Win32:Neredr [Drp]

Hi, I visited a site, and when I entered, Avast immediately came up with the message “Malware was found!”

File name: C:\WINDOWS\Temp\wpv051250047226.exe\install.exe
Malware name: Win32:Neredr [Drp]
Malware type: Dropper

I’ve used the “move to chest” function and tried to delete it, but when I do it says “Cannot process “C:\WINDOWS\Temp\wpv051250047226.exe\install.exe” file.”
I also went to the temp folder itself to try and delete it manually. Now the file from temp is gone, but the warning in Avast still pops up. And there is also the “install.exe” application in the list of processes. I’ve tried to terminate the process, but nothing happens… After that I tried running Malwarebytes’ Anti-Malware, but the scan got stuck 1 min and 15 sec into the scan. It stopped at C:\install.res.1031.dll. I’ve now also tried to terminate the Malwarebytes program, but it also won’t quit. Now I am completely out of ideas and afraid to turn off my computer…
When I downloaded Avast I thought it would protect me from this kind of stuff, not just sit on my computer, take up space and not work… I don’t know for what reason.

So I would very much appreciate if someone could please help me out here.

[Update] Now I got 5 apps in the process list called “dumprep.exe” which I can’t end either…

Hi, welcome to the forum.
It looks like a rootkit has been installed by a trojan. Such things usually install either by taking advantage of a security vulnerability in out-of-date software, or by the user clicking on a link disguised to look like something else.
Using a browser that permits scripts to be run without user intervention can be a hazard these days, though I’m not saying that is the case here…it might be.

I’m not really expert enough to tell you exactly what to do.
Others who use this forum are, however.
You may want to wait to get an answer from someone more expert at malware removal.

What I would do is schedule a boot scan with Avast, exit MBAM, disconnect from the internet and reboot. I think that what you have is similar to (or the same as) this. So what else I would do is copy the filenames and registry keys indicated to Notepad, reboot into Safe Mode, and see if manual deletion is possible. Then reboot to normal and run MBAM again (disconnected).

You might need to run some anti rootkit applications. Here is a site with reference/links to quite a few. I’d probably start with the Trend Micro one, then maybe the Avira, or the Sophos, or rootrepeal.
Avast has a rootkit scanner built in, based on Gmer. Appears it was unable to stop this one, for whatever reason.
Did you have any other AV installed before Avast?
(Apart from MBAM) any other security software active? Firewall on?

Thank you for your response.

To answer your question about other security programs: I have Avast, MBAM, Spybot S&D, Ad-Aware, SUPERAntiSpyware Free Edition, HijackThis, ComboFix, CCleaner and Diskeeper installed on my computer, and Windows Firewall is on (always on). I’m not an expert on using these programs, however. Avast, SUPERAntiSpyware and Diskeeper were running at the time I got the virus.

Try a scan with SUPERAntiSpyware, if MBAM is not responding or stalled.

And post a HijackThis log, please.
Open HijackThis, select “Perform a scan and save a log”. At the scan completion, a logfile will open. Post that as an attachment, or copy and paste it directly into your next post. It probably won’t fit into one post; you might have to break it up.
It is easier to post it as an attachment. (Select all, save as, probably to the desktop would be easiest, then add it as an attachment by using the “additional options” link at the bottom left of the reply window in this forum.)

All clear?

Thanks for responses.

I’ve tried running SUPERAntiSpyware. It finds nothing.

I have added the HijackThis log as an attachment.

Hi Cieran,

Try to run this tool: http://greatis.com/security/Rustock(lzx32.sys)_free_removal_tool.htm

Then post a fresh HJT log as an attached txt file.

polonus

OK, done. It took some restarts, and some of the same files keep popping up. I can’t seem to get rid of them.

Posted the HijackThis log as an attachment.

Hi Cieran,

From the HJT logfile nothing in particular appears. Try to look for the following and try to take it out:

%USERPROFILE%\local settings\temp\dixmhtm.exe

The following registry elements have been changed:

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\

* pendingfilerenameoperations = \??\c:\docume~1\admini~1\locals~1\temp\16.tmp

You should install User Profile Hive Cleanup Service to help with slow log off and unreconciled profile problems:
http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Download CCleaner from here: http://www.filehippo.com/download_ccleaner/
Cleanse with the following command given in:
rd /s /q c:\recycler

polonus

Thanks for your help.

I’m not particularly good with computers, so there are some things you’re going to have to explain to me.

  1. How should I search for “%USERPROFILE%\local settings\temp\dixmhtm.exe”?
  2. As you wrote: “The following registry elements have been changed:

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\

* pendingfilerenameoperations = \??\c:\docume~1\admini~1\locals~1\temp\16.tmp” - I don’t know what that means.
  3. I downloaded UPHClean, but when I access it nothing happens. A black window just appears, like when you open a .bat file etc.
  4. “Cleanse with the following given in:
    rd /s /q c:\recycler” - Not sure how to do that either…

Keep in mind that I have little knowledge of these kinds of things.

When I scan with RegRun, some files keep reappearing all the time. No matter how many times I reboot they are still there. How can I get rid of them?
And how can I be absolutely sure that they are gone?

Hi there, could you run two programmes for me please?

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.

[*] Click on the Log tab.
[*] In the Write to log box select all items.
[*] Click on the Create Log button on the bottom right.
[*] After a few seconds a new Window should appear.
[*] Make sure Scan all drives is selected and click on the Start button.
[*] When it is complete a new Window will appear to indicate that the scan is finished.
[*] The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.

THEN

To ensure that I get all the information, this log will need to be uploaded to Mediafire; then post the sharing link.

Download OTS to your Desktop

[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Under Additional Scans check the following:
[*]Reg - File Associations
[*]File - Lop Check
[*]File - Purity Scan
[*]Evnt - EvtViewer (last 10)
[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

OK, I’ve added the SysProt log, but when I run the scan with OTS.exe it freezes and I get this error message:

http://img241.imageshack.us/img241/4768/errorw.jpg

SysProt log:

http://www.mediafire.com/?ljyqadhyutu

Did another Avast scan. Look what happens…

http://img38.imageshack.us/img38/4933/error1nvz.th.jpg

http://img40.imageshack.us/img40/9226/error2g.th.jpg

So there it is… Just lying there and I can’t seem to do anything about it.
Also, I can’t seem to find the path “c:\System Volume Information”. I don’t know if that’s normal…

“System volume information” is where the restore points are kept.
Don’t worry about it for now.
When the cleanup is complete, and all is working normally, it will be advisable to turn system restore off, reboot, then turn it back on.
That will clear all system restore points, and with them, any malware.

The only way I know of that malware can infect you from system restore is if you actually use a restore point that is infected. (So don’t.)

You know you can attach images and txt files (up to 200K, I think) directly to the forum post?
See “additional options” at the bottom left of a reply window.

Could you re-run OTS, but this time do not check the “Scan All Users” box?

The good news is that there are no apparent rootkits.

OK, that worked :)

Here is the log:

http://www.mediafire.com/?wdvnomjo0vl

I see that you have run a fair few tools. Could you post the ComboFix log? It should be at c:\combofix.

During this run you will lose all processes as they are closed; this is normal.

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Files/Folders - Created Within 30 Days]
NY -> winstart.bat -> C:\WINDOWS\winstart.bat
[Files/Folders - Modified Within 30 Days]
NY -> winstart.bat -> C:\WINDOWS\winstart.bat
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
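Two boot-time mechanisms come up in this thread: the PendingFileRenameOperations value that polonus pointed at (the session manager processes it at the next boot, and an entry with an empty destination means "delete this file"), and the C:\WINDOWS\winstart.bat that the OTS fix above removes. Both are worth reading before anything is deleted, because they usually name the files that keep "coming back" after each reboot. The PowerShell script below is an added example, not part of the original thread and not code from Avast, OTS, RegRun or any other tool mentioned; the path patterns it flags as suspicious and the list of Run keys it walks are my own assumptions about what is worth a look in this kind of infection. It only reads; it changes nothing, and it needs an elevated prompt to see the HKLM values.

```powershell
# Added example: read-only inspection of the boot-time persistence points
# discussed in the thread. Run from an elevated PowerShell prompt.

$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# 1. PendingFileRenameOperations is a REG_MULTI_SZ of (source, destination)
#    pairs. An empty destination means "delete source at next boot"; a
#    destination starting with '!' means "overwrite if it exists". Paths carry
#    the NT '\??\' prefix, which is stripped here for readability.
[string[]]$pending = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations `
                        -ErrorAction SilentlyContinue).PendingFileRenameOperations

# Assumed heuristic: anything in a temp folder or the recycler is suspicious here.
$suspicious = '\\temp\\|\\recycler\\|\\local settings\\'

if ($pending) {
    "--- PendingFileRenameOperations ({0} entries) ---" -f ($pending.Count / 2)
    for ($i = 0; $i -lt $pending.Count; $i += 2) {
        $src = $pending[$i] -replace '^\\\?\?\\', ''
        $dst = if ($i + 1 -lt $pending.Count) { $pending[$i + 1] -replace '^!?\\\?\?\\', '' } else { '' }
        $action = if ([string]::IsNullOrEmpty($dst)) { 'DELETE' } else { "RENAME -> $dst" }
        $flag = if ($src -match $suspicious) { ' [SUSPICIOUS PATH]' } else { '' }
        "{0,-8} {1}{2}" -f $action, $src, $flag
    }
} else {
    'No PendingFileRenameOperations value present.'
}

# 2. winstart.bat in the Windows directory is a legacy autostart file name
#    (Windows 9x ran it at boot). Whether or not this system executes it, a
#    freshly created copy usually lists the files the malware re-creates, so
#    read it before deleting it.
$winstart = Join-Path $env:windir 'winstart.bat'
if (Test-Path $winstart) {
    $item = Get-Item $winstart
    "--- winstart.bat present: created {0}, {1} bytes ---" -f $item.CreationTime, $item.Length
    Get-Content $winstart
} else {
    'No winstart.bat in the Windows directory.'
}

# 3. The standard Run/RunOnce keys, the usual reason a file reappears after
#    every reboot. Assumed list; a full autoruns survey covers many more.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

'--- Run / RunOnce entries ---'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psNoise -contains $p.Name) { continue }   # provider metadata, not registry values
        $flag = if ("$($p.Value)" -match $suspicious) { ' [SUSPICIOUS PATH]' } else { '' }
        "{0}\{1} = {2}{3}" -f $key, $p.Name, $p.Value, $flag
    }
}
```

Reading the output against the thread: a DELETE entry for a file under locals~1\temp is what you would expect from a successful "remove on reboot", while a RENAME whose destination lands in the Windows directory, or a Run entry pointing into a temp folder, is the kind of thing to copy into Notepad before the Safe Mode cleanup suggested earlier.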

I have added the ComboFix log as an attachment.

I ran OTS following your instructions and it was very short indeed.
After a few seconds I got blue screen and when the computer rebooted itself this message was displayed:

http://img12.imageshack.us/img12/5593/errorreport.jpg

I’ll try it again after this post.

[UPDATE] The exact same thing happened again.

Also, I keep seeing this message on each reboot:

http://img187.imageshack.us/img187/96/imgerror.jpg

And afterwards I have to go through the same procedure again with RegRun.

What is the status now, as the winstart.bat was a malware file?

Unless RegRun has started adding it as part of their programmes, although I have no indication of that.