
Hjt Log (was Infected W/ Bravesentry.exe & Smithfraud And Others)



#1 walnuts312


Posted 09 February 2008 - 11:23 AM

Hi. I have a computer n00b for a boss. He is constantly getting the server infected with a virus (not like I can yell at him, he does own the place. lol)

Anyways. This latest one was quite the challenge. It was some trojan he picked up (claimed to be an email).

It's the bravesentry.exe
(I also found smithfraud-c as well, and a host of others.)

It had a nasty habit of constantly rebooting the PC after login. That made killing the destructive process with Process Explorer quite difficult (since BraveSentry disables the Task Manager during infection), but I was able to end the constant reboot loop with an msconfig error. (It's a Win2000 machine, so msconfig is not there. By attempting to run it, an error came up (obviously), but it kept BraveSentry (I think that's what was doing it anyway) from rebooting me immediately.) Then I killed the processes with Process Explorer and was then able to get AVG and Spybot-S&D back up and running (the trojan kept them from autostarting, so I had no protection after reboot).

I have been cleaning this off for a few hours now. I have run AVG and Spybot-S&D. I'm about to run Ad-Aware 07, and I have a HijackThis v2.0.2 logfile for you.

The machine is a Dell Optiplex GX60
Win 2000 Pro
Service Pack 4

Here is the HijackThis logfile
**********************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:42 AM, on 2/9/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\PVSW\bin\w3sqlmgr.exe
C:\PVSW\bin\ntbtrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\PVSW\bin\NTDBSMGR.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Documents and Settings\Administrator\Desktop\procexp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\Killbox.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.acehardware-acenet.com/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8670] command /c del "c:\Program Files\BraveSentry\BraveSentry.lic"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6148] cmd /c del "c:\Program Files\BraveSentry\BraveSentry.lic"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3716] command /c del "c:\Program Files\BraveSentry\BraveSentry0.bs"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8026] cmd /c del "c:\Program Files\BraveSentry\BraveSentry0.bs"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9951] command /c del "c:\Program Files\BraveSentry\BraveSentry2.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9397] cmd /c del "c:\Program Files\BraveSentry\BraveSentry2.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2376] command /c del "c:\Program Files\BraveSentry\BraveSentry3.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7590] cmd /c del "c:\Program Files\BraveSentry\BraveSentry3.dll"
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: qodz.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.acehardware-aceonline.com
O15 - Trusted Zone: *.acehardware-eaglevision.com
O15 - Trusted Zone: *.acehardware-vendors.com
O15 - Trusted Zone: *.aceservices.com
O15 - Trusted Zone: *.acehardware-acenet.com (HKLM)
O15 - Trusted Zone: *.acehardware-aceonline.com (HKLM)
O15 - Trusted Zone: *.acehardware-eaglevision.com (HKLM)
O15 - Trusted Zone: *.acehardware-vendors.com (HKLM)
O15 - Trusted Zone: *.aceservices.com (HKLM)
O16 - DPF: AceIESecuritySettings - http://ww2.acehardware-acenet.com/Controls...itySettings.CAB
O16 - DPF: {12345678-0000-0000-0000-000000000000} - http://ww2.acehardware-acenet.com/ACENET/C...ls/EVUpdate.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} (OBXViewer Control) - http://imagemax.aceservices.com/aspweb/Applets/OBXViewer.cab
O16 - DPF: {24B8CB65-C0D2-11D0-A523-444553540000} (AceExplorer Control) - http://ww2.acehardware-acenet.com/ACENET/C...xpl/AceExpl.cab
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://ww2.acehardware-acenet.com/ACENET/C...Si/McsiMenu.cab
O16 - DPF: {41F841C0-AE16-11D5-8817-0050DA6EF5E5} (FarPoint Spread 6.0 (OLEDB)) - http://ww2.acehardware-acenet.com/ACENET/c...t60/fpspr60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137092684171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173619137921
O16 - DPF: {8285080A-3FAF-41B1-B7BD-933EE724B650} (OBXDocumentSelect Control) - http://imagemax.aceservices.com/aspweb/Applets/OBXSelect.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www.gotomeeting.com/default/applets/g2mdlax.cab
O16 - DPF: {8BF1A503-001F-11D0-A296-00A0246497B9} (ACENET Control) - http://ww2.acehardware-acenet.com/ACENET/C...ENET/ACECTL.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {D4A97620-8E8F-11CF-93CD-00AA00C08FDF} (Microsoft ActiveX Image Control 1.0) - http://ww2.acehardware-acenet.com/ACENET/c...ft/MSpert10.cab
O16 - DPF: {E2454650-4D87-11D2-B8B2-0000C00A958C} (FarPoint Spread 3.0) - http://ww2.acehardware-acenet.com/ACENET/c...30/spr32x30.inf
O16 - DPF: {F5876F16-5217-4B38-96F3-C2BB80215302} (OBXWebViewer Control) - http://imagemax.aceservices.com/appnet/act...BXWebViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{212B63AA-EFC1-47F2-B1DE-FA2369110093}: NameServer = 192.168.22.1,24.92.226.176
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pervasive.SQL (relational) - Pervasive Software Inc. - C:\PVSW\bin\w3sqlmgr.exe
O23 - Service: Pervasive.SQL (transactional) - Unknown owner - C:\PVSW\bin\ntbtrv.exe

--
End of file - 7526 bytes


**************************

As I said, I have been doing the cleaning on this machine. But I know this is one of those bastards that, if you miss one thing, will come back as it was. Makes it more fun, I guess. So there may be things that I have already cleaned.

Any help with the logfile, or other knowledge about this trojan, would be greatly appreciated.

This is the info that I was currently using to rid myself of this problem.
http://www.2-spyware.com/remove-brave-sentry.html

Thanks for your time
-Walnuts
"The man who smiles when things go wrong has thought of someone to blame it on." - Robert Bloch
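An added example, not part of the post and not HijackThis's own code: a small Python triage pass over constructed lines in the HijackThis v2.0.2 entry format shown above, flagging the kinds of entries a log reviewer checks first (a Startup-folder item with no path, Spybot's leftover RunOnce delete commands, a service with no publisher, and a non-private DNS resolver in an O17 line). The sample lines and the triage rules are my own assumptions modelled on the log, not a verdict on any entry in it.

```python
import ipaddress
import re

# Constructed sample lines in HijackThis v2.0.2 format, modelled on the entry
# types in the log above; this is not a copy of the posted log.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - HKCU\\..\\RunOnce: [SpybotDeletingB8670] command /c del "c:\\Program Files\\BraveSentry\\BraveSentry.lic"
O4 - Global Startup: qodz.exe
O4 - Startup: HotSync Manager.lnk = C:\\Palm\\HOTSYNC.EXE
O15 - Trusted Zone: *.aceservices.com (HKLM)
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{212B63AA-EFC1-47F2-B1DE-FA2369110093}: NameServer = 192.168.22.1,24.92.226.176
O23 - Service: Pervasive.SQL (transactional) - Unknown owner - C:\\PVSW\\bin\\ntbtrv.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# RunOnce entries Spybot-S&D writes to delete files it could not remove live.
SPYBOT_CLEANUP_RE = re.compile(r"\[SpybotDeleting\w+\] (?:cmd|command) /c del ")
# Startup-folder item given as a bare filename with no directory.
BARE_STARTUP_RE = re.compile(r"^(?:Global )?Startup: [^\\/]+$")

def parse_entries(text):
    """Yield (section, body) for each HijackThis entry line; skip everything else."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(text):
    """Return (section, reason, body) for entries a reviewer should check first."""
    findings = []
    for section, body in parse_entries(text):
        if section == "O4" and SPYBOT_CLEANUP_RE.search(body):
            findings.append((section, "cleanup RunOnce left by Spybot; confirm the file is gone", body))
        elif section == "O4" and BARE_STARTUP_RE.match(body):
            findings.append((section, "startup item with no path; locate and identify the file", body))
        elif section == "O17" and "NameServer = " in body:
            servers = [s.strip() for s in body.split("NameServer = ", 1)[1].split(",")]
            public = [s for s in servers if not ipaddress.ip_address(s).is_private]
            if public:
                findings.append((section, f"public DNS resolver(s) {', '.join(public)}; verify with the ISP", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append((section, "service with no publisher; verify the binary", body))
    return findings

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section} | {reason} | {body}")
```

Entries that do not match any rule (the AVG Run key, the HotSync shortcut with a full path, the Trusted Zone line) are left for manual review rather than silently passed.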


#2 RichieUK


Posted 16 February 2008 - 04:39 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum.
My name is Richie and I'll be helping you to fix your problems.

Apologies for the late response; as I'm sure you can appreciate, we are extremely busy.

If you've already received help at another forum and your issues have been resolved, or you're presently receiving help elsewhere, then please let us know.

If you have not followed the info in the link below prior to posting your log then please do so now:
Preparation Guide for use before posting a HijackThis Log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If you still require help, please post a new HijackThis log into this topic in your next reply.

Also post a detailed description of the issues you're experiencing.

*Note*
Post all reports/logs directly into this topic, not as attachments, thanks.