Odd NAR.vbs issue

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by DtM, May 10, 2009.

  1. DtM

    DtM Private E-2

    For a while my computer performance has been degrading, and for a while I've been having a recurring issue of nar.vbs worm being present on my system despite my attempts to delete it. I am not so much concerned with the system performance, input would be nice, but now I am just concerned with getting rid of nar.vbs.

    It was in my C:\ drive and I've tried multiple times to delete it and it would come back. I followed the directions and ComboFix found it and deleted it. I followed the next steps and downloaded Avira and it found nar.vbs again! It popped up just about every time I tried to download something or install something as I was completing the steps listed on this forum. Avira also found a trojan that ClamWin was unable to find. Thanks! :cool

    The issue I had was after following the further prevention steps some weird things also came up. For example one time I restarted the computer and it was choked up. I had to ctrl+alt+del to restart the computer. The next times I was having issues with accessing my computer's C: drive. I could not get to it, and it was giving me some error message that it could not access the script nar.vbs.

    Undeterred I continued, and I did the disable AutoRun patch. Now I can access my C drive in my computer fine. And Avira does not immediately pop up to say nar.vbs is coming up (it was happening every minute or so previously). I am running an Avira scan to see if it finds nar.vbs again. Did that fix the problem? What is going on with my computer? Is everything okay?

    Attached are my logs. Thanks in advance!
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi and welcome. We are currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Thanks for your patience during this time.

    Thanks, Kes
     
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Why are you not currently being protected by any antivirus or a third-party firewall?? (ClamWin is not a realtime AV)

    Was AVIRA installed after obtaining the logs? Your new logs will show what's going on anyway...



    1. Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    2. Now we need to use ComboFix to remove a bunch of malware files and also to tidy up your registry a little.

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it
    (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    
    KILLALL::
    
    Driver::
    gkmixern
    
    File::
    C:\nar.vbs
    c:\windows\Nar.vbs
    c:\docume~1\ANDYES~1\LOCALS~1\Temp\gkmixern.sys
    c:\windows\popcinfot.dat
    
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0dbbb24e-7e33-11da-a463-806d6172696f}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f3c2b4a-7f23-11da-a768-0015f20abd31}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aebd6e6e-9bed-11dd-ab00-0015f20abd31}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "nar"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Aim6"=-
    "Steam"=-
    "updateMgr"=-
    "swg"=-
    "MsnMsgr"=-
    "EA Core"=-
    "SpybotSD TeaTimer"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "HostManager"=-
    "QuickTime Task"=-
    "SunJavaUpdateSched"=-
    "iTunesHelper"=-
    "ClamWin"=-
    "WorkFlow"=-
    "NvCplDaemon"=-
    "Alcmtr"=-
    "NvMediaCenter"=-
    "ResChangerXP"=-
    "Profiler"=-
    "SaiMfd"=-
    "DAEMON Tools-1033"=-
    "nar"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    3. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the ComboFix log.

    4. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
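    Added example (not part of this thread and not a MajorGeeks tool): a read-only PowerShell audit of the persistence points the CFScript above removes (the nar.vbs files, the "nar" Run value, the MountPoints2 AutoRun commands) plus the AutoRun policy that DtM's "disable AutoRun patch" affects, so a reader can confirm the cleanup held before or after the ComboFix run. It assumes an elevated PowerShell on the affected machine; it changes nothing, it only reports.

```powershell
# Added example, not from the thread: audit the autorun-worm indicators named in the CFScript.
$findings = @()

# 1. Files the CFScript deletes (paths taken from the thread)
foreach ($f in 'C:\nar.vbs', "$env:SystemRoot\nar.vbs", "$env:SystemRoot\popcinfot.dat") {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. Run-key values; "nar" is the value name the CFScript removes from HKLM and HKCU
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['nar']) {
        $findings += "Run value ${hive}\...\Run\nar = $($props.nar)"
    }
}

# 3. MountPoints2 keeps a per-volume copy of any autorun.inf command; the CFScript
#    deletes three such GUID subkeys. Flag every subkey that still carries a command.
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
Get-ChildItem -Path $mp -ErrorAction SilentlyContinue | ForEach-Object {
    $cmdKey = "$mp\$($_.PSChildName)\Shell\AutoRun\command"
    if (Test-Path -LiteralPath $cmdKey) {
        $cmd = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
        $findings += "MountPoints2 AutoRun command in $($_.PSChildName): $cmd"
    }
}

# 4. autorun.inf at the root of every drive is how this class of worm re-infects
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $inf = Join-Path $_.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $body = (Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue) -join ' | '
        $findings += "autorun.inf on $($_.Root): $body"
    }
}

# 5. NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type
$pol = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$val = (Get-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($val -ne 0xFF) { $findings += "NoDriveTypeAutoRun is '$val' (0xFF disables AutoRun on all drive types)" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No nar.vbs indicators found.' }
```

    Any MountPoints2 command or autorun.inf hit points at a drive that still needs cleaning; a Run value reappearing after removal means the dropper is still active.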
  4. DtM

    DtM Private E-2

    Hello.

    I was not protected by anti virus or third party firewall, keyword being was. Right now I use Avira AntiVir, Agnitum Outpost Firewall, and I run BOClean.

    Actually AntiVir is pretty good at running its guard, Combofix wanted to disable it but was unable to, and even after the restart I tried to disable it manually but I was not able to because despite trying to disable that and BOClean I still had a bunch of registry, driver, and memory edits that I had to manually allow anyway :cool

    Up until now I thought that I had only BOClean running and that I would just use AntiVir to scan biweekly.

    In regards to any problems, I am not sure if this qualifies as one (it might be a good thing), but for O4 - HKLM\..\Run: [nar] C:\WINDOWS\nar.vbs there was no entry to fix.

    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - , etc. had java after and I selected them to be fixed as told.

    Aside from this, no real problems as far as I could tell.

    Performance for my computer has been much improved, most of it was related to a cooling issue that I fixed, but I am glad to receive your help in getting these little bugs out of the system too.

    Here are the files.
     


  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I would advise you to uninstall Avira and run ccleaner (with registry) then reinstall it....

    Your logs are clean :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  6. DtM

    DtM Private E-2

    Thank you.

    Couple of last questions.

    Should I keep SUPERAntiSpyware and Malwarebytes Anti-Malware if I am using Avira AntiVir? It seems as though it might be redundant.

    Other than that I have followed all the steps and hopefully should do a good job of keeping my system bug free :cool
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good evening.

    Yes indeed SUPERantispyware and MalwareBytes are well worth keeping installed. I have them both on my machine (free versions, not paid for)

    You can update > and scan with each every so often. :)
     
