Hello all. I am a newbie who needs help. My have an ACER 4420-5963 running XP sp3. Yesterday my wife opened IE (default page is www.titantv.com) and was hit with a virus. AVAST said it was N.EXN and Win32-Rootkit-gen. After spending all day yesterday on your sight I was successful in removing (I thought) everything. Last night I had no problems surfing the net. This morning I opened IE (default page is www.titantv.com). When I went to change the schedule time on the titantv sight the AVAST alarm went off with N.EXN again. I immediately took precautions following the 8 steps again. I have the laptop running again. However before opening IE again I'd like someone to look at the logs and tell me if there are pieces of N.EXN left on the system. I did some research this morning and found the N.EXN can use IE vulnerabilities to launch. Or is there something going on between titantv.com and my PC that is getting compromised. Anyway I appreciate a sight like this being willing to help. Thanks

There are two mbam logs. The first one (11-34-32) I ran in safe mode and the other in normal mode.

Attached Files

	hijackthis.log (10.2 KB, 3 views)
	mbam-log-2009-11-29 (11-34-23).txt (1.9 KB, 1 views)
	mbam-log-2009-11-29 (11-34-51).txt (2.1 KB, 2 views)
	SUPERAntiSpyware Scan Log - 11-29-2009 - 11-59-15.log (2.1 KB, 2 views)

With the PC on the N.EXN executed again. AVAST notified me and I unplugged the ethernet cable. I was able to trace the N.EXN to windows/prefech. The file is N.EXN-178DFB6C.pf

Any ideas what's going on?

Welcome to TechSpot, jdarwin. I'll help with the malware.

FYI, if you have to run Malawarebytes or Superantispyware in the future, each has a line you should check for removal of the items found. I see you went back into Mbam- did you also remove in SAS? If not, update.scan, check the line for removal.

If you did/do have "N.EXN" it's a Banking Info Stealer. You should change all of your passwords right away and monitor any online financial transactions.

I am concerned though as to how it got in the prefetch folder if Avast found and quarantined it. When Windows starts up, certain processes and programs must load. The files needed to start these are stored in the Prefetch folder. Windows automatically looks there for those files. But it is safe to delete the prefetch files as follows:

Right click on Start> Explore> Windows> Click on the Prefetch folder on the left> files will be listed on the right> Click on Edit> Select All> Click on File> Delete.....Delete them all- don't look for that one file.

Now, about the malware, you still have the original Vundo malware. Please do the following:

Please download VundoFix.exe HERE and save to your desktop:

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the ‘Fix Vundo’ button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.

Please attach the C:\vundofix.txt in next reply

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Rescan with HiJackThis and paste the new log in the next reply..

I'll check the logs and determine the next step.

Hi Bobbye, Thanks for taking on my problem. Yes I use this laptop for all my online banking... so my next step is to change all my passwords.

I DL'd vundofix and ran it. Vundofix said it could not find any files. I tried to attach the log... but the log is empty. My guess is because it is an empty txt file techspot.com won't UL it. I keep getting an error msg. when I try to UL it.

I cut and pasted the the highjackthis results from the rescan. However techspot won't accept the post telling me I've used too many characters (I'm limited to 10k characters - the HJT log is 10373 characters). I've attached the highjackthis log.


Please let me know what I need to do next. Thank you again for all your help. I find it hard to believe there is such a website as this to help the unknowing. You guys are GREAT!

Attached Files

hijackthis.log (10.1 KB, 1 views)

Sorryt you had so much problem with the log!

There are a couple of entries I'll have you remove, but there is still a Vundo process to dig out:

Please download ComboFix HERE:

• With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  
• Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  
• Run Combo-Fix.exe and follow the prompts.
  (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
• Wait for the scan to be completed.
• If it requires a reboot, please do it.

• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

• 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Attach both the Combofix report and Eset log. Hopefully they will reach those processes. Remember, I haven't seen N.EXN, so we'll see if it shows up in the online scan.

Don't worry- I'll have you remove all of the cleaning tools when we're finished and set new clean restore point!

Buddye, I've attached the two files you requested. I must apologize for screwing up the eset log. I forgot to uncheck the remove button before scanning. I hope it still gives you what you want. I'll check back tomorrow pm to see if there is anything else I need to do. Again thanks for all the help.

Attached Files

	log.txt (1.9 KB, 1 views)
	ComboFix.txt (15.3 KB, 2 views)

Please download OTMovit by Old Timer and save to your desktop.

• Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  Code:

  :Processes	
  
  :Services
  
  :Reg
  
  :Files  
  C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL
  C:\WINDOWS\system32\hereporu.dll
  
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
-------------------------

Please reopen HijackThis to 'do system scan only.' Optional removals are in green. Check each of the following if present:

C:\DOCUME~1\WOODST~1\LOCALS~1\Temp\RtkBtMnt.exe
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL> Optional
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL> Optional

Close all Windows except HijackThis and click on "Fix Checked."

Optional Removal> Foistware. Regarding the ZoneAlarm Spyblock: The program has no visible window. It is able to monitor Internet browser. File spyblock.dll is not a Windows system file. spyblock.dll is able to record inputs. Therefore the technical security rating is 55% dangerous.

The ZoneAlarm Spyblocker Spyblock is prechecked on installation. This doen't not tell the user that the SskBar Toolbar and Search are included. The blocker itself "might" be useful, but we do not recommend using the Ask bat or search. So I am recommending that you uninstall this.
From Sunbelt:
Images from Sunbelt can be found here
:http://sunbeltblog.blogspot.com/2007...ccumbs-to.html

If you did decide to remove the spyblocker:

Boot into Safe Mode

• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Go to Start> Settings> Control Panel> Add/remove Programs> Uninstall the following:
ZoneAlarmSB

Right click on Start> Explore> My Computer> Local drive (C)> Programs> look for and right click on the ZoneAlarmSB folder> Delete.

If you do not see this listed separately in Windows explorer> click on the ZoneAlarm Folder and expand> find ZoneAlarmSB> right click> Delete.

I'd like to bring you attention to this process which is running. It is a legitimate entry. Because it involves rmote access, if you're not using it, it should be disabled:
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

LogMeIn Free gives you remote control of your PC or Mac from any other computer with an Internet connection.

Rescan with HijackThis and include new log

Bobbye, I performed all the tasks you requested. I HJT and removed the following;

C:\DOCUME~1\WOODST~1\LOCALS~1\Temp\RtkBtMnt.exe THIS DID NOT SHOW UP

O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL> Optional REMOVED

O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL> Optional REMOVED

I removed SPYBLOCK using revo uninstaller. The windows add/remove pgm could not find the pgm.

The remote access pgm is called TEAMVIEWER. We use it at work to allow me to access my office PC from home.

Below is the OTMoveit log.

Let me know what I need to do next... Thanks

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL not found.
File/Folder C:\WINDOWS\system32\hereporu.dll not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 65716 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Woodstock
->Temp folder emptied: 1147833 bytes
->Temporary Internet Files folder emptied: 298103 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 100817079 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 33024 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 100.01 mb


OTM by OldTimer - Version 3.1.2.0 log created on 12012009_185817

Files moved on Reboot...
C:\Documents and Settings\Woodstock\Local Settings\Temp\~DFB276.tmp moved successfully.
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_1a4.dat not found!
File C:\WINDOWS\temp\ZLT0234a.TMP not found!

Registry entries deleted on Reboot...

Likely removed when you ran OTMoveIt as it emptied the temp files.

Please do the following in the order I have set up:

1. Delete the current Eset log
2. Uninstall ComboFix.exe And all Backups of the files it deleted

• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  

3. Open Avast. Delete the files in quarantine. Run full system scan with Avast and save new log. Attach to new reply.

Empty the Recycle Bin

4. Rescan with updated Eset and include new log.

5. Rescan with HijackThis and give me new log- you forgot this one

Report any problems you are not having regarding original problem. If all are clear, I'll have you clean up and finish.

Bobbye,

Attached are three files. The HJT log, the Eset log and a log of the AVAST chest files found on a rescan.

When I tried to uninstall combofix AVAST alerted me to Win32elf-MZG and Win32:zbot-MKK

AVAST did a rescan and found 51 instances of these viruses. So I thought I should send you a log of the virus chest.

After AVAST did it's scan I ran the Eset scan and HJT. The logs are posted. Let me know what's up. I wasn't expecting to get hit with 51 instances of these viruses.

Thanks for the continued support.

Attached Files

	hijackthis.log (10.0 KB, 1 views)
	log.txt (793 Bytes, 1 views)
	AVASTchestFILES.txt (9.0 KB, 1 views)

From Avast:

From Avast:

http://forum.avast.com/index.php?topic=51647

You are going to need to spend some time on the Avast forum and support. None of the entries I checked from the Avast log were malware. False Postive information and link above.

Also on Avast:
What a crazy way to run an antivirus program! I couldn't ind anything on "Category 1"

Since Eset came up clean- it would show 'quarantine' items, I think this log is not a log of malware entries. Consider changing your AV program that more clearly present infections and quarantines instead of a 'storage bin' like Avast!

Combofix has caution about this site:
inetnum: 77.74.48.96 - 77.74.48.127
netname: NL-SOFTSOL
descr: Soft Solutions Inc.
country: NL

Is this familiar to you? Please check the following Service and make sure Startup Type is set to Manual, not Automatic:
Start> Run> type in services,msc> double click on Background Intelligent Transfer Service (BITS) and set to Manual.

Bobbye,

AVAST apparently updated to VPS - 091203-1 and no longer sees these two viruses.

If you don't think AVAST is engineered that well, do you have an alternate suggestion? I'm running the freeware versions of AVAST and ZoneAlarm.

I set the Background Intelligent Transfer Service (BITS) to Manual as suggested.

I've never heard of NL-SOFTSOL. To my knowledge I don't use it. How do I prevent it access my laptop? Please advise.

BTW The laptop is running better than it ever has, thanks to you.

The comment I made about Avast was more personal opinion. I did not know and was surprised to read that Avast sometimes uses it's program for "storage". In my opinion, the only entries seen in the AV log should be for malware- not stored files. Then if there is any question about a False Positive, you don't have to sort through malware vs stored to investigate.

We recommend both Avast and Avira. But having to deal with logs from both, I find the Avira log mire compact, easier to interpret and understand. In case you want to check it out:

Avira Free

For the NLSoftsol IP: 77.74.48.96 - 77.74.48.127
Open ZoneAlarm> sites to block> enter 77.74.48.96 - 77.74.48.127

I cane easily find Softsol on the internet- this one is in the Netherlands. I couldn't find any 'good or bad' but if there is any doubt, I suggest you block it in the firewall. If you have any connection problem that might involve this site in the future, you can unblock it.

Now that the Avast False Positives have been resolved, are you having any remaining problem?

I am running ZoneAlarm 8.0.298.000 It is the free version. I cannot find a location in ZA to block sites. Maybe I'm not looking in the right places?

The laptop is running great. No problems This is a great website and I really appreciate you volunteering your time to help.

I did read the instructions in ZA. The only options I have in the drop down is "TRUSTED" and "INTERNET". There is no "BLOCK" option. Do I need to reinstall ZA? Any suggestions?

Hi guys.

I have also followed the 8 step removal, but am still getting the same problems. I apologise in advance if I may be a slow understanding things but I will try my hardest. Any help would be greatly appreciated.

I attach my logs.

Phill

Attached Files

	virus report.txt (173 Bytes, 1 views)
	SUPERAntiSpyware Scan Log - 12-05-2009 - 12-52-56.log (9.9 KB, 1 views)
	mbam-log-2009-12-05 (11-43-37).txt (1.1 KB, 1 views)
	hijackthis.log (8.6 KB, 1 views)

jdarwin, you can block it through your browser:

Internet Explorer:
Click on either Tools or Control Panel to choose Internet Options> then choose Security tab> Restricted Zone> Sites> type in *.77.74.48.96 > Add> Apply> OK.

Note: The * followed by the dot acts as a wild card in case another IP in their range is used, so be sure to type as I've shown.
you should also be seeing Trusted sites and restricted sites.

Let me know how that goes.
--------------------------------------------------------------

Phil, you did a good job with the logs, but it is in your best interest to start a separate thread for you problem. Each thread is specific for the person who starts it and any information given is for that system only. It can be very confusing to try and handle more than one set of directions within the same thread.

Please title you thread Win32Heur/AVG.

But there are 4 things you can do:

1. Delete the quarantined file in AVG

2. Delete the temp files:
TFC (Temp File Cleaner)

Download TFC to your desktop

• Open the file and close any other windows.
• It will close all programs itself when run, make sure to let it run uninterrupted.
• Click the Start button to begin the process. The program should not take long to finish its job
• Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

3. Update AVG to v9 if you plan to continue using it. After the update, please do a full system scan. Save the log and attach that new log to your new thread.

4. Get control over the Tracking Cookies:
Reset Cookies
For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

Empty the Recycle Bin

The redirecting by malware is a frequent problem but the causes are not the same. Describe what types of sites you are being redirected to.

I'll know better where to go next after I see the new AV log.

Please add this to your thread: "Starting new thread per Bobbye after update and clean temps."

It becomes too confusing to anyone who may view the thread later to see different sets of instructions.
------------------------------------------------------------------------

Bobbye, Everything is fine now. Do I need to uninstall all the AV and scanning SW you had me DL? Let me know. Otherwise I think we're done. Thanks

jdarwin, you can remove the cleaning tools and old restore points:

Remove all of the tools we used and the files and folders they created

• DownloadOTCleanIt by OldTimer
• Save it to your Desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.

The tool will delete itself once it finishes.

If you are prompted to Reboot during the cleanup, select Yes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:

• Go to Start > All Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
• Click "OK" to select the partition or drive you desire.
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

More details and screenshots for Disk Cleanup in Windows Vista can be found here.
Let me know if I can be of help in the future.