Horrible Win32: Downloader NUA Trojan. Please Help!

Hi Guys,

On Thursday my laptop became infected with a horrible trojan virus and I simply cannot get rid of it.

It's called: Win32: Downloader NUA Trj

What it does:
WILL NOT let me into safe mode at all
Will NOT let me open certain programs like IE
Every 15 seconds or so, or if I try to open a program, I get Avast popping up saying “Trojan Horse Blocked”. It's not always in the same place though; it moves from program to program (I've tried to find it but can never locate it)
Opening some programs like VLC results in this error message: “error 0xc0000005”

What I did about it:
Plenty of boot scans; sometimes Avast finds it, sometimes not
Ran Malwarebytes, SuperAntiSpyware and Spybot Search and Destroy several times (they, like Avast, were all updated before they ran); again, sometimes they found the virus, sometimes not.
I have also run the AVG recovery disc but that didn't seem to do anything.
Uninstalled and reinstalled Avast simply to check I didn't have a fake version running. That too had no effect.

I do have another PC to work from, so if you want to suggest something I should download I can. I'm figuring getting into safe mode might be the key, but when I try the computer comes up with a blue error message and then powers off again. What's equally weird is I have disconnected from the internet and Avast still pops up telling me it's blocked the Trojan Horse.

I hope you guys can help and any help is much appreciated.

Thanks

Jamie

Welcome to the forum.

This needs further investigation by an expert. Please follow this guide and post the results here so one of our experts can have a look at it.

http://forum.avast.com/index.php?topic=53253.0

Hey, attached are the logs you asked for. Hope I have done it right.

Thanks very much for your help,

Attached is the OTL log and here's the MBR log

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2012-04-08 12:27:10

12:27:10.843 OS Version: Windows 5.1.2600 Service Pack 3
12:27:10.843 Number of processors: 1 586 0xD08
12:27:10.843 ComputerName: USER-2B3AC7FA18 UserName: User
12:27:12.812 Initialize success
12:27:13.921 AVAST engine defs: 12040800
12:27:20.953 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-4
12:27:20.953 Disk 0 Vendor: Hitachi_HTS541080G9AT00 MB4OA61A Size: 76319MB BusType: 3
12:27:22.968 Disk 0 MBR read successfully
12:27:22.968 Disk 0 MBR scan
12:27:23.015 Disk 0 Windows XP default MBR code
12:27:23.015 Disk 0 scanning sectors +156280320
12:27:23.046 Disk 0 malicious Win32:MBRoot code @ sector 156280323 !
12:27:23.046 Disk 0 PE file @ sector 156280345 !
12:27:23.093 Disk 0 scanning C:\WINDOWS\system32\drivers
12:27:34.187 Service scanning
12:27:35.468 Modules scanning
12:27:40.093 Disk 0 trace - called modules:
12:27:40.093 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
12:27:40.453 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86f14ab8]
12:27:40.453 3 CLASSPNP.SYS[f7687fd7] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-4[0x86fa7940]
12:27:41.390 AVAST engine scan C:\WINDOWS
12:27:46.015 AVAST engine scan C:\WINDOWS\system32
12:29:35.531 AVAST engine scan C:\WINDOWS\system32\drivers
12:29:45.750 AVAST engine scan C:\Documents and Settings\User
12:29:49.140 File: C:\Documents and Settings\User\Air8gE9 INFECTED Win32:Downloader-NUA [Trj]
12:35:29.031 File: C:\Documents and Settings\User\uxIzuN3 INFECTED Win32:Downloader-NUA [Trj]
12:35:29.156 File: C:\Documents and Settings\User\XLUTFs3 INFECTED Win32:Downloader-NUA [Trj]
12:35:35.703 AVAST engine scan C:\Documents and Settings\All Users
12:37:00.515 Scan finished successfully
12:46:39.875 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\User\Desktop\MBR.dat”
12:46:39.875 The log file has been saved successfully to “C:\Documents and Settings\User\Desktop\aswMBR.txt”
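As an added illustration (not part of the original thread, and not code from aswMBR or Avast), here is a small Python triage script that separates the boot-sector findings in a log like the one above from the file-level detections. The sample lines are constructed to mirror the posted log; the point is that a "malicious ... code @ sector" or "PE file @ sector" line means the boot record itself has to be repaired and re-scanned, and quarantining the dropped files alone will not be enough.

```python
import re

# Constructed sample in the shape of the aswMBR log posted above (not the original attachment).
SAMPLE_LOG = """\
12:27:22.968 Disk 0 MBR read successfully
12:27:23.015 Disk 0 Windows XP default MBR code
12:27:23.046 Disk 0 malicious Win32:MBRoot code @ sector 156280323 !
12:27:23.046 Disk 0 PE file @ sector 156280345 !
12:29:49.140 File: C:\\Documents and Settings\\User\\Air8gE9 INFECTED Win32:Downloader-NUA [Trj]
12:35:29.031 File: C:\\Documents and Settings\\User\\uxIzuN3 INFECTED Win32:Downloader-NUA [Trj]
12:37:00.515 Scan finished successfully
"""

# Every aswMBR line starts with a timestamp; these patterns match the three finding kinds.
MBR_RE = re.compile(r"^\S+ Disk (\d+) malicious (\S+) code @ sector (\d+)")
PE_RE = re.compile(r"^\S+ Disk (\d+) PE file @ sector (\d+)")
FILE_RE = re.compile(r"^\S+ File: (.+?) INFECTED (\S+) \[(\w+)\]")


def triage(log_text: str) -> dict:
    """Split an aswMBR log into boot-sector findings and file-level detections."""
    result = {
        "mbr_code": [],        # (disk, detection name, sector)
        "hidden_pe": [],       # (disk, sector): a PE image parked outside the file system
        "infected_files": [],  # (path, detection name, category)
        "bootkit_suspected": False,
    }
    for line in log_text.splitlines():
        m = MBR_RE.match(line)
        if m:
            result["mbr_code"].append((int(m.group(1)), m.group(2), int(m.group(3))))
            continue
        m = PE_RE.match(line)
        if m:
            result["hidden_pe"].append((int(m.group(1)), int(m.group(2))))
            continue
        m = FILE_RE.match(line)
        if m:
            result["infected_files"].append((m.group(1), m.group(2), m.group(3)))
    # Malicious MBR code or a raw-sector PE means file cleaning alone will not stick:
    # the boot record has to be rewritten and the disk re-scanned afterwards.
    result["bootkit_suspected"] = bool(result["mbr_code"] or result["hidden_pe"])
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```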

This sucker looks like it's a brand new variant.

See this for info: http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1018857#none

McAfee indicates a bootrec /fixmbr is required. See removal instructions.

Since Avast is finding it, is it being quarantined?

hey,

I will follow McAfee's instructions. Avast is “blocking” it; not sure if that means it's being quarantined. I assume it is, because it's not causing me more issues.

Thanks for your help, I will reply again as soon as the MBR clean has finished.

Jamie

Ok, ran the MBR fix. It built a new partition (whatever that means) but the virus still pops up and I still get the error when launching programs. Any ideas?

Thanks again

Hey jibbyreznor

Can you post all logs please? Our malware expert is currently offline. He should be here hopefully soon. :wink:

Anthony

Happy Easter

http://4.bp.blogspot.com/_J5KONx1-3Ks/S97gIxk4E3I/AAAAAAAAAKk/ab7_get2H-s/s320/images-4.jpeg

They frown on anyone giving malware removal advice in this forum other than one of the Avast malware specialists: Essexboy, Jeff, or Oldman. So you're going to have to wait till one of them responds.

Which logs? I've already posted the OTL and MBR ones.

Can you attach the malwarebytes log please 8)

Anthony

Hi,

Please download TDSSKiller

- Double-click to run TDSSKiller.exe
- Press Change Parameters
- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
- Click on the Start Scan button
- Only if malicious objects are found, ensure Cure is selected
- Then click Continue > Reboot now
- Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
- Copy and paste the log in your next reply
- A report will be created in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please attach its contents in your next reply.


Hi DonZ63,

Do not give a misrepresentation of the facts here. To set things straight: in malware removal routines only qualified removal experts who have been trained officially and sufficiently, like indeed essexboy, oldman, jeffce and some others here, are allowed to guide in and through malware cleansing routines that should be guided in this way.
These officially qualified removal experts have no connection to avast; they are volunteers and users of the avast programs like the others here, but they have been trained through various special online anti-malware universities or boot camps and are members of Unite, for instance, the membership of which organization is a webwide guarantee that the person is a qualified removal expert and knows what he/she is doing.
This is to prevent untrained users doing more damage than good. The other side of the coin is naturally that the malware removal experts here will build up a gigantic expertise with all the different sorts of malware that have to be cleansed, just like others here build up expertise in cold reconnaissance analysis of malware through URL-scanning methods (Asyn, Pondus, spg Scott, !Donovan, etc.).

polonus

Ok, attached is the TDSSKiller log. Just to add, after I ran this my CD drive has now disappeared! Said something about lower registries moved. Any ideas how I can get it back?

Thanks again

Jamie

Here's my latest Malwarebytes log. Hope you guys now have all the info you need.

Jamie

Hi

I have the exact same trojan and have no idea how to get rid of it :frowning: It seems to be moving around my computer; Avast is picking it up but can't pin it down

Apart from formatting I have no clue how to get rid of this thing, it has already destroyed some files and programs

Please help!

Also I ran TDSSKiller and found 5 threats… none curable

:frowning:

Hi DonZ63,

Do not give a misrepresentation of the facts here


Lighten up, dude. I meant Avast forum malware specialist. My mistake. Go have a cool one and chill out.

@pennylane909.

You need to start your own topic…

Follow the guide here and attach the logs
http://forum.avast.com/index.php?topic=53253.0

Hi pennylane909, could you run aswMBR and OTL as per this thread and start your own topic… As soon as you have posted I will have a look-see
http://forum.avast.com/index.php?topic=53253.0

Back to Jeff ;D

Hi jibbyreznor,

Rerun TDSSKiller and when you get to the new log please attach that. :slight_smile: