malware infection ngts-vao - need help with removal

Dopamean
Hi there,

I am wondering if someone can assist me with removal of this malware.
Funnily enough I warned our senior team about the risk of Facebook access inside our business environment and, lo and behold, one of our most senior members has been fooled into having this malware put onto his PC via some Facebook link.

The error on startup of his Windows XP machine is: ngts-vao.dll failed to load.
This makes me think that Symantec Endpoint may have caught some but not all of the malware variant.
Looking around the web there is not much info on removing this, or at least I have not been able to find it.

Can anyone assist?
Sudeep Sharma, Technical Designer

Commented:
Hello

If you have access to the internet from the infected PC, then go to the following URLs and upload the infected file ngts-vao.dll; hopefully they will provide you with the name of the virus, and then it will be easier to remove the infection. Try these:
http://www.virustotal.com/
and http://www.threatexpert.com/submit.aspx

hope that helps

Sudeep
Most Valuable Expert 2013
Commented:
Looks like the corporate End Point install has taken care of it and you're just left with the registry entry calling it on launch.
A quick search of the registry on the machine should allow you to delete the references to the .dll and your culprit can save face :)
>been fooled into having this malware put onto his PC via some facebook link

Judging it by "risk of infection" would definitely disqualify Google and Bing. I had to clean up infections from users searching for cheap airline tickets. Click-click-boom.

Facebook and MySpace and other sites (hmm... like Experts-Exchange) might be big time wasters. But nothing stops an EE user from posting an HTML link to a bad site.

If this is Win32/Oficla (Trojan.Sasfis), then you can look at Symantec's removal page for info on the Windows Registry edits:

http://www.symantec.com/security_response/writeup.jsp?docid=2010-020210-5440-99&tabid=3

Go all the way to the bottom for the manual removal info.

Run a temporary file remover... CCleaner is a good one and it's free.
http://www.ccleaner.com/

Download Combofix by sUBs.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Before running Combofix, temporarily disable any firewall(s), shield(s), etc. to prevent any conflicts with Combofix. After Combofix is done scanning, it will create a log; for further instructions, save and paste the results by Attach File or by Code Snippet so other experts can take a look at it. Once the log looks clean, you may re-enable your firewall(s), shield(s), etc. Combofix will disconnect your machine from the Internet. Your Internet connection will be automatically restored just before Combofix completes its scan. If Combofix runs into problems, your Internet connection can be manually restored by restarting your machine.

You might need to rename the file before saving it to your desktop so it will not be blocked.

Please note: Don't run Combofix in Safe Mode.

Author

Commented:
@ aleghart:

The registry edits seem to point to restoring keys, not removing values related to the error itself.
But this worked for you, and were you receiving the same error on startup? Cheers.
Sounded like a good fit. From that page:

> Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed.

Did you search the registry for that DLL reference?

Author

Commented:
hehe, not yet. This is far from the most important thing I am working on at the moment, but in my attempt to find a solution yesterday I did not find one.
REGEDIT. Ctrl-F. "ngts-vao.dll". Enter.
Just let it run for a few (dozen) minutes. It'll get there eventually.
Top Expert 2007

Commented:
This kind of error at startup means that the file has been removed and it's just the registry loading point that is still trying to load the file; since the file is no longer there, you get the error loading it.

You could check the relevant entry in msconfig startup and uncheck it there, or run scanners... or ComboFix as already suggested and attach the log. Any bad files showing in the log or reg entries that aren't removed we can remove using its script function.
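One way to find the leftover loading point described above, as an added example that is not code from the thread or from any tool mentioned in it: a PowerShell script that walks the common Run/RunOnce keys and the AppInit_DLLs location, extracts each .exe/.dll path they reference, and reports values whose file is missing from disk (the key list and the lookup rules are assumptions). It only reports; removal is still a manual decision after reviewing each hit.

```powershell
# Added example, not code from this thread: report autostart registry values whose
# referenced program or DLL no longer exists on disk. An AV product that deletes the
# file but leaves the value behind produces exactly a "<name>.dll failed to load"
# message at logon. Read-only: it reports, it does not delete. Written to run on
# PowerShell 2.0 (XP SP3) as well as newer versions.

# Assumed list of common loading points; extend it (Winlogon, services, ...) as needed.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'   # holds AppInit_DLLs
)

# Extract every quoted or bare token ending in .exe or .dll from a command line.
function Get-ReferencedFiles {
    param([string]$CommandLine)
    $pattern = '"([^"]+\.(?:exe|dll))"|([^\s",]+\.(?:exe|dll))'
    foreach ($m in [regex]::Matches($CommandLine, $pattern, 'IgnoreCase')) {
        if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    }
}

# A path counts as present if it exists as written (after %VAR% expansion) or,
# for a bare name such as a rundll32 target, under System32 where the loader looks.
function Test-ReferencedFile {
    param([string]$File)
    $expanded = [Environment]::ExpandEnvironmentVariables($File)
    if (Test-Path -LiteralPath $expanded) { return $true }
    if ($expanded -notmatch '[\\/]') {
        return (Test-Path -LiteralPath (Join-Path $env:SystemRoot "System32\$expanded"))
    }
    return $false
}

function Find-OrphanedAutostarts {
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
            foreach ($file in @(Get-ReferencedFiles -CommandLine ([string]$prop.Value))) {
                if (-not (Test-ReferencedFile -File $file)) {
                    New-Object PSObject -Property @{ Key = $key; ValueName = $prop.Name; MissingFile = $file }
                }
            }
        }
    }
}

Find-OrphanedAutostarts | Format-Table Key, ValueName, MissingFile -AutoSize
```

Run it from an administrative PowerShell prompt on the affected machine; a hit naming ngts-vao.dll is the value the other posters suggest removing via regedit, msconfig or ComboFix.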
Top Expert 2007
Commented:
Or if you already have HijackThis, you could also fix the relevant loading entry there... or just use ComboFix to make sure the infection is completely removed.

Author

Commented:
lmlml
