my laptop is infected

Discussion in 'NOD32 version 2 Forum' started by ankupan, May 27, 2007.

Thread Status:
Not open for further replies.
  1. ankupan

    ankupan Registered Member

    Joined:
    Oct 4, 2004
    Posts:
    436
    Hi,

    I am using NOD32 and Comodo FW.

    Today when I started it, I got this message and I am unable to clean it.

    How can I remove this from memory?
     

    Attached Files:

  2. ASpace

    ASpace Guest

    Re: my laptop is infected

    Hello !

    1) Settings as per Blackspear (scan for everything, with everything, clean + delete)
    2) Boot in Safe Mode and perform a full scan of C:\Windows
    3) NOD32 will delete the trojan
    4) Reboot back in Normal Mode and start the scanner to see if there is an infection


    Should the threat still be there, download UnDll, the DLL removal utility:
    http://www.nod32.it/tools/undll.php

    Extract it, start it, point it to the infected DLL (libHide.dll) and follow the instructions.


    Report back your results. ;)
     
  3. ankupan

    ankupan Registered Member

    Joined:
    Oct 4, 2004
    Posts:
    436
    Re: my laptop is infected

    1) Settings as per Blackspear (scan for everything, with everything, clean + delete)
    I have been using BS settings since day one, when I installed NOD32.

    2) Boot in Safe Mode and perform a full scan of C:\Windows
    Yes, I did it.

    3) NOD32 will delete the trojan
    Yes, NOD32 deleted this trojan in Safe Mode.

    4) Reboot back in Normal Mode and start the scanner to see if there is an infection
    Yes, my laptop is still infected and I am getting the same message.


    Should the threat still be there, download UnDll, the DLL removal utility:
    http://www.nod32.it/tools/undll.php

    Yes, the threat is still there and I downloaded this utility.

    Extract it, start it, point it to the infected DLL (libHide.dll) and follow the instructions.
    Did it; after reboot, still infected.


    Report back your results.

    The machine is still infected with this Trojan and I am waiting for help.
     
  4. ASpace

    ASpace Guest

    Re: my laptop is infected

    Very strange, UnDll should have done the job.

    OK, do this (follow the steps very carefully):

    1. Download The Avenger
    http://swandog46.geekstogo.com/avenger.exe

    The Avenger is a fully scriptable, kernel-level driver designed to remove highly persistent files and registry keys/values protected by entrenched malware. Basically this means that The Avenger is a program to which you give commands to execute (the script), consisting of files to delete, etc., which would otherwise be hard to delete because they were protected or "in use" by malicious software. More about The Avenger: http://swandog46.geekstogo.com/avengernotes.htm

    2. Download this file and save it somewhere (e.g. on Desktop)

    3. Run the program avenger.exe

    4. Choose "Load Script From File"

    5. Browse to find the file/script I gave you (trojan.txt), press the glass icon to see the script and, when you are ready...

    6. Press the traffic light icon. Confirm.

    Now your computer will reboot, and The Avenger will run the script file before the malware. After the restart the malware files will be gone. The Avenger will inform you with a log text file you'll see after you reboot. This log should report that all infected files are eliminated.

    After this, if the malware has eliminated Winsock (not sure, but some do), you'll need to repair Winsock.

    Repair Winsock
    Windows XP SP2 / Windows Vista

    Goto Start –> Run
    type cmd and click OK.
    Type netsh winsock reset
    Press ENTER . Restart immediately !

    Note that there is a space between the commands, e.g. netshSPACEwinsockSPACEreset

    After the restart, open NOD32's Control Center -> click IMON and re-register it with the system.
     
  5. ankupan

    ankupan Registered Member

    Joined:
    Oct 4, 2004
    Posts:
    436
    Re: my laptop is infected

    After reboot, a message appeared that it

    failed to delete this file. Avenger also failed to delete this trojan.

    Even before posting to this forum, I tried Ewido Micro and SAS also.

    Now I am worried: how do I delete this Trojan?

     
  6. ASpace

    ASpace Guest

    Re: my laptop is infected

    Can you copy/paste the exact message from The Avenger's log here, please.
     
  7. ankupan

    ankupan Registered Member

    Joined:
    Oct 4, 2004
    Posts:
    436
    Re: my laptop is infected

    The first time it failed and I didn't save the message.

    But now, to get that message, I tried two more times and got this:

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\axfscujq

    *******************

    Script file located at: \??\C:\WINDOWS\eklqqkph.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\WINDOWS\libHide.dll deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.


    Then I followed the other command (Winsock repair).

    But when I run NOD32 (Run NOD32), I still get the same message and my system is infected.

     
  8. ASpace

    ASpace Guest

    Re: my laptop is infected

    Very, very strange to me is the fact that The Avenger shows the file deleted but NOD32 shows the file exists.

    I would suggest you:
    - Update NOD32 to v.2293 (just released)
    - Perform full scan of all the hard drive
    - Post back results
    - Wait here either for ESET Mod or other suggestions or contact ESET TechSupport (since other tools are not allowed here at Wilders)

    Good luck! :thumb:
     
  9. ASpace

    ASpace Guest

    Re: my laptop is infected

    ESET Smart Security uses the new engine of the AV, the NOD32 version 3 engine.
    Marcos mentioned once that ESET Smart Security has an improved cleaning mechanism.

    You can also try it instead of NOD32.
     
  10. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    Re: my laptop is infected

    Hi ankupan
    Hitech is a terrific resource and he is very helpful.
    I am sorry to hear what is happening to you, however, go here and see if that will remove it
    http://www.greatis.com/appdata/d/l/libhide.dll_Removal.htm
    I did a search and found out that this "dll" seems to be difficult (PITA) to remove as it attaches itself to the following
    explorer.exe
    zboard.exe
    zboardtray.exe
    rundll32.exe
    spysweeper.exe
    soundman.exe
    ctfmon.exe
    system.exe
    iexplore.exe
    wordpad.exe
    If these suggestions do not help, then someone from ESET maybe able to give you specific removal instructions.
    This is a nasty :mad:
    Cheers :)
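    Added example, not part of the thread and not code from any of the posters: a PowerShell triage script for the situation described above, where a DLL is reported by the scanner, is loaded into several processes (so a normal delete fails with "in use"), and a delete-before-reboot tool like The Avenger reports success while the alert persists. It uses the path from the thread (C:\WINDOWS\libHide.dll); everything else is an assumption: PowerShell 2.0 or later for Add-Type, an elevated prompt, and the standard Run and AppInit_DLLs registry locations, which the thread does not identify as this sample's persistence mechanism. Step 4 reproduces the delete-at-boot mechanism (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT), which is how the Session Manager removes a file before Explorer or any Run entry starts.

```powershell
# Added triage example (not from the thread). Assumes Windows, PowerShell 2.0+ and an
# elevated prompt. $Target is the file named in the thread; keys below are assumptions.
$Target = 'C:\WINDOWS\libHide.dll'
$Leaf   = Split-Path -Leaf $Target

# 1. Is the file really on disk? The scanner may be alerting on a copy still mapped in
#    memory, or on a file that is re-dropped at logon after the on-disk copy is removed.
if (Test-Path -LiteralPath $Target) {
    $item = Get-Item -LiteralPath $Target -Force
    "{0}  {1} bytes  modified {2}" -f $item.FullName, $item.Length, $item.LastWriteTime
    # SHA-256 of the file, for submission to the vendor or an online multi-scanner
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Target)
    try   { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
    "SHA-256: $hash"
} else {
    "$Target is not on disk (or is being hidden from this session)."
}

# 2. Which processes have the DLL mapped? An injected DLL is "in use" in every host
#    process, which is why a plain delete fails. tasklist /M works on XP without
#    PowerShell; the Get-Process form needs admin rights to open other users' processes.
tasklist /M $Leaf
Get-Process | Where-Object {
    try { ($_.Modules | Where-Object { $_.FileName -ieq $Target }) -ne $null } catch { $false }
} | Select-Object Id, ProcessName

# 3. How does it get loaded again? Look for the file name in the usual autostart
#    locations (assumed locations, not confirmed by the thread for this sample).
$autostart = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'   # AppInit_DLLs
foreach ($key in $autostart) {
    if (Test-Path $key) {
        Get-ItemProperty $key | Out-String | Select-String -SimpleMatch $Leaf |
            ForEach-Object { "$key : $($_.Line.Trim())" }
    }
}

# 4. Schedule deletion before the next logon. MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT
#    records the path in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
#    PendingFileRenameOperations; smss.exe processes it early in boot, before any
#    user-mode autostart runs. Take a copy of the file for analysis before doing this.
$signature = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$Kernel32 = Add-Type -MemberDefinition $signature -Name 'Kernel32' -Namespace 'Win32' -PassThru
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
if (-not $Kernel32::MoveFileEx($Target, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
    throw "MoveFileEx failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
"Scheduled $Target for deletion at next reboot. Verify the pending entry with:"
"  (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').PendingFileRenameOperations"
```

    If step 4 removes the file but the alert returns after reboot, the dropper found in step 3 (or a process listed in step 2 that survives the reboot) is writing it back, and that component is what needs to be removed; deleting the DLL alone will not hold.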
     
  11. samia

    samia Registered Member

    Joined:
    May 27, 2007
    Posts:
    6
    Re: my laptop is infected

    Well,

    first, sorry for my English (I'm French).


    Use HijackThis.

    Run HijackThis, do a system scan and you'll see these lines:

    C:\WINDOWS\vbstub.exe
    C:\WINDOWS\libHide.dll
    C:\WINDOWS\system.exe
    C:\WINDOWS\system16.exe

    Select them and click on the "Fix checked" button.
    Restart the laptop.
    It worked for me.
     
    Last edited: May 27, 2007
  12. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Re: my laptop is infected

    Please note, we do not handle HJT logs here and very strongly recommend going through a site with trained analysts available. See here, that message contains links to some of the generally recommended sites for HJT analysis.

    Blue
     
  13. samia

    samia Registered Member

    Joined:
    May 27, 2007
    Posts:
    6
    Re: my laptop is infected


    OK, like this?

    Sorry, I didn't know :ninja:
     
  14. ankupan

    ankupan Registered Member

    Joined:
    Oct 4, 2004
    Posts:
    436
    Re: my laptop is infected

    I tried HijackThis and was unable to find C:\WINDOWS\libHide.dll.

    I checked each line and did not find it.

    Let me know, is it a harmful Trojan? Any chance of losing data?

     
  15. ASpace

    ASpace Guest

    Just like every trojan, it poses some risk.

    As Blue has pointed out, HJT is not allowed here. What you did (searching through the lines) is completely incorrect while working with such tools.

    So, did you perform a full scan to check for other threats? Did you try ESS? Just try; it doesn't hurt but may be helpful.
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    This is a bad idea, the software is in BETA and may damage a production system.

    Blackspear.
     
  17. ankupan

    ankupan Registered Member

    Joined:
    Oct 4, 2004
    Posts:
    436
    Hi,

    I just submitted this file to http://virusscan.jotti.org/

    and got this result.

    LWM - The Jotti results have been removed per our policy about posting such results, however...

    NOD32 said it found "a variant of Win32/Agent.OO". This may or may not be significant as some others found nothing. It could be a false positive. It could be Agent.BCH, or, it could be anything. Results are visible to Eset and forum staff.
     
    Last edited by a moderator: May 28, 2007
  18. ankupan

    ankupan Registered Member

    Joined:
    Oct 4, 2004
    Posts:
    436
    waiting for ESET comments.......... :rolleyes:
     
  19. ankupan

    ankupan Registered Member

    Joined:
    Oct 4, 2004
    Posts:
    436
    Re: my laptop is infected

    I did full scan and still machine is infected with same trojan.
     
  20. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Re: my laptop is infected

    In such a scenario please see below.

    Contact your local NOD32 support office and provide them with the following logs:

    1. Click on the NOD32 Control Centre (green and white split square in the bottom right-hand corner of your computer's screen).
    2. Click on NOD32.
    3. Click on Run NOD32.
    4. Click on “Scan and Clean”.

    When the scan has completed please continue below:

    Download HijackThis from here: https://www.wilderssecurity.com/showthread.php?t=12516

    Download Autoruns from here: http://www.sysinternals.com/Utilities/Autoruns.html

    Download and run Lookinmypc from here: http://www.lookinmypc.com
    1. Select "Generate report"
    2. Wait - scan results will pop up in a browser
    3. Go to folder with LookInMyPC installed (default in C:\ProgramFiles\LookInMyPC\Reports\username\LookInMyPC.zip), and attach LookInMyPC.zip to the reply email

    Then run the other 2 programs and forward the logs together with the following NOD32 log file:

    1. Go to the NOD32 Control Centre
    2. Click on Logs
    3. Right Click on one of last completed full system scan logs.
    4. Click on “Details”
    5. Right Click anywhere on the scan log
    6. Click on “copy all”
    7. Right Click in the replying email to me.
    8. Click on “Paste”

    This will paste a copy of one of the scans you have completed.

    Cheers :D
     
  21. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: my laptop is infected

    Please zip the file, protect the archive with the password "infected" and send it to support[at]eset.com with a link to this thread.
     
  22. ankupan

    ankupan Registered Member

    Joined:
    Oct 4, 2004
    Posts:
    436
    Re: my laptop is infected

    I have sent it to this email ID.


     
  23. samia

    samia Registered Member

    Joined:
    May 27, 2007
    Posts:
    6
    Last edited by a moderator: May 28, 2007
  24. ankupan

    ankupan Registered Member

    Joined:
    Oct 4, 2004
    Posts:
    436

    Attached Files:

    Last edited by a moderator: May 28, 2007