata/d/l/libhide.dll_Removal.htm
I did a search and found out that this "dll" seems to be difficult (PITA) to remove, as it attaches itself to the following:
explorer.exe
zboard.exe
zboardtray.exe
rundll32.exe
spysweeper.exe
soundman.exe
ctfmon.exe
system.exe
iexplore.exe
wordpad.exe
If these suggestions do not help, then someone from ESET may be able to give you specific removal instructions.
This is a nasty one >:(
Cheers :)

samia
May 27th, 2007, 04:35 PM
Well,

first, sorry for my English (I'm French)


Use HijackThis

Run HijackThis, do a system scan and you'll see these lines:

C:\WINDOWS\vbstub.exe
C:\WINDOWS\libHide.dll
C:\WINDOWS\system.exe
C:\WINDOWS\system16.exe

Select them, and click on the "Fix checked" button.
Restart the laptop.
It worked for me.

BlueZannetti
May 27th, 2007, 04:41 PM
{QUOTE-> run hijack, do a system scan and save the log file

copy/paste the logfile here <-QUOTE}Please note, we do not handle HJT logs here and very strongly recommend going through a site with trained analysts available. See here (http://www.wilderssecurity.com/showthread.php?t=42148); that message contains links to some of the generally recommended sites for HJT analysis.

Blue

samia
May 27th, 2007, 04:48 PM
{QUOTE-> Please note, we do not handle HJT logs here and very strongly recommend going through a site with trained analysts available. See here (http://www.wilderssecurity.com/showthread.php?t=42148), that message contains links to some of the generally recommended sites for HJT analysis.

Blue <-QUOTE}


OK, like this?

Sorry, I didn't know :lurking:

ankupan
May 27th, 2007, 11:13 PM
I tried HijackThis and was unable to find C:\WINDOWS\libHide.dll.

I checked each line and did not find it.

Let me know, is it a harmful Trojan? Any chance of losing data?

{QUOTE-> Well,

first, sorry for my English (I'm French)


Use HijackThis

Run HijackThis, do a system scan and you'll see these lines:

C:\WINDOWS\vbstub.exe
C:\WINDOWS\libHide.dll
C:\WINDOWS\system.exe
C:\WINDOWS\system16.exe

Select them, and click on the "Fix checked" button.
Restart the laptop.
It worked for me. <-QUOTE}

ASpace
May 28th, 2007, 12:36 AM
Just like every trojan, it poses some risk.

As Blue has pointed out, HJT is not allowed here. What you did (searching through the lines) is completely incorrect when working with such tools.

So did you perform a full scan to check for other threats? Did you try ESS? Just try it; it doesn't hurt but may be helpful.

Blackspear
May 28th, 2007, 01:43 AM
{QUOTE-> ...did you try ESS? Just try it; it doesn't hurt but may be helpful. <-QUOTE}This is a bad idea: the software is in BETA and may damage a production system.

Blackspear.

ankupan
May 28th, 2007, 01:53 AM
Hi,

I just submitted this file to http://virusscan.jotti.org/

and got this result.

LWM - The Jotti results have been removed per our policy about posting such results, however...

NOD32 said it found "a variant of Win32/Agent.OO". This may or may not be significant as some others found nothing. It could be a false positive. It could be Agent.BCH, or, it could be anything. Results are visible to Eset and forum staff.

ankupan
May 28th, 2007, 02:57 AM
waiting for ESET comments.......... ::)

ankupan
May 28th, 2007, 05:19 AM
{QUOTE-> It is very, very strange to me that The Avenger shows the file deleted but NOD32 shows the file exists.

I would suggest you:
- Update NOD32 to v.2293 (just released)
- Perform a full scan of the whole hard drive
- Post back results
- Wait here either for an ESET Mod or other suggestions, or contact ESET TechSupport (since other tools are not allowed here at Wilders)

Good luck! :thumb: <-QUOTE}

I did a full scan and my machine is still infected with the same trojan.

Blackspear
May 28th, 2007, 05:23 AM
{QUOTE-> I did a full scan and my machine is still infected with the same trojan. <-QUOTE}In such a scenario please see below.

Contact your local NOD32 support office and provide them with the following logs:

1. Click on the NOD32 Control Centre (green and white split square in the bottom right-hand corner of your computer's screen).
2. Click on NOD32.
3. Click on Run NOD32.
4. Click on “Scan and Clean”.

When the scan has completed please continue below:

Download HijackThis from here: http://www.wilderssecurity.com/showthread.php?t=12516

Download Autoruns from here: http://www.sysinternals.com/Utilities/Autoruns.html

Download and run Lookinmypc from here: http://www.lookinmypc.com
1. Select "Generate report"
2. Wait - scan results will pop up in a browser
3. Go to folder with LookInMyPC installed (default in C:\ProgramFiles\LookInMyPC\Reports\username\LookInMyPC.zip), and attach LookInMyPC.zip to the reply email

Then run the other 2 programs and forward the logs together with the following NOD32 log file:

1. Go to the NOD32 Control Centre
2. Click on Logs
3. Right-click on one of the last completed full system scan logs.
4. Click on “Details”
5. Right-click anywhere on the scan log
6. Click on “copy all”
7. Right-click in the reply email to me.
8. Click on “Paste”

This will paste a copy of one of the scans you have completed.

Cheers ;D

Marcos
May 28th, 2007, 05:45 AM
Please zip the file, protect the archive with the password "infected" and send it to support[at]eset.com with a link to this thread.

ankupan
May 28th, 2007, 06:00 AM
I have sent it to this email address.


{QUOTE-> Please zip the file, protect the archive with the password "infected" and send it to support[at]eset.com with a link to this thread. <-QUOTE}

samia
May 28th, 2007, 08:50 AM
Download this:
ht tp://siri.urz.free.fr/Fix/SmitfraudFix.zip

Run smitfraud.exe, scan and restart.

Download this:
http://www.intermute.com/spysubtract/cwshredder_download.html

Run a scan too.

Don't worry, I have plenty of solutions ;D

ankupan
May 28th, 2007, 09:00 AM
During the download, I got this message.


{QUOTE-> Download this:
ht tp://siri.urz.free.fr/Fix/SmitfraudFix.zip

Run smitfraud.exe, scan and restart.

Download this:
http://www.intermute.com/spysubtract/cwshredder_download.html

Run a scan too.

Don't worry, I have plenty of solutions ;D <-QUOTE}

DavidCo
May 28th, 2007, 09:49 AM
SmitfraudFix was created by S!Ri and can give a warning.
Here is a link with more data, and an exe is given; why a zip was quoted to you I don't know.
http://siri.geekstogo.com/SmitfraudFix.php

Jo Ann
May 28th, 2007, 01:52 PM
As a NOD32 + Comodo FW user (same protection as ankupan), I find ankupan's problem especially disturbing. Clearly it suggests one of two possibilities, neither of which speaks well for NOD32... :(


1. NOD32 failed to detect the malware before it infected the system. Worse yet, it is unable to remove the malware => MAJOR RISK and BAD NEWS!


2. NOD32 is issuing an alert based on an FP and there doesn't seem to be any way to confirm that and stop the alert => MAJOR NUISANCE!

ASpace
May 28th, 2007, 02:00 PM
{QUOTE->
NOD32 failed to detect the malware before it infected the system
<-QUOTE}

This is not the case here. A detection for the Agent.OO trojan was not added yesterday nor the previous day. Ankupan reports problems since yesterday. I don't think it is a false positive; if it were an FP it would not be so persistent to remove. It is also not a Microsoft file (I have it on no XP computer).

NOD32 detects this heuristically. I managed to see the Jotti scan before it was removed by LWM (Admin), and NOD32 and only one other product detect it.

The detection by NOD32 (and the other product) is a very good thing; at least we know there is a problem. Since Marcos asked for the file to be sent for further investigation, I am sure ESET Support will be able to help him.

Marcos
May 28th, 2007, 02:18 PM
We have confirmed it was not a false positive. AVG was another AV to detect it, but maybe they added detection based on ours :)

ASpace
May 28th, 2007, 02:26 PM
I myself would be very happy and pleased if you could somehow keep us updated and let us know when his computer is clean. Also, if you could share details of how exactly he cured his machine. Thanks in advance and congratulations on the detection :thumb:

bad_boy
May 28th, 2007, 03:11 PM
To avoid problems with trojans and all that, I recommend you move away from NOD32 and switch to Kaspersky lol

Marcos
May 28th, 2007, 03:22 PM
{QUOTE-> To avoid problems with trojans and all that, I recommend you move away from NOD32 and switch to Kaspersky lol <-QUOTE}

At least you added LOL at the end :) However, keep in mind that ranting and trolling are not allowed here and such posts will be removed.

Jo Ann
May 28th, 2007, 03:28 PM
{QUOTE-> This is not the case here. A detection for the Agent.OO trojan was not added yesterday nor the previous day. Ankupan reports problems since yesterday. I don't think it is a false positive; if it were an FP it would not be so persistent to remove. It is also not a Microsoft file (I have it on no XP computer).

NOD32 detects this heuristically. I managed to see the Jotti scan before it was removed by LWM (Admin), and NOD32 and only one other product detect it.

The detection by NOD32 (and the other product) is a very good thing; at least we know there is a problem. Since Marcos asked for the file to be sent for further investigation, I am sure ESET Support will be able to help him. <-QUOTE}
Pardon me, but as much as I would like my confidence in NOD32 to be restored, I don't see how your reply changes anything!

NOD32 was in place before ankupan's system was infected. Assuming that it was up to date, NOD32 failed to prevent the infection by either signature or heuristic recognition. Furthermore, NOD32 failed to remove the infection once it discovered it (after the fact). Am I missing something here?

ASpace
May 28th, 2007, 03:35 PM
{QUOTE-> Furthermore, NOD32 failed to remove the infection once it discovered it (after the fact). Am I missing something here? <-QUOTE}

I am not a virus analyst, so I have no detailed information about this trojan. I only know it is probably an injected DLL and very difficult to remove. Lots of top vendors even missed detection.

Why NOD32 didn't detect the trojan before the malware became resident, well, that is another topic. Did he stay updated all the time, did he keep AMON enabled: those are only some of the questions we can ask. But it is no longer important; we can only guess why. Ankupan is in good hands when there is ESET Tech Support :thumb:

Marcos
May 28th, 2007, 04:14 PM
NOD32 was one of the few to detect the threat so it surprises me to read complaints here about its detection. As to why it got installed, here are several possibilities:
- NOD32 was installed on an already infected system and the threat was detected during an on-demand scan in memory
- AMON was disabled at the time the malicious file got installed
- NOD32 was outdated at the time the malicious file got installed
- AMON was not set to move newly created files to quarantine
- detection for this threat was added after the infection took place

Jo Ann
May 28th, 2007, 04:16 PM
{QUOTE-> Why NOD32 didn't detect the trojan before it became malware resident, well that is another topic. <-QUOTE}
Actually, it's the most pertinent issue of this topic!


{QUOTE-> Ankupan is in good hands when there is ESET Tech Support :thumb: <-QUOTE}
Of course good tech support is important, but I would venture to guess that most NOD32 users want to believe they are 'in good (protective) hands' by using NOD32!

Jo Ann
May 28th, 2007, 04:26 PM
{QUOTE-> - NOD32 was installed on an already infected system and the threat was detected during an on-demand scan in memory
- AMON was disabled at the time the malicious file got installed
- NOD32 was outdated at the time the malicious file got installed
- AMON was not set to move newly created files to quarantine
<-QUOTE}
Hi Marcos,

That does make a difference, but I don't see the basis for those comments -- how did you determine the deficiencies quoted above?

fredra
May 28th, 2007, 04:51 PM
Hi Jo Ann,
Not intending to be argumentative; however, my interpretation is that those are the possible scenarios.
I would not term them "deficiencies" (as you stated).
DLL injection is not easy to identify or remove, and it seems to be getting rather prevalent. If the "injection" occurs in an OS system DLL, then removing it will have devastating results.
Elvis has already left the building ...... LOL ;D ;D ;D ;D
I hope readers get that joke ;D ;D
Cheers ;D

aigle
May 28th, 2007, 07:18 PM
OK, let me ask one thing. If the matter is only a DLL, then why not just boot from a CD and delete this stupid DLL?
But where is the source of this DLL? I think some malware is hiding somewhere and reloading this DLL again after it is deleted.
If I were in this situation, I would install a HIPS, delete the DLL by booting from a CD, then reboot and see what process tried to reload this DLL. Just a wild guess. What do you think about this?

ankupan
May 28th, 2007, 09:46 PM
Hi,

I did a full scan two times and NOD32 caught 30 more trojans (Win32/Agent.OO) in different files, and all were cleaned.

But I am still unable to clean that DLL.

Can someone confirm that it is not a useful DLL, so I can delete it from my system using a bootable CD.

Waiting for help.

ASpace
May 29th, 2007, 12:11 AM
{QUOTE->
Can someone confirm that it is not a useful DLL, so I can delete it from my system using a bootable CD. <-QUOTE}

I don't have this DLL on any Windows XP I have checked. Marcos confirmed it is not a false positive.

{QUOTE-> Waiting for help. <-QUOTE}

Didn't you contact ESET Tech Support as suggested by me, by Blackspear (in post 20) and by Marcos (post 21)? I would wait for Support to provide a removal procedure if everything else fails.

aigle
May 29th, 2007, 12:28 AM
It was not a suggestion; I rather asked a sort of question. I can't guarantee that it will not damage your system. If you have a full backup and are ready for any disaster like an unbootable system etc., you can try (at your own risk).

ankupan
May 29th, 2007, 01:34 AM
Can I delete this DLL?

{QUOTE-> I don't have this DLL on any Windows XP I have checked. Marcos confirmed it is not a false positive.



Didn't you contact ESET Tech Support as suggested by me, by Blackspear (in post 20) and by Marcos (post 21)? I would wait for Support to provide a removal procedure if everything else fails. <-QUOTE}

pvsurfer
May 29th, 2007, 02:09 AM
{QUOTE-> Hi,

I did a full scan two times and NOD32 caught 30 more trojans (Win32/Agent.OO) in different files, and all were cleaned.

But I am still unable to clean that DLL.

Can someone confirm that it is not a useful DLL, so I can delete it from my system using a bootable CD.

Waiting for help. <-QUOTE}
For sure, that is not something you want on your system! If you follow this procedure there's an excellent chance of removing the malware.

Download Killbox (http://killbox.net/) to your desktop - you will need to use it during this procedure.

Clean out the System Restore folder. Go to Start > Control Panel > System > System Restore Tab and put a check in the box to the left of "Turn off System Restore" then click on Apply and Ok (this may take a minute or so). When finished, go back and remove the check (re-enabling System Restore), click on Apply and Ok.

Run System Restore again and tick the circle next to "Create a Restore Point", click Next, giving the RP an appropriate name and click Create. Now restart your PC into Safe Mode (continuously tap F8 during bootup until presented with the boot-option menu).

Launch Killbox, placing a tick next to [x] Delete on reboot. Press the "All Files" button. Copy the following (red) list to the Windows clipboard (highlight the entire red list below and press CTRL+C):

C:\WINDOWS\libHide.dll
C:\WINDOWS\system.exe
C:\WINDOWS\bot.exe
C:\WINDOWS\down.exe
C:\WINDOWS\system16.exe
C:\WINDOWS\vbstub.exe
C:\WINDOWS\awnfcandidateform.exe
C:\WINDOWS\keygen.exe
C:\WINDOWS\vb.ini
C:\WINDOWS\vbfile.exe
C:\WINDOWS\vbaddin.ini

Now, using Killbox, go to File > Paste from clipboard. Click on the "All Files" button. Next click on the button that has the red circle with the white X in the middle. It will ask for confirmation to delete the files on the next reboot and then will ask you if you want to reboot now. You do want to reboot now (into normal mode), so click Yes and let your PC reboot. If the computer does not restart automatically, start it manually.

With any luck that nasty malware should be gone. ~pv

Marcos
May 29th, 2007, 02:33 AM
We have already suggested trying UnDll, Killbox and The Avenger, to no avail. If possible, try renaming the DLL and restarting the computer to see if the DLL is created again.
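aigle's idea (boot from a CD, delete the DLL, then watch what brings it back) and Marcos's (rename it, restart, see whether it is created again) are the same test: take a baseline of the suspect files, remove them, reboot, and check which ones reappeared. As an added example that is not from the thread or from ESET, the Python below records size, mtime and SHA-256 of each path before removal, saves that baseline across the reboot, and afterwards classifies every path as gone, never removed, rewritten with identical content, or rewritten with new content. The component list is the one pvsurfer posted above; the baseline file name is an assumption; and the classification trusts file timestamps, so a dropper that back-dates what it writes would be misclassified.

```python
import hashlib
import json
import os
import time
from typing import Dict, Iterable, List, Optional, Tuple

# The component paths pvsurfer listed above (the thread's own list).
THREAD_COMPONENTS = [
    r"C:\WINDOWS\libHide.dll", r"C:\WINDOWS\system.exe", r"C:\WINDOWS\bot.exe",
    r"C:\WINDOWS\down.exe", r"C:\WINDOWS\system16.exe", r"C:\WINDOWS\vbstub.exe",
    r"C:\WINDOWS\awnfcandidateform.exe", r"C:\WINDOWS\keygen.exe", r"C:\WINDOWS\vb.ini",
    r"C:\WINDOWS\vbfile.exe", r"C:\WINDOWS\vbaddin.ini",
]
BASELINE_FILE = "component_baseline.json"  # assumed name; ideally on removable media, not the infected drive

# (size, mtime, sha256) for a file that exists, None for one that does not
FileState = Optional[Tuple[int, float, str]]


def file_state(path: str) -> FileState:
    try:
        st = os.stat(path)
    except (FileNotFoundError, NotADirectoryError):
        return None
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return (st.st_size, st.st_mtime, digest.hexdigest())


def snapshot(paths: Iterable[str]) -> Dict[str, FileState]:
    return {p: file_state(p) for p in paths}


def classify(before: Dict[str, FileState], after: Dict[str, FileState],
             baseline_at: float) -> Dict[str, List[str]]:
    """Compare the pre-removal baseline with the post-reboot snapshot.

    baseline_at is the time.time() at which `before` was taken, i.e. just before
    the files were deleted or renamed.  A file present after the reboot with an
    mtime newer than that was written again by something still on the system
    (aigle's "source of this dll"); one with an older mtime was never removed.
    """
    report: Dict[str, List[str]] = {
        "gone": [], "never_removed": [], "rewritten_same_content": [], "rewritten_new_content": []}
    for path in sorted(set(before) | set(after)):
        b, a = before.get(path), after.get(path)
        if a is None:
            report["gone"].append(path)
        elif a[1] < baseline_at:
            report["never_removed"].append(path)
        elif b is not None and b[2] == a[2]:
            report["rewritten_same_content"].append(path)   # identical bytes dropped again
        else:
            report["rewritten_new_content"].append(path)    # new file, or a different payload
    return report


def save_baseline(snap: Dict[str, FileState], baseline_at: float, path: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({"baseline_at": baseline_at, "files": snap}, fh)


def load_baseline(path: str) -> Tuple[Dict[str, FileState], float]:
    with open(path, "r", encoding="utf-8") as fh:
        data = json.load(fh)
    files = {p: (tuple(v) if v is not None else None) for p, v in data["files"].items()}
    return files, data["baseline_at"]


if __name__ == "__main__":
    import sys
    if sys.argv[1:] == ["before"]:
        save_baseline(snapshot(THREAD_COMPONENTS), time.time(), BASELINE_FILE)
        print("Baseline saved. Now delete or rename the files (e.g. from a boot CD) and reboot.")
    elif sys.argv[1:] == ["after"]:
        before, baseline_at = load_baseline(BASELINE_FILE)
        print(json.dumps(classify(before, snapshot(THREAD_COMPONENTS), baseline_at), indent=2))
    else:
        print("usage: python reappearance_check.py before|after")
```

Anything in `rewritten_same_content` tells you a dropper with the original payload is still running, which is why deleting libHide.dll alone kept failing while removing the whole set at once worked; `never_removed` means the delete itself did not take (the file was locked or protected), which is a different problem with a different fix.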

ankupan
May 29th, 2007, 03:18 AM
Hi,

thanks for this information.

When I was trying only one DLL, it failed to delete libHide.dll.

As per your suggestion, I selected all these files and deleted them through Killbox and, amazingly, it worked and now the problem is resolved.

Yes, I got an email from ESET support and they also suggested Killbox, and I tried with only one file and it failed to delete this file.

Once again, thanks to everyone and ESET support for helping me a lot.


{QUOTE->

C:\WINDOWS\libHide.dll
C:\WINDOWS\system.exe
C:\WINDOWS\bot.exe
C:\WINDOWS\down.exe
C:\WINDOWS\system16.exe
C:\WINDOWS\vbstub.exe
C:\WINDOWS\awnfcandidateform.exe
C:\WINDOWS\keygen.exe
C:\WINDOWS\vb.ini
C:\WINDOWS\vbfile.exe
C:\WINDOWS\vbaddin.ini


With any luck that nasty malware should be gone. ~pv <-QUOTE}

aigle
May 29th, 2007, 04:40 AM
So some of these exes were the source of this DLL.

pvsurfer
May 29th, 2007, 11:20 AM
{QUOTE-> Hi,

thanks for this information.

When I was trying only one DLL, it failed to delete libHide.dll.

As per your suggestion, I selected all these files and deleted them through Killbox and, amazingly, it worked and now the problem is resolved.

Yes, I got an email from ESET support and they also suggested Killbox, and I tried with only one file and it failed to delete this file.

Once again, thanks to everyone and ESET support for helping me a lot. <-QUOTE}
Glad to hear that my 'Rx' worked and that your problem is now totally resolved...

Take care, pv

ankupan
May 29th, 2007, 01:33 PM
thanks,

{QUOTE-> Glad to hear that my 'Rx' worked and that your problem is now totally resolved...

Take care, pv <-QUOTE}

pvsurfer
May 29th, 2007, 02:07 PM
{QUOTE-> thanks, <-QUOTE}
yw... ;)

bathisland
May 30th, 2007, 12:25 PM
Well that surely made a very good read. I am glad it is finally resolved.