TROJAN - !update-4395[1].0000 and XC 29[1].exe - PLS HELP

Hi Guys,

I am suffering from these two Guys.. Urgently Need your HELP. Please...

McAfee VirusScan shows these two problems: 1) !update-4395[1].0000 detected as Generic Downloader
and 2) XC 29[1].exe detected as Fake Alert-L. dr

Looking for your help and big thanks in advance.

Cheers.
 
Hi ambarsaria and welcome to techspot. =)

Important: Please read this thread HERE before you decide whether to clean or reformat your system.

Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. These are a comprehensive mix of steps to remove common malware, as well as provide us logs of your system to look at so we can further remove any tricky nasties.
Do follow all the instructions exactly.

Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste; otherwise it will be ignored and/or removed by the moderators.

Also, please let me know the results of the AVG Antirootkit scan


Regards,
Your friendly Momok =)

This thread is for the use of ambarsaria only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Fresh Logs

Hi Momok,

Thanks for a quick reply. Please find attached the logs as you asked.

I hope to hear from you soon.

Thank you so much.
 
Hi,

You are running an outdated version of HijackThis. Also you have not posted the AVG Antispyware log as an attachment.

You can obtain both programs from the links in my signature. Please download them before going on with the following steps.

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services (if present). Double click each one and select Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

InfoData
SManager
CTDrive
AVP
Jcim
Sen


Open your Task Manager by holding Ctrl and Alt and pressing Del. Alternatively, use Ctrl + Shift + Esc. Go to the Processes tab and end the following processes, if found:

smanager.7.exe
avp.exe
services.exe
rundll.exe


After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\nmgyqaqc.dll",realset
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvfib.dll,startup

O4 - HKLM\..\Run: [avp] C:\WINDOWS\system32\avp.exe
O4 - HKCU\..\Run: [Jcim] "C:\Documents and Settings\Singh\Application Data\??sks\services.exe"
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Singh\APPLIC~1\SCURIT~1\rundll.exe" -vt ndrv

O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Close HJT.


Navigate in Windows Explorer and delete the following files and folders:

C:\WINDOWS\system32\nmgyqaqc.dll
C:\WINDOWS\smanager.7.exe
C:\WINDOWS\system32\drvfib.dll
C:\WINDOWS\system32\avp.exe

C:\Documents and Settings\Singh\Application Data\??sks\services.exe
C:\DOCUME~1\Singh\APPLIC~1\SCURIT~1\rundll.exe

Reboot into normal mode and rehide your protected OS files.

Please visit this link http://virusscan.jotti.org/

Click the Browse... button and navigate to the following file:
C:\Program Files\vbuzzer\VBuzzer.exe
Click Open
Also, do the same for:
C:/Program Files/Wengo/wengophone.exe

Please let me know the results.

Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


Regards,
Your friendly Momok =)

This thread is for the use of ambarsaria only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
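The HijackThis entries Momok lists above are the kind of log a helper reads line by line. As an added example (not from this thread, and not HijackThis's own code), here is a small Python triage that parses such lines and flags the traits the instructions act on: orphaned entries, rundll32 DLL loaders, autoruns living in user-profile directories, and Windows system-binary names outside system32. The heuristic rules, the helper names and the benign SoundMan line are assumptions constructed for this example.

```python
import re

# Lines quoted from the HijackThis instructions above, plus one constructed
# benign entry (SoundMan) so that the heuristics also have a clean case.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\nmgyqaqc.dll",realset
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvfib.dll,startup
O4 - HKLM\..\Run: [avp] C:\WINDOWS\system32\avp.exe
O4 - HKCU\..\Run: [Jcim] "C:\Documents and Settings\Singh\Application Data\??sks\services.exe"
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Singh\APPLIC~1\SCURIT~1\rundll.exe" -vt ndrv
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O2 - BHO: (no name) - {10C58843-30A3-1822-F248-1CE34BE7F39A} - C:\WINDOWS\system32\kpbtvvn.dll (file missing)
"""

# O4 lines look like:  O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
USER_PROFILE = ("documents and settings", "docume~1", "application data", "applic~1")
SYSTEM_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe"}

def first_token(cmd):
    """Return (first token, remainder) of a command line, honouring double quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")

def triage_line(line):
    """Return the reasons a HijackThis line deserves a closer look (empty list if none)."""
    reasons = []
    if line.endswith("(no file)") or line.endswith("(file missing)"):
        reasons.append("orphaned entry: registered component has no file on disk")
    m = O4_RE.match(line)
    if not m:
        return reasons
    program, rest = first_token(m.group(4))
    target = program
    if program.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        target = first_token(rest)[0].split(",")[0]   # the DLL that actually gets loaded
        reasons.append("rundll32 used to load a DLL at logon")
    low = target.lower()
    if any(marker in low for marker in USER_PROFILE):
        reasons.append("autorun target lives in a user-writable profile directory")
    directory, _, name = low.rpartition("\\")
    if name in SYSTEM_NAMES and not directory.endswith("\\system32"):
        reasons.append("Windows system binary name outside system32")
    return reasons

def triage(log):
    """Map every non-empty log line to its list of reasons; clean lines map to []."""
    return {ln: triage_line(ln) for ln in log.strip().splitlines()}
```

Two entries the helper removed (SManager and avp) trip none of these rules, which is why the fix list comes from the full set of logs and scanner results rather than from the autorun lines alone.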
 
Thank you Momok

Hi Momok,

Thank you so much for your help and concern. I did the same as you suggested, but I was not able to end the process named system.exe from Task Manager. There were no other processes like smanager.7.exe, avp.exe and rundll.exe.

Also I am NOT able to find any file or folder you mentioned below:

C:\WINDOWS\system32\nmgyqaqc.dll
C:\WINDOWS\smanager.7.exe
C:\WINDOWS\system32\drvfib.dll
C:\WINDOWS\system32\avp.exe
C:\Documents and Settings\Singh\Application Data\??sks\services.exe
C:\DOCUME~1\Singh\APPLIC~1\SCURIT~1\rundll.exe

Anyway, please find attached the fresh logs from HJT, Combofix and AVG Antivirus (I attached 2 logs, one before fixing the problems and one after fixing all the problems).

Please let me know what's next, and once again thank you so much for your time and concern.

I am falling in love with techspot.com ..

Cheers,

Ambarsaria
 
Hi,

I noticed some of the items in your AVG log show 'ignored'. Please run your scan once more and quarantine those items. Allow the archive to be quarantined should AVG prompt you whether to quarantine the archive in which the item is embedded.

You have also not given me the results for the 2 files I asked you to check at jotti. Please do so in the next reply.

Reboot into safe mode again and unhide all your files and folders.

Run AVG antirootkit scan and fix anything related to xpdt. Let me know if anything else turns up.

Now, run HijackThis and fix this entry:
O2 - BHO: (no name) - {10C58843-30A3-1822-F248-1CE34BE7F39A} - C:\WINDOWS\system32\kpbtvvn.dll (file missing)

Navigate in Windows Explorer and delete the following:
C:\WINDOWS\system32\wnstssv32.exe
C:\intvuvmp.exe
C:\WINDOWS\VbFaxPrinter.exe

Then, go to start > run and type regedit. Press Enter.

Press ctrl + f and search for all instances of wintfj32.dll and delete them.

Reboot into normal mode and post fresh HijackThis, Combofix and AVG Antispyware logs. Please let me know the results of the antirootkit scan and the jotti scans.


Regards,
Your friendly Momok =)

This thread is for the use of ambarsaria only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 