Problem with n.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by shtyra, Apr 3, 2010.

  1. shtyra

    shtyra Private E-2

    Hello all. I am having a problem removing Vundo/variant. Some basics first; I run the following on my laptop, Windows XP, Avira free edition, Malwarebytes free edition, Zonealarm firewall free edition and SuperAntispyware Professional edition.

    My problem started yesterday after n.exe requested permission from ZoneAlarm to access. I denied permission but as soon as I did that IE windows started popping up. (I run Firefox) I immediately closed my browser figuring an infection. I tried to run Malwarebytes and the .exe file was missing. I then tried to run SuperAntispyware Professional edition, which ran fine, and it popped up 24 infections all with Vundo/variant or some variation of. I quarantined all, rebooted and ran the program again, it ran clean. I then ran Avira free edition antivirus and it ran clean. I reinstalled Malwarebytes and ran that and it detected 6 Vundo variation, which I quarantined. Ran again, clean. Ran SuperAntispyware again, it ran clean.

    I then opened Firefox and checked a few sites (known news sites approved by McAfee siteadvisor) and in about 1/2 hour n.exe requested permission again. I denied the request and IE windows started popping up. Hibernated for the night and in the morning I googled n.exe to find it is a known malware/spyware and rather nasty. I made sure SAS, MWB and Avira were updated and tried to run MWB. Of course the .exe was missing. I ran SAS and the same 24 detections as yesterday popped up. It was like deja vu. I followed yesterdays process of running SAS, Avira and MSB until clean. I then navigated to where ZoneAlarm told me n.exe was located and it was still there. I scanned the file with all three and none detected it as malicious. Which would be fine, except I'm still having reinfections and I suspect n.exe is the cause.

    Help! Any advice on how to get rid of this nasty bugger?
     
    shtyra, Apr 3, 2010
    #1
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.

    Pleases follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.

    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.


    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this aother user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:

    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
    TimW, Apr 3, 2010
    #2
  3. shtyra

    shtyra Private E-2

    Hello again. I've read the Read and completed all the steps. Attached to this post are my ComboFix log, MG log and rootrepeal log.
     

    Attached Files:

    shtyra, Apr 3, 2010
    #3
  4. shtyra

    shtyra Private E-2

    Hi there, it's me. :) Attached to this post are my SAS log and my MWB log. Both ran clean. I have the logs from the original infection this morning prior to the clean if you need them.

    All seems to be running fine (may be too soon to tell) except for something keeps trying to access on of my from the net. May or may not be random. I'd really like to access my online banking to check my balance (make sure all is fine), but I'm nervous now even after running clean scans. From what I read about n.exe, it's used to gather passwords etc.

    Thanks for any assistance, you guys are a life savers!
     

    Attached Files:

    Last edited: Apr 3, 2010
    shtyra, Apr 3, 2010
    #4
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You attached the RootRepeal program instead of the log, which is here:
    C:\Documents and Settings\Owner\My Documents\Rootrepeallog_040310.txt

    If you need to check your accounts, please use a different computer to change your online passwords.

    In the meantime, let's do this:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::

File::
c:\windows\system32\firugoti.dll.tmp
c:\windows\system32\guvuvara.dll.tmp
c:\windows\system32\zivahesu.dll.tmp
C:\WINDOWS\system32\dibojeho
C:\WINDOWS\system32\firugoti.dll.tmp
C:\WINDOWS\system32\instutil.dll
C:\WINDOWS\system32\zivahesu.dll.tmp
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to overide the prvevious file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
    TimW, Apr 4, 2010
    #5
  6. shtyra

    shtyra Private E-2

    Hi Tim! Thank you so much for you help, it is much appreciated. Sorry about attaching RootRepeal, I have attached the actual log to this post.

    I have also followed your other instructions and have attached the other requested logs.

    As of this afternoon (pre this run of ComboFix) I was still having problems with n.exe. I was checking this thread for response and also checked another news site and n.exe requested access to the net. I denied and immediately Avira popped up a malware detection:

    I closed my browser, disconnected from the net and started running through the Read First steps (CCleaner, SAS, and MWB). CCleaner must have deleted it because SAS and MWB both ran clean. I reconnected to the net and found your response and followed your instructions. Also of note, earlier today my printer was missing. It was installed yesterday as I printed all of the instructions for Read First, Windows Cleaning, etc. But, when I went to print your new post I got an error message saying printer not found. I checked the printers folder and no printers were installed. Since I ran ComboFix and MGTools, it seems to have reappeared. Strange.

    I will wait to do any online banking until I get an all clear from you as I don't have access to another computer.

    I have a question for you. I am fairly diligent with protection. I run the paid version of SAS with real time protection enabled. I run Avira AntiVirus, with AntiVir Guard enabled and I run Zone Alarm set to high. I also run McAfee Site Advisor and do not visit unverified sites. Why am I having such a problem with infection? I suspect I got this nasty bugger from Twitter. I know the exact page I was visiting at the time and that page addy popped up when the IE windows started popping up. The last time I had an infection I got it from Facebook and haven't used FB since. Is there anything else I can run to actively protect myself?

    Again, thank you so much for you time and help. :)
     

    Attached Files:

    shtyra, Apr 4, 2010
    #6
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any malware in your system. The most important thing you can do is keep your protection software updated. You also may wish to run Spyware Blaster.

    Let's just finish up then.'

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
    TimW, Apr 5, 2010
    #7
  8. shtyra

    shtyra Private E-2

    Thanks Tim, you guys rock! I think I will run Spyware Blaster before I do my online banking, just to be safe. I update all my protection programs every time I log on. I will follow your clean up instructions as well.

    One more thing. If n.exe shows up again (reinstalls) should I post on this thread or start a new one?

    Again, I can't thank you enough for your time and help. :)
     
    shtyra, Apr 5, 2010
    #8
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The thread will stay open incase you need additional help. But after a few weeks, you would need to download all the removal tools fresh with new updates and run them again.

    Hope all is well. And you are quite welcome.
     
    TimW, Apr 5, 2010
    #9
  10. shtyra

    shtyra Private E-2

    Hi Tim, guess who! So I think I'm reinfected. Here is what happened, today I was doing some surfing. I had several tabs open, this site, bleepingcomputer, malwarebytes forum and dailykos. Zone alarm notified me that n.exn (it is n.exn, not n.exe like I posted previously, sorry) was trying to access the net. I denied access. A few seconds later, Avira notified me that TR/Dropper.gen was found in C:\Windows\temp\E8.tmp, access was denied. Immediately I shut down Firefox. (no random IE popups occurred this time like they did last time). I ran SAS, MWB, Avira, and ComboFix and there were no detections. (Logs attached) Before the scans, I navigated to windows\temp using My Computer and no E8.tmp file exists. I checked in Zone Alarm Program Control, and it lists n.exn here:

    File name C:\Documents and Settings\Owner\Local Settings\temp\n.exn
    Last policy update Not applicable
    Version
    Last modified date 4/7/2010 13:01:18
    File size 79 KB

    That's where it was last time. I ran CCleaner to delete all temp files after the scans (mainly to see if the scans would pick up n.exn and they didn't), and when I navigate there using My Computer it is no longer there.

    Is it possible there is something hidden in hard drive that keeps replacing it? How does it keep coming back if all the scans run clean?

    Any help/suggestions to solve the frustrating booger are much appreciated.
     

    Attached Files:

    shtyra, Apr 7, 2010
    #10
  11. shtyra

    shtyra Private E-2

    ComboFix and MGTools logs attached.
     

    Attached Files:

    shtyra, Apr 7, 2010
    #11
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    A few things to remove, but not sure if it is related.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::

SecCenter::
{84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
{94894B63-8C7F-4050-BDA4-813CA00DA3E8}

File::
C:\WINDOWS\Route32.INI
C:\WINDOWS\BOXERJAM.INI
C:\Documents and Settings\Owner\Local Settings\temp\Acr25E5.tmp
C:\Documents and Settings\Owner\Local Settings\temp\JET4DF7.tmp

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] "PendingFileRenameOperations"=""
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to overide the prvevious file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Also please try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. It does not save a log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
    TimW, Apr 8, 2010
    #12
  13. shtyra

    shtyra Private E-2

    Re: Problem with n.exn

    Hi Tim, as always, thanks for your help. Attached find the Combofix and MGTools logs. I ran the SAS online scan as requested and it ran clean.

    I have searched all the major sites (Norton, McAfee, Avira, MWB, SAS) and could find no information on n.exn. I did find info here
    http://www.prevx.com/filenames/X9654805306640233-X1/N.EXN.html
    I have never heard of Prevx before, but the info they have on n.exn scares the beejeebus out of me. I am seriously considering reformatting and reinstalling, but I've never done it before and don't even know that I can. I don't have Microsoft XP disks, all I have is the disk that came with the laptop. It is labeled "Gateway, Microsoft Windows XP Home Edition, Operating System Disk". Is this something you could help with, and if not maybe a different forum here?

    Of note: I am experiencing no odd behavior, no redirects, no popups, task manager runs fine, windows update runs fine, updates to security software run fine and the actual programs run fine. I have had no notices today from ZoneAlarm that n.exn has tried to access the net and I have been surfing all day researching this. I have not visited the site I was on when I got the notification. I'm actually afraid to go back there since that's where I was the two times n.exn tried to access the net. That may be just a coincidence. I contacted their tech to tell them the situation and they suspect they may have a rogue ad. Their tech was the one that suggested I reformat, although I was leaning that way after my research.

    What is your advice?
     

    Attached Files:

    shtyra, Apr 8, 2010
    #13
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can not trust anything that PrevX posts about infected files. They are notorious for giving false positives. Do a search for most any system file and it is likely PrevX will report it as malware.

    Your logs are clean. There is certainly no need to reformat! Since you know what site infected you and did the proper thing in alerting them to it, you have done the right thing.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
    TimW, Apr 9, 2010
    #14
  15. shtyra

    shtyra Private E-2

    Thanks for the info on Prevx. That would explain why none of the majors (Norton, McAfee, Avira, AVG, SAS, MWB, etc) had anything on n.exn.

    So I'm safe to do my online banking and bill pay from this machine?

    I dug out my old (about two years old) Desktop from storage in preparation for reformatting. Thought it was best I had some way of accessing the net if I needed it. I'm in the process of Read First process right now and have discovered some minor infections. I'll post the logs in a new thread. Even though I don't need to reformat my laptop, I mind as well finish cleaning the desktop. I just may keep it up and running and use it for my banking, being the paranoid type.

    Thanks for all your help and especially your time. :)
     
    shtyra, Apr 9, 2010
    #15
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Although I do not think your banking was compromised, it is always best to use a different computer to change your online passwords. Then just keep an eye on your accounts. You most likely do not need to alert the bank, but it is always a safe step to do just in case. Explain that your computer was compromised and that you want to be safe rather than sorry. You can probably have them change passwords over the phone.
     
    TimW, Apr 10, 2010
    #16
  17. shtyra

    shtyra Private E-2

    Sorry it's taken a while to reply, life got in the way. ;)

    I called my bank and changed my password when this all started. Better safe than sorry. I ran the normal weekly scans this morning (SAS, MWB and Avira) like I always do and all ran clear.

    Thanks for all your time and help, you're awesome. :clap
     
    shtyra, Apr 14, 2010
    #17
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Again, you are most welcome. Safe surfing. :)
     
    TimW, Apr 15, 2010
    #18

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds