
MS Antivirus 2009, which turned into another one, and now it's that nfr.dll error, and Malwarebytes and SuperAntiSpy got their butts kicked


This topic is locked. 25 replies to this topic

#1 thefactualopinion
  • Members
  • 20 posts

Posted 06 March 2009 - 12:53 PM

Hi, this is my first time actually needing to go beyond just reading the site and following along--this is my third virus problem in a few years, the first two were resolved easily with Malwarebyte's Anti-Malware. The computer is a Dell Laptop, it's a few years old. (Hey, no jokes! My mom gave it to me, and she's a sweet lady!)

I'm going to be as detailed as I can, although I'm sure there's information I'm leaving out since I've been working steadily on this since last night.

I had the MS Antivirus 2009 program show up on my computer--the virus that puts up fake, intimidating scans, wants me to sign up for their protection and then goes on to mess up my browser. (I use Mozilla Firefox.) It also opens pop-up ads in Internet Explorer.

I ran Malwarebyte's Anti-Malware, and it got rid of the MS Antivirus 2009 problem, but the Mozilla hijack continued. After looking around on Bleeping Computer a bit, I tried another program--SuperAntiSpy--and that got rid of a bunch of infections as well. That's when another version of the fake scan thing started showing up, something called Spyware 2009 Windows. SuperAntiSpy got rid of that as well. I tried to do a system restore to a point when I knew the computer was clear--didn't work.

THE CURRENT PROBLEM:
When the computer opens up, the following window appears:

RUNDLL
"Error loading nfr.dll
The specified module could not be found."

Also, when I try to go to some websites on Mozilla Firefox, it claims I'm running through a "proxy server"--websites that have decent levels of security won't let me view the page.

Right now, I'm running the program Kaspersky Anti-Virus 2009, which has found quite a bit of stuff already. (I'm doing a full scan that's been running for almost two hours now.)

I had been looking at a page on this site that referred to something similar:
http://www.bleepingcomputer.com/forums/t/206164/error-loading-nfrdll/

And that's why I was running Kaspersky Anti-Virus 2009--it seemed to handle the stuff that the previous programs hadn't.

Anyways, any help would be appreciated!


#2 thefactualopinion
  • Topic Starter
  • Members
  • 20 posts

Posted 06 March 2009 - 03:49 PM

Little update: Kaspersky didn't fix this, and now there is a second error warning that shows up, reads like this:

Error Loading
c:\windows\ywequ.dll


Upon restart, this dialog box opens, and a couple of seconds later, the one mentioned above shows up as well. Now I'm running out of programs and remedies, and I'm at a loss.

#3 Guest_tylerisdabest_*
  • Guests

Posted 06 March 2009 - 03:54 PM

Are there any other fakers running? Which ones?

#4 thefactualopinion
  • Topic Starter
  • Members
  • 20 posts

Posted 06 March 2009 - 03:57 PM

Are there any other fakers running? Which ones?


The fake spyware programs? They haven't run at all since I used that SuperAntiSpyware program. That seemed to kill them off; now it's just the internal browser hijack, the proxy server, and these DLL warnings at the beginning. General slowness too, but I guess that's to be expected.

#5 Guest_tylerisdabest_*
  • Guests

Posted 06 March 2009 - 05:16 PM

Try a fresh scan with those 2.

#6 DaChew
    Visiting Alien
  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 07 March 2009 - 11:20 AM

Update MBAM before scanning, do a full scan of all drives but CD/DVD ones, and post that log.
Chewy

No. Try not. Do... or do not. There is no try.

#7 thefactualopinion
  • Topic Starter
  • Members
  • 20 posts

Posted 07 March 2009 - 02:22 PM

Sorry not to respond earlier, the scan is taking longer than usual. It got a million times better--and this morning it got a million times worse. Real trickster, this one.

#8 thefactualopinion
  • Topic Starter
  • Members
  • 20 posts

Posted 07 March 2009 - 03:17 PM

Here's the log file. I changed the part that said my full name to USER just 'cause, you know, it's the Internet. I wasn't sure whether to post the Scan log or the Repair Log--after I ran the scan and saved the log I used the Malware "Delete selected" option, restarted the computer when Malware told me to, and I booted up and didn't see the error messages or the Spyware Protect 2009 tray icon, or any of the Spyware Protect 2009 pop-up warning boxes. Came to the Bleeping Computer site and posted this.

Malwarebytes' Anti-Malware 1.34
Database version: 1825
Windows 5.1.2600 Service Pack 2

3/7/2009 3:07:17 PM
mbam-log-2009-03-07 (15-07-10).txt

Scan type: Full Scan (C:\|)
Objects scanned: 132588
Time elapsed: 1 hour(s), 27 minute(s), 57 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhc7qmj0e76r (Rogue.AntivirusXP2008) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqenokahubozerah (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dll schannel.dll digest.dll msnsspc.dll) Good: (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\USER\Local Settings\Temp\ie89.tmp (Trojan.DNSChanger) -> No action taken.
C:\WINDOWS\agosehih.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\USER\Local Settings\Temp\ie3.tmp (Trojan.Agent) -> No action taken.

#9 thefactualopinion
  • Topic Starter
  • Members
  • 20 posts

Posted 07 March 2009 - 04:25 PM

UPDATE!

On my wife's computer right now, as my browser is unable to access the bleepingcomputer forum, or the bleepingcomputer website. I'm also unable to open and start up Malware's scan anymore. Whatever this thing is, it's mean. For the hell of it, since I'm unable to do anything else, I'm running an AVG virus scan, since the computer seems to allow that. It's already got some infections on the results. Any advice would be much appreciated, I'm totally lost on this.

#10 thefactualopinion
  • Topic Starter
  • Members
  • 20 posts

Posted 07 March 2009 - 06:13 PM

I gave up on the AVG scanning, it was behaving really oddly, trying to shut down iTunes and stuff. I read on this site that I could rename the Malware start-up file as a workaround; that did the trick and it's running now. I have to go out for a bit but will post my logs when I return. This is hellish, I can't get any work done and keep having to kick my wife off her computer. Any help would be appreciated.

#11 DaChew
    Visiting Alien
  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 07 March 2009 - 06:30 PM

Let's not infect her computer; if you are using a USB drive, please immunize it and her computer.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

I would like you to start using this cleaner before running scans.

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

You can switch back to using quick scan with MBAM.

You need to stay off the internet with the infected computer, it's updating malware quicker than you can clean it.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Chewy

No. Try not. Do... or do not. There is no try.

#12 thefactualopinion
  • Topic Starter
  • Members
  • 20 posts

Posted 07 March 2009 - 11:40 PM

Hi there, I've followed all your instructions--I'm writing this from my wife's computer, mine is disconnected and currently running the Dr. Web Scanner. (I used your clean-up immunization method for the USB flash I've been transferring stuff with. Downloading onto the computer hasn't worked since this morning anyway.)

Not sure how long the Dr. Web Scanner will take on a Complete--the Express found nothing--but just an FYI that the computer seems to have deleted Malwarebytes following the last complete scan--I was transferring ATF Cleaner from the USB flash when I saw the Malwarebytes program icon disappear off the desktop. Before you gave me the instructions to run the Dr. Web thing, I had run another Malwarebytes complete scan, and I have the log for that if you'd like me to post it.

#13 thefactualopinion
  • Topic Starter
  • Members
  • 20 posts

Posted 08 March 2009 - 12:30 AM

Okay, just an FYI update: I have to go to bed, so I'm going to leave the Dr. Web Scanner running in Safe Mode. It's been at it for an hour now.

Here's some background on my system, in case it helps:

Windows XP, running on a Dell Laptop.
Only installed malware/spyware/clean-up programs right now are CCleaner, the ATF Cleaner, Dr. Web Anti-Virus, and the disappearing Malwarebytes program. I've tried SuperAntiSpy, the AVG overall suite and Kaspersky's antivirus/antispyware. Although I uninstalled those last three programs, I've noticed that Dr. Web gets stuck scanning their archived files for a while--not sure if I failed to uninstall them correctly, but figured I should mention that I'd done other stuff before starting with bleepingcomputer. (I am only going to follow the instructions put up on this topic from now on; obviously what I've been doing isn't working.)
Computer has been disconnected from the internet since your response advised me to do that.

I think that's it? I'm not sure how the virus showed up, I was just doing regular internet stuff at trusted sites, Windows Firewall was up, I didn't get any weird email attachments...guess that's just how it rolls.

Thanks for your help so far. Feels good to have somebody who knows this stuff.

#14 DaChew
    Visiting Alien
  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 08 March 2009 - 09:26 AM

Are you sure that computer is physically disconnected from the internet?

Malware can be tricky.
Chewy

No. Try not. Do... or do not. There is no try.

#15 thefactualopinion
  • Topic Starter
  • Members
  • 20 posts

Posted 08 March 2009 - 02:27 PM

Yes, I'm sure it's disconnected, but only after I read your post advising me to do so. It's not wireless, and I pulled the cord.

Here's the Dr. Web report from the complete scan run in Safe Mode:

mailpv.exe;C:\Documents and Settings\USER\Desktop\images for tfo\mailpv;Tool.MailPassView;Incurable.Moved.;

That's it, unfortunately. Mailpv.exe isn't a virus, but it's an old program I used once last year, so I let Dr. Web move it just to be safe. The scan took about 9.5 hours.

Prior to the Dr. Web and ATF cleaning, my Malwarebytes Anti-Malware caught a ton of stuff; here's what it resulted in:

Malwarebytes' Anti-Malware 1.34
Database version: 1825
Windows 5.1.2600 Service Pack 2

3/7/2009 10:52:56 PM
mbam-log-2009-03-07 (22-52-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 132002
Time elapsed: 34 minute(s), 1 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 25

Memory Processes Infected:
C:\WINDOWS\Temp\7F35.tmp (Backdoor.KeyStart) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\crypts.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rdahak (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqenokahubozerah (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\Temp\7F35.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\rnjbnms.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Local Settings\Temp\UAC6987.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Local Settings\Temp\ieE.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Local Settings\Temp\7AFE.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Local Settings\Temp\Temporary Internet Files\Content.IE5\R7DU607P\FlashPlayer[1].exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\U73BNA4N\725f[1].exe (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\UACjbavbrpd.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\UACpqlrssgf.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\UACtlwekchy.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\UACwxiqlttr.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\DRIVERS\UACkixnrjlq.sys (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\12A9.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\4F3E.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\58D4.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UAC4272.tmp (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\Ywequ.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\idifuyiw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\setupapi.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\crypts.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Internet Explorer\setupapi.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\UACkmkvmpjx.log (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\UACwfeecxoy.dat (Trojan.Agent) -> Delete on reboot.
--------------------------------

For now, I'm going to hold off on hooking it back up to the Internet until you tell me to give it a try. Right now it's just sitting there following the reboot with nothing happening--no new icons, no pop ups.
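As an added example (not from this thread, and not Malwarebytes' own code), a small Python parser for the MBAM 1.34 log format shown in posts #8 and #15. It tells apart the pre-removal scan log (every item "No action taken", the log the poster was unsure about in post #8) from the repair log, flags "Delete on reboot" items that are only removed at the next restart, and picks out the rootkit, backdoor and DNS-changer families that appear in post #15's log. The sample log and the list of high-risk family prefixes are constructed for the example.

```python
from collections import Counter

# Constructed sample in the format of the Malwarebytes' Anti-Malware 1.34 logs
# posted in this thread (a handful of representative lines, not the full logs).
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.34
Database version: 1825
Windows 5.1.2600 Service Pack 2

Scan type: Full Scan (C:\\|)
Files Infected: 3

Memory Processes Infected:
C:\\WINDOWS\\Temp\\7F35.tmp (Backdoor.KeyStart) -> Unloaded process successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit (Trojan.Agent) -> Data: system32\\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\\WINDOWS\\SYSTEM32\\DRIVERS\\UACkixnrjlq.sys (Rootkit.TDSS) -> Delete on reboot.
C:\\WINDOWS\\SYSTEM32\\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\\Documents and Settings\\USER\\Local Settings\\Temp\\ieE.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
"""

# Families after which the machine should not be trusted until verified clean:
# rootkits hide files, backdoors give remote control, DNS changers redirect
# traffic. Prefix match, so "Rootkit." also covers Rootkit.TDSS. (Assumed list.)
HIGH_RISK_PREFIXES = ("Rootkit.", "Backdoor.", "Trojan.DNSChanger", "Trojan.TDSS")

def parse_mbam_log(text):
    """Return (section, location, family, action) tuples for every detection line.

    A detection line reads "<path or key> (<family>) -> <action>."; the Registry
    Data Items section inserts "-> Data: ..." in the middle, so the action is
    always the last "->" field and the location is always the first.
    """
    section, items = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):      # section header (the summary reads "Infected: 3")
            section = line[:-1]
            continue
        if section is None or " -> " not in line:
            continue                        # preamble, blank line or "(No malicious items detected)"
        parts = line.split(" -> ")
        location, _, family = parts[0].rpartition(" (")
        items.append((section, location, family.rstrip(")"), parts[-1].rstrip(".")))
    return items

def triage(items):
    """Summarise what a helper looks for before deciding the next step."""
    actions = [action for *_, action in items]
    return {
        "families": Counter(family for _, _, family, _ in items),
        "high_risk": sorted({f for _, _, f, _ in items if f.startswith(HIGH_RISK_PREFIXES)}),
        # Every item "No action taken" means this is the scan log, not the repair log.
        "scan_only": bool(items) and all(a == "No action taken" for a in actions),
        # Files in use are only removed at the next reboot; rescan after it.
        "reboot_required": "Delete on reboot" in actions,
        "pending": [(loc, a) for _, loc, _, a in items if a in ("No action taken", "Delete on reboot")],
    }

if __name__ == "__main__":
    for key, value in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```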



