Weird trojan after reinstalling XP

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Bullshot

Thread Starter
Joined
May 29, 2004
Messages
7
Hi,

Over the last few months my computer has developed the annoying habit of restarting itself before Windows manages to load. What happens is that during the loading screen (or sometimes during the BIOS), the machine makes a flicking noise like it's being turned off, and the monitor puts itself into standby mode. The PC is still on, and occasionally tries to access the CD or floppy drive, but other than that it seems completely hung, meaning I have to press the restart button and try again.
It was just a nuisance at first, but it's been getting progressively worse over the last few weeks, to the point where yesterday it restarted so many times during startup that my Windows installation became corrupted, and I was forced to reformat and reinstall.

Something odd seems to be going on, though, because since I reinstalled Windows, I seem to have somehow picked up a virus or something, and it's a tough little bugger. I first noticed I was getting disconnected a lot from the Internet, and whenever I tried to reconnect I would be bombarded with connections boxes wanting me to connect so some obscure service I had never heard of...
I also noticed that I was getting redirected to porn sites at random, so I installed and updated Norton, and ran a full scan. It turned up about five viruses, four of which were put in quarantine, but one of which (W32.Randex.gen) Norton was unable to deal with. I restarted in Safe Mode and scanned again, and this time Norton was able to quarantine it. I also went into the registry and deleted the values that related to the virus (wuam.exe and wuamgrd.exe), but the damn thing is still there in some form. Norton isn't picking it up any more, but the registry entries are still running, and I still keep getting asked to connect to dodgy-sounding services. I've run Ad-Aware and Spybot: Search and Destroy, and they both picked up and removed a few entries, but the problem is still there.

Any ideas? I'd really appreciate any information on how to get rid of this, as it's really bugging me. What's really weird is that before I reinstalled Windows, I didn't have any viruses (as far as I knew), and yet I seem to have picked up a really nasty one within an hour of reformatting. I don't know whether the restarting during startup thing is due to the virus, or whether it's a separate problem, but I'd also appreciate any information on dealing with that, as it's still happening and I really don't want to have to reformat yet again. Here's my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 12:21:35, on 16/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wupdt32x.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\Documents and Settings\Ben\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hattrick.co.uk/tickets/index_tickets.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] wupdt32x.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] wupdt32x.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] wupdt32x.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Corel Network monitor worker (HKLM)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker (HKLM)
O9 - Extra button: Corel Network monitor worker (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{0010D5E7-4CED-4F6E-9879-4E921354B9C8}: NameServer = 194.74.65.69 194.72.9.34
O17 - HKLM\System\CS1\Services\Tcpip\..\{0010D5E7-4CED-4F6E-9879-4E921354B9C8}: NameServer = 194.74.65.69 194.72.9.34



Thanks, :)

Ben
 
Joined
Dec 23, 2003
Messages
262
Hi, fix these -

O4 - HKLM\..\Run: [Microsoft Update Machine] wupdt32x.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] wupdt32x.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] wupdt32x.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe


Then boot to safe mode and delete these -

C:\WINDOWS\System32\wupdt32x.exe
C:\WINDOWS\System32\wuamgrd.exe


Then get the latest version of HijackThis (v1.98.2) from here -

http://www.aumha.org/downloads/hijackthis.exe

Run the new version and post a new log in this thread.

Also, have you updated Windows XP with critical updates since you re-installed it? It looks like you don't have the SP1 update so you should get that at least, plus all other critical updates from here, with the exception of SP2 -

http://windowsupdate.microsoft.com/

I'd suggest holding off from installing SP2 until your pc has been cleaned up and all malware removed, as I believe that installing SP2 on an infected machine can be problematic.
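As an added example (not code from this thread, from HijackThis or from any of the posters), the script below applies the reasoning behind the advice above to O4 lines in a HijackThis log: an autorun entry whose command is a bare filename cannot be tied to a specific file on disk, a value name that imitates Windows Update while launching something other than the real update client is a mismatch, the same binary registered under HKLM Run, HKLM RunServices and HKCU Run at once is the redundancy pattern seen in the log above, and a flagged binary that also appears under "Running processes" is one that has to be stopped (or handled from Safe Mode) before its file can be deleted. The sample log is constructed from the entries quoted in the thread, and the allowlist of genuine update clients (`wuauclt.exe`) is an assumption made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis log format, modelled on the entries quoted
# in this thread (a subset of the log, not the full log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\wupdt32x.exe
C:\WINDOWS\System32\wuamgrd.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [Microsoft Update Machine] wupdt32x.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] wupdt32x.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] wupdt32x.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
"""

# O4 line shape: O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r'^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')

# Assumption for this example: the only binary a genuine XP "update" autorun
# entry would launch is the Automatic Updates client.
UPDATE_CLIENTS = {"wuauclt.exe"}


def executable_of(command):
    """Return (path as written, lowercase basename) of what an O4 command launches."""
    command = command.strip()
    if command.startswith('"'):
        target = command[1:command.index('"', 1)]
    else:
        target = command.split()[0]
    # rundll32 entries really run the DLL named in the first argument.
    if target.lower().endswith("rundll32.exe"):
        rest = command[len(target):].strip().split()
        if rest:
            target = rest[0].split(",")[0].strip('"')
    return target, target.rsplit("\\", 1)[-1].lower()


def parse_log(text):
    """Split a log into (running process paths, list of (hive, key, name, command))."""
    processes, entries, in_processes = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            if not line:
                in_processes = False      # blank line ends the process list
            else:
                processes.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(m.groups())
    return processes, entries


def _note(reasons, msg):
    if msg not in reasons:
        reasons.append(msg)


def analyze(text):
    """Map each autorun basename to {'reasons': [...], 'running': bool}."""
    processes, entries = parse_log(text)
    running = {p.rsplit("\\", 1)[-1].lower() for p in processes}
    locations, reasons = defaultdict(set), defaultdict(list)
    for hive, key, name, command in entries:
        path, base = executable_of(command)
        locations[base].add(hive + "\\" + key)
        if "\\" not in path:
            _note(reasons[base], "unqualified path: cannot tell which file on disk runs")
        lname = name.lower()
        if ("microsoft update" in lname or "windows update" in lname) and base not in UPDATE_CLIENTS:
            _note(reasons[base], "value name '%s' imitates Windows Update but launches %s" % (name, base))
    for base, locs in locations.items():
        if len(locs) >= 2:
            _note(reasons[base], "registered in several autorun keys: " + ", ".join(sorted(locs)))
    return {base: {"reasons": r, "running": base in running} for base, r in reasons.items()}


def suspects(findings, min_reasons=2):
    """Basenames with at least min_reasons independent signals, sorted."""
    return sorted(b for b, f in findings.items() if len(f["reasons"]) >= min_reasons)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for base in suspects(report):
        state = "RUNNING, stop it or use Safe Mode before deleting" if report[base]["running"] else "not running"
        print("%s (%s)" % (base, state))
        for reason in report[base]["reasons"]:
            print("    - " + reason)
```

A single signal (for example the bare `GSICON.EXE` path, which belongs to the DSL modem's tray icon) only puts an entry on the review list; it takes two independent signals before the script calls something a suspect, which is what keeps legitimate drivers and tray utilities from being flagged alongside the two `wu*` binaries.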
 
Joined
Aug 1, 2003
Messages
51,988
If your machine restarts sometimes while still in the BIOS POST, there is more going on than a virus. Nothing on your machine could be affecting things at that point, except a boot-sector virus very late in the POST process. That part may be hardware related, so concentrate on getting rid of any viruses and deal with the other problem later if it doesn't get solved in the process.

During a reinstallation, you should disconnect your internet connection if broadband because there are many times during the process where you are unprotected by anything during reboots, etc. Before firewalls and AV have been installed, there are open windows of opportunity through the internet connection.

Have you attempted the manual removal procedure?

http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.gen.html
http://vil.nai.com/vil/content/v_100401.htm
 

Bullshot

Thread Starter
Joined
May 29, 2004
Messages
7
Thanks for your reply.

OK - done what you suggested. Installed new version of HijackThis, fixed the processes you mentioned and then went into Safe Mode and deleted the registry entries you listed. Also installed SP1, but it seems this thing just won't die. Here's my new log:

Logfile of HijackThis v1.98.2
Scan saved at 14:17:45, on 16/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\msiexec.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\WINDOWS\System32\wupdt32x.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\Ben\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hattrick.co.uk/tickets/index_tickets.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] wupdt32x.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] wupdt32x.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] wupdt32x.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Corel Network monitor worker - {3A10888E-F933-4FD6-92DE-2C12341D4AA5} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {3A10888E-F933-4FD6-92DE-2C12341D4AA5} - (no file)
O9 - Extra button: Corel Network monitor worker - {3A10888E-F933-4FD6-92DE-2C12341D4AA5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {3A10888E-F933-4FD6-92DE-2C12341D4AA5} - (no file) (HKCU)
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\Resources\IntraLaunch.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{0010D5E7-4CED-4F6E-9879-4E921354B9C8}: NameServer = 194.74.65.69 194.72.9.34
O17 - HKLM\System\CS1\Services\Tcpip\..\{0010D5E7-4CED-4F6E-9879-4E921354B9C8}: NameServer = 194.74.65.69 194.72.9.34


Any ideas? :( I fix the wuamgrd.exe and wupdt32x.exe entries, but they just keep coming back, and I keep being asked to dial up to a dodgy server when I disconnect from the internet...
 
Joined
Dec 23, 2003
Messages
262
Hi Elvandil, thanks for the information re: W32/RBot-A. Reading the Sophos information, it looks like W32/RBot-A is called W32.Randex.gen by Symantec, and I notice that Bullshot mentioned in his first post that his NAV had detected W32.Randex.gen but possibly not cleaned it out successfully.

Reading the Symantec information on W32.Randex.gen, as here -

http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.gen.html

- it advises that any files detected as W32.Randex.gen should be submitted to Symantec for further analysis, using the NAV 'Scan and Deliver' function -

http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031615501306?OpenDocument&src=sec_doc_nam

The Symantec information states that "W32.Randex.gen is a generic detection for the W32.Randex family of worms" which leads me to think that perhaps there's a high rate of new variants appearing, hence the request to submit files for analysis.

My inclination would be to submit both those suspect files "wupdt32x.exe" and "wuamgrd.exe" to Symantec even if they're not being detected currently as W32.Randex.gen.

Also I'd suggest installing a software firewall, e.g. Zone Alarm free version, and looking for any suspicious processes trying to connect to the net, particularly anything that looks like "wupdt32x.exe" and "wuamgrd.exe". At least that might prevent the backdoor components from working until the infection can finally be cleaned out.

http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp
 

Bullshot

Thread Starter
Joined
May 29, 2004
Messages
7
Thanks guys! I finally managed to get rid of it using Anti-Spy. So far, so good. :) (y)

I tried submitting the file to Symantec, but it said it was rejected because they already know about it. Should I submit it anyway?

Thanks for all your help.

PS My machine is still restarting itself before Windows loads up. I'm guessing it's a separate problem (probably a hardware issue) and as such deserves its own thread, but if anyone has any idea what the problem could be, I'd appreciate it, because the idea of reinstalling Windows yet again does NOT appeal to me. Thanks :)
 