Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
03-21-2008, 04:44 PM   #1
driftnation, Registered User
Join Date: Mar 2008
Location: chicago
Posts: 11
OS: windows xp sp2


constant pops up - braviax.exe spyware infection

Hey there, and thanks in advance for your guys' help, but here's my problem. My computer has been running kinda sluggish lately, and just today my mom went to T-Mobile's web site and caught something. What happens is I get a pop-up saying that my computer is infected, and on the bottom right there's a red circle with a white X in the middle. Now, I ran the spyware scan that comes with Yahoo's toolbar as well as Ad-Aware, and I cleaned a large amount of things, but not this. So what I did to find it is I ran Task Manager and found an application running that didn't look familiar, which was braviax.exe. I googled it, and sure enough I'm here... Now I followed the steps that I came across on McAfee's site (e.g. installation of DSS, HijackThis and SpywareBlaster). I noticed the files are in system32 (I looked because of the thread on McAfee), and sure enough the files mentioned are there. Here is the main.txt that I read was required:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-03-21 17:01:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
101: 2008-03-21 22:01:09 UTC - RP331 - Deckard's System Scanner Restore Point
100: 2008-03-21 21:58:32 UTC - RP330 - Software Distribution Service 3.0
99: 2008-03-21 20:23:41 UTC - RP329 - System Checkpoint
98: 2008-03-20 19:24:44 UTC - RP328 - System Checkpoint
97: 2008-03-19 18:46:07 UTC - RP327 - Installed Java(TM) 6 Update 5


-- First Restore Point --
1: 2007-12-22 23:36:21 UTC - RP231 - Removed Nero 7 Demo


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:39 PM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\nero 8\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [java] Keygen.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\RunServices: [java] Keygen.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: BlackBerry Desktop Redirector.lnk = C:\Program Files\Research In Motion\BlackBerry\Redirector.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O22 - SharedTaskScheduler: beers - {b8ea5f37-7327-4923-9808-8fd3b6f0d529} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

--
End of file - 7857 bytes

-- File Associations -----------------------------------------------------------

.scr - AutoCADScriptFile - shell\open\command - "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-03-15 01:26:42 340 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-03-01 02:00:16 332 --a------ C:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2008-02-21 and 2008-03-21 -----------------------------

2008-03-21 17:02:32 0 d-------- C:\Program Files\Trend Micro
2008-03-21 16:54:44 0 d-------- C:\Program Files\SpywareBlaster
2008-03-21 13:42:53 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-21 12:39:58 0 d-------- C:\!KillBox
2008-03-21 04:04:57 0 d-------- C:\WINDOWS\LastGood
2008-03-19 13:46:56 12299 --a------ C:\Documents and Settings\Owner\Application Data\yzozu.vbs
2008-03-19 13:46:56 18288 --a------ C:\Documents and Settings\Owner\Application Data\ygifamyru.sys
2008-03-19 13:46:55 15156 --a------ C:\WINDOWS\huroludyte.dll
2008-03-19 13:46:55 14102 --a------ C:\Documents and Settings\All Users\Application Data\urori.dll
2008-03-19 13:46:54 12352 --a------ C:\WINDOWS\ynylix.vbs
2008-03-19 13:46:54 10601 --a------ C:\Documents and Settings\All Users\Application Data\ahenely.reg
2008-03-19 13:46:53 11712 --a------ C:\WINDOWS\vofes.dll
2008-03-19 13:46:53 11955 --a------ C:\WINDOWS\system32\umuzaka.bin
2008-03-19 13:46:53 18583 --a------ C:\WINDOWS\system32\epoqy.pif
2008-03-19 13:46:53 12175 --a------ C:\WINDOWS\alazo.com
2008-03-19 13:45:52 0 d-------- C:\Program Files\WinReanimator
2008-03-19 13:41:20 6656 --a------ C:\WINDOWS\system32\users32.dat
2008-03-19 13:38:35 16384 --a------ C:\WINDOWS\system32\braviax.exe
2008-03-11 1419 0 d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-03-11 14:05:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-04 18:20:36 0 d-------- C:\Program Files\GreenTechMobile
2008-02-23 11:09:49 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-02-23 11:09:47 0 d-------- C:\Program Files\NCH Software
2008-02-22 22:44:41 0 d-------- C:\Documents and Settings\Owner\dwhelper


-- Find3M Report ---------------------------------------------------------------

2008-03-21 14:08:15 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-03-21 12:28:18 0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-03-19 14:33:06 0 d-------- C:\Program Files\Coupons
2008-03-19 13:50:12 0 d-------- C:\Program Files\Java
2008-03-19 13:46:53 0 d-------- C:\Program Files\Common Files
2008-03-19 13:46:53 17681 --a------ C:\Program Files\Common Files\yhepotic._dl
2008-03-15 17:36:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Canon
2008-03-11 15:14:12 0 d-------- C:\Documents and Settings\Owner\Application Data\Vso
2008-03-11 1420 0 d-------- C:\Program Files\Common Files\Scanner
2008-03-11 14:05:19 0 d-------- C:\Program Files\Yahoo!
2008-02-28 16:20:57 1028 --a------ C:\Documents and Settings\Owner\Application Data\WavCodec.wff
2008-02-26 08:08:32 0 d-------- C:\Program Files\McAfee
2008-02-24 13:05:04 0 d-------- C:\Program Files\NCH Swift Sound
2008-02-23 11:10:26 1028 --a------ C:\Documents and Settings\Owner\Application Data\AVIEncoder.wff
2008-02-22 11:21:57 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-15 13:40:44 0 d-------- C:\Program Files\Research In Motion
2008-02-13 18:38:35 0 d-------- C:\Program Files\DivX
2008-02-12 03:08:41 0 d-------- C:\Program Files\ABC Amber BlackBerry Editor
2008-02-11 13:13:31 0 d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2008-02-11 13:13:25 0 d-------- C:\Program Files\MySpace
2008-02-06 15:33:13 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-02-06 15:32:58 1158 --a------ C:\WINDOWS\mozver.dat
2008-02-06 15:30:48 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-06 15:30:46 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2008-02-06 15:28:26 0 d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-02-05 17:47:41 0 d-------- C:\Program Files\Common Files\Ahead
2008-02-05 16:01:46 0 d-------- C:\Program Files\Canon
2008-02-05 14:41:53 34 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.log
2008-02-05 14:41:47 7887 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.cat
2008-02-05 14:41:46 47360 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-02-05 14:41:46 1144 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.inf
2008-02-05 14:41:45 0 d-------- C:\Program Files\DVDFab Platinum 4
2008-01-29 15:23:40 0 d-------- C:\Documents and Settings\Owner\Application Data\SoundSpectrum
2008-01-29 15:23:10 0 d-------- C:\Program Files\SoundSpectrum
2008-01-28 19:03:06 0 d-------- C:\Documents and Settings\Owner\Application Data\Go!Zilla
2008-01-01 14:33:55 146 --a------ C:\lxcr


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 02:42 PM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [04/05/2005 02:22 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [04/05/2005 02:19 PM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [04/05/2005 02:23 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 11:09 AM]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" []
"NBKeyScan"="C:\Program Files\nero 8\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [04/03/2007 08:00 PM]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [04/03/2007 08:50 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 05:33 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [10/25/2007 05:37 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"java"="Keygen.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"braviax"="C:\WINDOWS\system32\braviax.exe" [03/19/2008 01:38 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [10/28/2005 05:25 PM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [02/01/2008 03:32 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"java"=Keygen.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [3/5/2006 7:43:54 AM]
BlackBerry Desktop Redirector.lnk - C:\Program Files\Research In Motion\BlackBerry\Redirector.exe [9/7/2006 1:53:10 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

*Newly Created Service* - RKPAVPROC



-- End of Deckard's System Scanner: finished at 2008-03-21 17:03:36 ------------
Attached file: extra.txt (14.3 KB)
03-24-2008, 12:03 PM   #2
driftnation, Registered User
Join Date: Mar 2008
Location: chicago
Posts: 11
OS: windows xp sp2


Re: constant pops up - braviax.exe spyware infection

bump..
03-27-2008, 11:24 PM   #3
Angelfire777, Moderator/Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: constant pops up - braviax.exe spyware infection

Hi, welcome to TSF!

If you still need assistance, please post a fresh main.txt log
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
03-28-2008, 02:17 PM   #4
driftnation, Registered User
Join Date: Mar 2008
Location: chicago
Posts: 11
OS: windows xp sp2


Re: constant pops up - braviax.exe spyware infection

Deckard's System Scanner v20071014.68
Run by Owner on 2008-03-28 15:16:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:34 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\nero 8\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [java] Keygen.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\RunServices: [java] Keygen.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: BlackBerry Desktop Redirector.lnk = C:\Program Files\Research In Motion\BlackBerry\Redirector.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1206494539093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O22 - SharedTaskScheduler: beers - {b8ea5f37-7327-4923-9808-8fd3b6f0d529} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

--
End of file - 7842 bytes

-- Files created between 2008-02-28 and 2008-03-28 -----------------------------

2008-03-27 13:47:01 256 --a------ C:\WINDOWS\system32\pool.bin
2008-03-27 13:46:48 0 d-------- C:\WINDOWS\LastGood
2008-03-21 17:02:32 0 d-------- C:\Program Files\Trend Micro
2008-03-21 16:54:44 0 d-------- C:\Program Files\SpywareBlaster
2008-03-21 13:42:53 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-21 12:39:58 0 d-------- C:\!KillBox
2008-03-19 13:46:56 12299 --a------ C:\Documents and Settings\Owner\Application Data\yzozu.vbs
2008-03-19 13:46:56 18288 --a------ C:\Documents and Settings\Owner\Application Data\ygifamyru.sys
2008-03-19 13:46:55 15156 --a------ C:\WINDOWS\huroludyte.dll
2008-03-19 13:46:55 14102 --a------ C:\Documents and Settings\All Users\Application Data\urori.dll
2008-03-19 13:46:54 12352 --a------ C:\WINDOWS\ynylix.vbs
2008-03-19 13:46:54 10601 --a------ C:\Documents and Settings\All Users\Application Data\ahenely.reg
2008-03-19 13:46:53 11712 --a------ C:\WINDOWS\vofes.dll
2008-03-19 13:46:53 11955 --a------ C:\WINDOWS\system32\umuzaka.bin
2008-03-19 13:46:53 18583 --a------ C:\WINDOWS\system32\epoqy.pif
2008-03-19 13:46:53 12175 --a------ C:\WINDOWS\alazo.com
2008-03-19 13:45:52 0 d-------- C:\Program Files\WinReanimator
2008-03-19 13:41:20 16384 --a------ C:\WINDOWS\system32\users32.dat
2008-03-19 13:38:35 16384 --a------ C:\WINDOWS\system32\braviax.exe
2008-03-11 1419 0 d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-03-11 14:05:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-04 18:20:36 0 d-------- C:\Program Files\GreenTechMobile


-- Find3M Report ---------------------------------------------------------------

2008-03-28 12:35:51 0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-03-27 13:46:00 0 d-------- C:\Program Files\Common Files\Research In Motion
2008-03-26 14:09:41 0 d-------- C:\Program Files\NCH Software
2008-03-24 23:41:52 94208 --a------ C:\WINDOWS\system32\igfxtray.exe <Not Verified; Intel Corporation; Intel(R) Common User Interface>
2008-03-24 23:41:52 114688 --a------ C:\WINDOWS\system32\igfxpers.exe <Not Verified; Intel Corporation; Intel(R) Common User Interface>
2008-03-21 14:08:15 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-03-21 13:42:04 155648 --a------ C:\WINDOWS\system32\nerocheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2008-03-19 14:33:06 0 d-------- C:\Program Files\Coupons
2008-03-19 13:50:12 0 d-------- C:\Program Files\Java
2008-03-19 13:46:53 0 d-------- C:\Program Files\Common Files
2008-03-19 13:46:53 17681 --a------ C:\Program Files\Common Files\yhepotic._dl
2008-03-15 17:36:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Canon
2008-03-11 15:14:12 0 d-------- C:\Documents and Settings\Owner\Application Data\Vso
2008-03-11 1420 0 d-------- C:\Program Files\Common Files\Scanner
2008-03-11 14:05:19 0 d-------- C:\Program Files\Yahoo!
2008-02-28 16:20:57 1028 --a------ C:\Documents and Settings\Owner\Application Data\WavCodec.wff
2008-02-26 08:08:32 0 d-------- C:\Program Files\McAfee
2008-02-24 13:05:04 0 d-------- C:\Program Files\NCH Swift Sound
2008-02-23 11:10:26 1028 --a------ C:\Documents and Settings\Owner\Application Data\AVIEncoder.wff
2008-02-22 11:21:57 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-15 13:40:44 0 d-------- C:\Program Files\Research In Motion
2008-02-13 18:38:35 0 d-------- C:\Program Files\DivX
2008-02-12 03:08:41 0 d-------- C:\Program Files\ABC Amber BlackBerry Editor
2008-02-11 13:13:31 0 d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2008-02-11 13:13:25 0 d-------- C:\Program Files\MySpace
2008-02-06 15:33:13 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-02-06 15:32:58 1158 --a------ C:\WINDOWS\mozver.dat
2008-02-06 15:30:48 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-06 15:30:46 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2008-02-06 15:28:26 0 d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-02-05 17:47:41 0 d-------- C:\Program Files\Common Files\Ahead
2008-02-05 16:01:46 0 d-------- C:\Program Files\Canon
2008-02-05 14:41:53 34 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.log
2008-02-05 14:41:47 7887 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.cat
2008-02-05 14:41:46 47360 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-02-05 14:41:46 1144 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.inf
2008-02-05 14:41:45 0 d-------- C:\Program Files\DVDFab Platinum 4
2008-01-29 15:23:40 0 d-------- C:\Documents and Settings\Owner\Application Data\SoundSpectrum
2008-01-29 15:23:10 0 d-------- C:\Program Files\SoundSpectrum
2008-01-28 19:03:06 0 d-------- C:\Documents and Settings\Owner\Application Data\Go!Zilla
2008-01-01 14:33:55 146 --a------ C:\lxcr


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [03/24/2008 11:41 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 11:09 AM]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" []
"NBKeyScan"="C:\Program Files\nero 8\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [03/21/2008 01:42 PM]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [03/21/2008 01:42 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [03/21/2008 01:42 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [10/25/2007 05:37 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [03/24/2008 11:41 PM]
"java"="Keygen.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [03/21/2008 01:42 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"braviax"="C:\WINDOWS\system32\braviax.exe" [03/19/2008 01:38 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [03/24/2008 11:41 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 09:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [03/24/2008 11:41 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [10/28/2005 05:25 PM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [03/21/2008 01:41 PM]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [03/21/2008 01:42 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"java"=Keygen.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [3/5/2006 7:43:54 AM]
BlackBerry Desktop Redirector.lnk - C:\Program Files\Research In Motion\BlackBerry\Redirector.exe [9/7/2006 1:53:10 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""




-- End of Deckard's System Scanner: finished at 2008-03-28 15:17:04 ------------
Old 03-30-2008, 01:44 AM   #5
Angelfire777
Moderator/Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista

Re: constant pops up - braviax.exe spyware infection

Hi,

Please visit this webpage for download links and instructions for running combofix: http://www.bleepingcomputer.com/comb...o-use-combofix
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Old 03-30-2008, 02:16 PM   #6
driftnation
Registered User
Join Date: Mar 2008
Location: chicago
Posts: 11
OS: windows xp sp2

Re: constant pops up - braviax.exe spyware infection

ok this is the combofix log that you requested

ComboFix 08-03-30.2 - Owner 2008-03-30 15:01:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.569 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator
C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator\WinReanimator.lnk
C:\Documents and Settings\Owner\Application Data\inst.exe
C:\Program Files\WinReanimator
C:\Program Files\WinReanimator\data\daily.cvd
C:\Program Files\WinReanimator\htmlayout.dll
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcm80.dll
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcp80.dll
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcr80.dll
C:\Program Files\WinReanimator\pthreadVC2.dll
C:\Program Files\WinReanimator\un.ico
C:\Program Files\WinReanimator\unzip32.dll
C:\Program Files\WinReanimator\WinReanimator.cfg
C:\Program Files\WinReanimator\WinReanimator.dll
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\nod32se.exe
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\winivstr.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-27 13:47 . 2008-03-28 16:30 256 --a------ C:\WINDOWS\system32\pool.bin
2008-03-26 10:06 . 2005-09-20 09:31 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2008-03-21 17:02 . 2008-03-21 17:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-21 17:00 . 2008-03-21 17:00 <DIR> d-------- C:\Deckard
2008-03-21 16:54 . 2008-03-21 16:56 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-21 16:54 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-03-21 13:42 . 2008-03-21 14:24 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-21 13:42 . 2008-03-21 13:42 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-21 13:42 . 2008-03-21 13:42 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-21 13:42 . 2008-03-21 13:42 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-19 13:46 . 2008-03-19 13:46 18,816 --a------ C:\WINDOWS\system32\zepe.dl
2008-03-19 13:46 . 2008-03-19 13:46 18,583 --a------ C:\WINDOWS\system32\epoqy.pif
2008-03-19 13:46 . 2008-03-19 13:46 18,288 --a------ C:\Documents and Settings\Owner\Application Data\ygifamyru.sys
2008-03-19 13:46 . 2008-03-19 13:46 16,602 --a------ C:\WINDOWS\lola.ban
2008-03-19 13:46 . 2008-03-19 13:46 15,156 --a------ C:\WINDOWS\huroludyte.dll
2008-03-19 13:46 . 2008-03-19 13:46 14,102 --a------ C:\Documents and Settings\All Users\Application Data\urori.dll
2008-03-19 13:46 . 2008-03-19 13:46 12,457 --a------ C:\WINDOWS\system32\wasajakur.ban
2008-03-19 13:46 . 2008-03-19 13:46 12,352 --a------ C:\WINDOWS\ynylix.vbs
2008-03-19 13:46 . 2008-03-19 13:46 12,299 --a------ C:\Documents and Settings\Owner\Application Data\yzozu.vbs
2008-03-19 13:46 . 2008-03-19 13:46 12,175 --a------ C:\WINDOWS\alazo.com
2008-03-19 13:46 . 2008-03-19 13:46 11,955 --a------ C:\WINDOWS\system32\umuzaka.bin
2008-03-19 13:46 . 2008-03-19 13:46 11,712 --a------ C:\WINDOWS\vofes.dll
2008-03-19 13:46 . 2008-03-19 13:46 11,001 --a------ C:\WINDOWS\akyhaj.dl
2008-03-19 13:46 . 2008-03-19 13:46 10,601 --a------ C:\Documents and Settings\All Users\Application Data\ahenely.reg
2008-03-11 14:06 . 2008-03-11 14:08 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-03-11 14:05 . 2008-03-11 14:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-04 18:20 . 2008-03-04 18:20 <DIR> d-------- C:\Program Files\GreenTechMobile
2008-02-23 11:09 . 2008-03-26 14:09 <DIR> d-------- C:\Program Files\NCH Software
2008-02-23 11:09 . 2008-02-23 11:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-02-22 22:44 . 2008-02-22 22:45 <DIR> d-------- C:\Documents and Settings\Owner\dwhelper
2008-02-15 13:31 . 2008-02-15 13:55 <DIR> d-------- C:\Documents and Settings\Owner\.nbi
2008-02-15 13:27 . 2008-02-15 13:31 <DIR> d-------- C:\Documents and Settings\Owner\.SunDownloadManager
2008-02-14 15:07 . 2008-02-14 15:07 <DIR> d--h----- C:\Documents and Settings\Owner\InstallAnywhere
2008-02-12 03:07 . 2008-02-12 03:08 <DIR> d-------- C:\Program Files\ABC Amber BlackBerry Editor
2008-02-11 18:27 . 2008-03-15 17:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Canon
2008-02-11 13:13 . 2008-02-11 13:13 <DIR> d-------- C:\Program Files\MySpace
2008-02-11 13:13 . 2008-02-11 13:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2008-02-06 15:32 . 2008-02-06 15:32 1,158 --a------ C:\WINDOWS\mozver.dat
2008-02-06 15:30 . 2008-02-06 15:30 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-05 18:02 . 2008-02-05 18:02 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-02-05 14:41 . 2008-02-05 14:41 <DIR> d-------- C:\Program Files\DVDFab Platinum 4
2008-02-05 14:41 . 2008-03-11 15:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Vso
2008-02-05 14:41 . 2008-02-05 14:41 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-02-05 14:41 . 2008-02-05 14:41 47,360 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 20:36 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-28 17:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-03-27 18:46 --------- d-----w C:\Program Files\Common Files\Research In Motion
2008-03-22 18:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-21 19:08 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-03-19 19:33 --------- d-----w C:\Program Files\Coupons
2008-03-19 19:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZangoSA
2008-03-19 18:50 --------- d-----w C:\Program Files\Java
2008-03-19 18:46 17,681 ----a-w C:\Program Files\Common Files\yhepotic._dl
2008-03-11 19:06 --------- d-----w C:\Program Files\Common Files\Scanner
2008-03-11 19:05 --------- d-----w C:\Program Files\Yahoo!
2008-02-26 13:08 --------- d-----w C:\Program Files\McAfee
2008-02-24 18:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-02-24 18:05 --------- d-----w C:\Program Files\NCH Swift Sound
2008-02-22 16:21 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-15 18:40 --------- d-----w C:\Program Files\Research In Motion
2008-02-13 23:38 --------- d-----w C:\Program Files\DivX
2008-02-06 20:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-02-06 20:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-02-06 15:51 171,400 ----a-w C:\WINDOWS\system32\drivers\mfehidk.sys
2008-02-05 21:01 --------- d-----w C:\Program Files\Canon
2008-01-29 20:23 --------- d-----w C:\Program Files\SoundSpectrum
2008-01-29 20:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\SoundSpectrum
2008-01-29 00:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-29 00:03 --------- d-----w C:\Documents and Settings\Owner\Application Data\Go!Zilla
.
Files Infected - Win32.Agent.zb
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
@={E4000AC4-5E5F-4956-807A-C5854405D64F}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 16:25 94208]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-03-21 13:41 4670704]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-03-21 13:42 8699904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2008-03-24 23:41 1404928]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"NBKeyScan"="C:\Program Files\nero 8\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-21 13:42 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-21 13:42 1603152]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-03-21 13:42 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 17:37 2178832]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-03-24 23:41 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"braviax"="C:\WINDOWS\system32\braviax.exe" [ ]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2008-03-24 23:41 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2008-03-24 23:41 114688]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"java"="Keygen.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-03-21 13:42 8699904]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"D:\\juicy lemon\\juicy lemon\\limewire.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 06:26:42 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-03-01 07:00:16 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 1505
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\imapi.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-03-30 15:09:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-30 20:09:52
Pre-Run: 92,284,129,280 bytes free
Post-Run: 92,270,653,440 bytes free
.
2008-03-21 21:59:07 --- E O F ---

now here is the new HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:08 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\nero 8\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\RunServices: [java] Keygen.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: BlackBerry Desktop Redirector.lnk = C:\Program Files\Research In Motion\BlackBerry\Redirector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1206494539093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O22 - SharedTaskScheduler: beers - {b8ea5f37-7327-4923-9808-8fd3b6f0d529} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

--
End of file - 8455 bytes
Old 03-30-2008, 07:05 PM   #7
Angelfire777
Moderator/Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista

Re: constant pops up - braviax.exe spyware infection

You don't have the Windows Recovery Console installed. Whilst it may not be needed at this time, current infections tend to patch a lot of critical system files now; these often result in multiple problems and sometimes they can cause unbootable machines. Having the Windows Recovery Console installed on your machine will help you and me in case something goes wrong while we are in the process of cleaning your machine.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
Old 03-31-2008, 12:03 PM   #8
driftnation
Registered User
Join Date: Mar 2008
Location: chicago
Posts: 11
OS: windows xp sp2

Re: constant pops up - braviax.exe spyware infection

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
Old 04-01-2008, 06:53 PM   #9
Angelfire777
Moderator/Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista

Re: constant pops up - braviax.exe spyware infection

Hi,

Please turn off your mcafee antivirus as it may interfere with combofix while it's running.

*Uninstall the items in bold if found:

J2SE Runtime Environment 5.0 Update 14
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1

These are all old java versions on your machine. You have the newest and the most secure version installed. These old versions will only serve as vectors for malware to enter your system.

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.
_______

Combofix Deletions
  • Open notepad.
  • Copy and paste the text inside the code box below to notepad
Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/232471-constant-pops-up-braviax-exe-spyware-infection.html
SysRst::
Folder::
C:\Program Files\Coupons
C:\Documents and Settings\All Users\Application Data\ZangoSA
C:\Documents and Settings\Owner\Application Data\LimeWire
D:\Nero 8.2.8.0 Newest + WORKING Keygen
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"java"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b8ea5f37-7327-4923-9808-8fd3b6f0d529}"=-
Suspect::
C:\WINDOWS\system32\zepe.dl
C:\WINDOWS\system32\epoqy.pif
C:\Documents and Settings\Owner\Application Data\ygifamyru.sys
C:\WINDOWS\lola.ban
C:\WINDOWS\huroludyte.dll
C:\Documents and Settings\All Users\Application Data\urori.dll
C:\WINDOWS\system32\wasajakur.ban
C:\WINDOWS\ynylix.vbs
C:\Documents and Settings\Owner\Application Data\yzozu.vbs
C:\WINDOWS\alazo.com
C:\WINDOWS\system32\umuzaka.bin
C:\WINDOWS\vofes.dll
C:\WINDOWS\akyhaj.dl
C:\Documents and Settings\All Users\Application Data\ahenely.reg
  • Save and name it as "CFScript"
  • Drag and drop CFScript.txt onto your copy of combofix.
  • You can take a look at the image below if you're unsure on how to do it.
  • Combofix will restart your machine, then it will produce a log afterwards.
  • Please post the contents of that log along with a fresh HijackThis log.
  • Additionally, please follow all of combofix's instructions regarding the submission of some malware for analysing and make sure that you don't leave that part out.
_______

On your next reply, please include a
  • Fresh HijackThis log.
  • combofix log
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Old 04-07-2008, 06:27 AM   #10 (permalink)
driftnation (Registered User; Join Date: Mar 2008; Location: chicago; Posts: 11; OS: windows xp sp2)

Re: constant pops up - braviax.exe spyware infection

I can't post the logs because it tells me that the comment is too long, and I don't want to post it wrong or incomplete, so how should I do this?
Old 04-07-2008, 07:33 AM   #11 (permalink)
Angelfire777 (Moderator/Analyst, Security Team; Rangemaster, TSF Academy; Join Date: Oct 2006; Posts: 4,581; OS: Vista)

Re: constant pops up - braviax.exe spyware infection

Please attach the logs if you can't post them.
Old 04-08-2008, 11:58 AM   #12 (permalink)
driftnation (Registered User; Join Date: Mar 2008; Location: chicago; Posts: 11; OS: windows xp sp2)

Re: constant pops up - braviax.exe spyware infection

OK, now I have a new problem. I tried to get the log from Combofix after dragging CFScript into it, and all that happens is the blue screen comes up for a second and does nothing. Now, I did do it the first time when I said I could post it, but the computer got shut off accidentally when someone blew a fuse... I have the HijackThis log, but I don't know how to get Combofix to run.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:07 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\nero 8\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\RunServices: [java] Keygen.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: BlackBerry Desktop Redirector.lnk = C:\Program Files\Research In Motion\BlackBerry\Redirector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1206494539093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O22 - SharedTaskScheduler: beers - {b8ea5f37-7327-4923-9808-8fd3b6f0d529} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

--
End of file - 8357 bytes
Old 04-08-2008, 07:53 PM   #13 (permalink)
Angelfire777 (Moderator/Analyst, Security Team; Rangemaster, TSF Academy; Join Date: Oct 2006; Posts: 4,581; OS: Vista)

Re: constant pops up - braviax.exe spyware infection

I thought you already ran CFScript?

The version you have there has a bug... Delete your copy of combofix.exe, then download a new one from here:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Follow the same instructions afterwards.
Old 04-10-2008, 07:05 PM   #14 (permalink)
driftnation (Registered User; Join Date: Mar 2008; Location: chicago; Posts: 11; OS: windows xp sp2)

Re: constant pops up - braviax.exe spyware infection

OK, I got it done. I had McAfee off while I ran the scan, and I submitted the log you told me about (Combofix). Now here is the HijackThis log (done today, 4/10/08), and the Combofix log has been attached.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:25 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\nero 8\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: BlackBerry Desktop Redirector.lnk = C:\Program Files\Research In Motion\BlackBerry\Redirector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1206494539093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

--
End of file - 8197 bytes


ComboFix 08-04-10.5 - Owner 2008-04-10 19:55:50.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.509 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
C:\Documents and Settings\All Users\Application Data\ZangoSA
C:\Documents and Settings\Owner\Application Data\LimeWire
C:\Documents and Settings\Owner\Application Data\LimeWire\.NetworkShare\LimeWireWin4.16.6.exe
C:\Program Files\Coupons

.
((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-10 19:52 . 2008-04-10 19:52 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-10 11:17 . 2008-04-10 19:45 <DIR> d-------- C:\ComboFix(3)
2008-04-10 10:23 . 2008-04-10 19:45 <DIR> d--hs---- C:\RECYCLER(2)
2008-04-08 12:41 . 2008-04-08 12:43 <DIR> d-------- C:\ComboFix(2)
2008-04-08 12:37 . 2008-04-08 12:38 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-03-27 13:47 . 2008-04-02 18:36 256 --a------ C:\WINDOWS\system32\pool.bin
2008-03-26 10:06 . 2005-09-20 09:31 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2008-03-21 17:02 . 2008-03-21 17:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-21 17:00 . 2008-03-21 17:00 <DIR> d-------- C:\Deckard
2008-03-21 16:54 . 2008-03-21 16:56 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-21 16:54 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-03-21 13:42 . 2008-03-21 14:24 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-21 13:42 . 2008-03-21 13:42 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-21 13:42 . 2008-03-21 13:42 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-21 13:42 . 2008-03-21 13:42 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-19 13:46 . 2008-03-19 13:46 18,816 --a------ C:\WINDOWS\system32\zepe.dl
2008-03-19 13:46 . 2008-03-19 13:46 18,583 --a------ C:\WINDOWS\system32\epoqy.pif
2008-03-19 13:46 . 2008-03-19 13:46 18,288 --a------ C:\Documents and Settings\Owner\Application Data\ygifamyru.sys
2008-03-19 13:46 . 2008-03-19 13:46 16,602 --a------ C:\WINDOWS\lola.ban
2008-03-19 13:46 . 2008-03-19 13:46 15,156 --a------ C:\WINDOWS\huroludyte.dll
2008-03-19 13:46 . 2008-03-19 13:46 14,102 --a------ C:\Documents and Settings\All Users\Application Data\urori.dll
2008-03-19 13:46 . 2008-03-19 13:46 12,457 --a------ C:\WINDOWS\system32\wasajakur.ban
2008-03-19 13:46 . 2008-03-19 13:46 12,352 --a------ C:\WINDOWS\ynylix.vbs
2008-03-19 13:46 . 2008-03-19 13:46 12,299 --a------ C:\Documents and Settings\Owner\Application Data\yzozu.vbs
2008-03-19 13:46 . 2008-03-19 13:46 12,175 --a------ C:\WINDOWS\alazo.com
2008-03-19 13:46 . 2008-03-19 13:46 11,955 --a------ C:\WINDOWS\system32\umuzaka.bin
2008-03-19 13:46 . 2008-03-19 13:46 11,712 --a------ C:\WINDOWS\vofes.dll
2008-03-19 13:46 . 2008-03-19 13:46 11,001 --a------ C:\WINDOWS\akyhaj.dl
2008-03-19 13:46 . 2008-03-19 13:46 10,601 --a------ C:\Documents and Settings\All Users\Application Data\ahenely.reg
2008-03-11 14:06 . 2008-03-11 14:08 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-03-11 14:05 . 2008-03-11 14:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 00:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-03 20:43 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-04-02 14:53 --------- d-----w C:\Program Files\Java
2008-03-31 16:09 --------- d-----w C:\Program Files\McAfee
2008-03-30 20:19 --------- d-----w C:\Program Files\Common Files\Research In Motion
2008-03-28 20:36 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-26 19:09 --------- d-----w C:\Program Files\NCH Software
2008-03-25 04:41 94,208 ----a-w C:\WINDOWS\system32\igfxtray.exe
2008-03-25 04:41 114,688 ----a-w C:\WINDOWS\system32\igfxpers.exe
2008-03-21 19:08 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-03-19 18:46 17,681 ----a-w C:\Program Files\Common Files\yhepotic._dl
2008-03-15 22:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Canon
2008-03-11 19:06 --------- d-----w C:\Program Files\Common Files\Scanner
2008-03-11 19:05 --------- d-----w C:\Program Files\Yahoo!
2008-03-04 23:20 --------- d-----w C:\Program Files\GreenTechMobile
2008-02-24 18:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-02-24 18:05 --------- d-----w C:\Program Files\NCH Swift Sound
2008-02-23 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Software
2008-02-22 16:21 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-15 18:40 --------- d-----w C:\Program Files\Research In Motion
2008-02-13 23:38 --------- d-----w C:\Program Files\DivX
2008-02-12 08:08 --------- d-----w C:\Program Files\ABC Amber BlackBerry Editor
2008-02-11 18:13 --------- d-----w C:\Program Files\MySpace
2008-02-11 18:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\MySpace
2008-02-05 19:41 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
.
Files Infected - Win32.Agent.zb
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
.

((((((((((((((((((((((((((((( snapshot@2008-03-30_15.09.32.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-04-17 09:32:38 2,455,488 ----a-w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\ieapfltr.dat
- 2000-08-31 13:00:00 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
+ 2000-08-31 13:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 13:00:00 80,412 ----a-w C:\WINDOWS\grep.exe
+ 2000-08-31 13:00:00 98,816 ----a-w C:\WINDOWS\sed.exe
+ 2000-08-31 13:00:00 161,792 ----a-w C:\WINDOWS\swreg.exe
+ 2000-08-31 13:00:00 136,704 ----a-w C:\WINDOWS\swsc.exe
+ 2000-08-31 13:00:00 212,480 ----a-w C:\WINDOWS\swxcacls.exe
+ 2007-12-07 02:21:45 124,928 ----a-w C:\WINDOWS\system32\advpack(2).dll
+ 2008-04-03 15:39:13 413,696 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2006-06-26 17:37:10 148,480 ----a-w C:\WINDOWS\system32\dnsapi(3).dll
+ 2004-08-04 12:00:00 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr(3).dll
- 2007-12-31 15:36:07 274,168 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-11 00:47:45 274,168 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2008-02-22 06:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-03-14 05:31:24 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-02-22 06:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-03-14 05:31:28 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-02-22 07:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-03-14 07:04:46 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2008-03-11 13:25:09 59,780 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-03 17:29:14 59,780 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-11 13:25:09 397,560 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-03 17:29:15 397,560 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-09-29 00:17:41 189,724 -c--a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-04-11 00:47:18 719,756 -c--a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2007-12-07 02:21:48 105,984 ----a-w C:\WINDOWS\system32\url(3).dll
+ 2007-12-07 02:21:48 1,159,680 ----a-w C:\WINDOWS\system32\urlmon(3).dll
+ 2007-12-07 02:21:48 233,472 ----a-w C:\WINDOWS\system32\webcheck(2).dll
+ 2007-12-07 02:21:48 824,832 ----a-w C:\WINDOWS\system32\wininet(3).dll
+ 2000-08-31 13:00:00 49,152 ----a-w C:\WINDOWS\VFind.exe
+ 2000-08-31 13:00:00 68,096 ----a-w C:\WINDOWS\zip.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

2004-08-04 07:00 25600 C:\Documents and Settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2004-08-04 07:00 25600 {F6B29364-AF4E-4806-A473-E56D6442085A}\RP255\A0029204.dll
2004-08-04 07:00 25600 {F6B29364-AF4E-4806-A473-E56D6442085A}\RP363\A0042539.dll

C:\Documents and Settings\Owner\Appl
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
@={E4000AC4-5E5F-4956-807A-C5854405D64F}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 16:25 94208]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-03-21 13:41 4670704]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-03-21 13:42 8699904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2008-03-24 23:41 1404928]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"NBKeyScan"="C:\Program Files\nero 8\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-21 13:42 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-21 13:42 1603152]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-03-21 13:42 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 17:37 2178832]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2008-03-24 23:41 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2008-03-24 23:41 114688]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-03-21 13:42 8699904]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"D:\\juicy lemon\\juicy lemon\\limewire.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=


*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 06:26:42 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-01 06:00:07 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 19:59:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-10 20:01:40
ComboFix-quarantined-files.txt 2008-04-11 01:01:22
ComboFix2.txt 2008-04-10 13:14:45
ComboFix3.txt 2008-04-07 12:17:24
ComboFix4.txt 2008-03-30 20:09:58
Pre-Run: 92,744,060,928 bytes free
Post-Run: 92,764,844,032 bytes free
.
2008-03-21 21:59:07 --- E O F ---
Attached Files
File Type: txt log.txt (12.7 KB, 2 views)

Last edited by Angelfire777; 04-11-2008 at 12:01 AM.
Old 04-11-2008, 12:16 AM   #15 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: constant pops up - braviax.exe spyware infection

Hi,

Next time please post your logs. Don't attach them.

Some of your programs have been patched by malware and there are no backups of those programs we could use now. Although they are patched, they will still work so it is your choice if you want to reinstall the programs or keep them. This is the list of the programs you need to reinstall just in case:

Quote:
C:\Program Files\Analog Devices\
C:\Program Files\Canon\
C:\Program Files\Common Files\LogiShrd\
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Yahoo!\Messenger\
C:\Program Files\MySpace\IM\

Combofix Deletions
  • Open notepad.
  • Copy and paste the text inside the code box below to notepad
Code:
File::
C:\WINDOWS\system32\zepe.dl
C:\WINDOWS\system32\epoqy.pif
C:\Documents and Settings\Owner\Application Data\ygifamyru.sys
C:\WINDOWS\lola.ban
C:\WINDOWS\huroludyte.dll
C:\Documents and Settings\All Users\Application Data\urori.dll
C:\WINDOWS\system32\wasajakur.ban
C:\WINDOWS\ynylix.vbs
C:\Documents and Settings\Owner\Application Data\yzozu.vbs
C:\WINDOWS\alazo.com
C:\WINDOWS\system32\umuzaka.bin
C:\WINDOWS\vofes.dll
C:\WINDOWS\akyhaj.dl
C:\Documents and Settings\All Users\Application Data\ahenely.reg
  • Save and Name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of combofix.
  • You can take a look at the image below if you're unsure on how to do it.
  • Combofix will restart your machine then it will produce a log afterwards.
  • Please post the contents of that log along with a fresh HijackThis log.
__________


Please do an online scan with Kaspersky WebScanner

Warning: If you had kaspersky online scanner installed before 10-5-2007, please uninstall it as kaspersky released a new version. Previous version had a serious flaw which could result in a buffer overflow.

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
    • Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the licence is accepted, reset to 100%.
________

Your Java is out of date....
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components.
  • Click Start > Control Panel
  • Click Add/Remove Programs
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
Then download Java Runtime Environment 6u5, and install it to your computer.

On your next reply, please include a
  • Fresh HijackThis log.
  • kaspersky scan log
  • combofix log
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
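Added example (not the forum helper's tool or any scanner's own code): a small Python triage script for the text report that the Kaspersky Online Scanner step above produces. It separates live detections from copies sitting in System Restore snapshots, the ComboFix quarantine (QooBox) and Deckard's System Scanner backups, and flags live Trojan.Win32.Patched hits, which are the "patched programs" the reply above talks about. The sample report is constructed from lines posted in this thread; the folder rules used to classify locations are assumptions based on those paths.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the Kaspersky Online Scanner 5.x report format; the
# paths and detection names are the ones posted in this thread.
SAMPLE_REPORT = r"""
Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Program Files\Analog Devices\Core\smax4pnp.exe Infected: Trojan.Win32.Patched.bz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\braviax.exe.vir Infected: not-virus:Hoax.Win32.Renos.bcz skipped
C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP329\snapshot\MFEX-1.DAT Infected: Trojan.Win32.Agent.dyu skipped
C:\Deckard\System Scanner\20080328151611\backup\DOCUME~1\Owner\LOCALS~1\Temp\Binaries2.zip/WinReanimator.dll Infected: not-a-virus:FraudTool.Win32.Reanimator.d skipped
C:\Deckard\System Scanner\20080328151611\backup\DOCUME~1\Owner\LOCALS~1\Temp\Binaries2.zip ZIP: infected - 1 skipped
C:\WINDOWS\system32\igfxtray.exe Infected: Trojan.Win32.Patched.bz skipped
Scan process completed.
"""

# One detection line reads "<path> Infected: <detection name> <last action>".
# Paths contain spaces, so the literal " Infected: " token is the delimiter.
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")


@dataclass(frozen=True)
class Detection:
    path: str
    name: str
    action: str
    location: str  # live | quarantine | restore-point | tool-backup


def classify_location(path: str) -> str:
    """Where the object lives decides whether it is a live threat or a copy.
    The folder rules are assumptions based on the paths seen in the thread."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"  # System Restore snapshot; goes away when restore points are purged
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "quarantine"     # already moved there by ComboFix
    if "\\deckard\\system scanner\\" in p and "\\backup\\" in p:
        return "tool-backup"    # Deckard's System Scanner backup folder
    return "live"


def parse_report(text: str) -> list[Detection]:
    """Return one Detection per 'Infected:' line. 'Object is locked' lines and
    archive container summaries ('ZIP: infected - 1') are not detections."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["name"], m["action"],
                                   classify_location(m["path"])))
    return found


def triage(detections: list[Detection]) -> dict:
    """Summarise the report: counts per location and per detection name, the
    live objects, and live 'Patched' objects, i.e. legitimate programs the
    malware altered in place (reinstall candidates rather than deletions)."""
    live = [d for d in detections if d.location == "live"]
    return {
        "by_location": dict(Counter(d.location for d in detections)),
        "by_name": dict(Counter(d.name for d in detections)),
        "live_paths": [d.path for d in live],
        "patched_live": [d.path for d in live
                         if d.name.startswith("Trojan.Win32.Patched")],
    }


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against a saved report instead of the sample by reading the file into parse_report(); only the "live" bucket needs action, the rest is cleanup of copies.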
Old 04-17-2008, 09:44 AM   #16 (permalink)
Registered User
Join Date: Mar 2008
Location: chicago
Posts: 11
OS: windows xp sp2


Re: constant pops up - braviax.exe spyware infection

ok here goes (the only reason I attached them was because, like before, it wouldn't allow me to copy and paste it all and you told me to just attach them). Now I uninstalled the old Java but I can't find the specific Ju5 one so I installed JDK 6 Update 6, because it also wouldn't let me download Java SE 6 Update 10 Beta (only I don't know how to install it; it downloaded but nothing happened). Now I hope I didn't do something wrong by this but I felt I needed to let you know.

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:03 AM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_01\bin\javaw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\nero 8\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: BlackBerry Desktop Redirector.lnk = C:\Program Files\Research In Motion\BlackBerry\Redirector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1206494539093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

--
End of file - 6504 bytes

Kaspersky log

KASPERSKY ONLINE SCANNER REPORT
Thursday, April 17, 2008 10:14:56 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/04/2008
Kaspersky Anti-Virus database records: 710612


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 47213
Number of viruses found 5
Number of infected objects 82
Number of suspicious objects 0
Duration of the scan process 01:12:02

Infected Object Name Virus Name Last Action
C:\Deckard\System Scanner\20080328151611\backup\DOCUME~1\Owner\LOCALS~1\Temp\Binaries2.zip/WinReanimator.dll Infected: not-a-virus:FraudTool.Win32.Reanimator.d skipped

C:\Deckard\System Scanner\20080328151611\backup\DOCUME~1\Owner\LOCALS~1\Temp\Binaries2.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{4DA284FC-99A3-4D1D-B0EE-FD02F4757D45}.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{8D858147-8233-491B-B547-B5404AB836B2}.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008041620080417\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Analog Devices\Core\smax4pnp.exe Infected: Trojan.Win32.Patched.bz skipped

C:\QooBox\Quarantine\C\Program Files\WinReanimator\WinReanimator.dll.vir Infected: not-a-virus:FraudTool.Win32.Reanimator.d skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\braviax.exe.vir Infected: not-virus:Hoax.Win32.Renos.bcz skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP329\snapshot\MFEX-1.DAT Infected: Trojan.Win32.Agent.dyu skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP329\snapshot\MFEX-10.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP329\snapshot\MFEX-12.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP329\snapshot\MFEX-2.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP329\snapshot\MFEX-3.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP329\snapshot\MFEX-8.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP329\snapshot\MFEX-9.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP330\snapshot\MFEX-1.DAT Infected: Trojan.Win32.Agent.dyu skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP330\snapshot\MFEX-10.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP330\snapshot\MFEX-12.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP330\snapshot\MFEX-2.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP330\snapshot\MFEX-3.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP330\snapshot\MFEX-8.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP330\snapshot\MFEX-9.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP331\snapshot\MFEX-1.DAT Infected: Trojan.Win32.Agent.dyu skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP331\snapshot\MFEX-10.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP331\snapshot\MFEX-12.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP331\snapshot\MFEX-2.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP331\snapshot\MFEX-3.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP331\snapshot\MFEX-8.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP331\snapshot\MFEX-9.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP332\snapshot\MFEX-2.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP332\snapshot\MFEX-3.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP332\snapshot\MFEX-4.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP332\snapshot\MFEX-6.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP333\snapshot\MFEX-10.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP333\snapshot\MFEX-12.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP333\snapshot\MFEX-2.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP333\snapshot\MFEX-3.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP333\snapshot\MFEX-4.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP333\snapshot\MFEX-6.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP333\snapshot\MFEX-8.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP333\snapshot\MFEX-9.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP334\snapshot\MFEX-10.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP334\snapshot\MFEX-12.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP334\snapshot\MFEX-2.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP334\snapshot\MFEX-3.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP334\snapshot\MFEX-4.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP334\snapshot\MFEX-6.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP334\snapshot\MFEX-8.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP334\snapshot\MFEX-9.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP335\snapshot\MFEX-10.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP335\snapshot\MFEX-12.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP335\snapshot\MFEX-14.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP335\snapshot\MFEX-15.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP335\snapshot\MFEX-16.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP335\snapshot\MFEX-18.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP335\snapshot\MFEX-2.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP335\snapshot\MFEX-3.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP335\snapshot\MFEX-4.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP335\snapshot\MFEX-6.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP335\snapshot\MFEX-8.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP335\snapshot\MFEX-9.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP336\snapshot\MFEX-10.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP336\snapshot\MFEX-12.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP336\snapshot\MFEX-14.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP336\snapshot\MFEX-15.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP336\snapshot\MFEX-16.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP336\snapshot\MFEX-18.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP336\snapshot\MFEX-2.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP336\snapshot\MFEX-3.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP336\snapshot\MFEX-4.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP336\snapshot\MFEX-6.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP336\snapshot\MFEX-8.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP336\snapshot\MFEX-9.DAT Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP340\A0037017.rbf Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP343\A0037365.dll Infected: not-a-virus:FraudTool.Win32.Reanimator.d skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP343\A0037371.exe Infected: not-virus:Hoax.Win32.Renos.bcz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP349\A0037966.rbf Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP370\A0043416.exe Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP370\A0043435.exe Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP370\A0043650.exe Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP370\A0043666.exe Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP371\A0043709.rbf Infected: Trojan.Win32.Patched.bz skipped

C:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP373\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{FBD3B7A5-0B35-4026-9F77-1658D309707A}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\igfxtray.exe Infected: Trojan.Win32.Patched.bz skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\mcmsc_28CKMxEVrZzFUhw Object is locked skipped

C:\WINDOWS\Temp\mcmsc_3QUYO4JDCj7YGcz Object is locked skipped

C:\WINDOWS\Temp\mcmsc_6roWs8m93MpTSoF Object is locked skipped

C:\WINDOWS\Temp\mcmsc_DjTxXbQRJtOrGoG Object is locked skipped

C:\WINDOWS\Temp\mcmsc_nw8Oq2tyRgOl7i9 Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP281\A0031741.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

D:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP281\A0031741.exe 7-Zip: infected - 1 skipped

D:\System Volume Information\_restore{F6B29364-AF4E-4806-A473-E56D6442085A}\RP373\change.log Object is locked skipped

Scan process completed.

ComboFix log

ComboFix 08-04-10.5 - Owner 2008-04-16 11:56:57.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.679 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\Documents and Settings\All Users\Application Data\ahenely.reg
C:\Documents and Settings\All Users\Application Data\urori.dll
C:\Documents and Settings\Owner\Application Data\ygifamyru.sys
C:\Documents and Settings\Owner\Application Data\yzozu.vbs
C:\WINDOWS\akyhaj.dl
C:\WINDOWS\alazo.com
C:\WINDOWS\huroludyte.dll
C:\WINDOWS\lola.ban
C:\WINDOWS\system32\epoqy.pif
C:\WINDOWS\system32\umuzaka.bin
C:\WINDOWS\system32\wasajakur.ban
C:\WINDOWS\system32\zepe.dl
C:\WINDOWS\vofes.dll
C:\WINDOWS\ynylix.vbs
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\ahenely.reg
C:\Documents and Settings\All Users\Application Data\urori.dll
C:\Documents and Settings\Owner\Application Data\ygifamyru.sys
C:\Documents and Settings\Owner\Application Data\yzozu.vbs
C:\WINDOWS\akyhaj.dl
C:\WINDOWS\alazo.com
C:\WINDOWS\huroludyte.dll
C:\WINDOWS\lola.ban
C:\WINDOWS\system32\epoqy.pif
C:\WINDOWS\system32\umuzaka.bin
C:\WINDOWS\system32\wasajakur.ban
C:\WINDOWS\system32\zepe.dl
C:\WINDOWS\vofes.dll
C:\WINDOWS\ynylix.vbs

.
((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-16 11:21 . 2008-04-16 11:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-16 11:21 . 2008-04-16 11:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-11 17:18 . 2008-04-13 15:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-04-10 11:17 . 2008-04-10 19:45 <DIR> d-------- C:\ComboFix(3)
2008-04-10 10:23 . 2008-04-10 19:45 <DIR> d--hs---- C:\RECYCLER(2)
2008-04-08 12:41 . 2008-04-08 12:43 <DIR> d-------- C:\ComboFix(2)
2008-04-08 12:37 . 2008-04-08 12:38 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-03-27 13:47 . 2008-04-02 18:36 256 --a------ C:\WINDOWS\system32\pool.bin
2008-03-26 10:06 . 2005-09-20 09:31 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2008-03-21 17:02 . 2008-03-21 17:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-21 17:00 . 2008-03-21 17:00 <DIR> d-------- C:\Deckard
2008-03-21 16:54 . 2008-03-21 16:56 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-21 16:54 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-03-21 13:42 . 2008-03-21 14:24 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-21 13:42 . 2008-03-21 13:42 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-21 13:42 . 2008-03-21 13:42 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-21 13:42 . 2008-03-21 13:42 1,406 --a------ C:\WINDOWS\system32\Help.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 15:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2008-04-16 15:54 --------- d-----w C:\Program Files\Canon
2008-04-16 15:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\Canon
2008-04-16 15:45 --------- d-----w C:\Program Files\MySpace
2008-04-14 17:56 --------- d-----w C:\Program Files\NCH Software
2008-04-11 00:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-03 20:43 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-04-02 14:53 --------- d-----w C:\Program Files\Java
2008-03-31 16:09 --------- d-----w C:\Program Files\McAfee
2008-03-30 20:19 --------- d-----w C:\Program Files\Common Files\Research In Motion
2008-03-28 20:36 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-25 04:41 94,208 ----a-w C:\WINDOWS\system32\igfxtray.exe
2008-03-25 04:41 114,688 ----a-w C:\WINDOWS\system32\igfxpers.exe
2008-03-21 19:08 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-03-19 18:46 17,681 ----a-w C:\Program Files\Common Files\yhepotic._dl
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-11 19:08 --------- d-----w C:\Program Files\CA Yahoo! Anti-Spy
2008-03-11 19:06 --------- d-----w C:\Program Files\Common Files\Scanner
2008-03-11 19:05 --------- d-----w C:\Program Files\Yahoo!
2008-03-04 23:20 --------- d-----w C:\Program Files\GreenTechMobile
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-24 18:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-02-24 18:05 --------- d-----w C:\Program Files\NCH Swift Sound
2008-02-23 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Software
2008-02-22 16:21 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-05 19:41 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
.
Files Infected - Win32.Agent.zb
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
.

((((((((((((((((((((((((((((( snapshot_2008-04-10_19.59.22.70 )))))))))))))))))))))))))))))))))))))))))
.
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
@={E4000AC4-5E5F-4956-807A-C5854405D64F}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 16:25 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2008-03-24 23:41 1404928]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"NBKeyScan"="C:\Program Files\nero 8\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2008-03-24 23:41 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2008-03-24 23:41 114688]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"D:\\juicy lemon\\juicy lemon\\limewire.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 06:30:06 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-01 06:00:07 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 11:59:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-16 12:00:17
ComboFix-quarantined-files.txt 2008-04-16 17:00:06
ComboFix2.txt 2008-04-11 01:01:42
ComboFix3.txt 2008-04-10 13:14:45
ComboFix4.txt 2008-04-07 12:17:24
ComboFix5.txt 2008-03-30 20:09:58
Pre-Run: 92,508,434,432 bytes free
Post-Run: 92,497,932,288 bytes free
.
2008-04-15 10:02:24 --- E O F ---
__________________
"speed is nothing with out control"
Old 04-17-2008, 08:11 PM   #17 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: constant pops up - braviax.exe spyware infection

Hi,

Your logs show that you still have an older version of Java installed. What you need to install is Java Runtime Environment 6 Update 6.

Other than that, how is your machine performing?
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Old 04-20-2008, 11:25 PM   #18 (permalink)
Registered User
 
driftnation's Avatar
 
Join Date: Mar 2008
Location: chicago
Posts: 11
OS: windows xp sp2


Re: constant pops up - braviax.exe spyware infection

The computer is running pretty good, like new I would say. I still get "infections" every time I run Ad-Aware, but other than that all is well. The only thing is I couldn't seem to locate the Java update version 6 update 6, only update 5, so I'm not sure where to find it. And could you possibly recommend anything to maybe keep this from happening again?
__________________
"speed is nothing with out control"
Old 04-23-2008, 07:44 PM   #19 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: constant pops up - braviax.exe spyware infection

Sorry for the delay in responding. I didn't get an email notification that you replied.

Go to this page: http://java.sun.com/javase/downloads/index.jsp

Scroll down and you'll see this:

Quote:
Java Runtime Environment (JRE) 6 Update 6
The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
That's the one you need to download.

Congratulations! Your log looks clean!

Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache and uninstall combofix.


Here are some free programs I recommend that could help you improve your pc's security.

MVPS Hosts File
~You can download it from here
~I highly recommend this hosts file. You can learn more about this here

Install SpyWare Blaster
~You can download it from here
~You can read the tutorial on how to use Spyware Blaster here

Install WinPatrol
~You can download it from here
~You can get some information about how WinPatrol works here

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

Happy safe surfing!

Note: Please reply to this thread one last time so I could close it.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Old 04-27-2008, 11:35 PM   #20 (permalink)
Registered User
 
driftnation's Avatar
 
Join Date: Mar 2008
Location: chicago
Posts: 11
OS: windows xp sp2


Re: constant pops up - braviax.exe spyware infection

I'm sorry it has taken me this long to reply, but my computer is running great. I run the programs you recommended and the Ad-Aware that's on my rig, and everything is running pretty well. I thank you for your time and all your help.
__________________
"speed is nothing with out control"
Copyright 2001 - 2009, Tech Support Forum