TechSpot

Fixing !Update.exe

By Negotiator
Jul 3, 2007
  1. Hello, I am trying to get rid of that !Update.exe trojan from my brother's computer. I ran HJT and have attached the text file for it; I need to know which files on this list need to be fixed.
     
  2. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Hello and welcome to TechSpot.

    I don't see anything particularly nasty in your HJT log; however, the version you are running is outdated, and HJT doesn't catch everything.

    For that reason, please go and read the Viruses/spyware/malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, ComboFix, and AVG Antispyware logs as attachments into this thread, only after doing the above. Also post here the results of the AVG Antirootkit scan.

    Regards :)

    This thread is for the use of Negotiator only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  3. Negotiator

    Negotiator TS Rookie Topic Starter Posts: 39

    Here are the files. The AVG Antirootkit scan didn't come up with anything. With the ComboFix log, there are two of them and I don't know which one you need, so I attached them both. Finally, if you don't mind, what are you looking for when you are looking through these logs?

    Thank you for your help and for your time.
     
  4. bobby123

    bobby123 TS Rookie Posts: 336

    I think it's a case of looking for any unneeded files which are affecting your system. Your report scan shows that AVG has got rid of the trojans. Wait and see what the guys say about the ComboFix logs.

    C:\WINDOWS\system32\svchost.exe

    That could be the problem but wait.
     
  5. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Please copy and paste these instructions into a Notepad file and save it to your desktop. Then close your web browser and follow the instructions from Notepad.

    Step 1:

    Download Vundofix from HERE.

    Double click the Vundofix.exe to run it.

    Right click in the vundofix window and click add files.

    Enter the full file path/s to the files you want Vundofix to delete and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do its stuff.

    This is the filepath you need to enter into Vundofix.

    C:\WINDOWS\system32\nxmbd.dll

    Step 2:

    Navigate to virusscan.jotti.org.

    Enter the following into the text box at the top of the page.

    C:\WINDOWS\bwUnin-6.3.3.61-7211241L.exe

    Click the Submit button and then make note of the results.

    Step 3:

    Run HijackThis with no other programs open (except Notepad). Do a system scan.

    Place a check in the box next to the following entries (if there):

    R3 - URLSearchHook: (no name) - {8530D748-6CA0-1E02-F1ED-6744E6834F9D} - C:\WINDOWS\system32\nxmbd.dll (file missing)

    O2 - BHO: (no name) - {8530D748-6CA0-1E02-F1ED-6744E6834F9D} - C:\WINDOWS\system32\nxmbd.dll (file missing)

    O4 - HKCU\..\Run: [Ilj] C:\WINDOWS\system32\M?crosoft.NET\mshta.exe

    O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\ALLUSE~1.JSH\APPLIC~1\CURITY~1\chkntfs.exe" -vt ndrv

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    Click the Fix Checked button.

    Step 4:

    Go into Control Panel->Add/Remove Programs and uninstall anything having to do with Viewpoint.

    Then go to Start->Run, type in services.msc and press Enter.

    Select anything relating to the following from the list and select Stop if they are running:

    viewpoint manager
    viewmgr


    Step 5:

    Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.
    Drag the Combofix-Do.txt over on to Combofix.exe and release.

    This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job.

    Then post fresh ComboFix (combofix.txt) and HJT logs, as well as the results of the Jotti virus scan.

    Regards :)

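Added example, not code from the thread or from HijackThis: a small Python triage over constructed HJT log lines modelled on the entries in the post above. It encodes the tells the post acts on: a CLSID registered as both URLSearchHook (R3) and BHO (O2) whose file HJT cannot find (the Vundo pattern, a random five-letter DLL in system32), a `?` inside a path (HJT is an ANSI program, and `?` cannot occur in a real Windows file name, so it stands for a character HJT could not display), a Windows binary name such as mshta.exe or chkntfs.exe launched from somewhere other than system32, and an auto-run pointing into a profile's Application Data folder. The rule names, the `Finding` type and the two benign auto-run lines are this example's own.

```python
"""Triage rules over HijackThis (HJT) log lines.

Added example, not code from the TechSpot thread or from HijackThis. The
sample lines are constructed to mirror the entries quoted in the thread; the
rule names and the Finding type are this example's own.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: the entry shapes quoted in the thread, plus two
# benign auto-run lines that the rules must leave alone.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {8530D748-6CA0-1E02-F1ED-6744E6834F9D} - C:\WINDOWS\system32\nxmbd.dll (file missing)
O2 - BHO: (no name) - {8530D748-6CA0-1E02-F1ED-6744E6834F9D} - C:\WINDOWS\system32\nxmbd.dll (file missing)
O4 - HKCU\..\Run: [Ilj] C:\WINDOWS\system32\M?crosoft.NET\mshta.exe
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\ALLUSE~1.JSH\APPLIC~1\CURITY~1\chkntfs.exe" -vt ndrv
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Example] C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

# "R3 - URLSearchHook: ..." / "O4 - HKCU\..\Run: ..." / "O23 - Service: ..."
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path ending in .exe/.dll, with or without quotes.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll))"?', re.IGNORECASE)

# File names that belong to %SystemRoot%\system32 on XP. The same name in any
# other directory is a masquerade, not the Windows tool.
SYSTEM32_NAMES = {"mshta.exe", "chkntfs.exe", "svchost.exe", "rundll32.exe",
                  "regsvr32.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class Finding:
    code: str      # HJT entry code(s), e.g. "O4" or "O2+R3"
    rule: str      # short rule name
    detail: str    # the path or identifier that triggered it


def parse(text):
    """Yield (code, kind, rest, path_or_None) for every HJT entry line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        pm = PATH_RE.search(m["rest"])
        yield m["code"], m["kind"], m["rest"], (pm.group(1) if pm else None)


def triage_hjt(text):
    """Return a list of Finding objects; entries with no finding are omitted."""
    findings = []
    clsid_uses = defaultdict(set)
    for code, kind, rest, path in parse(text):
        for clsid in CLSID_RE.findall(rest):
            clsid_uses[clsid.upper()].add(code)
        if "(file missing)" in rest:
            # Registration survives but HJT cannot see the file: either a
            # leftover after removal or a file hidden from HJT.
            findings.append(Finding(code, "orphaned registration", path or rest))
        if path is None:
            continue
        directory, name = ntpath.split(path)
        directory, name = directory.lower(), name.lower()
        if "?" in path:
            # '?' is illegal in a file name, so it is HJT's stand-in for a
            # character it could not render: a lookalike directory name.
            findings.append(Finding(code, "unrenderable char in path", path))
        if name in SYSTEM32_NAMES and not directory.endswith("\\system32"):
            findings.append(Finding(code, "system binary name outside system32", path))
        if kind.endswith("Run") and ("\\applic~1\\" in directory
                                     or "\\application data\\" in directory):
            findings.append(Finding(code, "autorun from Application Data", path))
    for clsid, codes in clsid_uses.items():
        if len(codes) > 1:
            # One component registered under two hook types (here R3 and O2).
            findings.append(Finding("+".join(sorted(codes)),
                                    "CLSID shared across entry types", clsid))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.code:6} {f.rule:38} {f.detail}")
```

The location rule is why a plain `C:\WINDOWS\system32\svchost.exe` is not reported: what the rules key on is a system file name outside its home directory, not the name itself. The rules rank entries for a person to review; they do not decide what to delete.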
     
  6. bobby123

    bobby123 TS Rookie Posts: 336

    good work kitty
     
  7. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Thanks mate :)

    Actually, I sort of enjoy it.
     
  8. Negotiator

    Negotiator TS Rookie Topic Starter Posts: 39

    Here is the combofix log and the new HJT log. The Jotti virus scan didn't find anything.
     
  9. momok

    momok TS Rookie Posts: 2,265

    Hi,

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Please run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    Close HJT.

    Navigate in Windows Explorer and delete the following files and folders in bold.

    C:\DOCUME~1\ALLUSE~1.JSH\APPLIC~1\CURITY~1\chkntfs.exe
    C:\WINDOWS\bwUnin-6.3.3.61-7211241L.exe

    I'd like you to open C:\Windows\system32
    Set the view to "details".
    Search for the rogue folder named Microsoft.NET and check its contents for mshta.exe. There may be more than one folder which displays the folder name Microsoft.NET in your C:\Windows\system32 folder.

    The rogue folder should be the one that is not alphabetically in order with the rest of the folders; at the end of the list of folders starting with "M", after MsDtc and mui etc.
    Delete the entire rogue folder. Do not get the wrong folder!

    Let me know if you managed to find it.

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments into this thread.


    Regards,
    Your friendly momok =)

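Added example, not from the thread: given a directory listing, find folder names that imitate a protected name and show why such a folder sorts after `mui` as the post above describes. The listing is constructed, since the real character on the poster's machine is unknown (HJT only rendered it as `?`); Cyrillic small i, U+0456, is assumed here. The NFKC-plus-confusable "skeleton" is a simplification of Unicode's confusables data, and the names `find_lookalikes`, `skeleton` and `explorer_order` are this example's own.

```python
"""Lookalike folder detection for the 'rogue Microsoft.NET' case.

Added example, not code from the TechSpot thread. The listing is constructed
and the Cyrillic U+0456 in the rogue name is an assumption about what HJT
printed as '?'.
"""
import unicodedata

# Constructed system32 listing: legitimate folders plus one rogue folder whose
# second letter is Cyrillic U+0456 instead of Latin 'i'.
SAMPLE_LISTING = ["CatRoot", "Microsoft", "MsDtc", "mui", "oobe", "wbem",
                  "M\u0456crosoft.NET"]

# Names that belong in system32 and must never be deleted.
PROTECTED = {"Microsoft", "Microsoft.NET"}

# Cyrillic/Greek letters that render like Latin ones. NFKC does not fold these
# (they are distinct letters), so an explicit map is needed; Unicode's
# confusables.txt is the full list, this is a hand-picked subset.
CONFUSABLE = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",
    "\u0406": "I", "\u0408": "J", "\u0405": "S", "\u03bf": "o", "\u03b1": "a",
})


def skeleton(name):
    """Fold a name to what it looks like: NFKC (fullwidth forms, ligatures),
    then the confusable map, then case-fold. Used only for comparison."""
    return unicodedata.normalize("NFKC", name).translate(CONFUSABLE).casefold()


def find_lookalikes(listing, protected=PROTECTED):
    """Return (rogue_name, legitimate_name_it_imitates) pairs.

    The exact-match test runs first, so a genuine protected folder is never
    reported; that is the 'do not get the wrong folder' caveat from the
    thread. Only names that differ from every protected name but share a
    skeleton with one of them are returned.
    """
    by_skeleton = {skeleton(p): p for p in protected}
    hits = []
    for name in listing:
        if name in protected:
            continue
        legit = by_skeleton.get(skeleton(name))
        if legit is not None:
            hits.append((name, legit))
    return hits


def explorer_order(listing):
    """Case-insensitive code-point sort.

    A Cyrillic letter has a code point above every Latin letter, so the
    rogue folder lands after 'mui' instead of next to 'Microsoft'. Explorer's
    locale-aware sort also places Cyrillic after Latin, which is the tell
    the thread relies on.
    """
    return sorted(listing, key=str.casefold)


def non_ascii_chars(name):
    """List each non-ASCII character with its code point and Unicode name,
    so the odd letter can be named rather than guessed at."""
    return [(c, f"U+{ord(c):04X}", unicodedata.name(c, "?"))
            for c in name if ord(c) > 127]


if __name__ == "__main__":
    for rogue, legit in find_lookalikes(SAMPLE_LISTING):
        print(f"{rogue!r} imitates {legit!r}: {non_ascii_chars(rogue)}")
    print(explorer_order(SAMPLE_LISTING))
```

Run against a real listing, `find_lookalikes` is the check to make before deleting anything: it names the folder that only looks like Microsoft.NET and never the genuine one.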
     
  10. Negotiator

    Negotiator TS Rookie Topic Starter Posts: 39

    Here is the new HJT log and ComboFix log.

    I was unable to delete this file:
    C:\DOCUME~1\ALLUSE~1.JSH\APPLIC~1\CURITY~1\chkntfs.exe
    For some reason I couldn't get to the \CURITY~1\ folder to do it.

    Also, there wasn't that rogue Microsoft.NET folder in the system32 folder; in fact, there was no Microsoft.NET folder at all in system32.
     
  11. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Have HijackThis fix this entry:
    O4 - Global Startup: Digital Line Detect.lnk = ?

    Your logs look clean now.

    Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

    You may also delete the C:\VundoFix Backups folder and its contents.

    Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend that you read this article.
    This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly momok =)

     
Topic Status:
Not open for further replies.
