| Forum Home | ||||
| Press F1 | ||||
| Thread ID: 69942 | 2006-06-17 05:15:00 | backdoor.bretlibot.w | pine-o-cleen (2955) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 463820 | 2006-06-17 05:15:00 | Hi, I am helping a guy out with a virus problem on his pc. AVG resident shield came up with a message that said he had a trojan virus named 'backdoor.bretlibot.w' and that it couldn't be fixed or quarantined. He then did a full system scan with no result. I've done a few google searches with no results. Should he be worried about this? What else can be done? |
pine-o-cleen (2955) | ||
| 463821 | 2006-06-17 05:17:00 | where is the file located? did you set the full scan to scan ALL files? |
tweak'e (69) | ||
| 463822 | 2006-06-17 06:41:00 | Please download HijackThis (www.cyberanswers.org). It will create a directory folder for you in C\Program files. Run a scan and save the log file. Post the whole log file here. Do not fix anything since most of them listed there are harmless (some are system required). This program will help determine what,if any, spyware/malware is on your computer. | Pancake (6359) | ||
| 463823 | 2006-06-18 04:52:00 | Logfile of HijackThis v1.99.1 Scan saved at 3:42:45 p.m., on 18/06/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Ahead\InCD\InCD.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V 1.EXE C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T 1.EXE C:\Program Files\QuickTime\qttask.exe C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\PROGRA~1\Grisoft\AVG7\avgw.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Outlook Express\msimn.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\HijackThis 1.99.1\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = xtramsn.co.nz R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing) O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\ Yahoo! \Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\ Yahoo! \Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [DriverDB] svcmdx32.exe O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T 1.EXE /P32 "EPSON Stylus C45 Series (Copy 1)" /O6 "USB002" /M "Stylus C45" O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V 1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500" O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V 1.EXE /P35 "EPSON Stylus CX1500 Series (Copy 1)" /O6 "USB003" /M "Stylus CX1500" O4 - HKLM\..\Run: [ControlDiskTsk] winzrs32.exe O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T 1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ProtocolModuleCmd] svchon32.exe O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe" O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [DriverDB] svcmdx32.exe O4 - HKCU\..\Run: [ControlDiskTsk] winzrs32.exe O4 - HKCU\..\Run: [ProtocolModuleCmd] svchon32.exe O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\winampXP.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe O8 - Extra context menu item: &Search - bar.mywebsearch.com O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - ak.imgfarm.com O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe |
pine-o-cleen (2955) | ||
| 463824 | 2006-06-18 04:57:00 | . . . again I see another puter dependent on Symantec to give the owner a false sense of security . Go get it Eddy! |
SurferJoe46 (51) | ||
| 463825 | 2006-06-18 05:22:00 | Hi . . . yes its the W32/Brepibot SHOW HIDDEN FILES AND FOLDERS . To show hidden files instructions (WinXP) Doubleclick My Computer | Tools | Folder Options | View tab Select Show Hidden Files and Folders Uncheck Hide extensions for known file types Uncheck Hide protected operating system files (Recommended) Select Apply to All Folders | Yes | Apply | OK Please start by going into SAFE MODE . During reboot, tap the F8 key . Select Safe Mode and then run "Hijack This" Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes . Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT . O4 - HKLM\ . . \Run: [DriverDB] svcmdx32 . exe O4 - HKLM\ . . \Run: [ControlDiskTsk] winzrs32 . exe O4 - HKCU\ . . \Run: [DriverDB] svcmdx32 . exe O4 - HKCU\ . . \Run: [ControlDiskTsk] winzrs32 . exe O4 - HKCU\ . . \Run: [ProtocolModuleCmd] svchon32 . exe O4 - HKCU\ . . \Run: [startkey] C:\WINDOWS\system32\winampXP . exe O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - . imgfarm . com/images/nocach . . . up1 . 0 . 0 . 8-2 . cab" target="_blank">ak . imgfarm . com Open Windows Explorer and delete the following highlighted file/s if they are present C:\WINDOWS\system32\svcmdx32 . exe C:\WINDOWS\system32\winampXP . exe C:\WINDOWS\system32\winzrs32 . exe C:\WINDOWS\system32\svchon32 . exe c:\Windows\System32\csrnvrt . exe c:\Windows\System32\cstsm . exe Reboot . . . . . . . . . . . . . . . . . . Check these reg keys for any of the above files and delete them if found HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run "WindowsDiskLog" = anyabovefile HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run "WindowsDiskLog" = anyabovefile Download the trial version of Ewido Security Suite ( . ewido . net/en/download/" target="_blank">www . ewido . net) When installing, under "Additional Options" uncheck "Install Background Guard" and "Install scan via context menu" . Launch Ewido Security Suite (there should be an icon on your desktop doubleclick it) . The program will now go to the main screen . You will need to update ewido to the latest definition files . On the left hand side of the main screen click update and then click on Start Update . The update will start and a progress bar will show the updates being installed . If you have problems with the updater, you can use this link to manually update ewido . . ewido . net/en/download/updates/ . " target="_blank">www . ewido . net Do not run a scan yet . When you have done this, boot into Safe Mode (restart your PC and keep tapping F8 while it restarts) . Run Ewido Security Suite now . Click on Scanner and click Complete System Scan and the scan will begin . During the scan it will prompt you to clean files, click OK . When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK . When the scan is finished, click the Save report button at the bottom of the screen . Save the report to your desktop and close Ewido Security Suite . Please post its log here along with a new HJT log . |
Pancake (6359) | ||
| 1 | |||||