Author Topic: Problems with TROJANS that are hard to get rid of...  (Read 21841 times)


KLM

  • Guest
Re: Problems with TROJANS that are hard to get rid of...
« Reply #30 on: June 30, 2007, 06:16:28 PM »
Very well:

C:\WINDOWS\system32\wncrcfvn.exe; is infected:

AntiVir TR/Click.Agent.NP
BitDefender Trojan.Clicker.Agent.NP
DrWeb Trojan.Click.2799
Ikarus Trojan.Click.2799
Kaspersky Trojan-Downloader.Win32.Tiny.id
Panda Trj/Downloader.PCQ
Symantec Trojan Horse
VBA32 Trojan.Click.2799
Webwasher-Gateway Trojan.Click.Agent.NP


C:\WINDOWS\unvise32.exe; no virus at all

C:\WINDOWS\system32\mucltui.dll; no virus either

C:\WINDOWS\system32\winsock.dll; same, no virus.

ok, ready

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4871
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Problems with TROJANS that are hard to get rid of...
« Reply #31 on: June 30, 2007, 06:23:55 PM »
Quote
A randomly named file which brings up nothing on Google is most often a malware file.

Quote
C:\WINDOWS\system32\wncrcfvn.exe; is infected:

Case in point.

KLM, did you try DrWeb CureIt! as requested? This should've nabbed this one.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

KLM

  • Guest
Re: Problems with TROJANS that are hard to get rid of...
« Reply #32 on: June 30, 2007, 06:28:49 PM »
uuuhhh, nope. I just tried the AVG Anti-Spyware... I'm going to install DrWeb CureIt!...

Offline FreewheelinFrank

Re: Problems with TROJANS that are hard to get rid of...
« Reply #33 on: June 30, 2007, 06:38:53 PM »
You don't need to install it, just run it: that's why it's so useful.

That and a good detection rate too.

KLM

  • Guest
Re: Problems with TROJANS that are hard to get rid of...
« Reply #34 on: June 30, 2007, 06:39:55 PM »
Ahh, all right. I'm on it
« Last Edit: June 30, 2007, 06:50:13 PM by KLM »

KLM

  • Guest
Re: Problems with TROJANS that are hard to get rid of...
« Reply #35 on: June 30, 2007, 06:55:59 PM »
ok, Ready!!!, it looks like the problem is solved. Thank you FreewheelinFrank.

But what about my doubts:

Why can't avast solve these problems with the trojans?
Why can't it detect them as other antiviruses do?
In my opinion it is a good antivirus (I have no basis to state that, it's just a feeling), but I don't understand why, if the team that developed it should be updating it for new kinds of trojans, worms, etc... I even sent them one of these infected executables (bxyxyyyy, or something like that) so that they could analyze it and develop a defence...
Maybe I am being impatient, but I would like you to explain this dynamic to me a little.

Offline FreewheelinFrank

Re: Problems with TROJANS that are hard to get rid of...
« Reply #36 on: June 30, 2007, 07:20:37 PM »
Quote
Many tools and programs have been written to remove Vundo, although the trojan's authors often release new versions. Vundo creates a DLL file in the Windows system directory and writes registry entries causing Windows to inject the file into winlogon.exe.

http://en.wikipedia.org/wiki/Vundo_trojan

It's a combination of new malware files emerging very frequently (think hourly in some cases), and the fact that malware uses techniques to hide itself, inject itself into system processes, protect itself or start itself from obscure locations in the registry.

AV companies have to add detections for viruses, worms and a huge range of Trojans. Tools like ComboFix and VundoFix are specially designed to counter the tricks used by a specific type of malware, and may have more success in removing the infection.

Other AVs have the same problem: Symantec has a special tool to remove Vundo, and McAfee requires some 'manual removal methods':

Quote
Certain variants of the Vundo trojan are especially difficult to remove.  Current DAT and Engine functionality does not yet provide an automatic method to fully remove this threat if it is active in memory.  However, a combination of manual and DAT/Engine removal methods does allow for successful removal of this threat.

http://vil.nai.com/vil/content/v_127690.htm

Spyware generally is best dealt with using specialist spyware removal programs, which have more of an emphasis on registry scanning than AV programs, which concentrate on file scanning.

In a spyware infection, I use AVG Anti-Spyware, Ad-Aware and Spybot Search & Destroy in addition to an AV program, and they all find different things, and very often there's something to remove manually at the end.

Unfortunately nothing detects 100% of malware.
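As an added example (not code from the thread or from any of the tools mentioned), here is a PowerShell triage script for the two points above: it walks the Winlogon Notify packages that Vundo-style malware registers to get its DLL loaded into winlogon.exe, plus the HKLM/HKCU Run keys, and reports entries whose file is missing, unsigned, or named like the random "wncrcfvn.exe" from Reply #30. The key list, the vowel/consonant-run thresholds and the function names are my assumptions, and a name heuristic is only a hint, which is why the signature check sits beside it.

```powershell
# Added example (not from the thread): triage of the autostart locations the
# reply describes. Key list, thresholds and the name heuristic are assumptions.
$ErrorActionPreference = 'SilentlyContinue'
function Test-RandomName {
    param([string]$Name)
    # Legit component names usually contain vowels and no long consonant runs;
    # "wncrcfvn" has 0 vowels in 8 letters and is flagged. A heuristic, not proof.
    $letters = [IO.Path]::GetFileNameWithoutExtension($Name).ToLower() -replace '[^a-z]', ''
    if ($letters.Length -lt 5) { return $false }
    $ratio   = ($letters -replace '[^aeiouy]', '').Length / $letters.Length
    $runs    = [regex]::Matches($letters, '[^aeiouy]+') | ForEach-Object { $_.Length }
    $longest = ($runs | Measure-Object -Maximum).Maximum
    return ($ratio -lt 0.1) -or ($longest -ge 5)
}
function Get-AutostartEntries {
    $sys32 = Join-Path $env:SystemRoot 'System32'
    # Winlogon Notify packages (XP era): each subkey's DllName is loaded into winlogon.exe.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    foreach ($sub in Get-ChildItem $notify) {
        $dll = (Get-ItemProperty $sub.PSPath).DllName
        if (-not $dll) { continue }
        $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $sys32 $dll }
        [pscustomobject]@{ Source = "Winlogon\Notify\$($sub.PSChildName)"; Path = $path }
    }
    # Classic Run keys in both hives; skip the provider metadata Get-ItemProperty adds.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($hive in 'HKLM', 'HKCU') {
        $props = Get-ItemProperty "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name -or -not $p.Value) { continue }
            # Executable part of the command line: first quoted or space-delimited token.
            $exe = if ($p.Value -match '^"([^"]+)"') { $Matches[1] } else { ($p.Value -split ' ')[0] }
            [pscustomobject]@{ Source = "$hive Run\$($p.Name)"; Path = [Environment]::ExpandEnvironmentVariables($exe) }
        }
    }
}
function Find-SuspiciousAutostart {
    Get-AutostartEntries | ForEach-Object {
        $sig = Get-AuthenticodeSignature $_.Path
        [pscustomobject]@{
            Source     = $_.Source
            Path       = $_.Path
            Exists     = [bool](Test-Path $_.Path)
            Signed     = ($sig.Status -eq 'Valid')
            RandomName = Test-RandomName ([IO.Path]::GetFileName($_.Path))
        }
    } | Where-Object { -not $_.Exists -or -not $_.Signed -or $_.RandomName }
}
Find-SuspiciousAutostart | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the machine being checked; on systems newer than XP the Notify key is usually absent and only the Run-key entries are listed.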

KLM

  • Guest
Re: Problems with TROJANS that are hard to get rid of...
« Reply #37 on: June 30, 2007, 09:20:39 PM »
OK, thank you very much to everyone, especially to mauserme, FreewheelinFrank and DavidR. The problem seems to be solved but, considering that this kind of virus, malware, etc. is being produced or elaborated very often, well, maybe we will meet again.

That's good considering the lot of things I just learned with you, thanks again.

Offline FreewheelinFrank

Re: Problems with TROJANS that are hard to get rid of...
« Reply #38 on: June 30, 2007, 09:28:16 PM »
Don't forget the Secunia scan - avoid infection in the first place!!

http://secunia.com/software_inspector/

Remove all older versions of Sun Java especially.

mauserme

  • Guest
Re: Problems with TROJANS that are hard to get rid of...
« Reply #39 on: June 30, 2007, 10:53:30 PM »
Just to be safe please download OTMoveIt by OldTimer. Save it to your desktop and double-click OTMoveIt.exe to run it. Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\wncrcfvn.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Also, install the latest version of Java

http://www.java.com/en/download/index.jsp

and then open Add/Remove Programs in the Control Panel.  Uninstall any versions of Java you find that have older version numbers than the one you just installed.


Have the trojan warnings stopped now?

I am still just a bit suspicious of C:\WINDOWS\system32\mucltui.dll and will research it some more.  I'll post again if/when I find anything.
« Last Edit: June 30, 2007, 10:58:36 PM by mauserme »

KLM

  • Guest
Re: Problems with TROJANS that are hard to get rid of...
« Reply #40 on: July 01, 2007, 08:17:13 AM »
Yes, I installed OTMoveIt, but it couldn't find

C:\WINDOWS\system32\wncrcfvn.exe

I think it was erased... by an antispyware or by ComboFix.

Yes, the trojan warnings have stopped... I think for now. Let's see later.

Thanks a lot Mauserme

mauserme

  • Guest
Re: Problems with TROJANS that are hard to get rid of...
« Reply #41 on: July 01, 2007, 04:09:39 PM »
That's fine.  I just wanted to make sure something removed it since I didn't see it listed as a deletion in any of the logs. Probably one of the antispyware programs, as you said.

One last step if you don't mind.  Since you had infected System Restore Points we should create a new, clean point and delete the old ones.

1. Click Start > All Programs > Accessories > System Tools > System Restore
2. In the dialog box that appears, click the radio button to Create a Restore Point
3. Click NEXT
4. Enter a name you will remember if you need to find this again (like Clean Point)
5. Click CREATE

You now have a clean restore point, to get rid of the old ones:

1. Click Start > All Programs > Accessories > System Tools > Disk Clean Up
2. Click OK on the C: drive
3. Click the More Options tab
4. In the System Restore section click the Clean Up button

and you're done.  But remember to get the old versions of Java off your computer too.

KLM

  • Guest
Re: Problems with TROJANS that are hard to get rid of...
« Reply #42 on: July 03, 2007, 01:20:52 AM »
Ready, all is done. Thanks a lot again.