I also have the Win32: Downloader NUA Trojan Virus.... Help needed

Hi,

RE: Win32: Downloader NUA Trojan

New to this, and although I am pretty good with a PC I have little experience getting rid of pesky trojans like this one, so much help needed!

The virus is found by Avast but keeps moving. So far it has gotten into several files and folders and is destroying some programmes. It got into my Symantec antivirus and I had trouble uninstalling it (soon fixed it with Microsoft Fix It).

Ran TDSSKiller, found 5 threats, all incurable.

I've tried everything I know of to get rid of it and nothing so far… any advice would be helpful, as I feel the last resort is to format and start again and I would rather avoid that! Cheers

Also I am doing the anti malware and OTS thing now…

Could you also attach the TDSSKiller log please?

There we go

The 5 found by TDSSKiller are of no import at the moment ;D

This is the malware report

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.08.05

Windows XP Service Pack 3 x86 NTFS

Protection: Enabled

08/04/2012 19:41:47
mbam-log-2012-04-08 (19-41-47).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196741
Time elapsed: 15 minute(s), 46 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) → Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) → Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\WINDOWS\Temp\DWH7D93.tmp (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\DWHF9E7.tmp (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\Gemma Wright\AS3fXO3 (Virus.Ramnit) → Delete on reboot.

(end)
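A small parser for the Malwarebytes log format posted above (added example, not from the thread or from Malwarebytes; the sample text is constructed from the entries in the post and uses "->" where the forum rendered an arrow). It pulls out each detection, lists the threat families, and flags anything left at "Delete on reboot", which is the Virus.Ramnit item the replies go on to discuss.

```python
import re

# Constructed sample, built from the detection lines quoted in the post above
SAMPLE_LOG = r"""Registry Keys Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Files Detected: 3
C:\WINDOWS\Temp\DWH7D93.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\DWHF9E7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gemma Wright\AS3fXO3 (Virus.Ramnit) -> Delete on reboot.

(end)
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) (?:->|→) (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (declared_counts, detections): the per-section counts MBAM
    printed, and one dict (section, item, family, action) per detection line."""
    counts, detections, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            counts[section] = int(m.group("count"))
            continue
        m = ENTRY_RE.match(line)
        if m and section is not None:
            detections.append({"section": section, **m.groupdict()})
    return counts, detections

def pending_on_reboot(detections):
    """Items MBAM could not remove immediately (typically a file still in use);
    these are the ones to re-check after the reboot."""
    return [d["item"] for d in detections if d["action"].startswith("Delete on reboot")]

def families(detections):
    """Distinct threat families, handy for cross-referencing vendor aliases."""
    return sorted({d["family"] for d in detections})

def count_mismatches(counts, detections):
    """Sections whose declared count differs from the entries actually parsed,
    which usually means a truncated or hand-edited log."""
    seen = {}
    for d in detections:
        seen[d["section"]] = seen.get(d["section"], 0) + 1
    return {s: (n, seen.get(s, 0)) for s, n in counts.items() if seen.get(s, 0) != n}
```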

Virus.Ramnit, this is not too good. Are you getting alerts about this malware?

Had one that was moved to chest

I’m doing the OTL now

Although I've read that Ramnit is incurable? Is it best to reformat?

If you are not receiving continual alerts then it may well have been stopped from executing.

I got one alert the other day but that was it

Here is the OTL log

Looks like it was stopped from running… Once this run is complete, can you let me know what problems remain?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
Open the scanner and select the protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2A69}: "URL" = http://search.bearshare.com/web?src=ieb&systemid=2&q={searchTerms}
IE - HKU\S-1-5-21-527237240-1202660629-839522115-1003\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2A69}: "URL" = http://search.bearshare.com/web?src=ieb&systemid=2&q={searchTerms}
FF - prefs.js..browser.search.order.1: "BearShare Web Search"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
[2010/09/14 13:41:12 | 000,002,506 | ---- | M] () -- C:\Documents and Settings\Gemma Wright\Application Data\Mozilla\Firefox\Profiles\heuo2gqq.default\searchplugins\BearShareWebSearch.xml
[2010/05/16 15:38:33 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/29 17:34:42 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2011/02/22 21:51:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/02/26 15:25:26 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\GEMMA WRIGHT\LOCAL SETTINGS\APPLICATION DATA\{621A474C-43BC-4666-89A4-4B7FB58DD35C}
[2010/09/14 13:41:12 | 000,002,506 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\BearShareWebSearch.xml
O3 - HKLM\..\Toolbar: (MediaBar) - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\PROGRA~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll File not found
O3 - HKU\S-1-5-21-527237240-1202660629-839522115-1003\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-527237240-1202660629-839522115-1003\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-527237240-1202660629-839522115-1003\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-527237240-1202660629-839522115-1003\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - No CLSID value found.
O4 - HKU\S-1-5-21-527237240-1202660629-839522115-1003..\Run: [GihNnsib] C:\Documents and Settings\Gemma Wright\Local Settings\Application Data\xcpbdpcn\gihnnsib.exe File not found
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\Gemma Wright\Local Settings\Application Data\xcpbdpcn\gihnnsib.exe) - File not found
[2012/04/01 18:52:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gemma Wright\Local Settings\Application Data\xcpbdpcn

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Essex,

If you look at the aswmbr log from the other person who has the same bad guy, mbr is infected. Bootrec /fixmbr might be in order here.

Different infection; TDSSKiller reported clear.
And fix /mbr would probably not work, as that just rewrites the MBR and does not remove the file system.

There we go

I have to turn the PC off till tomorrow now, but thank you for your help so far and I will reply tomorrow.


OK, when you switch on next let me know how it is behaving ;D

Not so sure about it being different malware. I suspect MBAM is classifying it the same as Microsoft: Ramnit. It also appears Kaspersky doesn't recognize it at all.

Other Common Detection Aliases

Company Name | Detection Name
avast | Win32:Downloader-NUA [Trj]
AVG (GriSoft) | Dropper.Generic5.BYEP (Trojan horse)
avira | TR/Offend.kdv.588346
BitDefender | Trojan.Generic.KDV.588346
Dr.Web | Trojan.Rmnet.8
eSafe (Alladin) | Suspicious file
Microsoft | Trojan:Win32/Ramnit.A
Symantec | Trojan.Gen
Eset | Win32/Kryptik.ADSK trojan (variant)
panda | Suspicious
V-Buster | Trojan.Kryptik!A3Ty2d2zM64 (trojan)

Every infection is different to some degree; this one has a healthy MBR.

19:53:44.0421 1336 \Device\Harddisk0\DR0\Partition0 - ok
19:53:44.0421 1336 ============================================================
19:53:44.0421 1336 Scan finished
19:53:44.0421 1336 ============================================================
19:53:44.0531 2668 Detected object count: 5
19:53:44.0531 2668 Actual detected object count: 5
19:54:14.0328 2668 Aspi32 ( UnsignedFile.Multi.Generic ) - skipped by user
19:54:14.0328 2668 Aspi32 ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:54:14.0328 2668 Netaapl ( UnsignedFile.Multi.Generic ) - skipped by user
19:54:14.0328 2668 Netaapl ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:54:14.0328 2668 nv ( UnsignedFile.Multi.Generic ) - skipped by user
19:54:14.0328 2668 nv ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:54:14.0328 2668 NVSvc ( UnsignedFile.Multi.Generic ) - skipped by user
19:54:14.0328 2668 NVSvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:54:14.0328 2668 STEC3 ( UnsignedFile.Multi.Generic ) - skipped by user
19:54:14.0328 2668 STEC3 ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:54:16.0515 3232 Deinitialize success

BTW - looks like this sucker is mutating. Here’s today’s version of it: http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1020193#none

They all mutate on a daily basis; as fast as the AVs catch them, they change.