Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Worm_rbot.fjx Or Trojan-rbot-gr Keep Coming Back, Help! Thanks!


  • Please log in to reply
11 replies to this topic

#1 justsometallguy

justsometallguy

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:02:50 AM

Posted 02 August 2007 - 02:57 AM

Hey I'm still pretty new to this site, but I posted a thread in the "Am I Infected? What Do I Do?" (http://www.bleepingcomputer.com/forums/topic102174.html) and read around a bit. My concern is that I kept getting a popup from Trend Micro Antivirus saying it found "worm_rbot.fjx" even though I had already quarantined and deleted it. It keeps popping up every so often, but doesn't always appear on full system scans. In addition, I have Spy Sweeper and it has discovered "trojan-rbot-gr" a few times. Same story, I quarantine and delete, but it seems to come back. When I search Google for either one, I get no help at all.

I downloaded Ad-Aware and Spybot - Search and Destroy like this site recommended and was able to scan successfully once with each. However, when I turned my computer back on later it kept freezing up after loading Windows. I eventually just had to boot in Safe Mode and uninstall the 2 programs.

Now I'm at the point where I don't know what to do. Based on the HijackThis log file, can anyone tell me if I've actually gotten rid of the trojan/worm? Are they different or the same thing? It seems like some programs call the same malware by different names. Any help would be greatly appreciated. Thanks in advance!

justsometallguy

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:28 AM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
c:\Recyclers\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Messsaanger - Unknown owner - c:\Recyclers\svchost.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6633 bytes

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 02 August 2007 - 12:22 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum justsometallguy :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\Recyclers

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it on your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

----------------------------------------------------

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.bat to your desktop.
Then double click on the fix.bat file on your desktopPosted Image
You'll see a black screen flash,thats normal.

@echo off
sc stop Messsaanger
sc delete Messsaanger

Restart your pc.

----------------------------------------------------

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log.
Posted Image
Posted Image

#3 justsometallguy

justsometallguy
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:02:50 AM

Posted 02 August 2007 - 02:46 PM

Thank you for helping out Richie, I really appreciate it. However, I now have a bigger problem. Everything went fine until I started Combofix. It was running fine, then Spy Sweeper popped up and asked if I wanted to block or unblock it and I clicked unblock. Again everything went fine for a bit, then it restarted on its own and now Windows won't load. Everytime it tries, it resets itself. I've tried loading it in Safe Mode and with the Last Known Good Configuration and the same results. I'm not sure what to do now...I really hope it's something that can be fixed!

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 02 August 2007 - 03:02 PM

Strange,if you have the Microsoft Windows XP installation disk try a Repair Install.

Configure your computer to start from the CD-ROM drive if its not already.
[Boot into the BIOS and set your CD-Rom drive as first boot device].
For more information about how to do this,refer to your computer's documentation or contact your computer manufacturer.
Then insert your Microsoft Windows XP Setup CD,and restart your computer.
When the 'Press any key to boot from CD' message is displayed on screen, press a key.
Press ENTER when you see the message to setup Windows XP now, and then press ENTER displayed on the 'Welcome to Setup' screen.
Do not choose the option to press R to use the Recovery Console.
In the Windows XP Licensing Agreement, press F8 to agree to the license agreement.
Make sure that your current installation of Windows XP is selected in the box, and then press R to repair Windows XP.
Follow the instructions on the screen to complete Setup.
Posted Image
Posted Image

#5 justsometallguy

justsometallguy
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:02:50 AM

Posted 02 August 2007 - 06:04 PM

And if I can't get my hands on a copy of the install disc? :thumbsup:

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 02 August 2007 - 06:20 PM

If you don't have your own copy of XP,try and borrow a copy off a friend or relative,make sure its exactly the same thats installed on your pc,XP Home Edition or Professionall,Service Pack2.

Are you able to boot into Safe Mode or not:
Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in 'Safe Mode with Command Prompt'.
At the prompt type or copy and paste:
%systemroot%\system32\restore\rstrui.exe
Then press Enter,follow the onscreen instructions. .

Edited by RichieUK, 02 August 2007 - 06:22 PM.

Posted Image
Posted Image

#7 justsometallguy

justsometallguy
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:02:50 AM

Posted 02 August 2007 - 08:06 PM

No, I can't boot in Safe Mode. I tried the F8 method and that didn't work either. I get to the menu (either the default one or the advance one by pressing F8) and am able to select the various Safe Mode methods or to start Windows normally, but none of them work after I hit enter. It starts trying to boot Windows, and the Windows screen appears, but it restarts before the desktop is shown. I don't have any copy that I can easily get my hands on. I will try a few other friends and see if they have a copy. If I can't get one though, is there anything else I can do? Thanks again for all your help.

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 02 August 2007 - 08:18 PM

I notice its an HP pc you have,not sure borrowing an XP disk will work,you could try it anyway.
Do you have the HP recovery discs for Windows XP.
Posted Image
Posted Image

#9 justsometallguy

justsometallguy
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:02:50 AM

Posted 02 August 2007 - 08:25 PM

No, I lost them...lucky me. So last year when I reformatted I used a friend's XP Home disc and unfortunately he has since moved. I'm still waiting to hear back from one guy to see if he has a disc, but if not, I may be out of luck.

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 02 August 2007 - 08:35 PM

Ok,let me know how you get on,post back into this topic,and good luck :thumbsup:
Posted Image
Posted Image

#11 justsometallguy

justsometallguy
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:02:50 AM

Posted 02 August 2007 - 11:04 PM

Well, I can't find anyone with an XP Home disc. If I try it with an XP Pro disc, will it still work? At this point, I've got all my documents, pictures, and music so I'm not too concerned if I really mess something up. However, if possible I'd still like to keep everything I have on there and not have to reformat. Any advice? Thanks!

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 03 August 2007 - 07:11 AM

No,try it anyway,you've nothing to lose.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users