backdoor.afcore.bm infection

Hi,

I have been lurking around here for a few days now, trying to gather info on how to rid myslf of this stupid trojan.

AVG tells me that i'm infected but ofcourse cannot delete it. The trojan contains a run command within it to unintsall it'self

{{THIS IS AN ENGINEERING SAMPLE - USE AT YOUR OWN RISK
Please type in your command shell: rundll32 <path to this DLL>,Uninstall}}

but when i try this windows reports that it cannot find the module. Working in either safe mode or normal don't make a difference and neither ad-aware or spybot pick this up. I've downloaded and scaned with TDS-3(fantastic proram by the way). TDS reports that infact i have two of the same trojans.....avg picked up one and missed an identical file in the same folder TDS cannot do anything about them though. There also appear to be no reg entries in the run folder that are relating to it like with the other varients, though i've not found specific info on this one.

Aside from unknown network activity my system has not been doing anything unusual. Setting up a firewall seems to have put a stop to this anyway.

Any help would be much apricated.

Edit: TDS Also comes up reporting that i have an msrexe.exe somewhere. This has been deleted but comes back with each reboot.

Hijack this log:

Logfile of HijackThis v1.97.7
Scan saved at 12:51:39 AM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Motherboard Monitor 5\MBM5.exe
C:\Program Files\dtemp\DTemp.exe
C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\DC++\DCPlusPlus.exe
C:\Program Files\Soulseek\slsk.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
E:\apps\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [AudioHQU] C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{65764608-8CE0-4090-891E-4585D27E0870}: NameServer = 203.109.252.42,203.109.252.43
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6A602C1-883B-4277-B7C6-0D283E77D441}: NameServer = 203.109.252.42,203.109.252.43
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7BBA0D7-D03F-4C2C-8B91-6680E4FB84DE}: NameServer = 203.109.252.42,203.109.252.43

 

Quick update, i have managed to get the uninstall command line to work. Still unable to remove the files however.

 

Hi kid6o6,

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

Then reboot into safe mode and delete the file.

I see no sign of AFlooder (which I think is the one you mean:
https://www.wilderssecurity.com/showpost.php?p=99532&postcount=8 )
being active. You can always select the file after the TDS scan and submit it through the program.

Regards,

Pieter

 

Thanks for your help Pieter, I am trojan Free now. How is it you knew those two reg entries were what needed to be removed?

 

Hello kid6o6,

Could you post a new log for us to look at to make sure everything is gone.

 

here you go. Looking at it i'm not so sure about being completly clean.Those .ocx files are unfamiliar. But i'll let you guys decied.

Logfile of HijackThis v1.97.7
Scan saved at 12:01:01 AM, on 6/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Soulseek\slsk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\DC++\DCPlusPlus.exe
E:\apps\HijackThis.exe
C:\PROGRA~1\Grisoft\AVG6\avgw.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AudioHQU] C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{65764608-8CE0-4090-891E-4585D27E0870}: NameServer = 203.109.252.42,203.109.252.43
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6A602C1-883B-4277-B7C6-0D283E77D441}: NameServer = 203.109.252.42,203.109.252.43
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7BBA0D7-D03F-4C2C-8B91-6680E4FB84DE}: NameServer = 203.109.252.42,203.109.252.43

 

Hello,

Log looks good.

Here is a link for you to go to that will give you suggestions on how to keep your computer safe:
https://www.wilderssecurity.com/showthread.php?t=27971

Happy Surfing!

He knew what to remove by seeing lots of logs and knowing what to remove.
One clue is that this one:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

See the (no file). No reason to keep that one.