Trojan Generic ¿?

Hello everybody!

I've spent a few days dealing with some different worms and viruses on my laptop because of an old flash memory stick that someone gave me to exchange information. At that time I had only Avast 4.8, thinking I was protected, without a firewall or any other antispyware. The first day Avast detected a nmdfgds0 that I wasn't able to delete until I found your forum. I read a similar case and followed the different steps suggested. Thanks.

I now have Avast 4.8, Superantispyware, Spyware Doctor and Malwarebytes' Anti-Malware. The thing is that when I scan with Avast it doesn't find anything wrong, but Spyware Doctor finds:

Application.NirCmd (25 infections)
Trojan.Generic (1 infection)
HKEY_USERS\S-1-5-21-67338376-4111881831-613361792-1006\Software\Wget

Must I register Spyware Doctor to clean those files or can I do it another way?

When I ran Superantispyware it found only Adware.Tracking cookies, but after deleting the TEMP files from Internet Explorer it found other Adware.Tracking cookies again. Is it because of the other trojan?

Thanks

Hello Javier77,

Name: Application.NirCmd
Threat Level: Info
Description: Application.NirCmd is a collection of third party tools packed in one executable that can be used to remove threats in an infected machine. However it can also be used by users with malicious intent to do a different activity.
Type: TT_Info
For these being remnants of legit removal tools like ComboScript etc., read here:

http://www.techsupportteam.org/forum/malware-removal/2298-nircmds-legacy_catchme-swearware-plus-other-threats.html

Following is the virus description and details of NIRCMD.EXE removal:
For successful removal of NIRCMD.EXE, follow these instructions:

  1. Temporarily disable System Restore.

  2. Update the virus definitions. Reboot the computer in Safe Mode.

  3. Stop the NIRCMD.EXE virus process if you can find it on the task list.

  4. Locate NIRCMD.EXE in Add/Remove Programs and double-click on it to uninstall the virus program.
    Follow the step-by-step on-screen instructions to complete the uninstallation of NIRCMD.EXE.
    Do not worry about this if you cannot find it in the Add/Remove window.

  5. Delete/modify any values added to the registry related to NIRCMD.EXE,
    exit the registry editor and restart the computer.

  6. Clean/delete all infected file(s) (NIRCMD.EXE), or rename the NIRCMD.EXE virus files.

  7. Please delete all your IE temp files manually, or download the tool ATF Cleaner to delete all your IE temp files.

  8. Run a whole scan with your antivirus program.

Following is the information on the virus file NIRCMD.EXE:

NIRCMD.EXE: The filename NIRCMD.EXE was first seen on Mar 14 2008 in the United Arab Emirates.
It has also been seen in the following geographical regions of the Prevx community:

* SPAIN on Apr 12 2008
* INDONESIA on May 30 2008

The filename NIRCMD.EXE refers to many versions of an executable program.
The most common file size is 28,672 bytes, but the following file sizes have also been seen:

* 37,888 bytes
* 33,788 bytes
* 57,856 bytes
* 74,240 bytes

These files have no vendor, product or version information specified in the file header.
NIRCMD.EXE has been seen to perform the following behavior(s):

* The Process is packed and/or encrypted using a software packing process
* This Process Creates Other Processes On Disk
* Executes a Process
* This Process Deletes Other Processes From Disk

NIRCMD.EXE has been the subject of the following behavior(s):

* Created as a process on disk
* Executed as a Process
* Deleted as a process from disk

NIRCMD.EXE can also use the following file names:

* 62870304.DAT
* 88596536.EXE
* 09786665.EXE
* 32238923.EXE
* A0002000.EXE
* THUNDERBIRDPORTABLE CONTROL/NIRCMD.EXE
* 44237495.EXE
* 64487119.EXE
* I.EXE
* 53152372.EXE

Malware Fighter Info,

God be with you,

polonus

Have you used Combofix or Smitfraudfix lately?

Thanks!

Just a couple of questions (basics I suppose):
How do I disable System Restore, and how do I "delete all your IE temp files manually"?

You're right, I ran Combofix to delete the ndmdfgds0. Do I have to uninstall something?

Disable System Restore on Windows ME, XP or Vista. System Restore is not available in Windows 9x and 2k. After disabling it you can enable it again.

You can use CleanUp or CCleaner for that.

I read this post from the PC Tools forum; maybe you should post there. You may not have a virus.

http://www.pctools.com/forum/showthread.php?t=50389

Spyware Doctor forum: http://www.pctools.com/forum/forumdisplay.php?f=54

I picked up trojan-gen from a Facebook thread. It has screwed up my IE7. I can still go online with Netscape (it was still on my computer from install) and download IE7, but it still won't update. Any help? The only way I know I have the trojan is by a boot scan required by Avast. One sys32 file I could not move to the chest or repair. I had to ignore it to get by.
Now all antivirus software says everything is clean, but I know it's not.
Can I be helped?

Start a new thread, with more info: the virus name, the infected files and their locations. Hijacking this thread just confuses matters.

I've uninstalled Combofix, which seemed to be the reason for the Application.NirCmd (25 infections) detected by Spyware Doctor. I have now done another scan with this program and it detects Application.NirCmd (28 infections). Seems weird.

In any case, how do I remove the other infection with the information it gives me? I suppose it's very simple but I'm a little bit lost: Trojan.Generic (1 infection)
HKEY_USERS\S-1-5-21-67338376-4111881831-613361792-1006\Software\Wget

Hi Javier77,

Wget is considered riskware by some anti-malware programs, based on an exploit for a bug in the software.
The software in itself isn't malware; deleting it, IMO, can be considered optional.

polonus
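Putting the two detections together, here is an added PowerShell triage example (PowerShell 4 or later; not code from the thread, from Spyware Doctor or from any other tool named here). It lists the NIRCMD.EXE copies left under the ComboFix folder with their size, SHA-256 and whether the file carries any vendor/product/version information (the Prevx write-up above says these copies carry none), and it backs up the flagged Wget key to a .reg file before anyone decides whether to delete it. The folder C:\Combofix and the SID come from the thread; the backup file location is an assumption.

```powershell
# Added triage example, not from the thread or from any tool it names.
# It only reports the flagged items and backs up the key; it deletes nothing.

$ComboFixDir = 'C:\Combofix'   # folder the thread says the detections are in
$WgetKey     = 'HKEY_USERS\S-1-5-21-67338376-4111881831-613361792-1006\Software\Wget'
# File sizes the Prevx write-up above lists for NIRCMD.EXE variants, in bytes
$KnownSizes  = 28672, 37888, 33788, 57856, 74240

function Get-NirCmdReport {
    param([string]$Root = $ComboFixDir)
    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "$Root not found (ComboFix may already be uninstalled)."
        return
    }
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter 'nircmd*.exe' |
        ForEach-Object {
            $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
            [pscustomobject]@{
                Path           = $_.FullName
                SizeBytes      = $_.Length
                KnownSize      = $KnownSizes -contains $_.Length
                # Prevx noted no vendor/product/version info; verify that here
                HasVersionInfo = [bool]($vi.CompanyName -or $vi.ProductName -or $vi.FileVersion)
                SHA256         = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Backup-WgetKey {
    param([string]$Key = $WgetKey,
          [string]$BackupFile = (Join-Path $env:TEMP 'Wget-key-backup.reg'))  # assumed location
    if (-not (Test-Path -LiteralPath "Registry::$Key")) {
        return "Key not present: $Key"
    }
    # Export first so the key can be restored if removing it later turns out to matter
    reg.exe export $Key $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed for $Key" }
    $values = (Get-Item -LiteralPath "Registry::$Key").Property
    "Backed up $Key ($($values.Count) value(s): $($values -join ', ')) to $BackupFile"
}

Get-NirCmdReport | Format-Table -AutoSize
Backup-WgetKey
```

Run it from the user account whose SID appears in the key, since HKEY_USERS only contains hives of logged-on users.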

Are you saying since removing Combofix the infections have gone up? Did you remove Combofix properly? (I know very little about Combofix.) http://www.myantispyware.com/2008/03/26/how-to-uninstall-combofix/
Have you run Malwarebytes Anti-Malware? What are the results?

Can you copy/paste any logs from Spyware Doctor (AFTER removing Combofix)?

I have done what was said in the attachment, but it continues detecting the same amount of Application.NirCmd. The folder in which it detects this stuff is C:/Combofix, so I suppose you're right. Aren't you?

Malwarebytes' Anti-Malware still doesn't find anything.

Polonus, how do I delete wget?

Attachments from Spyware Doctor

The pictures are very small; all the entries are registry entries. I personally do not like deleting registry entries. Seeing as they all look like false positives, I would be inclined to stop using Spyware Doctor, especially if you have to pay to remove things. I think Malwarebytes and Superantispyware are sufficient.

Feel exactly the same.