
Bravo-g Trojan Infection. Keeps Installing Immediately On Every Clean Computer I Connect To The Internet.


This topic is locked
3 replies to this topic

#1 Helpneededurgent

Helpneededurgent

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:51 AM

Posted 16 August 2008 - 11:25 AM

Tried a manual removal but obviously missed something as it reinstalls itself every time I reboot.
Others on the forum suggested SDFix, but it gets halfway through running and needs to reboot the system, whereupon the trojan reinserts the registry entries preventing the editing of the registry, and so when the system restarts to complete the work of SDFix, it cannot repair the registry.

I've manually fixed EVERYTHING listed in the Sophos article on this trojan, but it reinserts itself on reboot still. It even installs itself on every computer I hook up to my cable modem, suggesting to one friend that it may be residing in my modem's internal memory. I know this trojan's only two days old, but it'd be nice if someone would release a fix for it soon, so if anyone does, could someone let me know please?

In the meantime I'm going to hope someone can spot what it's using to reinfect my system from this log, and then maybe I can get my system back under my control.

Note: I terminate and delete NMBGMonitor.exe every time windows boots up, right away.
I also immediately order my firewall to block ndisuio.sys, as if I do not, my machine will reboot 15 minutes after loading, and the trojan will be restored. Unfortunately, while blocking this file keeps the trojan from reinstalling (I'm guessing someone's broadcasting to the trojan through it) it also prevents any other computers and consoles on my network from accessing the internet, as they all connect through this box, and seem to require it for connecting.

As for the "Why are you using SP1?" question - this rig is my retro gaming rig, which I hooked up after my other system got the trojan. SP2 breaks a lot of my old games. I'm currently switching my other system, the one the network usually connects through, to use Ubuntu, which I'm installing as we speak, since using windows ICS *IS* just a bad idea, I know... A proper proxy running on the Ubuntu box should be a LOT safer.


*Edit* Also - some entries from my attempt to install Avira seem to still be there, don't know why as it cancelled the install with an error several weeks ago. Oh well.

Any and all help appreciated.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:10:53, on 16/08/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
E:\Program Files\TortoiseSVN\bin\TSVNCache.exe
E:\WINDOWS\sttray.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Winamp\Winampa.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
E:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\Program Files\BitLord\BitLord.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\NMBgMonitor.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [StartCCC] "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NMBgMonitor.exe] E:\WINDOWS\system32\NMBgMonitor.exe
O4 - HKLM\..\Run: [SDFix] E:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "E:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [AtiTrayTools] "E:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Unknown owner - E:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Unknown owner - E:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - E:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: TVersityMediaServer - Unknown owner - E:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 5172 bytes

Edited by Helpneededurgent, 16 August 2008 - 11:27 AM.
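The reboot-persistence points visible in the HijackThis log above (the F2 Shell value with a second program chained after Explorer.exe, the O4 Run entry that starts the same binary, the O7 DisableRegedit policy, and O23 services whose file is missing) are the lines a responder would cross-check first. The following parser is an added example, not BleepingComputer's or HijackThis's own tooling: it reads the F2/O4/O7/O23 line formats and reports each place from which a program can be relaunched at logon, plus policies that lock the user out of the cleanup tools. The sample lines are constructed in the same format as the log above (a subset of its entries, with a benign entry of each kind kept for contrast); the regular expressions and the `LOCKOUT_POLICIES` set are the example's own assumptions about the format, not HijackThis documentation.

```python
"""Flag reboot-persistence points in a HijackThis-style log (added example)."""
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis log format: a subset of the lines
# posted above, with one benign entry of each kind kept for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\NMBgMonitor.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NMBgMonitor.exe] E:\WINDOWS\system32\NMBgMonitor.exe
O4 - HKLM\..\Run: [SDFix] E:\SDFix\RunThis.bat /second
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Unknown owner - E:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
"""

# Line formats as they appear in the log above (assumed, not an official grammar).
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
POLICY_RE = re.compile(r"^O7 - (?P<key>.*), (?P<value>\w+)=(?P<data>\S+)$")
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*?)"
    r"(?P<missing> \(file missing\))?$"
)

# Policies\System values that disable the tools needed to clean up by hand.
LOCKOUT_POLICIES = {"DisableRegedit", "DisableTaskMgr"}


@dataclass
class Finding:
    section: str  # HijackThis section code the line came from (F2, O4, O7, O23)
    reason: str
    line: str


def executable_name(cmd: str) -> str:
    """Lower-cased file name of the program a Shell/Run entry launches.

    A quoted path followed by arguments is handled; an unquoted path with
    spaces is ambiguous in this format and is split at the first space.
    """
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        path = cmd[1:cmd.index('"', 1)]
    else:
        path = cmd.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    shell_extras: set[str] = set()
    run_entries: list[tuple[str, str, str]] = []

    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := SHELL_RE.match(line)):
            # Winlogon starts every program listed in Shell at each logon,
            # so killing the process alone does not get rid of it.
            for prog in m["shell"].split():
                name = executable_name(prog)
                if name != "explorer.exe":
                    shell_extras.add(name)
                    findings.append(Finding("F2", f"'{name}' chained onto the Winlogon Shell value", line))
        elif (m := RUN_RE.match(line)):
            run_entries.append((m["hive"], m["cmd"], line))
        elif (m := POLICY_RE.match(line)):
            if m["value"] in LOCKOUT_POLICIES and m["data"] == "1":
                findings.append(Finding("O7", f"{m['value']}=1 locks the user out of an admin tool", line))
        elif (m := SERVICE_RE.match(line)):
            if m["missing"]:
                findings.append(Finding("O23", f"service points at a missing file: {m['path']}", line))

    # A binary started from both Shell and a Run key has two restore paths;
    # clearing only one of them is a classic reason it is back after a reboot.
    for hive, cmd, line in run_entries:
        name = executable_name(cmd)
        if name in shell_extras:
            findings.append(Finding("O4", f"'{name}' also started from {hive} Run (second persistence point)", line))
    return findings


def sections(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HijackThis section, for a one-line summary."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, the parser reports exactly one finding per section: the extra program on the Shell value, the Run entry that starts the same file, the DisableRegedit policy, and the orphaned Avira service. The F2 label is HijackThis's name for the registry-mapped system.ini Shell setting (the Winlogon Shell value on NT-family Windows); the parser only checks the log, so it says nothing about how other machines on the same LAN were being infected, which a host log cannot show.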



#2 Helpneededurgent

Helpneededurgent
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:51 AM

Posted 18 August 2008 - 11:22 AM

Okay, it is STILL reinstalling itself. No matter how many registry entries I clean out and temp-files it creates I delete, it keeps reinstalling itself. I thought I'd killed it off completely, my registry was all fixed and I'd rebooted safely several times, with no sign of the trojan, then BOOM! 30 minutes ago I get a "Remote call procedure terminated unexpectedly, the system is shutting down" message. I knew the moment I saw it that it was this again.

Unsurprisingly, THIS time when it rebooted, I had registry editing and task manager once again disabled and my firewall was once again blocking NMBgMonitor.exe.

This time round I've created a dummy read only file after deleting it, in the hope that might prevent it from restoring itself. But this thing is COMPLETELY out of control now. This is quite possibly the worst trojan I've EVER encountered in the last 20 years... And still as far as the internet seems to be concerned, there is no fix.


*edit* I realise you're not recommended to post replies, but the edit time on the original post had expired and new developments have occurred, so I want all the info to be available.

Edited by Helpneededurgent, 18 August 2008 - 11:26 AM.


#3 dark messenger

dark messenger

  • Members
  • 1,741 posts
  • OFFLINE
  • Gender:Male
  • Location:Auckland NZ
  • Local time:08:51 PM

Posted 29 August 2008 - 05:20 PM

Hello


Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
DM

#4 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:51 AM

Posted 04 September 2008 - 04:45 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Thank you :thumbsup:
SNOWHITE



