Win32:downloader-NXD[Trj]

Hello folks

I’m new to this forum, but I have been an Avast Internet Security user for years now.

Last week I managed to get my first virus, Win32:downloader-NXD[Trj], also named ms0cgf32.exe.
Avast put it into the virus chest, and everything seemed to be normal. The web browser was working, everything was working. I did try to get rid of it using tips and cleaners and so on found by searching on Google. After at least 10 more scans with Avast, Avast cannot find the virus anymore.
But now I have problems with getting into Explorer or any browser. And with a quick CTRL + Alt + DELETE, in Processes there are a lot of svchost.exe running, and I guess the virus is still intact within my computer.

When the virus was in the chest, the location was under the Temp folder. And of course I can't see anything with the name ms0cgf32.exe there, so I guess it's hidden under a different name.

I hope someone here can guide me or have any tips to get rid of that sucker :slight_smile:

Thanks in advance!

//Trond

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware.
Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

Hello!

Sorry for late reply. Been to work all day. I will post logs later tonight :slight_smile:

Monitoring

Ok then

I have done what Asyn suggested, and I have followed the instructions. Please check attachments.

I can't find anything wrong and no viruses in any scans.

I will also add some more attachments from when checking processes with CTRL ALT DELETE

I guess so many svchost is not normal…

As I mentioned in the first post, I cannot connect to any of the web browsers. I think that's the virus f… up.

I also did the FSS, check attachment

Hope any of my attachments are helpful.

All help is much appreciated as the computer that is infected is my studio computer…

Thanks in advance!

//Trond
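An added example, not part of this thread or of the helper's instructions, of the check a defender would run to answer the "is this many svchost.exe normal?" question in the post above. It lists every svchost.exe with its parent process, path and command line, and flags any instance that is not started by services.exe from the System32 copy with a "-k" service group, or whose on-disk binary does not carry a valid Authenticode signature. It assumes Windows PowerShell 3.0 or later run as an administrator; the expected path, the parent-process rule and the flags are my assumptions about what a legitimate service host looks like, not anything stated in the thread.

```powershell
# Added example (not from the thread): inventory every svchost.exe and flag the ones that
# do not look like the genuine Windows service host. Assumes Windows PowerShell 3.0+ run
# elevated; the "expected" values below are assumptions about a clean system.
$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'
$servicesPids = @(Get-CimInstance Win32_Process -Filter "Name = 'services.exe'" |
                  Select-Object -ExpandProperty ProcessId)

$report = foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
    $findings = @()

    # 1. The legitimate binary lives in System32; any other path is suspicious.
    #    (ExecutablePath can be empty for protected processes even when elevated.)
    if ($p.ExecutablePath -and ($p.ExecutablePath -ne $expectedPath)) {
        $findings += "unexpected path: $($p.ExecutablePath)"
    }

    # 2. Real service hosts are launched by services.exe; any other parent is suspicious.
    if ($servicesPids -notcontains $p.ParentProcessId) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { 'exited' }
        $findings += "parent is not services.exe (PID $($p.ParentProcessId): $parentName)"
    }

    # 3. Service hosts are always started with a "-k <group>" argument.
    if ($p.CommandLine -notmatch '\s-k\s') {
        $findings += 'no -k service group on the command line'
    }

    # 4. The file on disk should carry a valid (Microsoft) Authenticode signature.
    if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        if ($sig.Status -ne 'Valid') {
            $findings += "signature status: $($sig.Status)"
        }
    }

    [pscustomobject]@{
        PID      = $p.ProcessId
        Parent   = $p.ParentProcessId
        Path     = $p.ExecutablePath
        Cmd      = $p.CommandLine
        Findings = ($findings -join '; ')
    }
}

"Total svchost.exe instances: $(@($report).Count)"
# Instances with findings sort to the top; an empty Findings column means "looks normal".
$report | Sort-Object Findings -Descending | Format-Table PID, Parent, Findings -AutoSize
```

A dozen or more svchost.exe instances is ordinary on Windows, so the count alone says nothing; what matters is whether every instance passes the four checks. Any row with a non-empty Findings column is worth handing to the person doing the analysis, together with its Path and Cmd values.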

When you try to flash up a browser, what error do you get?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
@Alternate Data Stream - 969 bytes -> C:\Documents and Settings\All Users\Programdata\Microsoft:kpjyw3T8DLrCtIeGmLInGn4o3vq04w
@Alternate Data Stream - 1229 bytes -> C:\Documents and Settings\All Users\Programdata\Microsoft:9xpqdQNyPgSgSSZti0MRG7Z
@Alternate Data Stream - 1210 bytes -> C:\Documents and Settings\All Users\Programdata\Microsoft:1tl0ItlZBKLPR7KCLhFFT
@Alternate Data Stream - 1156 bytes -> C:\Documents and Settings\All Users\Programdata\Microsoft:2592wTtC7cKlTEvivlOQ
@Alternate Data Stream - 1138 bytes -> C:\Documents and Settings\All Users\Programdata\Microsoft:FC1ZkBNUnYhV9bKWZDzvzIBvX
@Alternate Data Stream - 1101 bytes -> C:\Programfiler\Outlook Express:3fokEsuJe2ftIh0U2WcLpd
@Alternate Data Stream - 1097 bytes -> C:\Programfiler\WindowsUpdate:AgVs5goTZ1h9pt2bhTNij5kK
@Alternate Data Stream - 1010 bytes -> C:\Documents and Settings\All Users\Programdata\Microsoft:yhXlYFiyHajyl1Z55VXM

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
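The OTL fix above removes alternate data streams (ADS) that were attached to folders such as ProgramData\Microsoft, the Outlook Express folder and the WindowsUpdate folder, which is where the log showed them. As an added example, not part of the fix or of this thread, here is how a defender can list the streams on those same folders themselves, before or after the fix, using "dir /r", which prints a stream entry for both files and folders. It assumes Windows Vista or later (XP's dir has no /r switch) and Windows PowerShell 3.0 or later; the target paths are the fix's folders written with environment variables, which is my assumption about the modern layout, and the parsing pattern and thousands-separator handling are mine.

```powershell
# Added example (not from the thread): list alternate data streams on the folders the OTL
# fix targets. Uses "dir /r" because it reports streams on directories as well as files.
# Assumes Windows Vista+ and Windows PowerShell 3.0+. The paths are assumptions mapping the
# fix's XP-era "Documents and Settings" / "Programfiler" locations to the modern layout.
$targets = @(
    (Join-Path $env:ProgramData  'Microsoft'),
    (Join-Path $env:ProgramFiles 'Outlook Express'),
    (Join-Path $env:ProgramFiles 'WindowsUpdate')
)

# "dir /r" prints each entry, then one indented line per alternate stream, e.g.
#      969 Microsoft:kpjyw3T8DLrCtIeGmLInGn4o3vq04w:$DATA
# Assumes the size uses "," or "." as thousands separator (locale dependent).
$streamLine = '^\s+(?<bytes>[\d,.]+)\s+(?<name>.+?):(?<stream>[^:\\]+):\$DATA\s*$'

function Get-FolderStreams([string]$Folder) {
    if (-not (Test-Path -LiteralPath $Folder)) { return }
    $parent = Split-Path -Parent $Folder
    $leaf   = Split-Path -Leaf   $Folder

    # List the parent so the folder's own entry (and its streams) appear in the output.
    cmd.exe /c "dir /r /a `"$parent`"" 2>$null | ForEach-Object {
        if ($_ -match $streamLine -and $Matches.name -eq $leaf) {
            [pscustomobject]@{
                Path   = $Folder
                Stream = $Matches.stream
                Bytes  = [int]($Matches.bytes -replace '\D', '')
            }
        }
    }
}

$results = foreach ($t in $targets) { Get-FolderStreams $t }
if ($results) {
    $results | Format-Table -AutoSize
} else {
    'No alternate data streams on the listed folders.'
}
```

Folders and files normally carry no named streams at all (Zone.Identifier on downloaded files is the common benign exception), so a set of streams with random-looking names and sizes around 1 KB, as in the fix above, is the thing to look for. Running this before the fix confirms the entries the log reported; running it again afterwards confirms they are gone.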

“Internet Explorer cannot display the webpage”. Not an “error”, but this started after I got the virus. I read that the virus creates its own IP addresses, so you can't go online.

New OTL log attached.

Quick question. I logged in as admin; is that the right way to do it, or do I need to log in as a user? I'm so noob at this, sorry :frowning:

No evidence of that as Farbar was able to connect to Google… So let's dive deeper

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Ok then,

I started ComboFix in safe mode as admin. Tried to deactivate Avast, but that did not seem to work 100%.
The scan went fine, and the computer rebooted. I forgot to press F8 at this point because I was busy, sorry for that. The PC started in normal mode and the ComboFix window was up. Some programs opened up as ComboFix was running (MBAM and RegClean). ComboFix didn't seem to be affected.

Then I suddenly got a bluescreen and the PC rebooted.

ComboFix log is attached, please check it out (sorry for the Norwegian).

Internet is still down, and lots of svchost are up and running in Processes (not in safe mode).

Thanks in advance

Could you re-run ComboFix, as it failed to complete, from normal mode if at all possible. ComboFix did replace one infected file

Tried to rerun ComboFix in normal mode. It starts fine, but disappears within a few seconds. Win XP issue?

Hmm this smells of the new Whistler

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

[*]Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.

Just did a scan with TDSSKiller. Nothing malicious found, could only use “Skip”.

Report attached.

I'm starting to think the virus is not there, but something is weird. The first day I lost the net I tried new cables and checked the Netgear and the card. Everything works. There was a brief second of relief when I suddenly managed to use Firefox on Monday on the 12th attempt, but I shut it down and tried to start it again with no results.

If it's still a virus, this one does not get killed easily.

Thank you for helping me btw. Much appreciated :slight_smile:

There are a lot of system files there that are unsigned

Please download the following programmes to your desktop:

Dr Web Live CD

ImgBurn

Install IMGBurn

[*]Double click Dr Web
[*]IMGBurn will open
[*]Burn the ISO to a CD

[*]Reboot the infected computer with the CD in the drive
[*]Ensure that the first boot device is CD - If you are not sure about that then see this page for instructions
[*]As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdbootscreen.gif

[*]Use arrow keys to select DrWeb-LiveCD (Default)

[*]When the system is loaded, check the disks or folders you want to scan, and click on “Start”.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdDriveselection.gif

[*]The programme will now scan for and cure/delete any malware that it finds. Allow it to do so
[*]Once completed reboot to normal windows
[*]No log is produced so once in normal windows run a fresh OTL scan and let me know if the problems persist

Hello and sorry for the late reply. Worked a lot this week, so I haven't been able to check the Avast forum.
I will test the Dr Web live CD as soon as possible. Really hope this will help.

I can also mention that I tried to open World of Warcraft, and I got a message I have never seen before. Certainly something wrong going on.

I have a feeling it may be some type of file infector. Dr Web will confirm or deny that

Running DrWeb atm, and it seems like the scan stops 2-3 minutes into the scan… and the irony is that the scan seems to freeze up at “Avast bla bla /pack017 by Xerox”. It's stood there for 5 minutes now… I hope it continues scanning through the night, or do I need to uninstall Avast? :confused:

No, Avast should be totally inactive as you are running from a Linux base

If it is still locked then restart the scan but only look at the system32 folder initially

It's scanning just fine at the moment. I had to uncheck the Avast folders, so it does not scan those folders.
Also ironic that the scan has found two Trojans in the OTL? Trojan.sigurd.

Well, hopefully the scan is done in a few hours because the scan is kinda slow :slight_smile:

I will post an OTL log when it's all done.

I can't thank you enough Essexboy for helping me :slight_smile: Hopefully we manage to fix it. I will also post the JPEG of the error when I try to log on to net-based games and programs.