trojan.startup.nameshifter.hn

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I followed this discussion for this infection reported by MS Antipyware.
My issue is similar to the described problems with popups, I downloaded the
Mcafee tool. After running the Mcafee tool I got to a point where it is ready
to reboot and it appears to be done, I power down the system, ran MS
Antispyware it reports that the infection is still there.

Did this process more than once, similar results.

Any suggestions for other solutions or do I need to reload the whole system?

Thanks in advance,
Flavio
 
CounterSpy has removed multiple adware it detected and did stop the annoying
popups.

When I reboot and scan with MSAS it reports that
trojan.startup.nameshifter.hn is still present in my system, see log below:

Spyware Scan Details
Start Date: 12/4/2005 8:52:38 PM
End Date: 12/4/2005 8:58:22 PM
Total Time: 5 mins 44 secs

Detected Threats

Trojan.Startup.NameShifter.HN Trojan more information...
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss
of computer control, and should be removed unless knowingly installed.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}



While MSAS claims to remove the adware, after reboot the nameshifter is
detected again. Same registry key.

Should I be concerned about this? I am no longer getting popups.


thanks,
ff
 
Hi Flavio

Have you tried to scan in safe mode with Microsoft Antispyware, Thanks for
posting the Nameshifter location on your system as it shows Namshifter.hn is
a Trojan Conhook variant. Conhook tries to connect to a malicious web site
and then download more files which usually is the Vundo infection so its
possible you also had this on your system which would account for the pop ups
if they were promoting winfixer,

Try performing a scan in safe mode with Microsoft Antispyware and see if it
can clear the problem. Next open Microsoft Antispyware and click on Advanced
Tools then goto System Explorer's and click IE BHO's, click each of the BHO
entries listed and then look on the right pane where it shows the details, If
you find one which has this under Technical Details then left click the entry
and on the right pane choose Permanently remove this BHO

CLSID: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}

If you still have problems install Ewido and run a full scan with that as it
may be able to fix any remaining entries :

Please download, install, and update the free version of ewido security suite

http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background
guard" and "Install scan via context menu". Click on update in the left menu,
then click the Start update button. After the update finishes close Ewido

Now reboot to Safe Mode - Restart your computer and immediately begin
tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe
Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Run Ewido again. From the main menu click on 'scanner' then click 'Complete
System Scan' When ewido finds something, it will pop up a notification.
Select "Remove" and check the boxes "Perform action with all infections" and
"Create encrypted backup" then click on ok.When the scan finishes, click on
"Save Report" and save it to your desktop or c:/drive incase you need it
again.

Reboot back to normal mode.

Here's abit more info on Trojan Conhook

http://www.sophos.com/virusinfo/analyses/trojconhookn.html

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=48117

Regards

Andy
 
Andy,
thanks for the follow-up.
I followed your detailed steps, unfortunately the infection remains.
In MSAS, when I try to delete the BHO's they simply come back 5 seconds
later. I have narrowed it down to 2 dll's that will not go away,
c:\windows\system32\ pmnnk.dll and wvuro.dll

I ran the vundofix utilities (Mcafee, Symantec, spyware warrior) without
success.

Here is a HijackThis log file showing some detail:

Logfile of HijackThis v1.99.1
Scan saved at 1:30:36 PM, on 12/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} -
C:\WINDOWS\System32\wvuro.dll

O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\f4l00e3meh.dll
(file missing)
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\en8ql1l51.dll
(file missing)
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\SYSTEM32\pmnnk.dll
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\e020lafm1d2a.dll
(file missing)
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\ir4ml5h11.dll (file
missing)
O20 - Winlogon Notify: tuvut - tuvut.dll (file missing)
O20 - Winlogon Notify: wvuro - C:\WINDOWS\System32\wvuro.dll


I have tried to remove these manually(normal boot and safe mode), system
says it is being used by another program. If I remove any references from the
registry they are restored as fast as I delete them.

Is there another way that I can manually or otherwise remove these files?

thanks,
flavio
 
Hey Flavio

The Hijack Log shows you have Vundo, Trojan Conhook and traces of the
Look2me infection, The fixtools from Symantec and other do not remove this
when there is more than one Vundo file active, run Vundofix twice to remove
vundo's files and fix the entries with Hijack This and then run SpySweeper as
that will remove any look2me files or traces of Vundo that remain. If you
have any Questions or Problems then let us know and I will help where I can,

We need to run Vundofix twice as Vundo stores backups spelt backwards so we
could take both the dll files out on the first go but then you would have to
enable hidden files and folders and search for the backup files, Running it
twice will mean we can remove the infected files and the backups then just
use Spysweeper to clean up.

Copy this to notepad and save it so you can still view it in safe mode

Please download Webroot's SpySweeper from HERE

http://www.webroot.com/downloads/

(It's a 2 week free trial):

Click the Free Trial link on the right - next to "SpySweeper for Home
Computers" to download the program.

Install it.

Once the program is installed, it will open.

It will prompt you to update to the latest definitions, click Yes.

Once the definitions are installed, close SpySweeper for now.


Please download VundoFix.exe to your desktop.

http://www.atribune.org/downloads/VundoFix.exe

Double-click VundoFix.exe to extract the files

This will create a VundoFix folder on your desktop.

After the files are extracted, please reboot your computer into Safe Mode.

(Reboot and tap the F8 key until a menu appears. Use your up arrow key to
highlight Safe Mode then hit enter)

Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
You will first be presented with a warning.

It should look like this

----------------------------------------------------
VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....
----------------------------------------------------

At this point press enter one time.

Next you will see:

----------------------------------------------------
Please Type in the filepath as instructed by the forum staff
and then press enter:
----------------------------------------------------

At this point please type the following file path (make sure to enter it
exactly as below!):

C:\WINDOWS\System32\wvuro.dll

Press Enter to continue with the fix.

Next you will see:

---------------------------------------------------
Please type in the second filepath as instructed by the forum
staff then press enter:
---------------------------------------------------

At this point please type the following file path (make sure to enter it
exactly as below!- Note this is the above filename spelt backwards):

C:\WINDOWS\SYSTEM32\oruvw.*

Press Enter to continue with the fix.

The fix will run then HijackThis will open, if it does not open
automatically please open it manually.

In HiJackThis, please place a check next to the following items and click
FIX CHECKED:

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - (no file)

O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} -
C:\WINDOWS\System32\wvuro.dll

O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\f4l00e3meh.dll
(file missing)

O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\en8ql1l51.dll
(file missing)

O20 - Winlogon Notify: pmnnk - C:\WINDOWS\SYSTEM32\pmnnk.dll

O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\e020lafm1d2a.dll
(file missing)

O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\ir4ml5h11.dll (file
missing)

O20 - Winlogon Notify: tuvut - tuvut.dll (file missing)

O20 - Winlogon Notify: wvuro - C:\WINDOWS\System32\wvuro.dll

After you have fixed these items, close Hijackthis.

Press enter to exit the program then manually reboot your computer back into
safe mode again. Once your machine reboots please continue with the
instructions below.

Run Vundofix again

open the VundoFix folder and doubleclick on KillVundo.bat

It will show this again:

-------------------------------------------------
VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....
-------------------------------------------------

press enter one time.

Next you will see:

-------------------------------------------------
Please Type in the filepath as instructed by the forum staff
and then press enter:
-------------------------------------------------

At this point please type the following file path (make sure to enter it
exactly as below!):

C:\WINDOWS\System32\pmnnk.dll

Press Enter to continue with the fix.

Next you will see:
--------------------------------------------------
Please type in the second filepath as instructed by the forum
staff then press enter:
--------------------------------------------------

At this point please type the following file path (make sure to enter it
exactly as below!- Again its the above filename spelt backwards):

C:\WINDOWS\System32\knnmp.*

Press Enter to continue with the fix.

The fix will run then HijackThis will open, if it doesnt then open it
manually.

In HiJackThis, check for the same entries again as some may still show with
file missing, please place a check next to any of the following items that
still exist and click FIX CHECKED:

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - (no file)
O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} -
C:\WINDOWS\System32\wvuro.dll
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\f4l00e3meh.dll
(file missing)
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\en8ql1l51.dll
(file missing)
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\SYSTEM32\pmnnk.dll
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\e020lafm1d2a.dll
(file missing)
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\ir4ml5h11.dll (file
missing)
O20 - Winlogon Notify: tuvut - tuvut.dll (file missing)
O20 - Winlogon Notify: wvuro - C:\WINDOWS\System32\wvuro.dll

After you have fixed these items, close Hijackthis & Press enter to exit the
program.

Run Disk Cleanup to remove temp and unused files from your system, Goto
Start Menu then run and type

cleanmgr

press ok then place checks next to temporary file and recycle bin and press
ok again to remove them.

manually reboot your computer.

Once your machine reboots run Spysweeper

Open SpySweeper, click Sweep on the left side.

Click the Start button.

When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button
again to remove the entries

Let me know how it goes or if you have any problems

Andy
 
Hi Andy,
sorry for the delay, I just got my hands back on this laptop.
I ran through the outlined procedure, it fails to remove pmnnk.dll and
wvuro.dll

Spysweeper will scan only, must purchase to remove files identified. Is
there another copy I am not aware of?

Below is what remains after I scan with HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 1:27:56 PM, on 1/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\explorer.exe
C:\vundofix\HijackThis.exe

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} -
C:\WINDOWS\System32\wvuro.dll
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\SYSTEM32\pmnnk.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: wvuro - C:\WINDOWS\System32\wvuro.dll

I will try other utilities meanwhile and advise if successful.

Thanks for your help,
Flavio
 
OK, it is fixed!
It appears that these two files (pmnnk.dll and wvuro.dll) are loaded into
memory very early in the boot process, trying to remove them with any utility
simply fails as they protect themselves well.
I booted from the OS CD, got to the command prompt and was then able to
remove these files manually. Rebooted ran HijackThis to cleanup all
remaining traces of infection.

Hope this helps anyone who has similar issue.

Flavio
 
Hi Flavio

Your right about SpySweeper, They seem to have removed the 2 week free trial
and now only offer the free scan which doesnt remove anything unless you pay
them, Its hard to understand why they have done that as I think alot more
people would pay to use the scanner if they could have a free trial first to
remove infections.

Its strange that VundoFix didnt seem to have removed any files from your
system as they still appeared in the HJT log , the line O20 - Winlogon
Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll is SpySweepers so if
its part of the free trial it should go when you uninstall SpySweeper.

I was going to suggest using Killbox's replace with dummy on reboot feature
then list all the possible backward spelt filenames to use Killbox on but
have just noticed you have replied saying its fixed :o) Good work Flavio , Im
still not sure why Vundofix didnt touch the files but will have to check the
previous posts to see if its the same filenames or if they regenerated but
Its good to hear you was able to remove the junk. Hopefully some of the other
Antispyware scanners will be able to remove this soon to give an alternative
if Vundofix fails.

Thanks for letting us know you got it fixed

All The Best

Andy
 
Back
Top