Trojans Have Got In!


12 replies to this topic

#1 the s clause

Posted 12 February 2008 - 02:45 AM

Hi.

Looked around a bit to see if I was posting in the right cyber hole. Apologies if I have trampled on some cool discussion about the ethics of trojans.

I'm operating Microsoft XP Home edition and I can't quite remember much before the blind panic when I switched on the computer to get loads of warning messages saying it was infected. Not sure that my firewall is current. Anyhoo, BraveSentry was being offered but seemed crazy to type in credit card # to get the support. Did it tho'. Desperate. Seemed to address a lot of the problems. A friend suggested AVG and I've switched to that now. Computer is running quite a bit groggy and every time I log onto the internet I get 2 repeat messages about virus detected c:\WINDOWS\system32\dbmsrpcnm.dll Trojan horse Generic9.AJYG and c:\WINDOWS\system32\docprop2s.dll Virus identified Obfustat.ADXW (it happens at other times too although I'm not exactly sure when and why). When the dialogue box comes up I click HEAL and am asked to reboot the computer to complete the process (dialogue box flashes up 3 times for each malware in quick succession). Sometimes I do, sometimes I don't. I tried sending to vault but got a warning message about damaging something or other... This has been going on for a few weeks now as I procrastinate and hope the virus will JUST GET HEALED!

Today I really noticed how slow the computer is and checking the task manager the CPU is perpetually running at 100% and running 70-odd programs when I've got nothing but task manager open. Doesn't seem right and I'm ready to blame the nasty bugs rather than my Dell.

Heeeeeelp. Will continue to investigate the discussions to see if this hasn't been addressed elsewhere. I'm a newbie and a bit untechnical, realising I need to get a bit more savvy if I'm going to stay in this game.

cheers,

S :thumbsup:


#2 quietman7

Posted 12 February 2008 - 08:34 AM

Welcome to BC the s clause

Please follow the instructions in BC's self-help tutorial: How to remove Brave Sentry.

Please follow the instructions for using Vundofix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection".

After running VundoFix, a text file named vundofix.txt will have automatically been saved to the root of the system drive, usually at C:\vundofix.txt. Please copy & paste the contents of that text file into your next reply.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 the s clause

Posted 13 February 2008 - 02:18 AM

Thanks quietman7 :flowers: I'm onto it - will let you know how I go. I expect I should cancel my credit card asap... :thumbsup:

#4 quietman7

Posted 13 February 2008 - 08:55 AM

Ok. Don't forget to post the logs I requested.

#5 the s clause

Posted 19 February 2008 - 02:50 AM

Hey quietman7. It's been some weekend. I did remember to print the instructions before attempting "How to Remove Brave Sentry". Unfortunately it knocked out my internet connection (error 720) for the next stage and it didn't ask about the registry. To cut a long story short-ish I imported Vundo Fix, VirtumundoBegone, ATF Cleaner and SUPERAntiSpyware Free via flash memory.

I went through the process reasonably methodically. I still get the trojan warning from AVG. Logs are as follows:


[02/17/2008, 18:47:19] - VirtumundoBeGone v1.5 ( "F:\VirtumundoBeGone.exe" )
[02/17/2008, 18:47:58] - Detected System Information:
[02/17/2008, 18:47:58] - Windows Version: 5.1.2600, Service Pack 2
[02/17/2008, 18:47:58] - Current Username: Sophie (Admin)
[02/17/2008, 18:47:58] - Windows is in NORMAL mode.
[02/17/2008, 18:47:58] - Searching for Browser Helper Objects:
[02/17/2008, 18:47:58] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2008, 18:47:58] - BHO 2: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} ()
[02/17/2008, 18:47:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2008, 18:47:58] - Checking for HKLM\...\Winlogon\Notify\deSrcAs
[02/17/2008, 18:47:58] - Key not found: HKLM\...\Winlogon\Notify\deSrcAs, continuing.
[02/17/2008, 18:47:58] - BHO 3: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[02/17/2008, 18:47:58] - BHO 4: {64A2927F-0B65-469A-9FE3-867DCF4E6DCC} ()
[02/17/2008, 18:47:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2008, 18:47:58] - Checking for HKLM\...\Winlogon\Notify\dbmsrpcnm
[02/17/2008, 18:47:58] - Key not found: HKLM\...\Winlogon\Notify\dbmsrpcnm, continuing.
[02/17/2008, 18:47:58] - BHO 5: {8D4FC226-9F2F-4CF6-ADF2-011B154A899F} ()
[02/17/2008, 18:47:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2008, 18:47:58] - Checking for HKLM\...\Winlogon\Notify\docprop2s
[02/17/2008, 18:47:58] - Key not found: HKLM\...\Winlogon\Notify\docprop2s, continuing.
[02/17/2008, 18:47:58] - Finished Searching Browser Helper Objects
[02/17/2008, 18:47:58] - Finishing up...
[02/17/2008, 18:47:58] - Nothing found! Exiting...

[02/18/2008, 9:53:56] - VirtumundoBeGone v1.5 ( "F:\VirtumundoBeGone.exe" )
[02/18/2008, 9:54:05] - Detected System Information:
[02/18/2008, 9:54:05] - Windows Version: 5.1.2600, Service Pack 2
[02/18/2008, 9:54:05] - Current Username: Sophie (Admin)
[02/18/2008, 9:54:05] - Windows is in SAFE mode.
[02/18/2008, 9:54:05] - Searching for Browser Helper Objects:
[02/18/2008, 9:54:05] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/18/2008, 9:54:05] - BHO 2: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} ()
[02/18/2008, 9:54:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/18/2008, 9:54:05] - Checking for HKLM\...\Winlogon\Notify\deSrcAs
[02/18/2008, 9:54:05] - Key not found: HKLM\...\Winlogon\Notify\deSrcAs, continuing.
[02/18/2008, 9:54:05] - BHO 3: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[02/18/2008, 9:54:05] - BHO 4: {64A2927F-0B65-469A-9FE3-867DCF4E6DCC} ()
[02/18/2008, 9:54:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/18/2008, 9:54:05] - Checking for HKLM\...\Winlogon\Notify\dbmsrpcnm
[02/18/2008, 9:54:05] - Key not found: HKLM\...\Winlogon\Notify\dbmsrpcnm, continuing.
[02/18/2008, 9:54:05] - BHO 5: {8D4FC226-9F2F-4CF6-ADF2-011B154A899F} ()
[02/18/2008, 9:54:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/18/2008, 9:54:05] - Checking for HKLM\...\Winlogon\Notify\docprop2s
[02/18/2008, 9:54:05] - Key not found: HKLM\...\Winlogon\Notify\docprop2s, continuing.
[02/18/2008, 9:54:05] - Finished Searching Browser Helper Objects
[02/18/2008, 9:54:05] - Finishing up...
[02/18/2008, 9:54:05] - Nothing found! Exiting...


and...

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/18/2008 at 12:53 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 01:49:29

Memory items scanned : 533
Memory threats detected : 0
Registry items scanned : 5697
Registry threats detected : 14
File items scanned : 43863
File threats detected : 3

MyWay Search Assistant Computers
HKLM\Software\Classes\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
HKCR\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
HKCR\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
HKCR\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32
HKCR\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32#ThreadingModel
HKCR\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\Programmable
C:\PROGRAM FILES\MYWAYSA\SRCHASDE\DESRCAS.DLL
HKLM\Software\Classes\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}
HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}
HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}
HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32
HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32#ThreadingModel
HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}\Programmable
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
HKU\S-1-5-21-2089184603-4022188186-1018378550-1006\Software\Microsoft\Internet Explorer\URLSearchHooks#{4D25F926-B9FE-4682-BF72-8AB8210D6D75}

Trojan.BraveSentry
C:\Documents and Settings\Sophie\Start Menu\Programs\Brave-Sentry\Uninstall.lnk
C:\Documents and Settings\Sophie\Start Menu\Programs\Brave-Sentry

Cheers,

the s clause

#6 quietman7

Posted 19 February 2008 - 08:19 AM

I still get the trojan warning from AVG

Is the warning related to the same two .dll files?
c:\WINDOWS\system32\dbmsrpcnm.dll
c:\WINDOWS\system32\docprop2s.dll

If so, do this:

Download FileASSASSIN.zip and save to your desktop (this tool is compatible with Win 2000/NT/XP/Vista only).
  • Create a new folder on your C:\ drive called FileASSASSIN and extract (unzip) the file to that folder. (Click here for information on how to do this if not sure. Win 9x/2000 users click here.)
  • Open the folder and double-click on FileASSASSIN.exe.
  • Select the bad .dll file to delete by dragging it onto the text area or select it using the (...) browse button.
  • Select a removal method. Start with the default "Attempt FileASSASSIN's method of file removal"
  • Click delete and the removal process will begin.
  • Repeat the steps to delete the other bad .dll file.
  • If that did not work, start the program again, select the file(s) the same way as before and this time check "Use delete on reboot function from windows."


#7 the s clause

Posted 21 February 2008 - 01:55 AM

Thanks. It is the same .dll files so I'll give the FileASSASSIN a go. Would this explain why the CPU is constantly running at 100% or is that something else?

Cheers, S

#8 quietman7

Posted 21 February 2008 - 08:13 AM

If the CPU is running at 100% you will need to do further investigation to identify what process is responsible. You can download and use Process Explorer or System Explorer to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select properties, you will see more details about the file.

#9 the s clause

Posted 25 February 2008 - 09:52 PM

Hey quietman7. Thanks for sticking this out with me.

I tried running FileASSASSIN and it didn't pick up anything (I don't think). The only .dll files were FileAssassin ones. Still I get the AVG warnings about c:\WINDOWS\system32\dbmsrpcnm.dll
c:\WINDOWS\system32\docprop2s.dll which I opt to "heal" rather than 'move to the vault', for fear of doing more damage. The pop-ups are mostly annoying although I expect they are endemic of something worse. I meant to say that when I did the initial 'How to remove Brave Sentry' with Smitfraudfix I got through 9 steps but didn't get prompted to clean the registry. I got a message saying "Registry editing has been disabled by your administrator". I thought I had administrator rights as the user and I logged on as the user that I was when I got infected. Do you think that there could be something in that?

The other thing to note is that when I right click on local C: along with Explore and Search there is something like Ioeuoe - but not exactly that because it is all accented and foreign looking (without being foreign). This was also on my flash drive at one time that later got swept clean by my work computer.

I will now try and check what's going on with the CPU.

Cheers

#10 quietman7

Posted 26 February 2008 - 09:31 AM

Please download MsnCleaner.zip and save to your Desktop. (In addition to removing infected files, it will remove certain restrictions on your system often disabled by malware.)
  • Extract (unzip) the file to your desktop. (Click here if you're not sure how to do this) but DO NOT use it yet.
  • Reboot your computer in "Safe Mode" using the F8 key. To do this restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A boot menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
  • Double-click MsnCleaner.exe to run the tool.
  • Click the "Analyze" button.
  • A report will be created after the scan and will be saved to C:\MsnCleaner.txt.
  • If it finds an infection, click the "Deleted" button.
  • Reboot normally and post the contents of MsnCleaner.txt in your next reply.
Also from what you describe, it appears part of your issues are related to a flash drive infection. Symptoms include when right-clicking a drive, the context menu for OPEN and EXPLORE options contain strange characters or text next to it.

Flash drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, autorun looks for autorun.inf and automatically executes another malicious file to run on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.

Please insert your flash drive before we begin!

Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that is plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

#11 the s clause

Posted 03 March 2008 - 09:37 PM

Hi,

Sorry it's taken me so long to get back to you. A series of errors and difficulty accessing the net...anyhoo....I ran MSN cleaner and got the following message (as you suspected)

- Logfile MSNCleaner 1.5.5 by www.forospyware.com
- Created Logfile: 28/02/2008 on 9:48:02 PM
- Operative System: Windows XP
- Boot mode: Safe mode
_________________________________________

Detected files: 1
Deleted file: 1
Undeleted Files: 0

C:\autorun.inf <--- Deleted

Host file Restored

However, that didn't solve the pop-ups or the CPU at 100%. I used Process Explorer which was fantastic once I figured out how it worked. It seemed to indicate that Windows Explorer was running the CPU at 94 - 98%. When I looked at the threads there was one in particular wil...(sorry, a bit all over the shop - I took down the details but haven't managed to bring it with me to give to you). Anyway. When suspending this program the CPU very quickly reverted to much more sensible functioning it seemed to me (20-25%). Naturally, being a virus I suspect that this 'thread' isn't all bad so I was reluctant to delete it. Needless to say, when I shut down and restart the thread resumes its usual behavior ( :thumbsup: mental note to self to bring info to give you better detail.
At this stage I am pretty frustrated so have sent the computer off to be looked at by professionals and hopefully have the virus removed as well as my savings (not so pleased about). Thanks for listening, and I'll do you the courtesy of following through with the left behind details as well as the progress of the clean up by the professionals.

Thanks Quietman7 :flowers:

the s clause

#12 quietman7

Posted 04 March 2008 - 07:43 AM

You're welcome and please do provide us an update.

#13 the s clause

Posted 06 March 2008 - 03:16 AM

Hi quietman7.

That thread that I was talking about was wsil32.dll+0x1000. Not sure if that makes sense. Meanwhile the computer is still in the shop and the technician is a bit baffled (he says), saying that the computer won't even accept his antivirus software and seems to regenerate even after removing and cleaning the hard drive, but he's reluctant to reformat so....nasty strain by the sounds of it..I could be back sooner than I think. Looking forward to just having the time to surf and not deal with being caught in this rip, as it were. Living off borrowed computers is hell. A tough but valuable lesson is being learnt.

Ciao.



