NOD32 newheur_pe trojan?

OK, I noticed the other day that I somehow stumbled upon a virus of some sort. A process was running and saying it had created an error and must close every minute or so. The process was called lssmon.exe. When I opened my Task Manager I noticed duplicates of another similar process called lsassmrg.exe under my user name and one process named lsass.exe in my system files (I dunno if this last process is related). Anyway, I did a search for the two files lssmon and lsassmrg and found 2 files for each, so I ended all the processes and deleted the files. lssmon is gone now for good, but I still have lsassmrg and lsass files on my computer; I dunno if they're Windows files or part of the virus. At this point I decided to get NOD32 and Spybot S&D and Glary Registry Repair and a-squared. Unfortunately all of these haven't been able to do anything, with the exception of NOD32: it found files and quarantined them, including my firefox.exe and iexplorer.exe. It said all the files were unknown NewHeur_PE virus. All it does is quarantine them and has no fix. I restored Firefox so I can get to you guys, but when I open a Firefox session I get this message: D:\WINDOWS\system32\spool.exe. I dunno if that's the root of all this or what. I can't find it at all. I've tried registry repairs and spyware removers; nothing does it, and I can't find the files for this thing on my own. If you guys could help that would be great. I did download HijackThis if that would be any help to you guys, although I dunno how to use it as I'm not familiar with it at all. Any help or insight would be greatly appreciated.

Hi budking & Welcome to the forums!

Please download Malwarebytes’ Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to

* Update Malwarebytes' Anti-Malware
* and Launch Malwarebytes' Anti-Malware

then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform full scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

Josh

Hi, and thanks for the welcome, 3xist. My post might have been a little confusing, but thanks for the reply. I will try this and let you know how it goes. I'm downloading the program now!

No problem! :slight_smile:

Thanks
Josh

OK, I ran the scan and it didn't find anything. Thing is, every time I open up the internet my antivirus gives me these two messages:
9/8/2008 2:26:26 PM Real-time file system protection file D:\WINDOWS\system32\spool.exe probably unknown NewHeur_PE virus cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: D:\Program Files\Mozilla Firefox\firefoxe.exe.

and then

9/8/2008 2:26:26 PM Real-time file system protection file D:\Program Files\Internet Explorer\iexplor.exe probably unknown NewHeur_PE virus cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: D:\Program Files\Mozilla Firefox\firefoxe.exe.

I dunno what it is, and thus far nothing can delete it. Oh, here's my Malwarebytes log:

Malwarebytes’ Anti-Malware 1.27
Database version: 1130
Windows 5.1.2600 Service Pack 3

9/8/2008 2:25:06 PM
mbam-log-2008-09-08 (14-25-06).txt

Scan type: Full Scan (C:|D:|)
Objects scanned: 100853
Time elapsed: 22 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I dunno if any of this will help.
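As an added illustration (not from this thread, and not ESET's or Malwarebytes' code): a small Python parser for the NOD32 real-time protection lines quoted above. It pulls out the quarantined file and, more usefully, the "created by the application" path, and flags names that imitate known Windows or browser binaries, which is how one notices that the process writing the flagged files is firefoxe.exe rather than firefox.exe. The KNOWN_BINARIES allowlist, the 0.8 similarity threshold and the sample lines are assumptions made for the example.

```python
import re
from difflib import SequenceMatcher

# Two constructed sample lines in the format of the NOD32 real-time protection
# messages quoted in the thread (paths and timestamps are the thread's own).
SAMPLE_LOG = r"""
9/8/2008 2:26:26 PM Real-time file system protection file D:\WINDOWS\system32\spool.exe probably unknown NewHeur_PE virus cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: D:\Program Files\Mozilla Firefox\firefoxe.exe.
9/8/2008 2:26:26 PM Real-time file system protection file D:\Program Files\Internet Explorer\iexplor.exe probably unknown NewHeur_PE virus cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: D:\Program Files\Mozilla Firefox\firefoxe.exe.
""".strip()

LINE_RE = re.compile(
    r"^(?P<when>\S+ \S+ [AP]M) Real-time file system protection file "
    r"(?P<file>.+?) probably (?P<threat>.+?) "
    r"(?P<action>cleaned by [a-z]+(?: - [a-z]+)?) (?P<user>.+?) "
    r"Event occurred on a new file created by the application: (?P<creator>.+?)\.?$"
)

# Assumed allowlist of genuine Windows/browser binary names that malware
# commonly imitates; extend it for the machine you are looking at.
KNOWN_BINARIES = {
    "lsass.exe", "smss.exe", "csrss.exe", "services.exe", "svchost.exe",
    "winlogon.exe", "explorer.exe", "spoolsv.exe", "firefox.exe", "iexplore.exe",
}

def lookalike_of(path, threshold=0.8):
    """Known binary this file name imitates, or None if it is exact or unrelated."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name in KNOWN_BINARIES:
        return None  # genuine name; only its location would still need checking
    best = max(KNOWN_BINARIES, key=lambda k: SequenceMatcher(None, name, k).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= threshold else None

def parse_nod32_log(text):
    """Parse each protection line into a dict and annotate lookalike names."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a real log mixes in other event types; skip them
        e = m.groupdict()
        e["file_lookalike"] = lookalike_of(e["file"])
        e["creator_lookalike"] = lookalike_of(e["creator"])
        entries.append(e)
    return entries

def suspicious_creators(entries):
    """Processes under a lookalike name that keep re-creating flagged files."""
    return {e["creator"] for e in entries if e["creator_lookalike"]}

if __name__ == "__main__":
    for e in parse_nod32_log(SAMPLE_LOG):
        print(f'{e["when"]}: {e["file"]} (like {e["file_lookalike"]}) written by '
              f'{e["creator"]} (like {e["creator_lookalike"]})')
```

Quarantining the dropped files only treats the symptom; the set returned by suspicious_creators is what has to be stopped and removed for the warnings to end.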

Hey, I figured this might help you guys out.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:21 PM, on 9/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
C:\a-squared Free\a2service.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\system32\CSRLT.EXE
C:\ESET\ESET NOD32 Antivirus\egui.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mudfall.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - (no file)
O3 - Toolbar: (no name) - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - (no file)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [AppleSyncNotifier] D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM..\Run: [QuickTime Task] “D:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “D:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [CSRLT.EXE] D:\WINDOWS\system32\CSRLT.EXE
O4 - HKLM..\Run: [egui] “C:\ESET\ESET NOD32 Antivirus\egui.exe” /hide /waitservice
O4 - HKLM..\RunOnce: [MSBLT.EXE] D:\WINDOWS\MSBLT.EXE
O4 - HKCU..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Ares\chatServer.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - D:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - D:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe


End of file - 5592 bytes

This is from Rednose (one of the forum members):

I found this about the O4 items CSRLT.EXE and MSBLT.EXE:

http://www.bleepingcomputer.com/forums/index.php?s=2871051781008610adc97fa3973685f7&showtopic=168052&st=0&p=937978&#entry937978

It seems that SAS can remove them Smiley

And of course you can fix the 2 dead O2 items Wink

Thx Red! :slight_smile:

Josh

Fix a dead O2 and a dead O3 item, that is:

O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - (no file)
O3 - Toolbar: (no name) - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - (no file)

My mistake :-[

Greetz, Red.

Thanks for the replies, guys, but I dunno exactly how to fix these 2 problems. Will this take care of the unknown NewHeur_PE virus?

Hey guys, I followed the directions in the post at the link, but I'm still getting the same two warnings when I open Firefox:

9/9/2008 2:09:57 AM Real-time file system protection file D:\Program Files\Internet Explorer\iexplor.exe probably unknown NewHeur_PE virus cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: D:\Program Files\Mozilla Firefox\firefoxe.exe.

9/9/2008 2:09:57 AM Real-time file system protection file D:\WINDOWS\system32\spool.exe probably unknown NewHeur_PE virus cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: D:\Program Files\Mozilla Firefox\firefoxe.exe.

I dunno what's going on.

Hi budking.

Go to this professional malware removal forum: http://www.spywarewarrior.com/index.php

Register and sign up there, post your Hijack log.

Josh

Hey guys, when you say fix the O2 and O3 problem, do you mean run HijackThis, then check the O2 and O3 problem and hit "Fix checked"?

Yep

Xan

OK, I ran the repairs on the O2 and O3 items, and here's my new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:00 PM, on 9/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
C:\a-squared Free\a2service.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\ESET\ESET NOD32 Antivirus\egui.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mudfall.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [AppleSyncNotifier] D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM..\Run: [QuickTime Task] “D:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “D:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [egui] “C:\ESET\ESET NOD32 Antivirus\egui.exe” /hide /waitservice
O4 - HKLM..\Run: [CSRLT.EXE] D:\WINDOWS\system32\CSRLT.EXE
O4 - HKCU..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Ares\chatServer.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - D:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - D:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe


End of file - 5397 bytes

Problem is, I'm still getting these two messages from NOD32 when I open Firefox:

9/10/2008 12:36:09 PM Real-time file system protection file D:\Program Files\Internet Explorer\iexplor.exe probably unknown NewHeur_PE virus cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: D:\Program Files\Mozilla Firefox\firefoxe.exe.

9/10/2008 12:36:09 PM Real-time file system protection file D:\WINDOWS\system32\spool.exe probably unknown NewHeur_PE virus cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: D:\Program Files\Mozilla Firefox\firefoxe.exe.

What is this NewHeur_PE ■■■■?