
Weird trojan after reinstalling XP

Discussion in 'Virus & Other Malware Removal' started by Bullshot, Sep 16, 2004.

  1. Bullshot

    Bullshot Thread Starter

    Joined:
    May 29, 2004
    Messages:
    7
    Hi,

    Over the last few months my computer has developed the annoying habit of restarting itself before Windows manages to load. What happens is that during the loading screen (or sometimes during the BIOS), the machine makes a flicking noise like it's being turned off, and the monitor puts itself into standby mode. The PC is still on, and occasionally tries to access the CD or floppy drive, but other than that it seems completely hung, meaning I have to press the restart button and try again.
    It was just a nuisance at first, but it's been getting progressively worse over the last few weeks, to the point where yesterday it restarted so many times during startup that my Windows installation became corrupted, and I was forced to reformat and reinstall.

    Something odd seems to be going on, though, because since I reinstalled Windows, I seem to have somehow picked up a virus or something, and it's a tough little bugger. I first noticed I was getting disconnected a lot from the Internet, and whenever I tried to reconnect I would be bombarded with connection boxes wanting me to connect to some obscure service I had never heard of...
    I also noticed that I was getting redirected to porn sites at random, so I installed and updated Norton, and ran a full scan. It turned up about five viruses, four of which were put in quarantine, but one of which (W32.Randex.gen) Norton was unable to deal with. I restarted in Safe Mode and scanned again, and this time Norton was able to quarantine it. I also went into the registry and deleted the values that related to the virus (wuam.exe and wuamgrd.exe), but the damn thing is still there in some form. Norton isn't picking it up any more, but the registry entries are still running, and I still keep getting asked to connect to dodgy-sounding services. I've run Ad-Aware and Spybot: Search and Destroy, and they both picked up and removed a few entries, but the problem is still there.

    Any ideas? I'd really appreciate any information on how to get rid of this, as it's really bugging me. What's really weird is that before I reinstalled Windows, I didn't have any viruses (as far as I knew), and yet I seem to have picked up a really nasty one within an hour of reformatting. I don't know whether the restarting during startup thing is due to the virus, or whether it's a separate problem, but I'd also appreciate any information on dealing with that, as it's still happening and I really don't want to have to reformat yet again. Here's my HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:21:35, on 16/09/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\GSICON.EXE
    C:\WINDOWS\System32\dslagent.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\wupdt32x.exe
    C:\WINDOWS\System32\wuamgrd.exe
    C:\Documents and Settings\Ben\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hattrick.co.uk/tickets/index_tickets.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [RemHelp] remhelp.exe
    O4 - HKLM\..\Run: [Microsoft Update Machine] wupdt32x.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] wupdt32x.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
    O4 - HKCU\..\Run: [Microsoft Update Machine] wupdt32x.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
    O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Corel Network monitor worker (HKLM)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker (HKLM)
    O9 - Extra button: Corel Network monitor worker (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker (HKCU)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0010D5E7-4CED-4F6E-9879-4E921354B9C8}: NameServer = 194.74.65.69 194.72.9.34
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0010D5E7-4CED-4F6E-9879-4E921354B9C8}: NameServer = 194.74.65.69 194.72.9.34



    Thanks, :)

    Ben
     
  2. KrashedKris

    KrashedKris

    Joined:
    Dec 23, 2003
    Messages:
    262
    Hi, fix these -

    O4 - HKLM\..\Run: [Microsoft Update Machine] wupdt32x.exe
    O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] wupdt32x.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
    O4 - HKCU\..\Run: [Microsoft Update Machine] wupdt32x.exe
    O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe


    Then boot to safe mode and delete these -

    C:\WINDOWS\System32\wupdt32x.exe
    C:\WINDOWS\System32\wuamgrd.exe


    Then get the latest version of HijackThis (v1.98.2) from here -

    http://www.aumha.org/downloads/hijackthis.exe

    Run the new version and post a new log in this thread.

    Also, have you updated Windows XP with critical updates since you re-installed it? It looks like you don't have the SP1 update so you should get that at least, plus all other critical updates from here, with the exception of SP2 -

    http://windowsupdate.microsoft.com/

    I'd suggest holding off from installing SP2 until your pc has been cleaned up and all malware removed, as I believe that installing SP2 on an infected machine can be problematic.
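The six O4 entries picked out above share a pattern that can be checked mechanically: a bare executable name (no path, so it resolves from System32) registered under several autostart locations at once, with a value name that imitates Windows Update. The script below is an added example, not part of this thread or of HijackThis; it parses the O4 lines from the first log posted here (embedded as constructed sample input) and applies that heuristic. The threshold of two distinct locations is an assumption chosen for this log.

```python
import re
from collections import defaultdict

# Constructed sample: the O4 lines from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] wupdt32x.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] wupdt32x.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] wupdt32x.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")

def parse_o4(log_text):
    """Yield (hive, key, value_name, executable) for every O4 line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        # Quoted path first, otherwise the first whitespace-separated token.
        exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
        yield hive, key, name, exe

def is_bare(exe):
    """True when the command names a file with no drive or directory."""
    return "\\" not in exe and ":" not in exe

def triage_o4(log_text, min_locations=2):
    """Return {executable: sorted (hive, key) locations} for bare-name
    executables registered in at least min_locations autostart places."""
    locations = defaultdict(set)
    for hive, key, _name, exe in parse_o4(log_text):
        locations[exe.lower()].add((hive, key))
    return {exe: sorted(locs) for exe, locs in locations.items()
            if is_bare(exe) and len(locs) >= min_locations}

if __name__ == "__main__":
    for exe, locs in triage_o4(SAMPLE_LOG).items():
        print(exe, "->", ", ".join(f"{h}\\{k}" for h, k in locs))
```

Legitimate bare-name entries such as nwiz.exe appear in a single location and are not flagged; the two worm entries each appear in HKLM Run, HKLM RunServices and HKCU Run.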
     
  3. Elvandil

    Elvandil

    Joined:
    Aug 1, 2003
    Messages:
    51,988
    If your machine restarts sometimes while still in the BIOS POST, there is more going on than a virus. Nothing on your machine could be affecting things at that point, except a boot-sector virus very late in the POST process. That part may be hardware related, so concentrate on getting rid of any viruses and deal with the other problem later if it doesn't get solved in the process.

    During a reinstallation, you should disconnect your internet connection if broadband because there are many times during the process where you are unprotected by anything during reboots, etc. Before firewalls and AV have been installed, there are open windows of opportunity through the internet connection.

    Have you attempted the manual removal procedure?

    http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.gen.html
    http://vil.nai.com/vil/content/v_100401.htm
     
  4. Bullshot

    Bullshot Thread Starter

    Joined:
    May 29, 2004
    Messages:
    7
    Thanks for your reply.

    OK - done what you suggested. Installed the new version of HijackThis, fixed the processes you mentioned and then went into Safe Mode and deleted the registry entries you listed. Also installed SP1, but it seems this thing just won't die. Here's my new log:

    Logfile of HijackThis v1.98.2
    Scan saved at 14:17:45, on 16/09/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\GSICON.EXE
    C:\WINDOWS\System32\dslagent.exe
    C:\WINDOWS\System32\wuamgrd.exe
    C:\WINDOWS\System32\wupdt32x.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Documents and Settings\Ben\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hattrick.co.uk/tickets/index_tickets.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [RemHelp] remhelp.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
    O4 - HKLM\..\Run: [Microsoft Update Machine] wupdt32x.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] wupdt32x.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
    O4 - HKCU\..\Run: [Microsoft Update Machine] wupdt32x.exe
    O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Corel Network monitor worker - {3A10888E-F933-4FD6-92DE-2C12341D4AA5} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {3A10888E-F933-4FD6-92DE-2C12341D4AA5} - (no file)
    O9 - Extra button: Corel Network monitor worker - {3A10888E-F933-4FD6-92DE-2C12341D4AA5} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {3A10888E-F933-4FD6-92DE-2C12341D4AA5} - (no file) (HKCU)
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\Resources\IntraLaunch.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0010D5E7-4CED-4F6E-9879-4E921354B9C8}: NameServer = 194.74.65.69 194.72.9.34
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0010D5E7-4CED-4F6E-9879-4E921354B9C8}: NameServer = 194.74.65.69 194.72.9.34


    Any ideas? :( I fix the wuamgrd.exe and wupdt32x.exe entries, but they just keep coming back, and I keep being asked to dial up to a dodgy server when I disconnect from the internet...
     
  5. KrashedKris

    KrashedKris

    Joined:
    Dec 23, 2003
    Messages:
    262
  6. Elvandil

    Elvandil

    Joined:
    Aug 1, 2003
    Messages:
    51,988
  7. KrashedKris

    KrashedKris

    Joined:
    Dec 23, 2003
    Messages:
    262
    Hi Elvandil, thanks for the information re: W32/RBot-A. Reading the Sophos information looks like W32/RBot-A is called W32.Randex.gen by Symantec, and I notice that Bullshot mentioned in his first post that his NAV had detected W32.Randex.gen but possibly not cleaned it out successfully.

    Reading the Symantec information on W32.Randex.gen, as here -

    http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.gen.html

    - it advises that any files detected as W32.Randex.gen should be submitted to Symantec for further analysis, using the NAV 'Scan and Deliver' function -

    http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031615501306?OpenDocument&src=sec_doc_nam

    The Symantec information states that "W32.Randex.gen is a generic detection for the W32.Randex family of worms" which leads me to think that perhaps there's a high rate of new variants appearing, hence the request to submit files for analysis.

    My inclination would be to submit both those suspect files "wupdt32x.exe" and "wuamgrd.exe" to Symantec even if they're not being detected currently as W32.Randex.gen.

    Also I'd suggest installing a software firewall. e.g. Zone Alarm free version, and looking for any suspicious processes trying to connect to the net, particularly anything that looks like "wupdt32x.exe" and "wuamgrd.exe." At least that might prevent the backdoor components from working until the infection can finally be cleaned out.

    http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp
     
  8. Bullshot

    Bullshot Thread Starter

    Joined:
    May 29, 2004
    Messages:
    7
    Thanks guys! I finally managed to get rid of it using Anti-Spy. So far, so good. :) (y)

    I tried submitting the file to Symantec, but it said it was rejected because they already know about it. Should I submit it anyway?

    Thanks for all your help.

    PS My machine is still restarting itself before Windows loads up. I'm guessing it's a separate problem (probably a hardware issue) and as such deserves its own thread, but if anyone has any idea what the problem could be, I'd appreciate it, because the idea of reinstalling Windows yet again does NOT appeal to me. Thanks :)
     
Short URL to this thread: https://techguy.org/274595
