system
April 8, 2012, 6:33pm
1
Hi,
RE: Win32: Downloader NUA Trojan
New to this and although I am pretty good with a PC I have little experience getting rid of pesky trojans like this one, so much help needed!
The virus is found by Avast but keeps moving. So far it has gotten into several files and folders and is destroying some programmes. It got into my Symantec anti-virus and I had trouble uninstalling it (soon fixed it with Microsoft Fix It).
Ran TDSSKiller, found 5 threats, all incurable.
I've tried everything I know of to get rid of it and nothing so far… any advice would be helpful as I feel the last resort is to format and start again and I would rather avoid that! Cheers
system
April 8, 2012, 6:42pm
2
Also I am doing the anti malware and OTS thing now…
Could you also attach the TDSSKiller log please
The 5 found by TDSSKiller are of no import at the moment ;D
system
April 8, 2012, 7:07pm
6
This is the malware report
Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org
Database version: v2012.04.08.05
Windows XP Service Pack 3 x86 NTFS
Protection: Enabled
08/04/2012 19:41:47
mbam-log-2012-04-08 (19-41-47).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196741
Time elapsed: 15 minute(s), 46 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) → Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) → Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 3
C:\WINDOWS\Temp\DWH7D93.tmp (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\DWHF9E7.tmp (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\Gemma Wright\AS3fXO3 (Virus.Ramnit) → Delete on reboot.
(end)
Virus.Ramnit, this is not too good - are you getting alerts about this malware?
system
April 8, 2012, 7:12pm
8
Had one that was moved to chest
I’m doing the OTL now
system
April 8, 2012, 7:26pm
9
Although I've read that Ramnit is incurable? Is it best to reformat?
If you are not receiving continual alerts then it may well have been stopped from executing
system
April 8, 2012, 7:31pm
11
I got one alert the other day but that was it
Here is the OTL log
Looks like it was stopped from running… Once this run is complete can you let me know what problems remain
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL
http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg
Run OTL
Under the Custom Scans/Fixes box at the bottom, paste in the following:
:OTL
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2A69}: "URL" = http://search.bearshare.com/web?src=ieb&systemid=2&q={searchTerms}
IE - HKU\S-1-5-21-527237240-1202660629-839522115-1003\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2A69}: "URL" = http://search.bearshare.com/web?src=ieb&systemid=2&q={searchTerms}
FF - prefs.js..browser.search.order.1: "BearShare Web Search"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
[2010/09/14 13:41:12 | 000,002,506 | ---- | M] () -- C:\Documents and Settings\Gemma Wright\Application Data\Mozilla\Firefox\Profiles\heuo2gqq.default\searchplugins\BearShareWebSearch.xml
[2010/05/16 15:38:33 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/29 17:34:42 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2011/02/22 21:51:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/02/26 15:25:26 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\GEMMA WRIGHT\LOCAL SETTINGS\APPLICATION DATA\{621A474C-43BC-4666-89A4-4B7FB58DD35C}
[2010/09/14 13:41:12 | 000,002,506 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\BearShareWebSearch.xml
O3 - HKLM\..\Toolbar: (MediaBar) - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\PROGRA~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll File not found
O3 - HKU\S-1-5-21-527237240-1202660629-839522115-1003\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-527237240-1202660629-839522115-1003\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-527237240-1202660629-839522115-1003\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-527237240-1202660629-839522115-1003\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - No CLSID value found.
O4 - HKU\S-1-5-21-527237240-1202660629-839522115-1003..\Run: [GihNnsib] C:\Documents and Settings\Gemma Wright\Local Settings\Application Data\xcpbdpcn\gihnnsib.exe File not found
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\Gemma Wright\Local Settings\Application Data\xcpbdpcn\gihnnsib.exe) - File not found
[2012/04/01 18:52:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gemma Wright\Local Settings\Application Data\xcpbdpcn
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
Then click the Run Fix button at the top.
Let the program run unhindered, reboot the PC when it is done.
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
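The OTL script above removes two persistence entries by hand: the O4 Run value and the O20 Winlogon UserInit entry, both pointing at the same dropper under Local Settings\Application Data. The PowerShell below is an added example, not part of this thread and not part of OTL, that audits those same locations on a live machine so the check can be repeated after the fix and reboot. It assumes an elevated PowerShell 2.0 or later session on the affected 32-bit XP box, that the stock UserInit value is `%SystemRoot%\system32\userinit.exe,` (trailing comma included), and the list of suspect directories is a heuristic of my own to tune for your estate.

```powershell
# Added example (not from the thread or from OTL): audit Winlogon UserInit/Shell and the
# Run keys for the kind of entry the OTL fix above removes. Read-only; run elevated.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Stock Winlogon values for a 32-bit Windows XP install (assumption: adjust for other versions).
$ExpectedWinlogon = @{
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"
    'Shell'    = 'Explorer.exe'
}

# Directories a legitimate autostart rarely lives in but droppers favour (assumption: tune as needed).
$SuspectDirs = @('\Local Settings\Application Data\', '\Application Data\', '\Temp\', '\Local\', '\Roaming\')

# Registry metadata properties that Get-ItemProperty adds and that are not autostart values.
$PsMetaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Run/RunOnce for the machine plus every loaded user hive (HKU\S-1-5-21-..., as in the OTL log).
function Get-RunKeyPaths {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $hives = Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    foreach ($hive in $hives) {
        foreach ($sub in 'Run', 'RunOnce') {
            $paths += "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\$sub"
        }
    }
    $paths
}

# Pull the executable path out of a command line. Quoted paths are taken verbatim; unquoted paths
# with spaces (like the O4 entry above) are rebuilt token by token until one exists on disk. If no
# prefix exists, the whole expanded command line is returned so the report shows what was configured.
function Get-ImagePath([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    $tokens = $cmd -split ' '
    for ($i = 1; $i -le $tokens.Length; $i++) {
        $candidate = ($tokens[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $cmd
}

function Test-PersistenceEntry([string]$Key, [string]$Name, [string]$CommandLine) {
    $path    = Get-ImagePath $CommandLine
    $exists  = Test-Path -LiteralPath $path -PathType Leaf
    $reasons = @()
    if (-not $exists) { $reasons += 'file not found' }   # OTL's "File not found" state
    foreach ($dir in $SuspectDirs) {
        if ($path -like "*$dir*") { $reasons += "lives under $dir"; break }
    }
    New-Object PSObject -Property @{
        Key = $Key; Value = $Name; Path = $path; Exists = $exists
        Suspicious = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ')
    }
}

# A hijacked UserInit looks like "C:\WINDOWS\system32\userinit.exe,C:\...\xcpbdpcn\gihnnsib.exe":
# the dropper is appended after the stock entry, so each comma-separated item is checked separately.
function Test-WinlogonValues {
    $props = Get-ItemProperty -Path $WinlogonKey
    foreach ($name in $ExpectedWinlogon.Keys) {
        $actual = [string]$props.$name
        if ($actual -ne $ExpectedWinlogon[$name]) {
            foreach ($entry in ($actual -split ',' | Where-Object { $_.Trim() })) {
                Test-PersistenceEntry -Key $WinlogonKey -Name $name -CommandLine $entry
            }
        }
    }
}

function Test-RunKeys {
    foreach ($key in Get-RunKeyPaths) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($PsMetaProps -contains $p.Name) { continue }
            Test-PersistenceEntry -Key $key -Name $p.Name -CommandLine ([string]$p.Value)
        }
    }
}

$findings = @(Test-WinlogonValues) + @(Test-RunKeys)
$findings | Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Key, Value, Path, Reasons -AutoSize
```

Run it before and after the OTL fix and reboot. An entry that still reports `file not found` after the fix is the same dangling reference OTL listed above (the dropper is gone, the autostart is not), and is itself worth removing because the Winlogon one in particular will try to run at every logon.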
system
April 8, 2012, 7:56pm
13
Essex,
If you look at the aswMBR log from the other person who has the same bad guy, the MBR is infected. Bootrec /fixmbr might be in order here.
Different infection, TDSSKiller reported clear
And fix /mbr would probably not work as that just rewrites the mbr and does not remove the file system
system
April 8, 2012, 8:03pm
15
There we go
I have to turn pc off till tomorrow now but thank you for your help so far and i will reply tomorrow
OK when you switch on next let me know how it is behaving ;D
system
April 8, 2012, 8:23pm
17
Not so sure about it being different malware. I suspect MBAM is classifying the same as Microsoft - Ramnit. Also appears Kaspersky doesn't recognize it at all.
Other Common Detection Aliases

| Company | Detection name |
| --- | --- |
| avast | Win32:Downloader-NUA [Trj] |
| AVG (GriSoft) | Dropper.Generic5.BYEP (Trojan horse) |
| avira | TR/Offend.kdv.588346 |
| BitDefender | Trojan.Generic.KDV.588346 |
| Dr.Web | Trojan.Rmnet.8 |
| eSafe (Alladin) | Suspicious file |
| Microsoft | Trojan:Win32/Ramnit.A |
| Symantec | Trojan.Gen |
| Eset | Win32/Kryptik.ADSK trojan (variant) |
| panda | Suspicious |
| V-Buster | Trojan.Kryptik!A3Ty2d2zM64 (trojan) |
Every infection is different to some degree, this one has a healthy MBR
19:53:44.0421 1336 \Device\Harddisk0\DR0\Partition0 - ok
19:53:44.0421 1336 ============================================================
19:53:44.0421 1336 Scan finished
19:53:44.0421 1336 ============================================================
19:53:44.0531 2668 Detected object count: 5
19:53:44.0531 2668 Actual detected object count: 5
19:54:14.0328 2668 Aspi32 ( UnsignedFile.Multi.Generic ) - skipped by user
19:54:14.0328 2668 Aspi32 ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:54:14.0328 2668 Netaapl ( UnsignedFile.Multi.Generic ) - skipped by user
19:54:14.0328 2668 Netaapl ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:54:14.0328 2668 nv ( UnsignedFile.Multi.Generic ) - skipped by user
19:54:14.0328 2668 nv ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:54:14.0328 2668 NVSvc ( UnsignedFile.Multi.Generic ) - skipped by user
19:54:14.0328 2668 NVSvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:54:14.0328 2668 STEC3 ( UnsignedFile.Multi.Generic ) - skipped by user
19:54:14.0328 2668 STEC3 ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:54:16.0515 3232 Deinitialize success
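TDSSKiller's `\Device\Harddisk0\DR0\Partition0 - ok` line above is its verdict on the MBR, and the earlier point in the thread stands: a `fixmbr` rewrites boot code, it does not remove files from the volume. The PowerShell below is an added example, not from the thread and not from TDSSKiller, that reads sector 0 of the first disk read-only and reports the things worth comparing with a clean machine: the 0x55AA signature, the partition table, and a SHA-1 of the 440 bytes of boot code. The known-good hash list is empty by assumption and should be filled from a clean install of the same Windows version; the sample sector is constructed so the parser can be exercised without administrator rights.

```powershell
# Added example (not from the thread or from TDSSKiller): inspect the MBR of the first disk.
# Read-only. Opening \\.\PhysicalDrive0 needs an elevated session.

# Assumption: populate with BootCodeSha1 values recorded on clean machines of the same build.
$KnownGoodBootCode = @()

function Read-Mbr([string]$Device = '\\.\PhysicalDrive0') {
    $fs = New-Object System.IO.FileStream($Device, [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf  = New-Object byte[] 512
        $read = $fs.Read($buf, 0, 512)
        if ($read -ne 512) { throw "Short read from ${Device}: $read bytes" }
        return $buf
    } finally { $fs.Close() }
}

function Get-MbrInfo([byte[]]$Sector) {
    if ($Sector.Length -ne 512) { throw 'Expected a 512-byte sector' }
    # Layout: 0-439 boot code, 440-443 disk signature, 444-445 reserved,
    # 446-509 four 16-byte partition entries, 510-511 the 0x55 0xAA signature.
    $sha1     = [System.Security.Cryptography.SHA1]::Create()
    $codeHash = ([BitConverter]::ToString($sha1.ComputeHash($Sector, 0, 440))) -replace '-', ''

    $parts = @()
    for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i
        if ($Sector[$o + 4] -eq 0) { continue }           # partition type 0x00 = unused slot
        $parts += New-Object PSObject -Property @{
            Index    = $i
            Active   = ($Sector[$o] -eq 0x80)             # boot indicator
            Type     = ('0x{0:X2}' -f $Sector[$o + 4])
            StartLba = [BitConverter]::ToUInt32($Sector, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }

    $problems = @()
    if ($Sector[510] -ne 0x55 -or $Sector[511] -ne 0xAA) { $problems += 'missing 0x55AA boot signature' }
    if (@($parts | Where-Object { $_.Active }).Count -ne 1) { $problems += 'expected exactly one active partition' }
    if ($KnownGoodBootCode.Count -gt 0 -and $KnownGoodBootCode -notcontains $codeHash) {
        $problems += 'boot code hash not in known-good list'
    }
    New-Object PSObject -Property @{
        BootCodeSha1  = $codeHash
        DiskSignature = ('0x{0:X8}' -f [BitConverter]::ToUInt32($Sector, 440))
        Partitions    = $parts
        Problems      = $problems
        Healthy       = ($problems.Count -eq 0)
    }
}

# Constructed sample: zeroed boot code, one active NTFS (0x07) partition starting at LBA 63,
# so the parser runs without touching a real disk.
function New-SampleMbr {
    $s = New-Object byte[] 512
    $s[446] = 0x80; $s[450] = 0x07
    [BitConverter]::GetBytes([uint32]63).CopyTo($s, 454)
    [BitConverter]::GetBytes([uint32]20964762).CopyTo($s, 458)
    $s[510] = 0x55; $s[511] = 0xAA
    $s
}

Get-MbrInfo (New-SampleMbr) | Format-List

try {
    $live = Get-MbrInfo (Read-Mbr)
    $live | Format-List BootCodeSha1, DiskSignature, Problems, Healthy
    $live.Partitions | Format-Table Index, Active, Type, StartLba, Sectors -AutoSize
} catch {
    Write-Warning "Could not read the live MBR (run elevated): $_"
}
```

Record `BootCodeSha1` from a clean machine of the same Windows build and add it to the list; a mismatch on an infected box then tells you something has replaced the boot code, which is exactly what a rewrite of the MBR would fix and what it would not fix (a dropper sitting in the user profile, as in this thread).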
system
April 8, 2012, 8:40pm
19
BTW - looks like this sucker is mutating. Here’s today’s version of it: http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1020193#none
They all mutate on a daily basis, as fast as the AVs catch them they change