PDA

View Full Version : Cabro and Nerte Trojan

konki6
26 Jan 2006, 6:32am
Hey, I'm running a computer with Windows 98 and I had Spybot S&D run a check on my registry and it found files from both the Cabro and Nerte Trojan. I reformated my computer a few days ago and I guess the Trojans came in before I finished updating my 2004 version of Nortion Internet Security. Everything I've read on how to remove these Trojans says to allow Norton to do it, however Norton doesn't recognize that they're there and I can't seem to get any anti-virus or anti-spyware software on my computer to update. I tried to do both the manual update on Norton (Intelligent updater or whatever it's called) and run a scan in Safe Mode but that didn't work. ^_^

I haven't downloading Hijack this or Adaware, I didn't know if they could get corrupted during the download. Am I just being paranoid? Is a Hijack this log needed in this case?

Thank you very much for taking the time to read this. XD
Trogan
26 Jan 2006, 6:53am
If you reformatted your computer, then all Spyware and Viruses will have been wiped away.

Can you download both HijackThis and Ad-Aware on your computer. Scan with Ad-Aware and then post a log by HijackThis. :)
konki6
26 Jan 2006, 8:07pm
If you reformatted your computer, then all Spyware and Viruses will have been wiped away.

Can you download both HijackThis and Ad-Aware on your computer. Scan with Ad-Aware and then post a log by HijackThis. :)

Thanks for your reply. ^_^ It seems that the Trojans came in after I reformatted. I guess I didn't update my antivirus software quick enough. :D

here is my hijack this! log;


logfile of HijackThis v1.99.1
Scan saved at 3:06:04 PM, on 1/26/06
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUNOTIFY.EXE
C:\WINDOWS\DESKTOP\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VoodooBanshee] rundll32.exe 3DBBps.dll,BansheeLoadSettings
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home


The "startup" tool in Spybot S&D identified these problems;

Current filename:Rundll32.exe,powrprof.dll, LoadCurrentPwrScheme
Database status: not required - virus, spyware, malware or other resource hog
Value: LoadPowerProfile
Filename:ASDAPI.EXE

Description:
Added by the CABRO TROJAN. Not to be confused with the valid LoadPowerProfile entry where the command is Rundll32.exe powrprof.dll

------

Current filename:C:\WINDOWS\scanregw.exe/autorun
Database status: not required - virus, spyware, malware, or other resource hog
Value: ScanRegistry
Filename:nsrvnt.exe

Description: Added by the NERTE TROJAN! Not to be confused with the real ScanRegistry, which is a vital Window program. This version has the executable as nsrvnt.exe and not scanregw.exe

Also, whenever I try to use the "immunize" function in Spybot S&D there are always 6 protcections possible. I don't know if that means anything or not.

Thanks. XD
Trogan
26 Jan 2006, 10:31pm
What SpyBot version do you have?
Also, whenever I try to use the "immunize" function in Spybot S&D there are always 6 protcections possible. I don't know if that means anything or not.
After clicking Immunize on the left, do you click Immunize again?


Your log isn't showing anything.
Can you run these online scans.

Panda ActiveScan
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

- Once you are on the Panda site, click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php

- Once you are on the BitDefender site, click the I Agree button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- If you get a Confirm File Replace message to overwrite a file, click Yes
- When download is complete, click the Click here to scan button
- BitDefender will download the latest virus signatures.
- The scan will automatically start

- Once the scan is complete, click Close
- On the box that appears, press Click here to view the report button
- Chose either Send Report or Don’t send - It is your choice!
- Paste the entire contents of the scan here from the new window
SpywareShooter
26 Jan 2006, 10:54pm
Those two entries are legit in WinME anyways... they should be in 98 too but I'm not as familiar with 98 as I am with 95/ME/XP.
konki6
27 Jan 2006, 8:26am
Thank you for the replies.

........................................................
my new hijack this! log;

Logfile of HijackThis v1.99.1
Scan saved at 2:54:22 AM, on 1/27/06
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUNOTIFY.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\GAIM\GAIM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VoodooBanshee] rundll32.exe 3DBBps.dll,BansheeLoadSettings
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
...................................................................................

BitDefender log;

BitDefender Online Scanner
Scan report generated at: Fri, Jan 27, 2006 - 02:50:53
Scan path: A:\;C:\;D:\;E:\;
Statistics

Time 00:26:14
Files 31863
Folders 786
Boot Sectors 2
Archives 392
Packed Files 830

Results

Identified Viruses 2
Infected Files 2
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 0

Engines Info
Virus Definitions 253993
Engine build AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins 13
Archive plugins 38
Unpack plugins 4
E-mail plugins 6
System plugins 1

Scan Settings

First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions

Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes
Scanned File

Status
E:\Misc. Files\Buttons.exe
Infected with: Joke.Buttons
E:\Misc. Files\Buttons.exe
Disinfection failed
E:\Misc. Files\Buttons.exe
Delete failed
E:\Misc. Files\Cool Game.exe
Infected with: Joke.Slippery.A
E:\Misc. Files\Cool Game.exe
Disinfection failed
E:\Misc. Files\Cool Game.exe
Delete failed

...................................................................................

Active Scan
Incident
Status
Location

Spyware:Cookie/Microsofte Not disinfected C:\WINDOWS\Cookies\rebecca nurse@microsofteup.112.2o7[1].txt
Spyware:Cookie/Atlas DMT
........................................................................................

Hmmm, I guess I should throw away the disk in my E: drive, right?

[I]//After clicking Immunize on the left, do you click Immunize again?//

Yes, and after I click "check again" it always tells me that there is an additional 6 protections and to immunize again. I immunize repeatedly with the same result. Does it mean anything?

//Those two entries are legit in WinME anyways... they should be in 98 too//

Hmmmm, I looked up the filenames "ASADPI.EXE" and "NSRVNT.EXE" on the internet before posting here and the results I got back said that they were malware. So do you think that it's a mistake in Spybot S&D?^_^

Thanks to everyone who took the time to reply. :D
Trogan
27 Jan 2006, 9:52am
Your HJT log is still clean.

I wouldn't worry about the Immunize problem. SpyBot keeps telling me that I have 445 files unprotected and doesn't change, no matter how times I press "check again" button.

I don't think you are infected but if you want, we can do other scans.

Let me know :)
konki6
5 Feb 2006, 12:07am
Sorry for it taking a while to reply.

I don't think you are infected but if you want, we can do other scans.

No, if my hijack this! log is clean I'm happy. Thank you very much for your time. :D

Anyway, what do you think is up with Spybot S&D saying that there was evidence of Trojans on my computer? Do you think that it's a bug in Spybot S&D or do you think that the Trojans used to be on my computer and got removed by Norton Antivirus without me noticing?

Thanks. :D
Trogan
5 Feb 2006, 12:36am
What does SpyBot find? Can it remove them?

If SpyBot finds traces of CoolWWWSearch or similar, then that is nothing to worry about :)