Infected By: Trojan.spambot.pbfrv2


Guest Reimar
Posted (edited)

One of my computers has been infected by Trojan.Spambot.PBFRV2 since 11:23 this morning. I found one explanation on the Internet, but in Polish, and I don't understand it.

Does anyone know this trojan?

Searches by Avast, Symantec and so on: no results!

Edited by Reimar
Posted

Nothing on the OneCare site. Where do you think it may have come in from? We can stay away until we get the updates for it.

Posted

Try Googling for just PBFRV2, as it comes up with plenty of sites. The first page appears to be in French, and my search shows 10 pages of hits.

I don't know if it's the same trojan, but it may point you in the right direction.

Posted
One of my computers has been infected by Trojan.Spambot.PBFRV2 since 11:23 this morning. I found one explanation on the Internet, but in Polish, and I don't understand it.

Does anyone know this trojan?

Searches by Avast, Symantec and so on: no results!

This sounds like the 2020search spyware. One of its dropped files is pbfrv2.dll.

Quote from Spyware data:

Threat Name: 2020Search

Downloads and installs software without user knowledge or permission. Displays advertisements when searching. Redirects all toolbar searches to go through search.shopnav.com

Most antivirus software will not find it; it is not a virus. Get yourself a good spyware detector like Spybot and keep it up to date.

Posted

Found this, hope it helps:

Slagent, Trojan.Spambot.PBFRV2 and other detected on your computer! It's highly recommended to scan the system immediately to remove all spyware and adware

Logfile of HijackThis v1.99.1
Scan saved at 10:36:08, on 18.8.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avast\aswUpdSv.exe
C:\Program Files\Avast\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Avast\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\DOCUME~1\Ivan.P\LOCALS~1\Temp\frmwrk.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\center.exe
C:\WINDOWS\system32\eror.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast\ashMaiSv.exe
C:\Program Files\Avast\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\center2.exe
C:\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.centrum.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: WebTranslator - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - D:\Programy\TRANSLAT\WEBIE.DLL
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programy\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iCQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Windows Framework] C:\DOCUME~1\Ivan.P\LOCALS~1\Temp\frmwrk.exe
O4 - HKLM\..\Run: [spywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [iCQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQ\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: WebTran - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - D:\Programy\TRANSLAT\WEBIE.DLL
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748450} - D:\Programy\TRANSLAT\WEBIE.DLL
O9 - Extra 'Tools' menuitem: &Nastavit překladač - {CC963627-B1DC-40E0-B52A-CF21EE748450} - D:\Programy\TRANSLAT\WEBIE.DLL
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748451} - D:\Programy\TRANSLAT\WEBIE.DLL
O9 - Extra 'Tools' menuitem: Přeložit &označený text - {CC963627-B1DC-40E0-B52A-CF21EE748451} - D:\Programy\TRANSLAT\WEBIE.DLL
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} - D:\Programy\TRANSLAT\WEBIE.DLL
O9 - Extra 'Tools' menuitem: Přeložit &stránku - {CC963627-B1DC-40E0-B52A-CF21EE748452} - D:\Programy\TRANSLAT\WEBIE.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
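The triage a practitioner would do on a log like the one above can be scripted. The Python below is an added example, not code from the thread or any of its posters: it parses HijackThis-style lines and flags the patterns that matter here (a process or O4 autorun launching from a user Temp directory, as frmwrk.exe does; an autorun named like a Windows component that does not live under %SystemRoot%; IE search/local-page overrides; O23 services with "(file missing)"; and binaries in System32 not on a small allowlist). The sample log is constructed from a handful of the lines posted above, and the System32 allowlist is an assumption, not an authoritative list.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on a few lines of the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\Ivan.P\LOCALS~1\Temp\frmwrk.exe
C:\WINDOWS\system32\center.exe
C:\Program Files\Avast\ashServ.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.centrum.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Framework] C:\DOCUME~1\Ivan.P\LOCALS~1\Temp\frmwrk.exe
O4 - HKCU\..\RunOnce: [iCQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast\ashMaiSv.exe" /service (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Per-user and system Temp locations as they appear in XP/Vista paths (8.3 and long forms).
TEMP_RE = re.compile(r"\\(?:LOCALS~1|Local Settings|AppData\\Local|WINDOWS)\\Temp\\", re.I)
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\([^\\]+)$", re.I)
# Assumption: binaries expected in System32 on this kind of XP SP2 box; anything else is "review".
SYSTEM32_KNOWN = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                  "svchost.exe", "spoolsv.exe", "ctfmon.exe", "wscntfy.exe", "ati2evxx.exe"}


@dataclass
class Finding:
    severity: str  # high / medium / review / info
    rule: str
    line: str


def exe_path(cmd: str) -> str:
    """Extract the executable path from an O4 command string, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.+?\.exe)(?:\s|$)", cmd, re.I)  # unquoted path up to the first switch
    return m.group(1) if m else cmd


def parse(log_text: str):
    """Split a HijackThis log into (running process paths, [(kind, body, line), ...])."""
    processes, entries, in_procs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # first R/O entry ends the process list
            entries.append((m.group("kind"), m.group("body"), line))
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(log_text: str) -> list:
    """Return Finding objects in log order: processes first, then R/O entries."""
    processes, entries = parse(log_text)
    findings = []
    for p in processes:
        if TEMP_RE.search(p):
            findings.append(Finding("high", "process running from a Temp directory", p))
        else:
            m = SYSTEM32_RE.match(p)
            if m and m.group(1).lower() not in SYSTEM32_KNOWN:
                findings.append(Finding("review", "unrecognised binary in System32", p))
    for kind, body, line in entries:
        if kind == "O4":
            m = O4_RE.match(body)
            if not m:
                continue  # "Global Startup: x.lnk = ..." entries have a different shape; skipped
            name, path = m.group("name"), exe_path(m.group("cmd"))
            if TEMP_RE.search(path):
                findings.append(Finding("high", "autorun launching from a Temp directory", line))
            elif name.lower().startswith("windows") and "\\windows\\" not in path.lower():
                findings.append(Finding("medium", "autorun named like a Windows component but outside %SystemRoot%", line))
        elif kind in ("R0", "R1") and re.search(r"(SearchAssistant|CustomizeSearch|Local Page|Search Page) = ", body):
            findings.append(Finding("medium", "IE search/local page overridden", line))
        elif kind == "O23" and line.endswith("(file missing)"):
            findings.append(Finding("info", "service entry points at a missing file", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.rule}: {f.line}")
```

Run against the sample it reports frmwrk.exe twice (once as a running process, once as the "Windows Framework" Run entry), center.exe in System32 as a review item, the crawler.com SearchAssistant override, and the avast! Mail Scanner "(file missing)" line as informational, since that one is a quoting quirk in the service path rather than malware. The script is a first pass for a human, not a verdict: the System32 allowlist will produce review items on any box with drivers it does not know, and a high finding still has to be confirmed by looking at the file.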

Guest Reimar
Posted

Thanks for the replies!

It is NOT the pbfrv2.dll file! This file doesn't exist!

At the same moment the infection occurred, I got a file named frmwrk.exe installed which I can't delete. Every time I delete this file it comes back from somewhere; the only way to stop this file running is to rename it with a different extension, e.g. .old.

Another problem is that the trojan added something to the explorer.exe file! I'll try to copy the file from another installation and replace the infected one.

I also have a hidden spyware program running which I couldn't find until now! It looks like it came from MS but didn't! Next time it starts up I'll make a screenshot of it. Maybe this trojan was bundled with this software!!

I checked the computer with 5 different anti-spyware programs but didn't find anything! Same with antivirus, even online scanning. I used the whole day for this.

I'll attach a picture of one screen it shows up many times.

[attached screenshot: post-33339-1187970769_thumb.jpg]

Guest Reimar
Posted
Take a look at http://www.bleepingcomputer.com/startups/newentries.html and do a search for frmwrk.exe.

This leads to a Sophos page: http://www.sophos.com/security/analyses/trojdwnldrgwv.html

The Sophos page has an IDE file for download: "Detected by all versions of Sophos Anti-Virus. Included in our products from September 2007 (4.21)"

Thanks Farma, will try Sophos! Unfortunately Sophos didn't have any info about the trojan.

This really looks like a new "beast"! The only info I found was on a Polish forum which I can't read!!

Posted

I'm clutching at straws here. During my searches for pbfrv2 the cross in the red circle was mentioned a few times. This was in the results I found mentioning pbfrv2.dll and associated with temp files. I guess you have cleared your temp files.

Guest Reimar
Posted
I'm clutching at straws here. During my searches for pbfrv2 the cross in the red circle was mentioned a few times. This was in the results I found mentioning pbfrv2.dll and associated with temp files. I guess you have cleared your temp files.

All of them are cleared and nothing is left.

Just ran a scan with Sophos, but that will need approx. 2 h!! Will see!

Thanks a lot for your info and hopefully it helps!

Posted

A lot of this looks related to a problem I had with a scam install of SpySheriff, which demanded money to remove it. When it comes to the warning and the spoofed spyware hidden away, bells go off. The solution for me was to clean the drive, because it had caught me right after an install, so nothing lost, everything to gain; but a program, SmitfraudFix.exe, mentioned at http://www.bleepingcomputer.com/, is the one that is used to remove that, so it might work for you.

Guest Reimar
Posted
A lot of this looks related to a problem I had with a scam install of SpySheriff, which demanded money to remove it. When it comes to the warning and the spoofed spyware hidden away, bells go off. The solution for me was to clean the drive, because it had caught me right after an install, so nothing lost, everything to gain; but a program, SmitfraudFix.exe, mentioned at http://www.bleepingcomputer.com/, is the one that is used to remove that, so it might work for you.

Thanks for your info, but unfortunately SmitfraudFix doesn't work with Windows Vista!

Guest Reimar
Posted
I recently got rid of a very nasty piece of spyware with similar behaviour by running Dr. Web's CureIt. Might want to try it out, it's free:

CureIt

Hope it helps!

Sunny

That was the first one I tried!! No luck, and no luck with any other software until right now!

If I don't find a way today, I'll reformat and reinstall!!

Thanks for your info.

Cheers

Guest Reimar
Posted
If I don't find a way today, I'll reformat and reinstall!!

Do you have a restore point (that you can restore back to) PRIOR to the infection?

Even that didn't work! I started Vista from the DVD and tried to restore, but it wasn't possible!

Posted

About twenty minutes ago, I also got hit by this same virus (with all the same symptoms). It pops up with a symbol in my taskbar, a white X in a red circle, and opens up a fake Windows security message that "Trojan.Spambot.PBFRV2" is on my computer, yada yada. It also pops up with a program when you click on the taskbar icon that SCANS YOUR COMPUTER automatically (I right-clicked to possibly remove it). The program is called SpywareSoftStop, complete bullshit that I obviously did not download.

The virus also stops me from accessing Windows Task Manager (admin rights disabled) and stops me from running system restores. I also have a "frmwrk" file in my Temporary Files that automatically copies itself when changed.

For me, this popped up when I was running WindowBlinds (right after downloading a skin from WinCustomize.com). I had the same WindowBlinds on my computer prior to this occurrence. That's right. Prior. Did I fail to mention I had a similar problem, with a virus that did most of these things, prior to me removing Windows XP and reformatting and repairing three times already? :o My computer originally had this occur when I was downloading a file off another site (I don't recall the site). It stopped me from accessing the internet, and revoked admin rights (when you restart the computer, you can't even open explorer.exe). The obvious answer to this would be that I transferred over the virus when I put files back on the computer, but I made sure I knew what I was transferring over when I did... nothing was there. The only files I copied over were my music (which has been running on two different computers with no problem, no new downloads; I have had all the files for months to years), two videos (same, nothing wrong with them, have had them for months), and a few installation files (that I again have run on two computers, both even since this has happened). I really am at a loss as to what could be happening; the only answer I can derive is that I need to get a new hard drive. Help!

Posted
One of my computers has been infected by Trojan.Spambot.PBFRV2 since 11:23 this morning. I found one explanation on the Internet, but in Polish, and I don't understand it.

Does anyone know this trojan?

Searches by Avast, Symantec and so on: no results!

Now things become clearer. It seems the OP is not infected at all by the virus he quoted, but has got hold of a piece of software which (falsely) claims to have detected the virus, etc.

HijackThis is probably the best place to start, but they can be :o to get rid of.

Posted

I hope this helps.

Information found on http://www.extradisambiguator.co.uk/scanakbs.php?m=R0:

(X)R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://spywaresoftstop . com/

Rogue/Suspect software. Aggressive, deceptive advertising

Fix using: HijackThis

Information from http://www.spywarewarrior.com/rogue_anti-spyware.htm:

Product - Spyware Soft Stop

Domain - spywaresoftstop . com

Comments - spywaresoftstop-cash . com app plants the very files it falsely detects as malware (1); aggressive, deceptive advertising (1); false positives work as goad to purchase [A: 4-17-06 / U: 4-17-06]

Posted

Nice folks that write trojans surely check them against all antivirus software before dropping them into the Net stream.

Once you've caught something new, your PC is officially infected, works as a bot, or whatever, and the only cure is to reformat, or leave it switched off for a few weeks until some AV company comes up with a solution.

The only way is to prevent infection.

Congratulations on the new trojan; don't waste time and reinstall W$.

Posted

What is strange is that this still allows me to access the internet (I have three computers, this one is fine), but it caps it at .05 kb/s... could they be any meaner? It also doesn't allow me to run installation programs or use discs, so I can't install Nero to burn my non-infected files to a DVD... :o

Posted (edited)

To kill it and prevent spread you may want to run Nuke, an option in the Eraser program: http://heidi.ie/eraser/ It will overwrite everything on the drive 3 times; it leaves nothing and nowhere for anything to hide. The drive will be clean. Then get out your OEM stuff, and hope that none of your backed-up data has been infected. You may want to keep some of your newer downloads in isolation for a while and not put them back on right away. Not seeing any other options out there. Edit: forgot to add, you can download Eraser on another PC and then put Nuke on a flash drive or floppy and boot into it. Once it starts it cannot be stopped; it runs in RAM and cleans the drive (nuked).

Edited by RKASA
Posted

Have you used the computer's 'search' option to locate the trojan file?

Could it be hiding somewhere in your Sun Java folder?

If you can see the file and it replicates itself after you delete it, you could try deleting it again, then go into your System Restore settings and turn it off, and reboot your system.

(This will remove all restore points but refreshes the folder, hopefully without the trojan file.)

Then return to the folder where you found the trojan to see whether it is still there. If it is not there, turn System Restore back on and create another restore point.

If it is still there, then go to plan B.

Guest Reimar
Posted

Dear all, thanks for all of your replies.

Unfortunately there was nothing which worked! Even the info I got from the Internet didn't help at any point.

In the meantime I was able to stop this trojan working. I did this by renaming the file frmwrk.exe to frmwrk.old, because when changing the main name frmwrk to something else or deleting the file, it replicates itself again, and I haven't found the source file until now. Everything on the system is back to normal except that I can't open the Task Manager of Windows Vista, but I use a different task manager anyway.

Hopefully there will be a removal tool in the near future. For now I'll keep that system alive and will try to find out where the source file is hiding.

Again, thanks to all!
