TechSpot

Completed all 8 steps.. now what?

By wallflower89
Aug 6, 2009
  1. I use Kaspersky Internet Security 2009, I also use the firewall that is with it *is that enough, do I need one of the free ones?*.

    Two Trojans were found: Trojandownloader.win32.agent.cjup
    My KIS told me to delete them. So I did.
    I got something that said “Password protected C:\ProgramData\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/sbRecovery.reg” umm last time I checked that was a Trojan.. and really bad I have never downloaded anything by that name….  My KIS picked this up :\
    I took spybot off a little while ago cause it seemed like it was missing stuff I would see what it was scanning and it would say something like “so and so casino” or “zango” and from what I have been told and remember that stuff is spyware… and it kept saying something about smitfraud and I have never downloaded anything by that name, and it looks fishy.. so I took spybot off and started this virus removal thing y'all have.. do I need to put spybot back on? Oh spybot after I think 5 or 6 scans picked this up as something bad but when I went to go and get rid of it, it said I had to be an admin.. I am an admin.. I am the only person on this computer? I even tried to manually go into the registry where it said it was but I never found it *I followed the thing it was in like Hkeylocal so on and so on*.

    Ran cleaner three times.



    Downloaded and ran Malwarebytes, got this after selecting “remove all” (log at bottom)
    “certain items could not be removed! The first few are listed below. All items that could not be removed have been added to the delete on reboot list. Please restart your computer now. A log file was saved to the logs folder…” (then more about wanting to reboot now.. I did).

    Downloaded and ran the SUPERAntiSpyware free edition (log below), was given a prompt saying I needed to reboot. I did.

    Downloaded and ran HijackThis (log below). I don’t understand a thing that HijackThis said. It just gave me a list of things, I don’t know if something is wrong or what?? Can someone please tell me what to do with it?
     
  2. PrivateCranky

    PrivateCranky TS Rookie

    Hi there,

    Have you tried deleting the said file as noted in your MBAM log?

    C:\Users\Public\Favorites\NginuL_na.exe (Worm.AutoRun) -> Delete on reboot.

    Is this file still there, and if you run MBAM again, is the file located again?

    Sorry if this is too obvious :)

    Pvt. Cranky
     
  3. rev_olie

    rev_olie TS Maniac Posts: 560

    Hi,

    Go to: Start > Run
    Type: services.msc
    Click Enter

    Maximize the Services window

    Drag the separator bar between Name and Description, so you can see all the text in the Name column.

    Scroll down and look for: Viewpoint Manager Service <--- name of service.
    Right click it and select "Properties"
    Click the "Stop" button and wait for the service to be stopped.
    Change the "Startup Type" from Automatic to "Disabled" (c/o drop-down menu)

    Please open HijackThis Again and then select Do a System Scan only
    Navigate to the following items and place a tick next to it:

    Viewpoint is classed as foistware that can view movements and show advertising on your PC and should therefore be removed.

    Then press Fix Checked.

    Now Go to Start > Control Panel > Programs and Features and uninstall the following if there

    Viewpoint

    After that please go to Start > Control Panel > Folder Options and click View. Then click on Show Hidden files and Folders.

    Then navigate to C:\Users\Public\Favorites\ and delete the following files if there:

    NginuL_na.exe
    The file may now be present and might have been removed by MBAM, and so if it's not there don't panic

    Now please run Hijackthis again and select Do a system scan and save a log file
    Attach that to your next reply.

    Also please do another Malwarebytes scan.
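
A scripted form of the manual steps in the post above, added here as an example and not part of the original thread. It assumes an elevated PowerShell prompt; the service display name and file path are the ones quoted in the posts, and the variable names are illustrative.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Service display name and file path are the ones quoted in the posts above.
$serviceName = 'Viewpoint Manager Service'
$suspectFile = 'C:\Users\Public\Favorites\NginuL_na.exe'

# 1. Stop the service and set its startup type to Disabled, if it exists.
$svc = Get-Service -DisplayName $serviceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output "Service '$serviceName' not found; nothing to disable."
} else {
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -InputObject $svc -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    }
    Set-Service -Name $svc.Name -StartupType Disabled
    Write-Output "Service '$($svc.Name)' stopped and set to Disabled."
}

# 2. Confirm the flagged file really exists before deleting it.
#    -Force lets Get-Item see hidden and system files.
try {
    $item = Get-Item -LiteralPath $suspectFile -Force -ErrorAction Stop
    # Note size and timestamp first so the removal can be documented.
    Write-Output ("Found {0} ({1} bytes, modified {2})" -f `
        $item.FullName, $item.Length, $item.LastWriteTime)
    Remove-Item -LiteralPath $item.FullName -Force -ErrorAction Stop
    Write-Output 'File deleted.'
}
catch [System.Management.Automation.ItemNotFoundException] {
    # Expected if the scanner already removed it or it was never on disk.
    Write-Output "File not present: $suspectFile"
}
catch {
    # Any other failure, such as the folder itself not being readable.
    Write-Output "Could not check or delete the file: $($_.Exception.Message)"
}
```

The two catch branches keep "file is absent" apart from "path could not be read", so a scanner that keeps reporting the file while the first branch fires can be followed up as a possible detection error.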
     
  4. wallflower89

    wallflower89 TS Rookie Topic Starter Posts: 19

    thank you for the help
    I did everything step by step and had no problems until: the 023:service in HijackThis.. Viewpoint wasn't there... so I went on and just uninstalled
    Next I showed hidden folders, went to C;\users\publics\favorites and got this message: "C\users\public\favorites is not accessible the name of the file cannot be resolved by the system"
    Just read to do another Malwarebytes scan, will do :) do you also want the log from that?

    Ran Malwarebytes again, received this message "certain items could not be removed! the first few are listed below. all items that couldn't be removed have been added to the delete on reboot list. File : C:\userspublic\favorites\ngiul_na.exe Please reboot"
    also attached is the log
    here is hijackthis:
     
  5. rev_olie

    rev_olie TS Maniac Posts: 560

    Ok then.

    I've been doing some digging around and that infection is actually a false positive. It is a read error with Windows Vista that is not actually apparent on the user's system. See Here

    Viewpoint is also gone so that's not a problem any more.

    So let's have a further look and make sure everything is gone:

    Go to Kaspersky website and perform an online anti virus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  6. wallflower89

    wallflower89 TS Rookie Topic Starter Posts: 19

    YAY THANK YOU!! I have been worried for some time that it would like mess with my other files and such :D ok I'm not finding the online scanner for Kaspersky's... I will keep looking for it till I find it :) thank you very much for your continued help :)
    UPDATE

    I clicked on the Kaspersky's link for the online scanner and it gave me this message "Program has failed to start. Close the kaspersky online scanner 7.0 window and open it again to install the program.

    [ERROR: java.lang.RuntimeException: You can not run scanner 7.0 because you already have kaspersky 8.0(9.0) installed on your computer"
     
Topic Status:
Not open for further replies.
