my laptop is infected

Hi,

I am using NOD32 and Comodo FW.

Today when I started it than got this message and I am unable to clean it.

How can I remove this from memory ?

 

Re: my laptop is infacted

Hello !

1) Settings as per Blackspear (scan for everything , with everything , clean+delete)
2) Boot in Safe Mode and perform full scan of C:\Windows
3) NOD32 will delete the trojan
4) Reboot back in Normal Mode and start the scanner to see if there is an infection


Should the threat is still there , download UnDll - the dll removal utility
http://www.nod32.it/tools/undll.php

Extract it , start it , point it to the infected DLL (libHide.dll) and follow the instructions


Report back your results .

 

Re: my laptop is infacted

1) Settings as per Blackspear (scan for everything , with everything , clean+delete)
I am using BS setting from day one when I installed NOD32

2) Boot in Safe Mode and perform full scan of C:\Windows
Yes, I did it.

3) NOD32 will delete the trojan
Yes, NOD32 deleted this trojan in safe mode.

4) Reboot back in Normal Mode and start the scanner to see if there is an infection
Yes, Still my laptop is infected and I getting same message.


Should the threat is still there , download UnDll - the dll removal utility
http://www.nod32.it/tools/undll.php
Yes, threat is still there and I downloaded this utility

Extract it , start it , point it to the infected DLL (libHide.dll) and follow the instructions
Did it after reboot, still infected.


Report back your results .

still machine is infected with this Trojan and I am Waiting for help

 

Re: my laptop is infacted

Very strange , UnDll should have done the job .

Ok , do this (follow steps very carefully) :

1. Download The Avenger
http://swandog46.geekstogo.com/avenger.exe

The Avenger is a full-scriptable, kernel-level driver designed to remove highly persistent files and registry keys/values protected by entrenched malware. Basically this means that The Avenger is a program to which you give commands to execute (the script) consisting of files to delete, etc., which would otherwise be hard to delete because they were protected or “in use” by malicious software.More about The Avenger http://swandog46.geekstogo.com/avengernotes.htm

2. Download this file and save it somewhere (e.g. on Desktop)

3. Run the program avenger.exe

4. Choose "Load Script From File"

5. Browse to find the file/the script I gave you (trojan.txt) , press the Glass icon to see the script and when you are ready ...

6. Press on the traffic light icon.Confirm

Now , your computer will boot, and The Avenger will run the script file before the malware.After restart the malware files will be gone . The Avenger will inform you with a log text file you'll see after you reboot.This log should report that all infected files are eliminated

After this , if the malware have eliminated Winsock (not sure but some does it) , you'll need to repair Winsock

Repair Winsock
Windows XP SP2 / Windows Vista

Goto Start –> Run
type cmd and click OK.
Type netsh winsock reset
Press ENTER . Restart immediately !

Note that there is a space between the commands , example netshSPACEwinsockSPACEreset

After restart , open NOD32's Control Center -> Click IMON and reregisted it to the system

 

Re: my laptop is infacted

After reboot, messaged appeared that

failed to delete this file. Avenger is also failed to delete this trjan.

Even before posting to this forum, I tried Ewido Micro and SAS also.

Now I am worry, how to delete this Trojan ?

 

Re: my laptop is infacted

Can you copy/paste the exact message from the Avenger's log here , please.

 

Re: my laptop is infacted

first time, it was failed and I didn't save the mesaage.

but now to get that message, I tried two times and got this message.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\axfscujq

*******************

Script file located at: \??\C:\WINDOWS\eklqqkph.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\libHide.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

than I followed other command (winsock repair)

But when I am running NOD32 (Run Nod32), still getting the same message and my system is infected

 

Re: my laptop is infacted

Very very strange to me is the fact that The Avenger shows file deleted but NOD32 shows file exists

I would suggest you:
- Update NOD32 to v.2293 (just released)
- Perform full scan of all the hard drive
- Post back results
- Wait here either for ESET Mod or other suggestions or contact ESET TechSupport (since other tools are not allowed here at Wilders)

Good luck!

 

Re: my laptop is infacted

ESET Smart Security uses new engine of the AV - NOD32 version 3 engine.
Marcos mentioed once that ESET Smart Security has improved cleaning mechanism

You can also try it instead of NOD32.

 

Re: my laptop is infacted

Hi ankupan
Hitech is a terrific resource and he is very helpful.
I am sorry to hear what is happening to you, however, go here and see if that will remove it
http://www.greatis.com/appdata/d/l/libhide.dll_Removal.htm
I did a search and found out that this "dll" seems to be difficult (PITA) to remove as it attaches itself to the following
explorer.exe
zboard.exe
zboardtray.exe
rundll32.exe
spysweeper.exe
soundman.exe
ctfmon.exe
system.exe
iexplore.exe
wordpad.exe
If these suggestions do not help, then someone from ESET maybe able to give you specific removal instructions.
This is a nasty
Cheers

 

Re: my laptop is infacted

Well,

first, sorry for my english ( i'm french )


Use hijackthis

run hijack, do a system scan and you'll see these lines :

C:\WINDOWS\vbstub.exe
C:\WINDOWS\libHide.dll
C:\WINDOWS\system.exe
C:\WINDOWS\system16.exe

select it, and click on "fix checked" button
restart laptop
it worked for me.

 

Re: my laptop is infacted

Please note, we do not handle HJT logs here and very strongly recommend going through a site with trained analysts available. See here, that message contains links to some of the generally recommended sites for HJT analysis.

Blue

 

Re: my laptop is infacted

ok like this ?

sorry i did'nt knew

 

Re: my laptop is infacted

I tried hijack and unable to find C:\WINDOWS\libHide.dll this thing.

I checked each line and not found this thing.

Let me know, is it harmful Trojan ? any chance of loosing data ?

 

Just like every trojan , it poses some risk .

As Blue have pointed , HJT is not allowed here . What you did (searching through the lines) is completely incorrect while working with such tools.

So did you performed full scan to check for other threats , did you try ESS ? Just try , it doesn't hurt but may be helpful .

 

This is a bad idea, the software is in BETA and may damage a production system.

Blackspear.

 

Hi,

Just I submit this file to http://virusscan.jotti.org/

and got this result.

LWM - The Jotti results have been removed per our policy about posting such results, however...

NOD32 said it found "a variant of Win32/Agent.OO". This may or may not be significant as some others found nothing. It could be a false positive. It could be Agent.BCH, or, it could be anything. Results are visible to Eset and forum staff.

 

waiting for ESET comments..........

 

Re: my laptop is infacted

I did full scan and still machine is infected with same trojan.

 

Re: my laptop is infacted

In such a scenario please see below.

Contact your local NOD32 support office and provide them with the following logs:

1. Click on the NOD32 Control Centre (Green and White split square on the bottom right hand corner of your computers screen).
2. Click on NOD32.
3. Click on Run NOD32.
4. Click on “Scan and Clean”.

When the scan has completed please continue below:

Download HijackThis from here: https://www.wilderssecurity.com/showthread.php?t=12516

Download Autoruns from here: http://www.sysinternals.com/Utilities/Autoruns.html

Download and run Lookinmypc from here: http://www.lookinmypc.com
1. Select "Generate report"
2. Wait - scan results will pop up in a browser
3. Go to folder with LookInMyPC installed (default in C:\ProgramFiles\LookInMyPC\Reports\username\LookInMyPC.zip), and attach LookInMyPC.zip to the reply email

Then run the other 2 programs and forward the logs together with the following NOD32 log file:

1. Go to the NOD32 Control Centre
2. Click on Logs
3. Right Click on one of last completed full system scan logs.
4. Click on “Details”
5. Right Click anywhere on the scan log
6. Click on “copy all”
7. Right Click in the replying email to me.
8. Click on “Paste”

This will paste a copy of one of the scans you have completed.

Cheers

 

Re: my laptop is infacted

Please zip the file, protect the archive with the password "infected" and send it to support[at]eset.com with a link to this thread.

 

Re: my laptop is infacted

I have sent it to this email ID.

 

download this :
ht tp://siri.urz.free.fr/Fix/SmitfraudFix.zip

run smitfraud.exe, scan and restart

download this :
http://www.intermute.com/spysubtract/cwshredder_download.html

run scan too

don't worry, i have plenty of solutions

 

during download, I got this message.

 

Smitfraudfix was created by S!Ri and can give a warning
Here is a link with more data and an exe is given, why a zip was quoted to you I don't know
http://siri.geekstogo.com/SmitfraudFix.php