Jump to content


Photo

Stubborn Trojan Virus


  • This topic is locked This topic is locked
4 replies to this topic

#1 DenMan

DenMan

    Member

  • New Member
  • Pip
  • 4 posts

Posted 24 July 2004 - 09:45 AM

Tried FAQ

Ran latest version following:
Shredder
AdAware
Spybot S&D
AboutBuster
Avast!
Firewall - ZoneAlarm

Within hours receive notification of virus in C:\Temp of install2.exe and /or bdl1045.exe

This is th HijackThis log -

Logfile of HijackThis v1.98.0
Scan saved at 10:18:30 AM, on 7/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\WindUpdates\WinUpdt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\WindUpdates\WinKA.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Bill\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: jimmyhelp.CBrowserHelper - {7BD65CE4-148F-40AB-8216-940065DB6A62} - C:\WINDOWS\msrrjowh.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - (no file)
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud5.sports.s...lgcst1010_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.side...00719/sb028.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...7ebad4bf17236ad
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://download.weat...Transporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://www.easports....py/iesnoopy.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com...id/MSSurVid.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....21/cpbrkpie.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave...eDownloader.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com...ior/Outside.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f2.pg.photos....plorer1_9us.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/L2M.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v5.cab
O16 - DPF: {ECF5F2BD-C78B-4C6F-91BB-2A311FCCA4C7} (WTApp Class) - http://www.shockwave...ic/CMonline.dll

Any help would be appreciated.

#2 DenMan

DenMan

    Member

  • New Member
  • Pip
  • 4 posts

Posted 24 July 2004 - 10:32 AM

The names of the two files are bdl14025.exe and installer2.exe

In my rush I typed them wrong.

#3 trojansr4weiners

trojansr4weiners

    Member

  • New Member
  • Pip
  • 1 posts

Posted 18 August 2004 - 01:45 AM

Just to document this trojan for anyone doing a search on the web for files bdl14025.exe , msbb.exe , optimize.exe , and installer2.exe :

Somehow, I was redirected to websites www2.flingstone.com and static.flingstone.com where these executables were in the URL so it downloaded it into my c:\temp and c:\temprorary internet files directories. I ran Ad-Aware and it identified these as malware installing small apps in subdirectories it created: c:\program files\internet optimizer and c:\program files\bullseye network The vendor description that Ad-Aware gave was 180solutions and Bulleye Network. Ad-Aware quarantined these files and asked me to reboot so that it could check the registry. On reboot, Ad-Aware highlighted about 17 registry keys and values that were added and prompted me to remove them. I also ran "msconfig" command line from Task Manager to see what was added recently at Startup. A new command line was added using rundll32.exe to open a file called bridge.dll in c:\windows\system32. I unchecked this so it wouldn't run at Startup again, but it didn't matter because Ad-Aware had already deleted the bridge.dll file. Also, I noticed that my startup web page was changed, so you might want to point it to open a blank page in Internet Options just in case it redirects you to that trojan again. I ran a retail version of McAfee Anti-Spyware and it said my PC was clean now.

I don't know if I'll have the same problems tomorrow with these files appearing again, but it looks like Ad-Aware added a fix recently so you might want to update the Ad-Aware database list first before running it.

And you know why this happened? Because I turned off my ZoneAlarm firewall, McAfee Anti-Spyware, and McAfee AV so it wouldn't interefere with a video editing program I was running at the time. But I forgot to turn them back on when I signed in!!! Oh well, you live and learn. :p Hope this helps the next guy who has this problem!

#4 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 18 August 2004 - 04:11 AM

Hi,
Looks like you still have some issues ...

First thing to do is ...

Download Posted Image VX2 Cleaner
To install: double-click "plvx2cleaner.exe" follow the prompts.

Note: do not run Vx2 Cleaner yet, just install.

Next:

Posted Image Reconfigure Windows Explorer to show Hidden Files: [required step]
Open the Windows Explorer | Tools | Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

Next:

Close all open programs and browsers, rescan with HijackThis
Place a check in each of the following then click "Fix checked".

O2 - BHO: jimmyhelp.CBrowserHelper - {7BD65CE4-148F-40AB-8216-940065DB6A62} - C:\WINDOWS\msrrjowh.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - (no file)
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - (no file)
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.side...00719/sb028.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...7ebad4bf17236ad
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/L2M.cab


Then reboot, on restart, restart in Safe Mode [required step - see "How To" below]

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following:

C:\WINDOWS\msrrjowh.dll <--this file
C:\Program Files\WindUpdates <--this folder

While still in Safe Mode run Ad-Aware and fix everything it finds.
Then run Vx2 Cleaner.
To use: open Ad-Aware, click "Add-ons", highlight "VX2 Cleaner", click "Run Tool"

Restart normally and then ...

Download Posted Image VX2Finder
Run Vx2Finder click on the click to find VX2.BetterInternet button.
Then click Make log.

Copy and paste the contents of the log into your next reply here.

Next: Download Posted Image HijackThis! 1.98.2

After the above, reboot, rescan with HijackThis and post a fresh log ...
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#5 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 01 October 2004 - 05:41 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button