TechSpot

TROJAN - !update-4395[1].0000 and XC 29[1].exe - PLS HELP

By ambarsaria
May 19, 2007
  1. Hi Guys,

    I am suffering from these two guys. I urgently need your help. Please...

    McAfee VirusScan shows these two problems: 1) !update-4395[1].0000 detected as Generic Downloader
    and 2) XC 29[1].exe detected as FakeAlert-L.dr

    Looking for your help, and big thanks in advance.

    Cheers.
     
  2. momok

    momok TS Rookie Posts: 2,265

    Hi ambarsaria and welcome to techspot. =)

    Important: Please read this thread HERE before you decide whether to clean or reformat your system.

    Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. These are a comprehensive mix of steps to remove common malware, as well as to provide us with logs of your system to look at so we can further remove any tricky nasties.
    Do follow all the instructions exactly.

    Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste; otherwise it will be ignored and/or removed by the moderators.

    Also, please let me know the results of the AVG Antirootkit scan.


    Regards,
    Your friendly Momok =)

    This thread is for the use of ambarsaria only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. ambarsaria

    ambarsaria TS Rookie Topic Starter

    Fresh Logs

    Hi Momok,

    Thanks for the quick reply. Please find the logs attached.

    I hope to hear from you soon.

    Thank you so much.
     
  4. momok

    momok TS Rookie Posts: 2,265

    Hi,

    You are running an outdated version of HijackThis. Also you have not posted the AVG Antispyware log as an attachment.

    You can obtain both programs from the links in my signature. Please download them before going on with the following steps.

    You may wish to copy and paste these instructions into Notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type services.msc. Press the enter key.
    Search for the following services (if present). Double-click each one and click Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

    InfoData
    SManager
    CTDrive
    AVP
    Jcim
    Sen


    Open Task Manager by holding Ctrl and Alt and pressing Del. Alternatively, use Ctrl + Shift + Esc. Go to the Processes tab, and end the following processes, if found:

    smanager.7.exe
    avp.exe
    services.exe
    rundll.exe


    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\nmgyqaqc.dll",realset
    O4 - HKLM\..\Run: [SManager] smanager.7.exe
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvfib.dll,startup

    O4 - HKLM\..\Run: [avp] C:\WINDOWS\system32\avp.exe
    O4 - HKCU\..\Run: [Jcim] "C:\Documents and Settings\Singh\Application Data\??sks\services.exe"
    O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Singh\APPLIC~1\SCURIT~1\rundll.exe" -vt ndrv

    O4 - Global Startup: Digital Line Detect.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    Close HJT.


    Navigate in Windows Explorer and delete the following files and folders in bold.

    C:\WINDOWS\system32\nmgyqaqc.dll
    C:\WINDOWS\smanager.7.exe
    C:\WINDOWS\system32\drvfib.dll
    C:\WINDOWS\system32\avp.exe

    C:\Documents and Settings\Singh\Application Data\??sks\services.exe
    C:\DOCUME~1\Singh\APPLIC~1\SCURIT~1\rundll.exe

    Reboot into normal mode and rehide your protected OS files.

    Please visit this link http://virusscan.jotti.org/

    Click the Browse... button and navigate to the following file:
    C:\Program Files\vbuzzer\VBuzzer.exe
    Click Open
    Also, do the same for:
    C:/Program Files/Wengo/wengophone.exe

    Please let me know the results.

    Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


    Regards,
    Your friendly Momok =)

    This thread is for the use of ambarsaria only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. ambarsaria

    ambarsaria TS Rookie Topic Starter

    Thank you Momok

    Hi Momok,

    Thank you so much for your help and concern. I did as you suggested, but I was not able to end the process named system.exe from the Task Menu. There were no other processes like smanager.7.exe, avp.exe and rundll.exe.

    Also, I am NOT able to find any of the files or folders you mentioned below:

    C:\WINDOWS\system32\nmgyqaqc.dll
    C:\WINDOWS\smanager.7.exe
    C:\WINDOWS\system32\drvfib.dll
    C:\WINDOWS\system32\avp.exe
    C:\Documents and Settings\Singh\Application Data\??sks\services.exe
    C:\DOCUME~1\Singh\APPLIC~1\SCURIT~1\rundll.exe

    Anyway, please find attached the fresh logs from HJT, Combofix and AVG Antivirus (I attached 2 logs, one before fixing the problems and one after fixing all the problems).

    Please let me know what's next, and once again thank you so much for your time and concern.

    I am falling in love with techspot.com...

    Cheers,

    Ambarsaria
     
  6. momok

    momok TS Rookie Posts: 2,265

    Hi,

    I noticed some of the items in your AVG log show 'ignored'. Please run your scan once more and quarantine those items. Allow the archive to be quarantined should AVG prompt you whether to quarantine the archive in which the item is embedded.

    You have also not given me the results for the 2 files I asked you to check at jotti. Please do so in the next reply.

    Reboot into safe mode again and unhide all your files and folders.

    Run AVG antirootkit scan and fix anything related to xpdt. Let me know if anything else turns up.

    Now, run HijackThis and fix this entry:
    O2 - BHO: (no name) - {10C58843-30A3-1822-F248-1CE34BE7F39A} - C:\WINDOWS\system32\kpbtvvn.dll (file missing)

    Navigate in Windows Explorer and delete the following:
    C:\WINDOWS\system32\wnstssv32.exe
    C:\intvuvmp.exe
    C:\WINDOWS\VbFaxPrinter.exe

    Then, go to start > run and type regedit. Press Enter.

    Press ctrl + f and search for all instances of wintfj32.dll and delete them.

    Reboot into normal mode and post fresh HijackThis, Combofix and AVG Antispyware logs. Please let me know the results of the antirootkit scan and the jotti scans.


    Regards,
    Your friendly Momok =)

    This thread is for the use of ambarsaria only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
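As an added example (not code from this thread, from momok, or from HijackThis), here is a small Python checker that parses the HijackThis R3/O2/O3/O4 lines quoted in momok's posts above and flags the ones a responder would tell the poster to fix: CLSID registrations whose file no longer exists, and Run entries that are a bare filename, load from Application Data, or reuse a system-process name outside System32. The sample log is constructed from the lines in this thread plus one benign ctfmon entry; the heuristics and the NAMES_FROM_THREAD set are assumptions of this example, not a HijackThis feature.

```python
import re
# Constructed sample: HijackThis lines quoted in momok's posts, plus a constructed benign ctfmon entry.
SAMPLE_LOG = r"""R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: (no name) - {10C58843-30A3-1822-F248-1CE34BE7F39A} - C:\WINDOWS\system32\kpbtvvn.dll (file missing)
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\nmgyqaqc.dll",realset
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKCU\..\Run: [Jcim] "C:\Documents and Settings\Singh\Application Data\??sks\services.exe"
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
CLSID_RE = re.compile(r'^(R3|O2|O3) - [^:]+: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$')
# Run-value names momok told the poster to fix (taken from the posts above).
NAMES_FROM_THREAD = {"InfoData", "SManager", "CTDrive", "avp", "Jcim", "Sen"}
def split_command(text):
    # Returns (first token, remainder); the first token is a quoted path or a bare word.
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))\s*', text)
    return (m.group(1) or m.group(2), text[m.end():]) if m else ("", "")

def loaded_module(cmd):
    # What actually runs: for rundll32 the DLL argument (before ,entrypoint), otherwise the exe.
    exe, rest = split_command(cmd)
    if exe.lower().endswith("rundll32.exe"):
        return split_command(rest)[0].split(",")[0]
    return exe

def assess_run_entry(name, cmd):
    # Heuristics drawn from the entries in this thread; each hit is a reason to review the entry.
    module, low = loaded_module(cmd), cmd.lower()
    checks = [
        (name in NAMES_FROM_THREAD, "value name listed for removal in this thread"),
        ("\\" not in module, "bare filename: found by PATH search, not a fixed install path"),
        ("application data" in low or "applic~1" in low, "loads from user-writable Application Data"),
        (re.search(r'\b(services|rundll)\.exe\b', low) and "system32" not in low,
         "system-process name running outside System32"),
    ]
    return [reason for hit, reason in checks if hit]

def parse_log(text):
    # Returns (section, label, target, reasons) tuples; an empty reasons list means not flagged.
    entries = []
    for line in text.splitlines():
        if m := O4_RE.match(line):
            entries.append(("O4", m[3], m[4], assess_run_entry(m[3], m[4])))
        elif m := CLSID_RE.match(line):
            orphan = m[3] == "(no file)" or m[3].endswith("(file missing)")
            entries.append((m[1], m[2], m[3], ["registered file no longer exists"] if orphan else []))
    return entries

def flagged(text=SAMPLE_LOG):
    return [e for e in parse_log(text) if e[3]]
```

Run `flagged()` against a full HijackThis log to get the entries worth a second look; the benign ctfmon line is there to show the filter lets ordinary entries through.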
     
Topic Status:
Not open for further replies.
