

Trojan Removal


16 replies to this topic

#1 ibnhana (Members, 9 posts)

Posted 10 February 2008 - 02:02 AM

I am not computer savvy and I noted about 3 weeks ago that I have some trojans including but possibly not limited to PWS_LegMir, PWS_Mmorpg.gen, VAnyi.sys, and W32/magish.dam3.

Can you please guide me how to get rid of them?

Thank you and Best Regards

Fuad Fuleihan


#2 V e g e t a (Members, 40 posts)

Posted 10 February 2008 - 06:56 AM

Hmm...
Firstly, make sure your firewall is denying these programs access.
Secondly, run HijackThis and post the results.

#3 Orange Blossom (OBleepin Investigator, Moderator, 36,911 posts, Bloomington, IN)

Posted 10 February 2008 - 02:25 PM

Hello ibnhana and welcome to BC :flowers:

Let's hold off on any HJT posting; those logs aren't to be posted in this forum anyway.

What is your operating system: Windows XP, Vista etc.?

What program alerted you to these trojans?

What security programs do you have installed?

What security programs have you run?

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 ibnhana (Topic Starter, Members, 9 posts)

Posted 11 February 2008 - 12:08 PM

Thanks orange blossom.
Where am I supposed to post the logs?
My Operating system is Windows XP.
McAfee alerted me to these trojans, deleted a few but kept some.
I have McAfee and the McAfee firewall.
I have run McAfee. I also downloaded yesterday a program from this site http://www.greatis.com/appdata/d/v/vanti.sys_Removal.htm and it detected about 40 suspicious files, but it wanted me to decide if this is a false indication or to delete the files, and as I did not know and did not know the effects of deleting these files, I indicated that all are false alarms.

#5 Orange Blossom (OBleepin Investigator, Moderator, 36,911 posts, Bloomington, IN)

Posted 11 February 2008 - 02:22 PM

Where am I supposed to post the logs?


Which logs are you referring to?

Orange Blossom :thumbsup:

#6 ibnhana (Topic Starter, Members, 9 posts)

Posted 12 February 2008 - 02:11 AM

I am referring to where I posted my original question for help and your answer that these are not the appropriate logs to post my question in.

Best Regards

ibnhana

#7 ibnhana (Topic Starter, Members, 9 posts)

Posted 12 February 2008 - 09:12 AM

Dear Orange Blossom

Sorry for the caps in my last email, but the Caps Lock key was down.

ibnhana

#8 Orange Blossom (OBleepin Investigator, Moderator, 36,911 posts, Bloomington, IN)

Posted 12 February 2008 - 09:53 AM

Hello ibnhana,

For the first 24 hours after posting, you can edit your post, so if you are online within that time frame, you can edit the caps out. :thumbsup:
----------
The reason I asked "which logs" is because it wasn't clear whether you were referring to HiJack This or other security program logs, such as McAfee. As I stated earlier, I think it would be better to see if you can be disinfected without resorting to HJT as the HJT team is very busy. In order to do that, we need clearer information. If it turns out that HJT is the way to go, we'll give you directions of what to do and where to post at that time.

Can you please post the log from the McAfee scan as a reply?

I would suggest also at this point to scan with SUPERAntiSpyware in Safe Mode. You will of course install it in normal mode.

Download and install SUPERAntiSpyware free found here: http://www.superantispyware.com/superantis...efreevspro.html

Be sure to click on the download button to the left, not on the free trial download on the right.

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
Reboot into Safe Mode
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
Reboot into Normal Mode
To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
Click close and close again to exit the program.

Please post the log in your next reply.

Orange Blossom :flowers:

#9 ibnhana (Topic Starter, Members, 9 posts)

Posted 12 February 2008 - 12:22 PM

Dear Orange blossom

Thanks a million for all your help and your detailed explanation. I did not know how to do the following instructions of yours:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
Reboot into Safe Mode
I will check with a friend and repeat the scan tomorrow using safe mode as I do not know how to do it. The scan logs are below:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/12/2008 at 07:01 PM

Application Version : 3.9.1008

Core Rules Database Version : 3400
Trace Rules Database Version: 1392

Scan type : Complete Scan
Total Scan Time : 00:39:24

Memory items scanned : 427
Memory threats detected : 0
Registry items scanned : 6357
Registry threats detected : 7
File items scanned : 26862
File threats detected : 31

Trojan.Downloader-Gen/Kavo
[kava] C:\WINDOWS\SYSTEM32\KAVO.EXE
C:\WINDOWS\SYSTEM32\KAVO.EXE

Trojan.JBLoader
HKLM\Software\Classes\CLSID\{55667788-ABCD-1234-5678-00C04FD8DBD8}
HKCR\CLSID\{55667788-ABCD-1234-5678-00C04FD8DBD8}
HKCR\CLSID\{55667788-ABCD-1234-5678-00C04FD8DBD8}
HKCR\CLSID\{55667788-ABCD-1234-5678-00C04FD8DBD8}\InprocServer32
HKCR\CLSID\{55667788-ABCD-1234-5678-00C04FD8DBD8}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\JBLOADER.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{55667788-ABCD-1234-5678-00C04FD8DBD8}

Adware.Tracking Cookie
C:\Documents and Settings\user\Cookies\user@bizrate[2].txt
C:\Documents and Settings\user\Cookies\user@server.iad.liveperson[2].txt
C:\Documents and Settings\user\Cookies\user@serving-sys[1].txt
C:\Documents and Settings\user\Cookies\user@estat[2].txt
C:\Documents and Settings\user\Cookies\user@2o7[1].txt
C:\Documents and Settings\user\Cookies\user@ads.planetactive[1].txt
C:\Documents and Settings\user\Cookies\user@e-2dj6wjk4wpdzefp.stats.esomniture[1].txt
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[1].txt
C:\Documents and Settings\user\Cookies\user@ehg-jag.hitbox[1].txt
C:\Documents and Settings\user\Cookies\user@smartadserver[2].txt
C:\Documents and Settings\user\Cookies\user@questionmarket[1].txt
C:\Documents and Settings\user\Cookies\user@atdmt[2].txt
C:\Documents and Settings\user\Cookies\user@northwestairlines.112.2o7[1].txt
C:\Documents and Settings\user\Cookies\user@realmedia[1].txt
C:\Documents and Settings\user\Cookies\user@overture[2].txt
C:\Documents and Settings\user\Cookies\user@tacoda[1].txt
C:\Documents and Settings\user\Cookies\user@partner2profit[1].txt
C:\Documents and Settings\user\Cookies\user@anad.tacoda[1].txt
C:\Documents and Settings\user\Cookies\user@ads.pointroll[1].txt
C:\Documents and Settings\user\Cookies\user@bs.serving-sys[2].txt
C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt
C:\Documents and Settings\user\Cookies\user@mediaplex[1].txt
C:\Documents and Settings\user\Cookies\user@msnportal.112.2o7[1].txt
C:\Documents and Settings\user\Cookies\user@specificclick[1].txt
C:\Documents and Settings\user\Cookies\user@citi.bridgetrack[2].txt
C:\Documents and Settings\user\Cookies\user@statse.webtrendslive[2].txt
C:\Documents and Settings\user\Cookies\user@hitbox[1].txt
C:\Documents and Settings\user\Cookies\user@e-2dj6wjnyomd5kbq.stats.esomniture[2].txt
C:\Documents and Settings\user\Cookies\user@advertising[2].txt

I am very appreciative of your help and look forward to hearing from you again.

Best Regards

ibnhana

#10 ibnhana (Topic Starter, Members, 9 posts)

Posted 12 February 2008 - 01:59 PM

Dear orange blossom

I scanned again using your complete instructions (except sleep mode, which I will perform tomorrow) and the scan time was one hour 15 minutes because of the larger files, but no new trojans were detected. However, when I click on My Computer and click on any drive C, D, F or G, a McAfee alert of the Vanti.sys virus appears (this has been appearing for the last week) which does not allow me to delete it, as all the options are blank. The second, third, etc. times I do this the virus alert does not appear. Only the first time after I reboot.

Best Regards

ibnhana

#11 quietman7 (Bleepin' Janitor, Global Moderator, 51,287 posts, Virginia, USA)

Posted 13 February 2008 - 08:50 AM

when I click on my computer and click on any drive C, D, F or G a Macaffee alert of Vanti.sys virus appears

From what you describe and the files identified thus far, it appears to be a flash drive infection. Flash drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, autorun looks for autorun.inf and automatically executes another malicious file to run on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.

Vanti.sys is a rootkit component. Rootkits are very dangerous because they use advanced techniques to access a computer system, bypass security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Please read "When should I re-format?" and "Reformatting the computer or troubleshooting; which is best?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
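The autorun.inf mechanism quietman7 describes above can be checked directly rather than inferred from an antivirus pop-up. The following Python script is an added example for this thread, not code posted by any participant or shipped by any tool named here. It parses the [autorun] section the way Windows reads it, lists the files that the open, shellexecute and shell\...\command keys would launch, and, when pointed at a drive root, reports whether those files are actually present beside the autorun.inf. The autorun.inf embedded in it is a constructed sample, and xxxxx.exe is a made-up launcher name standing in for whatever a real infection drops; none of the file names from the McAfee alerts in this thread are assumed.

```python
"""Inspect autorun.inf files of the kind USB-propagating malware drops in
drive roots, and report which file Windows AutoRun would launch.

Added example for this thread; it is not code posted by any participant.
The sample autorun.inf below is constructed, and 'xxxxx.exe' is a made-up
launcher name standing in for whatever the real infection drops.
"""
import os
import re

# Keys an autorun.inf can use to make Windows start a program when the drive
# is inserted, or when its icon is double-clicked / right-clicked in My Computer.
_LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

# First token of a value: either a double-quoted path or a bare one.
_FIRST_TOKEN = re.compile(r'^"([^"]*)"|^(\S+)')

SAMPLE_AUTORUN_INF = """\
[autorun]
; constructed sample; mimics the pattern described in the post
open=xxxxx.exe
shell\\open\\Command=xxxxx.exe
shell\\explore\\command=xxxxx.exe
shellexecute=xxxxx.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def parse_autorun(text):
    """Return a list of (key, value) pairs from the [autorun] section.

    A hand-rolled parser is used instead of configparser because malicious
    autorun.inf files often repeat keys and mix case, which configparser
    either rejects or silently merges.
    """
    entries = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip(), value.strip()))
    return entries


def launch_targets(text):
    """Executables the autorun.inf would run, deduplicated (case-insensitively),
    in the order they appear. Arguments after the program name are dropped."""
    seen = []
    for key, value in parse_autorun(text):
        if not _LAUNCH_KEY.match(key):
            continue
        m = _FIRST_TOKEN.match(value)
        target = (m.group(1) or m.group(2) or "") if m else ""
        if target and target.lower() not in (s.lower() for s in seen):
            seen.append(target)
    return seen


def inspect_drive_root(root):
    """Look for autorun.inf in a drive root and report what it would launch.

    Returns None when there is no autorun.inf; otherwise a dict with the
    launch targets and whether each referenced file exists in that root.
    """
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return None
    with open(inf_path, "r", errors="replace") as fh:
        targets = launch_targets(fh.read())
    present = {t: os.path.exists(os.path.join(root, t)) for t in targets}
    return {"autorun_inf": inf_path, "targets": targets, "present": present}


if __name__ == "__main__":
    print("constructed sample would launch:", launch_targets(SAMPLE_AUTORUN_INF))
    # On Windows this walks every possible drive letter; elsewhere none exist.
    for letter in "CDEFGHIJKLMNOPQRSTUVWXYZ":
        report = inspect_drive_root(letter + ":\\")
        if report:
            print(report)
```

Run it on the affected machine and compare the reported targets with what McAfee flags when a drive is opened; a launcher that is present in every drive root, including the fixed ones, is the propagation pattern the post describes. The "autorun has not been disabled" condition it mentions is controlled by the NoDriveTypeAutoRun value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer; a value of 0xFF disables AutoRun for every drive type.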

#12 ibnhana (Topic Starter, Members, 9 posts)

Posted 13 February 2008 - 04:55 PM

Thank you for your advice global moderator.

Best Regards

ibnhana

#13 ibnhana (Topic Starter, Members, 9 posts)

Posted 13 February 2008 - 05:00 PM

Dear Orange blossom

I ran the system again in Safe Mode and got the following log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/13/2008 at 09:20 PM

Application Version : 3.9.1008

Core Rules Database Version : 3400
Trace Rules Database Version: 1392

Scan type : Complete Scan
Total Scan Time : 02:10:31

Memory items scanned : 165
Memory threats detected : 0
Registry items scanned : 6642
Registry threats detected : 0
File items scanned : 47321
File threats detected : 11

Adware.Tracking Cookie
C:\Documents and Settings\user\Cookies\user@ads.bridgetrack[2].txt
C:\Documents and Settings\user\Cookies\user@2o7[1].txt
C:\Documents and Settings\user\Cookies\user@smartadserver[1].txt
C:\Documents and Settings\user\Cookies\user@atdmt[1].txt
C:\Documents and Settings\user\Cookies\user@tacoda[2].txt
C:\Documents and Settings\user\Cookies\user@ads.pointroll[2].txt
C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt
C:\Documents and Settings\user\Cookies\user@mediaplex[1].txt
C:\Documents and Settings\user\Cookies\user@msnportal.112.2o7[1].txt
C:\Documents and Settings\user\Cookies\user@specificclick[1].txt
C:\Documents and Settings\user\Cookies\user@advertising[1].txt

The comments from quietman7 are very scary and I guess you agree with him that I should reformat. Please respond.

Best Regards

ibnhana

#14 Orange Blossom (OBleepin Investigator, Moderator, 36,911 posts, Bloomington, IN)

Posted 13 February 2008 - 05:04 PM

Hello ibnhana,

Please follow quietman7's directions and address his questions. He has much more experience and knowledge than I regarding computer infections. :thumbsup:

Orange Blossom :flowers:

#15 quietman7 (Bleepin' Janitor, Global Moderator, 51,287 posts, Virginia, USA)

Posted 13 February 2008 - 06:29 PM

Your decision as to what action to take should be made by asking yourself the questions presented in the "When should I re-format?" link and whether it is worth the effort as described in the "Reformatting the computer or troubleshooting; which is best?" link. Reformatting and doing a clean install of the OS is the safest action but I cannot make that decision for you. Let me know how you wish to proceed.



