Avast WEBforum

Other => Viruses and worms => Topic started by: jibbyreznor on April 07, 2012, 06:44:20 PM

Title: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: jibbyreznor on April 07, 2012, 06:44:20 PM

Hi Guys,

On Thursday my laptop became infected with a horrible trojan virus and I simply cannot get rid of it.

Its called: Win32: Downloader NUA Trj

What it does:
WILL NOT let me into safe mode atall
Won NOT let me open certain programs like IE
Every 15 Seconds or so or if I try to open a program I will get Avast popping up saying "Trojan Horse Blocked" its not always in the same place though, it moves from program to program, (I've tried to find it but can never locate it)
Opening some programs like VLC results in this error message "error 0xc0000005"

What I did about it:
Plenty of boot scans, sometimes Avast finds it, sometimes not
ran Malware Bytes, Superantispyware, and Spybot search and destroy several times (they like avast were all updated before they ran) again sometimes they found the virus sometimes not.
I have also ran the AVG recovery disc but that didn't seem to do anything.
Uninstalled and reinstalled Avast to simply check I didn't have a fake version running. That too produced no effect

I do have another pc to work from so if you want to suggest something I should download I can. I'm figuring getting into safe mode might be the key but when I try the computer comes up with a blue error message and then powers off again. Whats equally weird is I have disconnected from the internet and avast still pops up telling me its blocked the Trojan Horse.

I hope you guys can help and any help is much appreciated.

Thanks

Jamie

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: mikaelrask on April 08, 2012, 08:57:17 AM

welcome to the forum.

this needs further investigation of a expert please fallow this guide and post the results here so one of our expert can have a look on it.

http://forum.avast.com/index.php?topic=53253.0

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: jibbyreznor on April 08, 2012, 01:57:07 PM

Hey, attached are the logs you asked for. Hope I have done it right.

Thanks very much for your help,

Attached is the OTL log and heres the MBR Log

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2012-04-08 12:27:10
-----------------------------
12:27:10.843    OS Version: Windows 5.1.2600 Service Pack 3
12:27:10.843    Number of processors: 1 586 0xD08
12:27:10.843    ComputerName: USER-2B3AC7FA18  UserName: User
12:27:12.812    Initialize success
12:27:13.921    AVAST engine defs: 12040800
12:27:20.953    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
12:27:20.953    Disk 0 Vendor: Hitachi_HTS541080G9AT00 MB4OA61A Size: 76319MB BusType: 3
12:27:22.968    Disk 0 MBR read successfully
12:27:22.968    Disk 0 MBR scan
12:27:23.015    Disk 0 Windows XP default MBR code
12:27:23.015    Disk 0 scanning sectors +156280320
12:27:23.046    Disk 0 malicious Win32:MBRoot code @ sector 156280323 !
12:27:23.046    Disk 0 PE file @ sector 156280345 !
12:27:23.093    Disk 0 scanning C:\WINDOWS\system32\drivers
12:27:34.187    Service scanning
12:27:35.468    Modules scanning
12:27:40.093    Disk 0 trace - called modules:
12:27:40.093    ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
12:27:40.453    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f14ab8]
12:27:40.453    3 CLASSPNP.SYS[f7687fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x86fa7940]
12:27:41.390    AVAST engine scan C:\WINDOWS
12:27:46.015    AVAST engine scan C:\WINDOWS\system32
12:29:35.531    AVAST engine scan C:\WINDOWS\system32\drivers
12:29:45.750    AVAST engine scan C:\Documents and Settings\User
12:29:49.140    File: C:\Documents and Settings\User\Air8gE9  **INFECTED** Win32:Downloader-NUA [Trj]
12:35:29.031    File: C:\Documents and Settings\User\uxIzuN3  **INFECTED** Win32:Downloader-NUA [Trj]
12:35:29.156    File: C:\Documents and Settings\User\XLUTFs3  **INFECTED** Win32:Downloader-NUA [Trj]
12:35:35.703    AVAST engine scan C:\Documents and Settings\All Users
12:37:00.515    Scan finished successfully
12:46:39.875    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
12:46:39.875    The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: DonZ63 on April 08, 2012, 03:21:15 PM

This sucker looks like it's brand new variant.

See this for info: http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1018857#none

McAfee indicates a bootrec /fixmbr is required. See removal instructions.

Since Avast is finding it, is it being quarratined?

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: jibbyreznor on April 08, 2012, 04:27:27 PM

hey,

I will follow MCafee's instructions. Avast is "blocking" it, not sure if that means its being quanrantined. I assume it is because its not causing me more issues.

Thanks for your help, I will reply again as soon as the MBR clean has finished.

Jamie

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: jibbyreznor on April 08, 2012, 04:53:42 PM

Ok ran the MBR Fix. It built a new partition (whatever that means) but still virus pops up and still get the error when launching programs. Any ideas?

Thanks again

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: adotd on April 08, 2012, 05:04:19 PM

Hey jibbyreznor

can you post all logs please, our malware expert is currently offline. he should be here hopefully soon. ;)

Anthony

Happy easter

(http://4.bp.blogspot.com/_J5KONx1-3Ks/S97gIxk4E3I/AAAAAAAAAKk/ab7_get2H-s/s320/images-4.jpeg)

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: DonZ63 on April 08, 2012, 05:06:04 PM

They frown on anyone giving malware removal advice in this forum other than one of the Avast malware specialists; Essexboy, Jeff, or Oldman. So your going to have to wait till one of them respond.

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: jibbyreznor on April 08, 2012, 05:08:29 PM

Which logs? I've already posted the OTD and MBr one.

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: adotd on April 08, 2012, 05:12:36 PM

Can you attach the malwarebytes log please 8)

Anthony

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: jeffce on April 08, 2012, 05:33:24 PM

Hi,

Please download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.exe)

• Double-click to run TDSSKiller.exe
  
• Press Change Parameters
  
• Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  
• Click on the Start Scan button
  
  • Only if Malicious objects are found then ensure Cure is selected
    
  • Then click Continue > Reboot now
    
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
    
• Copy and paste the log in your next reply
• A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please attach its contents on your next reply.
  

----------

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: polonus on April 08, 2012, 05:36:06 PM

Hi DonZ63,

Do not give a misreprentation of the facts here. To set things straight- in malware removal routines only qualified removal experts that has been trained officially and sufficiently, like indeed essexboy, oldman, jeffce and some others here, are allowed to guide in and through malware cleansing routines that should be guided in this way.
These officially qualified removal experts have no connection to avast, they are volunteers and users of the avast programs like the others here, but they have been trained through various special online anti-malware universities or boot-camps and are members of Unite for instance, the membership of which organization is a webwide guarantee that the person is a qualified removal expert, and knows what he/she is doing.
This to prevent that untrained users may do more damage than good. The other side of the coin is natuarally that the malware removal experts here will build up a gigantic expertise with all the different sorts of malware that has to be cleansed. Just like others here build up expertise in cold reconnaisance anaysis of malware  through url-scanning methods (Asyn, Pondus, spg Scott, !Donovan, etc.),

polonus

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: jibbyreznor on April 08, 2012, 06:18:02 PM

Ok attached is the TDSS Killer Log. Just to add after I ran this my CD Drive has now dissapeared! Said something about lower registries moved. Any ideas how I can get it back?

Thanks again

Jamie

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: jibbyreznor on April 08, 2012, 07:04:06 PM

Heres my latest Malware Bytes Log. Hope you guys now have all the info you need.

Jamie

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: pennylane909 on April 08, 2012, 07:24:23 PM

Hi

I have the exact same trojan and have no idea how to get rid of it :( It seems to be moving around my computer, avast is picking it up but can't pin it down

Apart from formatting I have no clue how to get rid of this thing, it has already destroyed some files and programs

Please help!

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: pennylane909 on April 08, 2012, 07:27:16 PM

Also i ran the TDSKILLER and found 5 threats.... none curable

:(

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: DonZ63 on April 08, 2012, 07:27:49 PM

Quote

Hi DonZ63,

Do not give a misreprentation of the facts here

Lighten up, dude. I meant Avast forum malware specialist. My mistake. Go have a cool one and chill out.

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: Pondus on April 08, 2012, 07:28:20 PM

@pennylane909.

You need to start your own topic...

Follow the guide here and attach the logs
http://forum.avast.com/index.php?topic=53253.0

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: essexboy on April 08, 2012, 07:28:54 PM

Hi pennylane909 could you run aswMBR and OTL as per this thread and start your own topic... As soon as you have posted I will have a look see
http://forum.avast.com/index.php?topic=53253.0

Back to Jeff  ;D

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: jeffce on April 08, 2012, 07:44:41 PM

Hi jibbyreznor,

Rerun TDSSKiller and when you get to the new log please attach that.  :)

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: jibbyreznor on April 08, 2012, 07:48:18 PM

Attached is the TDS Log Jeffe

Thanks again for your help

Jamie

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: jeffce on April 08, 2012, 07:52:09 PM

No...I meant run a new scan with TDSSKiller and attach the new log.  Sorry if I didn't explain well enough.  :)

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: jibbyreznor on April 08, 2012, 08:06:54 PM

Sorry mate didn't realise you wanted a new one. Here it is. It didn't find anything.
Still no CD drive, have no idea whats happened there!

Thanks again.

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: pennylane909 on April 08, 2012, 08:27:48 PM

Sorry i posted it in this because i have the exact same virus....

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: jibbyreznor on April 08, 2012, 08:30:18 PM

Quick Update, CD Drive has returned. Used Microsofts FIXIT program and it has returned :) Virus remains though.

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: jeffce on April 08, 2012, 10:49:50 PM

Hi jibbyreznor,

Seeing as how you seem to have Ramnit this may be very tricky.  Ramnit is a file infector and there is no telling the degree to which your system is infected unfortunately.  This is only my opinion, but if it were my system and I were infected with Ramnit I would format and reinstall my operating system.  If you would like to continue and attempt to clean your system do the following:


Please download the following programmes to your desktop:

Dr Web Live CD (http://www.freedrweb.com/livecd/)

ImgBurn (http://www.filehippo.com/download_imgburn/)

Install IMGBurn

• Double click Dr Web
• IMGBurn will open
• Burn the ISO to a cd

• Reboot the infected computer with the CD in the drive
• Ensure that the first boot device is CD - If you are not sure about that then see this page (http://www.hiren.info/pages/bios-boot-cdrom) for instructions
  
• As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.

(http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdbootscreen.gif)

• Use arrow keys to select  DrWeb-LiveCD (Default)
• When the system is loaded, check the disks or folders you want to scan, and click on “Start”.

(http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdDriveselection.gif)

• The programme will now scan for and cure/delete any malware that it finds.  Allow it to do so 
• Once completed reboot to normal windows
• No log is produced so once in normal windows run a fresh OTL scan and let me know if the problems persist

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: jibbyreznor on April 09, 2012, 02:44:20 PM

Hi,

I ran DR.Web it picked up some stuff then cured or quarantined it.  But the issues still remain. I have attached the latest OTL log for you to take a look at.

Thanks again for your help,

Jamie

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: jeffce on April 09, 2012, 03:04:18 PM

Hi,


Please read through these instructions to familarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.  Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)
  
  
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/RC2-1.png)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
4. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
5. If after the reboot you get errors about programs being marked for deletion then reboot, that will cure it.
---------

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: jibbyreznor on April 09, 2012, 04:30:55 PM

Hi, ran combifix, attached is the log. Not sure if running it was meant to solve anything, but it hasn't.

Jamie

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: jeffce on April 09, 2012, 04:54:42 PM

Hi,

Let's see to what extent Ramnit has infected your system.

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.


[list=1]

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.

ESET OnlineScan (http://eset.com/onlinescan)

• Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png) button.
  
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)[list=1]
• Click on (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png) icon on your desktop.
  

• Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png)
  
• Click the Start button.
  
• Accept any security warnings from your browser.
• Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png)
  
• Make sure that the option "Remove found threats" is Unchecked
• Push the Start button.
  
• ESET will then download updates for itself, install itself, and begin

scanning your computer. Please be patient as this can take some time.

• When the scan completes, push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png)
  
• Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png), and save the file to your desktop using a unique name, such as
  ESETScan. Include the contents of this report in your next reply.
  
• Push the Back button.
  
• Push Finish
  

http://www.eset.com/onlinescan/
----------

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: jibbyreznor on April 09, 2012, 07:07:39 PM

heres the eset log,

Thanks again,

Jamie

Title: Re: Horrible Win32: Downloader NUA Trojan. Please Help!
Post by: jeffce on April 09, 2012, 08:06:34 PM

Hi jibbyreznor,

Your system is seriously infected with Ramnit.  With the capabilities of Ramnit we may never be able to remove it all and get a clean system.  I would advise a complete reinstall of your operating system.  I hate to be the bearer of bad news.  :(