Author Topic: Horrible Win32: Downloader NUA Trojan. Please Help!  (Read 5166 times)

Offline jibbyreznor

  • Newbie
  • *
  • Posts: 19
Horrible Win32: Downloader NUA Trojan. Please Help!
« on: April 07, 2012, 06:44:20 PM »
Hi Guys,

On Thursday my laptop became infected with a horrible trojan virus and I simply cannot get rid of it.

It's called: Win32: Downloader NUA Trj

What it does:
WILL NOT let me into safe mode at all
Will NOT let me open certain programs like IE
Every 15 seconds or so, or if I try to open a program, I will get Avast popping up saying "Trojan Horse Blocked". It's not always in the same place though, it moves from program to program (I've tried to find it but can never locate it)
Opening some programs like VLC results in this error message "error 0xc0000005"

What I did about it:
Plenty of boot scans, sometimes Avast finds it, sometimes not
Ran Malwarebytes, Superantispyware, and Spybot Search and Destroy several times (they, like Avast, were all updated before they ran); again, sometimes they found the virus, sometimes not.
I have also run the AVG recovery disc but that didn't seem to do anything.
Uninstalled and reinstalled Avast to simply check I didn't have a fake version running. That too produced no effect

I do have another PC to work from, so if you want to suggest something I should download, I can. I'm figuring getting into safe mode might be the key, but when I try, the computer comes up with a blue error message and then powers off again. What's equally weird is I have disconnected from the internet and Avast still pops up telling me it's blocked the Trojan Horse.

I hope you guys can help and any help is much appreciated.

Thanks

Jamie


Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1558
Re: Horrible Win32: Downloader NUA Trojan. Please Help!
« Reply #1 on: April 08, 2012, 08:57:17 AM »
Welcome to the forum.

This needs further investigation by an expert. Please follow this guide and post the results here so one of our experts can have a look at it.

http://forum.avast.com/index.php?topic=53253.0
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

Offline jibbyreznor

  • Newbie
  • *
  • Posts: 19
Re: Horrible Win32: Downloader NUA Trojan. Please Help!
« Reply #2 on: April 08, 2012, 01:57:07 PM »
Hey, attached are the logs you asked for. Hope I have done it right.

Thanks very much for your help,

Attached is the OTL log and here's the MBR log

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2012-04-08 12:27:10
-----------------------------
12:27:10.843    OS Version: Windows 5.1.2600 Service Pack 3
12:27:10.843    Number of processors: 1 586 0xD08
12:27:10.843    ComputerName: USER-2B3AC7FA18  UserName: User
12:27:12.812    Initialize success
12:27:13.921    AVAST engine defs: 12040800
12:27:20.953    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
12:27:20.953    Disk 0 Vendor: Hitachi_HTS541080G9AT00 MB4OA61A Size: 76319MB BusType: 3
12:27:22.968    Disk 0 MBR read successfully
12:27:22.968    Disk 0 MBR scan
12:27:23.015    Disk 0 Windows XP default MBR code
12:27:23.015    Disk 0 scanning sectors +156280320
12:27:23.046    Disk 0 malicious Win32:MBRoot code @ sector 156280323 !
12:27:23.046    Disk 0 PE file @ sector 156280345 !
12:27:23.093    Disk 0 scanning C:\WINDOWS\system32\drivers
12:27:34.187    Service scanning
12:27:35.468    Modules scanning
12:27:40.093    Disk 0 trace - called modules:
12:27:40.093    ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
12:27:40.453    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f14ab8]
12:27:40.453    3 CLASSPNP.SYS[f7687fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x86fa7940]
12:27:41.390    AVAST engine scan C:\WINDOWS
12:27:46.015    AVAST engine scan C:\WINDOWS\system32
12:29:35.531    AVAST engine scan C:\WINDOWS\system32\drivers
12:29:45.750    AVAST engine scan C:\Documents and Settings\User
12:29:49.140    File: C:\Documents and Settings\User\Air8gE9  **INFECTED** Win32:Downloader-NUA [Trj]
12:35:29.031    File: C:\Documents and Settings\User\uxIzuN3  **INFECTED** Win32:Downloader-NUA [Trj]
12:35:29.156    File: C:\Documents and Settings\User\XLUTFs3  **INFECTED** Win32:Downloader-NUA [Trj]
12:35:35.703    AVAST engine scan C:\Documents and Settings\All Users
12:37:00.515    Scan finished successfully
12:46:39.875    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
12:46:39.875    The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"
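
A triage sketch for the aswMBR log above, added here as an example and not part of the original thread or of any Avast tool: it pulls out the raw-sector findings and the infected files, and works out how far each flagged sector sits from the end of the disk using the size the log reports. The function name `triage` and the 512-byte sector size are assumptions; the sample lines are an excerpt of the log as posted.

```python
import re

# Excerpt of the aswMBR log posted above (lines as they appear in the post).
SAMPLE_LOG = r"""
12:27:20.953    Disk 0 Vendor: Hitachi_HTS541080G9AT00 MB4OA61A Size: 76319MB BusType: 3
12:27:23.015    Disk 0 Windows XP default MBR code
12:27:23.015    Disk 0 scanning sectors +156280320
12:27:23.046    Disk 0 malicious Win32:MBRoot code @ sector 156280323 !
12:27:23.046    Disk 0 PE file @ sector 156280345 !
12:29:49.140    File: C:\Documents and Settings\User\Air8gE9  **INFECTED** Win32:Downloader-NUA [Trj]
12:35:29.031    File: C:\Documents and Settings\User\uxIzuN3  **INFECTED** Win32:Downloader-NUA [Trj]
"""

SECTOR_BYTES = 512  # assumption: 512-byte sectors

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3})\s+(.*)$")
SIZE = re.compile(r"Disk (\d+) Vendor: .* Size: (\d+)MB")
SECTOR_HIT = re.compile(r"Disk (\d+) (.+?) @ sector (\d+) !")
FILE_HIT = re.compile(r"File: (.+?)\s+\*\*INFECTED\*\*\s+(.+)$")

def triage(log_text):
    """Return raw-sector findings and infected files from an aswMBR log."""
    disk_sectors, sector_hits, file_hits = {}, [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header, separator or blank line
        body = m.group(2)
        if s := SIZE.search(body):
            # Size is logged in whole MB, so the sector count is approximate.
            disk_sectors[int(s.group(1))] = int(s.group(2)) * 1024 * 1024 // SECTOR_BYTES
        elif h := SECTOR_HIT.search(body):
            disk, what, sector = int(h.group(1)), h.group(2), int(h.group(3))
            total = disk_sectors.get(disk)
            sector_hits.append({
                "disk": disk, "what": what, "sector": sector,
                # Distance from the end of the disk; None if no size was logged.
                "sectors_before_end": total - sector if total else None,
            })
        elif f := FILE_HIT.search(body):
            file_hits.append({"path": f.group(1), "detection": f.group(2).strip()})
    return {"sector_hits": sector_hits, "file_hits": file_hits}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hit in result["sector_hits"]:
        print(f"disk {hit['disk']}: {hit['what']} at sector {hit['sector']} "
              f"({hit['sectors_before_end']} sectors before end of disk)")
    for hit in result["file_hits"]:
        print(f"file {hit['path']}: {hit['detection']}")
```

On this log both sector findings land roughly 21,000 sectors (about 10 MB) before the end of the disk, while the MBR code itself is reported as the Windows XP default.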

Offline DonZ63

  • Poster
  • *
  • Posts: 469
Re: Horrible Win32: Downloader NUA Trojan. Please Help!
« Reply #3 on: April 08, 2012, 03:21:15 PM »
This sucker looks like it's a brand new variant.

See this for info: http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1018857#none

McAfee indicates a bootrec /fixmbr is required. See removal instructions.

Since Avast is finding it, is it being quarantined?
AMD QUAD 945, 8 GB, NVidia GTS 450, 3 HDDs
Dual boot, MBAM Pro - both OSes, WIN 7 x64 SP1, NAV 2012, IE9; XP SP3, NIS 2011, IE8

Offline jibbyreznor

  • Newbie
  • *
  • Posts: 19
Re: Horrible Win32: Downloader NUA Trojan. Please Help!
« Reply #4 on: April 08, 2012, 04:27:27 PM »
Hey,

I will follow McAfee's instructions. Avast is "blocking" it, not sure if that means it's being quarantined. I assume it is because it's not causing me more issues.

Thanks for your help, I will reply again as soon as the MBR clean has finished.

Jamie

Offline jibbyreznor

  • Newbie
  • *
  • Posts: 19
Re: Horrible Win32: Downloader NUA Trojan. Please Help!
« Reply #5 on: April 08, 2012, 04:53:42 PM »
OK, ran the MBR fix. It built a new partition (whatever that means) but the virus still pops up and I still get the error when launching programs. Any ideas?

Thanks again

Offline adotd

  • Sr. Member
  • ****
  • Posts: 277
Re: Horrible Win32: Downloader NUA Trojan. Please Help!
« Reply #6 on: April 08, 2012, 05:04:19 PM »
Hey jibbyreznor

Can you post all logs please? Our malware expert is currently offline. He should be here hopefully soon. ;)

Anthony

Happy easter

« Last Edit: April 08, 2012, 05:08:23 PM by adotd »

Offline DonZ63

  • Poster
  • *
  • Posts: 469
Re: Horrible Win32: Downloader NUA Trojan. Please Help!
« Reply #7 on: April 08, 2012, 05:06:04 PM »
They frown on anyone giving malware removal advice in this forum other than one of the Avast malware specialists: Essexboy, Jeff, or Oldman. So you're going to have to wait till one of them responds.
AMD QUAD 945, 8 GB, NVidia GTS 450, 3 HDDs
Dual boot, MBAM Pro - both OSes, WIN 7 x64 SP1, NAV 2012, IE9; XP SP3, NIS 2011, IE8

Offline jibbyreznor

  • Newbie
  • *
  • Posts: 19
Re: Horrible Win32: Downloader NUA Trojan. Please Help!
« Reply #8 on: April 08, 2012, 05:08:29 PM »
Which logs? I've already posted the OTD and MBR one.

Offline adotd

  • Sr. Member
  • ****
  • Posts: 277
Re: Horrible Win32: Downloader NUA Trojan. Please Help!
« Reply #9 on: April 08, 2012, 05:12:36 PM »
Can you attach the malwarebytes log please 8)

Anthony

Offline jeffce

  • Probably Not A Bot
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2460
  • Member of UNITE
    • Malware Removal
Re: Horrible Win32: Downloader NUA Trojan. Please Help!
« Reply #10 on: April 08, 2012, 05:33:24 PM »
Hi,

Please download TDSSKiller
  • Double-click to run TDSSKiller.exe
  • Press Change Parameters
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click on the Start Scan button
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
    • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • Copy and paste the log in your next reply
    • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please attach its contents on your next reply.
----------

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31665
  • malware fighter
Re: Horrible Win32: Downloader NUA Trojan. Please Help!
« Reply #11 on: April 08, 2012, 05:36:06 PM »
Hi DonZ63,

Do not give a misrepresentation of the facts here. To set things straight: in malware removal routines only qualified removal experts that have been trained officially and sufficiently, like indeed essexboy, oldman, jeffce and some others here, are allowed to guide in and through malware cleansing routines that should be guided in this way.
These officially qualified removal experts have no connection to avast, they are volunteers and users of the avast programs like the others here, but they have been trained through various special online anti-malware universities or boot-camps and are members of Unite for instance, the membership of which organization is a webwide guarantee that the person is a qualified removal expert, and knows what he/she is doing.
This is to prevent untrained users from doing more damage than good. The other side of the coin is naturally that the malware removal experts here will build up a gigantic expertise with all the different sorts of malware that have to be cleansed. Just like others here build up expertise in cold reconnaissance analysis of malware through url-scanning methods (Asyn, Pondus, spg Scott, !Donovan, etc.).

polonus
« Last Edit: April 08, 2012, 05:45:06 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline jibbyreznor

  • Newbie
  • *
  • Posts: 19
Re: Horrible Win32: Downloader NUA Trojan. Please Help!
« Reply #12 on: April 08, 2012, 06:18:02 PM »
OK, attached is the TDSS Killer log. Just to add, after I ran this my CD drive has now disappeared! Said something about lower registries moved. Any ideas how I can get it back?

Thanks again

Jamie

Offline jibbyreznor

  • Newbie
  • *
  • Posts: 19
Re: Horrible Win32: Downloader NUA Trojan. Please Help!
« Reply #13 on: April 08, 2012, 07:04:06 PM »
Here's my latest Malwarebytes log. Hope you guys now have all the info you need.

Jamie

Offline pennylane909

  • Jr. Member
  • **
  • Posts: 23
Re: Horrible Win32: Downloader NUA Trojan. Please Help!
« Reply #14 on: April 08, 2012, 07:24:23 PM »
Hi

I have the exact same trojan and have no idea how to get rid of it :( It seems to be moving around my computer, avast is picking it up but can't pin it down

Apart from formatting I have no clue how to get rid of this thing, it has already destroyed some files and programs

Please help!