I Seem To Be Under Attack With The Bravo-g Trojan. Removal So Far Impossible...


6 replies to this topic

#1 Helpneededurgent (Members, 7 posts)

Posted 16 August 2008 - 08:09 AM

Yesterday I found my firewall blocking a suspicious application on one of my systems. I checked it and after a lot of snooping found that I had the Bravo-G trojan. Since Avast doesn't detect it yet, I decided to follow the list of entry changes Sophos noted it as making, manually repair them, and remove all files associated with it.

Everything was great until 15 minutes later, when my computer suddenly rebooted, and it was 100% back.

So, I pulled the plug, and decided to quarantine that system for the time being. I pulled a completely clean box out of storage, firewalled it, then connected it to the internet, meaning to check again this morning to see if anyone had a fix for the trojan yet.

15 minutes later, THIS box rebooted, and had the trojan. This was a clean windows install. It had connected once to google. No applications from the infected system had run on it.

My question is, how the hell is it getting on to my other systems? And is there ANY way to remove it? Given that it's infecting totally clean systems, is it a direct attack on me? If so, and they're bypassing my firewall to get this crap on to my system, can I trust that my firewall is in fact stopping the trojan from dialling out?


#2 Helpneededurgent (Topic Starter, Members, 7 posts)

Posted 16 August 2008 - 08:17 AM

Well crap, just checked and even though my firewall was set to block it, it was still allowing traffic through.
Terminated the process via my firewall (Since it's hijacked my task manager) but I'm going to have to keep an eye on it 100% of the time now. I can't go away from the computer for more than 30 seconds without turning it off, in case this thing reactivates.



*edit* okay, I think I've identified why it was rebooting - there's a LOT of incoming traffic I just blocked. My guess is that's something broadcasting to the trojan. Which also supports the idea that someone's been sneaking in and sticking this on my system. I'd guess they're just broadcasting to my ISP's full range of IPs.

Edited by Helpneededurgent, 16 August 2008 - 08:34 AM.
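The two posts above describe a pattern worth checking in a firewall log rather than guessing at: a clean box compromised minutes after going online, heavy inbound traffic, and a "block" rule that did not hold. The script below is an added example and is not from this thread or from any tool mentioned in it. It parses the Windows XP firewall log format (pfirewall.log, with its `#Fields:` header) and flags remote hosts that probe several local ports, any outbound TFTP (UDP/69) from the local box, and an accepted inbound connection followed by a TFTP pull from the same remote host within a time window. The log lines, addresses and ports are constructed for illustration; they are not indicators for this or any particular trojan, and the correlation is a generic network-worm heuristic, not a description of how Bravo-G works.

```python
"""Triage a Windows XP firewall log (pfirewall.log) for: inbound port probing,
outbound TFTP from the local box, and the two linked in time.

Added example; the sample lines are constructed and the addresses/ports are
illustrative assumptions, not indicators for any specific malware.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Column order of the XP firewall log's "#Fields:" header line.
FIELDS = ["date", "time", "action", "protocol", "src_ip", "dst_ip",
          "src_port", "dst_port", "size", "tcpflags", "tcpsyn", "tcpack",
          "tcpwin", "icmptype", "icmpcode", "info", "path"]

# Constructed sample in pfirewall.log format (local box assumed to be 192.0.2.10).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-08-16 08:01:02 DROP TCP 203.0.113.7 192.0.2.10 3412 445 48 S 1234567 0 65535 - - - RECEIVE
2008-08-16 08:01:03 DROP TCP 203.0.113.7 192.0.2.10 3413 139 48 S 1234568 0 65535 - - - RECEIVE
2008-08-16 08:01:05 DROP TCP 203.0.113.7 192.0.2.10 3414 135 48 S 1234569 0 65535 - - - RECEIVE
2008-08-16 08:01:09 DROP TCP 198.51.100.9 192.0.2.10 50001 445 48 S 7654321 0 65535 - - - RECEIVE
2008-08-16 08:02:10 OPEN-INBOUND TCP 203.0.113.7 192.0.2.10 3420 445 - - - - - - - - -
2008-08-16 08:02:41 OPEN UDP 192.0.2.10 203.0.113.7 1035 69 - - - - - - - - -
2008-08-16 08:05:00 OPEN TCP 192.0.2.10 198.51.100.5 1036 80 - - - - - - - - -
"""


def parse_firewall_log(text):
    """Return one dict per data line; header lines and malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # truncated or foreign line: skip rather than guess at columns
        ev = dict(zip(FIELDS, parts))
        ev["ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events


def inbound_probers(events, local_ip, min_ports=2):
    """Remote hosts that touched at least min_ports distinct local ports.
    Blocked (DROP) and accepted (OPEN-INBOUND) attempts both count as probes."""
    ports = defaultdict(set)
    for ev in events:
        if ev["dst_ip"] == local_ip and ev["action"] in ("DROP", "OPEN-INBOUND"):
            ports[ev["src_ip"]].add(ev["dst_port"])
    return {ip: sorted(p, key=int) for ip, p in ports.items() if len(p) >= min_ports}


def outbound_tftp(events, local_ip):
    """Outbound UDP/69 opened by the local box; a workstation rarely needs TFTP."""
    return [ev for ev in events
            if ev["src_ip"] == local_ip and ev["protocol"] == "UDP"
            and ev["dst_port"] == "69" and ev["action"] == "OPEN"]


def accepted_inbound(events, local_ip):
    """Inbound connections the firewall actually let through."""
    return [ev for ev in events if ev["dst_ip"] == local_ip and ev["action"] == "OPEN-INBOUND"]


def triage(text, local_ip, window=timedelta(minutes=30)):
    """Link each TFTP pull to an accepted inbound connection from the same remote
    host within `window` before it. Returns plain data so it can be asserted on."""
    events = parse_firewall_log(text)
    pulls = outbound_tftp(events, local_ip)
    linked = []
    for pull in pulls:
        for acc in accepted_inbound(events, local_ip):
            if acc["src_ip"] == pull["dst_ip"] and timedelta(0) <= pull["ts"] - acc["ts"] <= window:
                linked.append({"remote": acc["src_ip"], "inbound_port": acc["dst_port"],
                               "inbound_at": acc["time"], "tftp_at": pull["time"]})
    return {"probers": inbound_probers(events, local_ip),
            "tftp_pulls": [(p["time"], p["dst_ip"]) for p in pulls],
            "linked": linked}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, "192.0.2.10").items():
        print(key, value)
```

One caveat the original poster's own question already raises: a firewall running on the compromised host is part of the compromised system, so its log and its "block" decisions cannot be trusted. Confirm any finding from this script with a capture or log taken on an upstream device (router, separate firewall, or a span port) rather than on the infected box.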


#3 quietman7 (Bleepin' Janitor, Global Moderator, 50,587 posts, Virginia, USA)

Posted 16 August 2008 - 08:50 AM

Troj/Bravo-G: More Information

If you're using Windows 2000/XP, please print out and follow these instructions: "How to use SDFix". <- for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Helpneededurgent (Topic Starter, Members, 7 posts)

Posted 16 August 2008 - 09:17 AM

I'm on it. Just going to let my ubuntu download finish then I'll get to work on this. That way I can install that on my other system while I'm busy cleaning this one, which should prevent further such problems from occurring in the future.

#5 Helpneededurgent (Topic Starter, Members, 7 posts)

Posted 16 August 2008 - 10:32 AM

SDFix: Version 1.216
Run by Administrator on 16/08/2008 at 15:41

Microsoft Windows XP [Version 5.1.2600]
Running From: E:\SDFix

Checking Services :


E:\WINDOWS\system32\Microsoft\backup.ftp Found

Checking files:

Genuine:
E:\WINDOWS\system32\Microsoft\backup.ftp
E:\WINDOWS\system32\tftp.exe
E:\WINDOWS\system32\dllcache\tftp.exe

Dummy:
E:\WINDOWS\system32\ftp.exe
E:\WINDOWS\system32\dllcache\ftp.exe

Files copied to SDFix\Backups

Restoring files if backups are found

Final Check:

Genuine:
E:\WINDOWS\system32\Microsoft\backup.ftp
E:\WINDOWS\system32\ftp.exe
E:\WINDOWS\system32\tftp.exe
E:\WINDOWS\system32\dllcache\ftp.exe
E:\WINDOWS\system32\dllcache\tftp.exe



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

E:\DOCUME~1\WASHUC~1\LOCALS~1\Temp\tmp43.tmp - Deleted
E:\WINDOWS\system32\TFTP2140 - Deleted
E:\WINDOWS\system32\Microsoft\backup.ftp - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-16 16:21:44
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="E:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000000
"hdf12"=hex:a8,e5,ba,57,a9,72,a3,99,07,40,69,b0,95,ad,14,c4,27,f3,04,33,a0,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,ca,66,e4,fa,bc,4f,80,93,de,1f,5e,da,ba,ec,9f,5c,ec,..
"hdf12"=hex:78,ba,c9,d7,cf,7b,87,56,f0,1a,86,a3,42,6e,a7,74,1f,e9,cc,88,88,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:c0,2e,f7,17,c6,ff,0f,d1,5f,de,4a,ea,2a,c0,93,3e,bc,a0,3c,77,33,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="E:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000001
"khjeh"=hex:46,3b,be,6d,16,dc,f0,17,b3,65,65,83,09,b4,68,ff,85,f6,13,67,f0,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,34,13,df,fa,b5,1d,d4,99,54,f3,1e,e4,48,8b,aa,c4,da,..
"khjeh"=hex:78,cd,0e,06,4b,e2,e6,f5,6f,34,00,a5,15,46,31,ca,93,79,bc,be,84,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:39,50,28,06,b6,34,1c,be,68,a5,d5,c6,f9,97,1d,f4,bb,42,3c,7c,1c,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="E:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000000
"hdf12"=hex:a8,e5,ba,57,a9,72,a3,99,07,40,69,b0,95,ad,14,c4,27,f3,04,33,a0,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,ca,66,e4,fa,bc,4f,80,93,de,1f,5e,da,ba,ec,9f,5c,ec,..
"hdf12"=hex:78,ba,c9,d7,cf,7b,87,56,f0,1a,86,a3,42,6e,a7,74,1f,e9,cc,88,88,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:c0,2e,f7,17,c6,ff,0f,d1,5f,de,4a,ea,2a,c0,93,3e,bc,a0,3c,77,33,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="E:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000001
"khjeh"=hex:46,3b,be,6d,16,dc,f0,17,b3,65,65,83,09,b4,68,ff,85,f6,13,67,f0,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,34,13,df,fa,b5,1d,d4,99,54,f3,1e,e4,48,8b,aa,c4,da,..
"khjeh"=hex:78,cd,0e,06,4b,e2,e6,f5,6f,34,00,a5,15,46,31,ca,93,79,bc,be,84,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:39,50,28,06,b6,34,1c,be,68,a5,d5,c6,f9,97,1d,f4,bb,42,3c,7c,1c,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{56CA5D3B-3002-4E7B-90FE-071D8FDF3814}]
"DisplayName"="DAEMON Tools"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

Remaining Files :


File Backups: - E:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 16 Aug 2008 98,816 ..SHR --- "E:\WINDOWS\system32\NMBgMonitor.exe"


Finished!




Ran the app, ran through the full process in safe mode fine, but after it rebooted the comp out of safe mode and back into normal mode and began performing the final stage of the check, it started getting the registry editing disabled errors constantly again (No surprise as this trojan reinserts those registry entries on every boot, something I discovered after 30 minutes spent painstakingly removing them all manually).

I'm guessing the only antivirus currently capable of fixing it is the sophos one then? It's not ideal to have to quarantine my entire network until my own antivirus gets an update for it, but it's proving impossible to manually remove.

And seeing as how it's infecting every clean system I connect to the internet, I'm beginning to suspect that one of my friends made the right call when he suggested it's hiding in the memory of my modem, and is getting into every system I connect to the modem that way...

Edited by Helpneededurgent, 16 August 2008 - 10:33 AM.
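The SDFix report in the post above does a pairwise check of protected binaries: tftp.exe in system32 and in dllcache are listed as Genuine, while ftp.exe is listed as Dummy in both locations and then restored. That second detail matters: because both copies of ftp.exe had been replaced, a plain "does the live file match its dllcache copy" comparison would have called them consistent. The script below is an added example (not SDFix's code, and not a claim about how SDFix classifies files) showing the pair check with and without a known-good reference hash, on a constructed temporary directory tree so it runs anywhere. The real paths on Windows XP would be %SystemRoot%\system32 and %SystemRoot%\system32\dllcache; the file names and contents used in the demo are assumptions.

```python
"""Pair-check system binaries against their dllcache copies, optionally against
known-good hashes, and show why the reference hashes are needed.

Added example, not SDFix's own code. Runs on a constructed temp tree; on a real
XP box the two directories would be system32 and system32\\dllcache.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Stream the file so large binaries are hashed without loading them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_pairs(system32, dllcache, names, known_good=None):
    """Classify each name as genuine / dummy / both-modified / missing.

    Without known_good the only test is live == cache, which is blind to an
    attacker who replaced both copies. With known_good ({name: sha256} taken
    from install media) each copy is judged against the reference instead."""
    report = {}
    for name in names:
        live = os.path.join(system32, name)
        cache = os.path.join(dllcache, name)
        if not (os.path.exists(live) and os.path.exists(cache)):
            report[name] = "missing"
            continue
        live_h, cache_h = sha256_of(live), sha256_of(cache)
        if known_good and name in known_good:
            if live_h == known_good[name] and cache_h == known_good[name]:
                report[name] = "genuine"
            elif cache_h == known_good[name]:
                report[name] = "dummy"  # live copy replaced; the cache copy can restore it
            else:
                report[name] = "both-modified"  # neither copy is trustworthy
        else:
            report[name] = "genuine" if live_h == cache_h else "dummy"
    return report


def demo():
    """Constructed tree mirroring the report's before-state: tftp.exe intact,
    ftp.exe replaced in both system32 and dllcache, plus a hypothetical
    extra.exe replaced in system32 only. Returns (pair-only, with-reference)."""
    root = tempfile.mkdtemp()
    try:
        s32 = os.path.join(root, "system32")
        dll = os.path.join(s32, "dllcache")
        os.makedirs(dll)
        original = {"ftp.exe": b"ORIGINAL FTP CLIENT",
                    "tftp.exe": b"ORIGINAL TFTP CLIENT",
                    "extra.exe": b"ORIGINAL EXTRA TOOL"}
        known_good = {n: hashlib.sha256(b).hexdigest() for n, b in original.items()}
        for n, b in original.items():
            for d in (s32, dll):
                with open(os.path.join(d, n), "wb") as f:
                    f.write(b)
        for d in (s32, dll):  # both ftp.exe copies swapped out, as in the report
            with open(os.path.join(d, "ftp.exe"), "wb") as f:
                f.write(b"DUMMY")
        with open(os.path.join(s32, "extra.exe"), "wb") as f:  # live copy only
            f.write(b"REPLACED")
        names = list(original)
        return check_pairs(s32, dll, names), check_pairs(s32, dll, names, known_good)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    pair_only, with_reference = demo()
    print("pair check only :", pair_only)
    print("with known-good :", with_reference)
```

Without the reference hashes the doubly replaced ftp.exe passes as "genuine"; with them it is reported as both-modified, which is the state the report above shows before restoration. On Windows XP, `sfc /scannow` performs the same kind of check for Windows File Protection files and will ask for the installation CD when the dllcache copy is itself bad; a known-good hash set from install media is the offline equivalent.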


#6 quietman7 (Bleepin' Janitor, Global Moderator, 50,587 posts, Virginia, USA)

Posted 16 August 2008 - 10:55 AM

Sometimes another piece of malware which has not been detected protects other files (which have been detected) so they cannot be permanently deleted. Others are difficult to remove completely because of their morphing characteristics which allow the malware to regenerate itself. This infection will require further investigation and probably the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a hijackthis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In Step 9 there are instructions for downloading the HijackThis Installer and creating a log. This is an automatic setup version which will install the program in the proper location.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

#7 Helpneededurgent (Topic Starter, Members, 7 posts)

Posted 16 August 2008 - 11:02 AM

I'll run HJT on my other system - the first one that got infected, then on this one which it isn't installed on yet.
