Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
09-02-2009, 06:26 PM   #1
Registered User
 
Join Date: Sep 2009
Posts: 19
OS: Windows XP


Lingering Braviax Malware

Background information:
I [think I] removed a malware called Braviax. Before I knew that this forum existed, I tried doing it on my own because I have removed many viruses in my day. But after I removed it, it seems like my Internet is slower than normal. I am wondering if the malware is still lingering in the background. Here are the logs:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Michael D'Amico at 16:14:28.87 on Wed 09/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1326 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Michael D'Amico\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: PayPal Plug-In: {dc0f2f93-27fa-4f84-acaa-9416f90b9511} - c:\program files\paypal\paypal plug-in\OToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli iltrt42E.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michae~1\applic~1\mozilla\firefox\profiles\ccdgjkr9.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\java\j2re1.4.2_01\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_01\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_01\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_01\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_01\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_01\bin\NPJPI142_01.dll
FF - plugin: c:\program files\java\j2re1.4.2_01\bin\NPOJI610.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: XUL Cache: {4EE8C926-98D9-4250-B3F5-6054DC673A4B} - c:\documents and settings\michael d'amico\local settings\application data\{4EE8C926-98D9-4250-B3F5-6054DC673A4B}
FF - HiddenExtension: XUL Cache: {D9429FD2-C2FA-4447-8C1E-B6D49B7B99F1} - c:\documents and settings\administrator\local settings\application data\{D9429FD2-C2FA-4447-8C1E-B6D49B7B99F1}

============= SERVICES / DRIVERS ===============

R1 Odptdi;Odptdi;c:\windows\system32\drivers\odptdi.sys [2008-6-12 46744]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-21 353672]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-6-6 116928]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-6-6 1821376]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\common files\sony shared\vaio entertainment\vzcdb\VzFw.exe [2007-11-21 86098]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-31 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090831.018\naveng.sys [2009-8-31 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090831.018\navex15.sys [2009-8-31 1323568]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 224896]
S1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys --> c:\windows\system32\drivers\klif.sys [?]
S3 PVUSB;CESG502 USB Driver;c:\windows\system32\drivers\CESG502.sys [2007-12-28 40672]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\common files\sony shared\vaio entertainment\vcsw\vcsw.exe -runbyscm --> c:\program files\common files\sony shared\vaio entertainment\vcsw\VCSW.exe -RunBySCM [?]

=============== Created Last 30 ================

2009-09-01 20:35 <DIR> --d----- C:\!KillBox
2009-09-01 19:49 <DIR> --d----- c:\windows\pss
2009-09-01 16:15 146 a------- c:\documents and settings\michael d'amico\delself.bat
2009-08-31 20:43 120 a------- c:\windows\Pzacohahurozec.dat
2009-08-31 19:35 65,536 a------- c:\windows\9129837.exe
2009-08-31 19:35 190,742 a------- c:\windows\system32\wisdstr.exe
2009-08-31 19:35 94,016 ac------ c:\windows\system32\dllcache\agp440.sys
2009-08-31 18:17 1,097 a------- C:\net_save.dna
2009-08-31 18:17 <DIR> --d----- c:\program files\support.com
2009-08-31 18:16 <DIR> --d----- c:\program files\common files\SupportSoft

==================== Find3M ====================

2009-09-01 20:31 94,016 a------- c:\windows\system32\drivers\agp440.sys
2009-07-09 17:41 6,535,960 a------- c:\windows\PayPalPlug-In.exe
2009-07-09 17:41 68,248 a------- c:\windows\hosts.exe
2007-04-23 14:21 269,824 ac------ c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-04-23 14:11 224,896 ac------ c:\windows\inf\wg111v3\wg111v3.sys
2006-12-15 11:30 315,392 ac------ c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30 212,992 ac------ c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30 98,304 ac------ c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30 66,048 ac------ c:\windows\inf\wg111v3\EAPPkt.sys
2006-12-15 11:30 28,672 ac------ c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 11:30 20,480 ac------ c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30 19,968 ac------ c:\windows\inf\wg111v3\RTWREFU.EXE
2008-09-17 19:36 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091720080918\index.dat

============= FINISH: 16:16:20.17 ===============
Attached Files
File Type: zip Attach.zip (5.4 KB, 3 views)

Last edited by chemist; 09-03-2009 at 03:25 PM.
p0ng is offline  

09-03-2009, 10:48 AM   #2
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,595
OS: XP SP3


Re: Lingering Braviax Malware

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please do not wrap logs in code or quoteboxes. Thanks.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
09-03-2009, 03:15 PM   #3
Registered User
 
Join Date: Sep 2009
Posts: 19
OS: Windows XP


Re: Lingering Braviax Malware

Thanks for your reply. Here is the ComboFix log:

ComboFix 09-09-03.02 - Michael D'Amico 09/03/2009 16:54.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1446 [GMT -4:00]
Running from: c:\documents and settings\Michael D'Amico\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Michael D'Amico\Application Data\wiaserva.log
c:\documents and settings\Michael D'Amico\delself.bat
c:\documents and settings\Michael D'Amico\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\recycler\S-1-5-21-1396872088-3748908101-396746802-1003
c:\recycler\S-1-5-21-1949927173-469454160-995847847-1003
c:\recycler\S-1-5-21-2079935708-208231105-2391958233-1003
c:\recycler\S-1-5-21-3909813836-1729804518-3232454224-1003
c:\recycler\S-1-5-21-4245438337-535331677-3860417254-1003
c:\recycler\S-1-5-21-682003330-1801674531-839522115-1003
c:\windows\9129837.exe
c:\windows\iltrt42E.dll
c:\windows\Installer\7e1a6.msi
c:\windows\Installer\889bd.msi
c:\windows\Installer\889c5.msi
c:\windows\Installer\889d3.msi
c:\windows\Installer\88a05.msi
c:\windows\Installer\88a1a.msi
c:\windows\setup.exe
c:\windows\system32\wisdstr.exe
F:\Autorun.inf
F:\install.exe

.
((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

2009-09-02 00:35 . 2009-09-02 00:40 -------- d-----w- C:\!KillBox
2009-09-02 00:26 . 2009-09-02 00:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-09-01 20:56 . 2009-09-01 20:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{D9429FD2-C2FA-4447-8C1E-B6D49B7B99F1}
2009-09-01 20:34 . 2009-09-02 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-01 00:43 . 2009-09-01 00:43 120 ----a-w- c:\windows\Pzacohahurozec.dat
2009-08-31 23:38 . 2009-08-31 23:38 -------- d-----w- c:\documents and settings\Michael D'Amico\Local Settings\Application Data\{4EE8C926-98D9-4250-B3F5-6054DC673A4B}
2009-08-31 23:35 . 2009-09-02 00:31 94016 -c--a-w- c:\windows\system32\dllcache\agp440.sys
2009-08-31 22:17 . 2009-08-31 22:23 -------- d-----w- c:\program files\support.com
2009-08-31 22:17 . 2009-08-31 22:17 -------- d-----w- c:\documents and settings\Michael D'Amico\Local Settings\Application Data\SupportSoft
2009-08-31 22:16 . 2009-08-31 22:16 -------- d-----w- c:\program files\Common Files\SupportSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 21:02 . 2007-11-25 22:35 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-02 03:17 . 2008-05-20 21:29 -------- d-----w- c:\documents and settings\Michael D'Amico\Application Data\uTorrent
2009-09-02 00:31 . 2004-03-31 22:28 94016 ----a-w- c:\windows\system32\drivers\agp440.sys
2009-09-02 00:13 . 2007-11-21 07:32 -------- d-----w- c:\program files\Common Files\Apple
2009-08-16 19:06 . 2009-05-10 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-16 19:03 . 2008-06-13 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\WholeSecurity
2009-07-29 22:00 . 2008-06-12 20:25 -------- d-----w- c:\documents and settings\Michael D'Amico\Application Data\Aventail
2009-07-09 21:41 . 2009-07-09 21:41 68248 ----a-w- c:\windows\hosts.exe
2009-07-09 21:41 . 2009-07-09 21:41 6535960 ----a-w- c:\windows\PayPalPlug-In.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-16 335872]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-06-06 125632]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-05-23 88363]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2007-9-12 1527808]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2967:TCP"= 2967:TCP:128.153.4.220/255.255.255.255:Enabled:Clarkson University's Symantec Update Server

R1 Odptdi;Odptdi;c:\windows\system32\drivers\odptdi.sys [6/12/2008 4:27 PM 46744]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/6/2007 4:24 PM 116928]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [11/21/2007 4:24 AM 86098]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2009 7:40 PM 102448]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [4/23/2007 2:11 PM 224896]
S3 PVUSB;CESG502 USB Driver;c:\windows\system32\drivers\CESG502.sys [12/28/2007 8:20 PM 40672]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [10/1/2006 8:37 AM 26624]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM --> c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM [?]
.
Contents of the 'Scheduled Tasks' folder

2009-08-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Michael D'Amico\Application Data\Mozilla\Firefox\Profiles\ccdgjkr9.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPJPI142_01.dll
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPOJI610.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: XUL Cache: {4EE8C926-98D9-4250-B3F5-6054DC673A4B} - c:\documents and settings\Michael D'Amico\Local Settings\Application Data\{4EE8C926-98D9-4250-B3F5-6054DC673A4B}
FF - HiddenExtension: XUL Cache: {D9429FD2-C2FA-4447-8C1E-B6D49B7B99F1} - c:\documents and settings\Administrator\Local Settings\Application Data\{D9429FD2-C2FA-4447-8C1E-B6D49B7B99F1}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-03 17:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5044)
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
.
**************************************************************************
.
Completion time: 2009-09-03 17:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-03 21:13

Pre-Run: 123,935,014,912 bytes free
Post-Run: 123,890,782,208 bytes free

158 --- E O F --- 2008-04-10 03:08

Last edited by chemist; 09-03-2009 at 03:26 PM.
p0ng is offline  
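Two of the indicators in the logs posted above can be checked mechanically: the DDS line "LSA: Notification Packages = scecli iltrt42E.dll" from post #1 (an extra notification DLL loaded by LSASS; ComboFix lists c:\windows\iltrt42E.dll among its deletions) and the Security Center and firewall-policy values in the ComboFix "Reg Loading Points" section. The Python below is an added example, not a tool from the forum or from the DDS/ComboFix authors; the set of known LSA packages is an assumption, and the sample log lines are constructed from this thread.

```python
"""Triage checks for two findings in this thread's logs: the DDS line
"LSA: Notification Packages = scecli iltrt42E.dll" (an extra DLL loaded by
LSASS; ComboFix later deleted c:\\windows\\iltrt42E.dll) and the Security
Center / firewall-policy values in ComboFix's REGEDIT4 "Reg Loading Points"
block, which silence the alerts a user would get about disabled protection.
Added example, not a tool from the forum or from DDS/ComboFix."""
import re

# Assumption for this triage: scecli is the only LSA notification package a
# stock Windows XP install carries, so anything else is listed for review.
KNOWN_LSA_PACKAGES = {"scecli"}

# Values under ...\security center that suppress Security Center warnings.
OVERRIDE_NAMES = {"UpdatesDisableNotify", "AntiVirusOverride", "FirewallOverride"}


def parse_regedit4(text):
    """Parse a REGEDIT4-style dump into {key: {name: value}}; understands
    dword:XXXXXXXX, "quoted strings" and ComboFix's 'N (0xN)' numbers."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            result.setdefault(current, {})
            continue
        kv = re.match(r'^"([^"]+)"=\s*(.*)$', line)
        if not kv or current is None:
            continue
        name, value = kv.group(1), kv.group(2).strip()
        dword = re.match(r"^dword:([0-9a-fA-F]{8})$", value)
        plain = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", value)
        if dword:
            result[current][name] = int(dword.group(1), 16)
        elif plain:
            result[current][name] = int(plain.group(1))
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            result[current][name] = value[1:-1]
        else:
            result[current][name] = value  # anything else stays raw text
    return result


def find_security_center_findings(reg):
    """Return (key, name, value) for override values set to 1 and for a
    standard-profile firewall policy with EnableFirewall = 0. DisableMonitoring
    under ...\\Monitoring\\<Product> is set by third-party AV, so it is skipped."""
    findings = []
    for key, values in reg.items():
        low = key.lower()
        if low.endswith("\\security center"):
            for name, value in values.items():
                if name in OVERRIDE_NAMES and value == 1:
                    findings.append((key, name, value))
        elif low.endswith("firewallpolicy\\standardprofile"):
            if values.get("EnableFirewall") == 0:
                findings.append((key, "EnableFirewall", 0))
    return findings


def find_unexpected_lsa_packages(dds_text):
    """Return the LSA notification packages that are not in the known set."""
    for line in dds_text.splitlines():
        m = re.match(r"^LSA:\s*Notification Packages\s*=\s*(.*)$", line.strip())
        if m:
            return [p for p in m.group(1).split()
                    if p.lower() not in KNOWN_LSA_PACKAGES]
    return []


# Sample input constructed from the lines quoted earlier in this thread.
DDS_SAMPLE = "LSA: Notification Packages = scecli iltrt42E.dll\n"

COMBOFIX_SAMPLE = """REGEDIT4
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


def triage(dds_text, combofix_text):
    """Run both checks and return one human-readable line per finding."""
    out = ["LSA notification package outside the known set: " + p
           for p in find_unexpected_lsa_packages(dds_text)]
    reg = parse_regedit4(combofix_text)
    for key, name, value in find_security_center_findings(reg):
        out.append(f"{key}: {name} = {value}")
    return out
```

Calling triage(DDS_SAMPLE, COMBOFIX_SAMPLE) on the constructed input yields five findings: the rogue LSA package, the three override values and the disabled standard-profile firewall.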
09-03-2009, 03:31 PM   #4
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,595
OS: XP SP3


Re: Lingering Braviax Malware

Hello p0ng. Did you forget this part:

Quote:
Please do not wrap logs in code or quoteboxes. Thanks.
------------------------------------------------------

Quote:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
It appears you didn't install the Recovery Console. Any particular reason?

------------------------------------------------------

Please go to: VirusTotal
  • On the page you'll find a Browse button.
  • Next to the Browse button you'll see a box to enter text.
  • Please copy/paste the following bolded text into the box:

    c:\windows\hosts.exe

  • Then click the Send File button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analysed: click Reanalyse file now
  • Once scanned, copy and paste the results in your next reply.
------------------------------------------------------
chemist is offline  
09-03-2009, 04:46 PM   #5
Registered User
 
Join Date: Sep 2009
Posts: 19
OS: Windows XP


Re: Lingering Braviax Malware

Sorry about the quotes; it won't happen again. As for the recovery console, is it needed? Here are the results from VirusTotal:

File hosts.exe received on 2009.09.03 22:44:25 (UTC)
Result: 1/41 (2.44%)

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.03 -
AhnLab-V3 5.0.0.2 2009.09.03 -
AntiVir 7.9.1.8 2009.09.03 -
Antiy-AVL 2.0.3.7 2009.09.03 -
Authentium 5.1.2.4 2009.09.03 -
Avast 4.8.1335.0 2009.09.03 -
AVG 8.5.0.409 2009.09.03 -
BitDefender 7.2 2009.09.04 -
CAT-QuickHeal 10.00 2009.09.02 -
ClamAV 0.94.1 2009.09.03 -
Comodo 2196 2009.09.04 -
DrWeb 5.0.0.12182 2009.09.03 -
eSafe 7.0.17.0 2009.09.03 -
eTrust-Vet 31.6.6719 2009.09.03 -
F-Prot 4.5.1.85 2009.09.03 -
F-Secure 8.0.14470.0 2009.09.03 -
Fortinet 3.120.0.0 2009.09.03 -
GData 19 2009.09.03 -
Ikarus T3.1.1.72.0 2009.09.03 -
Jiangmin 11.0.800 2009.09.03 -
K7AntiVirus 7.10.835 2009.09.03 -
Kaspersky 7.0.0.125 2009.09.04 -
McAfee 5730 2009.09.03 -
McAfee+Artemis 5730 2009.09.03 -
McAfee-GW-Edition 6.8.5 2009.09.03 Heuristic.BehavesLike.Win32.Spyware.H
Microsoft 1.5005 2009.09.03 -
NOD32 4392 2009.09.03 -
Norman 6.01.09 2009.09.03 -
nProtect 2009.1.8.0 2009.09.03 -
Panda 10.0.2.2 2009.09.03 -
PCTools 4.4.2.0 2009.09.03 -
Prevx 3.0 2009.09.04 -
Rising 21.45.14.00 2009.09.01 -
Sophos 4.45.0 2009.09.03 -
Sunbelt 3.2.1858.2 2009.09.03 -
Symantec 1.4.4.12 2009.09.04 -
TheHacker 6.3.4.3.396 2009.09.03 -
TrendMicro 8.950.0.1094 2009.09.03 -
VBA32 3.12.10.10 2009.09.03 -
ViRobot 2009.9.3.1916 2009.09.03 -
VirusBuster 4.6.5.0 2009.09.03 -
Additional information
File size: 68248 bytes
MD5...: ae3bc4f8ca5c57f6b98b2951c9968d04
SHA1..: 2cd715bade6c8662f61fd49c8e9f7ca1046e035b
SHA256: 499845eb6f3bf0dad197134223acb0de1d3294d422857edeac29f5852488c277
ssdeep: 768:jsizDPjHibDEYIYWtnPWYwQ4ouhG+dKYFf9Ql5UVeTVBxVmVjGHdZwRrL3eOA:ooFH9/w22rN2tVBx8ppL3HA

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000
timedatestamp.....: 0x46f268ea (Thu Sep 20 12:34:50 2007)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xb000 0xa800 6.39 2f3efeaab3f070a77a5dc69c8fadb07c
.data 0xc000 0x10000 0xe00 5.98 938a043a7b06ccf992f08dfdb9f9b126
.idata 0x1c000 0x1000 0x1000 4.90 6e50fa10a5bf6c5e2604dc1ae847e7b0
.rsrc 0x1d000 0x4000 0x3c00 4.71 0995df786d4d4c1a497f193cd6be8204

( 7 imports )
> ADVAPI32.DLL: RegCloseKey, RegCreateKeyExA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA
> KERNEL32.DLL: CloseHandle, CompareStringA, CreateDirectoryA, CreateDirectoryW, CreateFileA, CreateFileW, DeleteFileA, DeleteFileW, DosDateTimeToFileTime, ExitProcess, ExpandEnvironmentStringsA, FileTimeToLocalFileTime, FileTimeToSystemTime, FindClose, FindFirstFileA, FindFirstFileW, FindNextFileA, FindNextFileW, FindResourceA, FreeLibrary, GetCPInfo, GetCommandLineA, GetCurrentDirectoryA, GetDateFormatA, GetFileAttributesA, GetFileAttributesW, GetFileType, GetFullPathNameA, GetLastError, GetLocaleInfoA, GetModuleFileNameA, GetModuleHandleA, GetNumberFormatA, GetProcAddress, GetProcessHeap, GetStdHandle, GetTempPathA, GetTickCount, GetTimeFormatA, GetVersionExA, GlobalAlloc, HeapAlloc, HeapFree, HeapReAlloc, IsDBCSLeadByte, LoadLibraryA, LocalFileTimeToFileTime, MoveFileA, MoveFileExA, MultiByteToWideChar, OpenFile, ReadFile, SetCurrentDirectoryA, SetEnvironmentVariableA, SetFileAttributesA, SetFileAttributesW, SetFilePointer, SetFileTime, SetLastError, SetVolumeLabelA, Sleep, SystemTimeToFileTime, WaitForSingleObject, WideCharToMultiByte, WriteFile, _lclose, lstrcmpiA, lstrlenA
> COMCTL32.DLL: -
> GDI32.DLL: DeleteObject
> SHELL32.DLL: SHBrowseForFolderA, SHChangeNotify, SHFileOperationA, SHGetFileInfoA, SHGetMalloc, SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA
> USER32.DLL: CharLowerA, CharToOemA, CharToOemBuffA, CharUpperA, CopyRect, CreateWindowExA, DefWindowProcA, DestroyIcon, DestroyWindow, DialogBoxParamA, DispatchMessageA, EnableWindow, EndDialog, FindWindowExA, GetClassNameA, GetClientRect, GetDlgItem, GetDlgItemTextA, GetMessageA, GetParent, GetSysColor, GetSystemMetrics, GetWindow, GetWindowLongA, GetWindowRect, GetWindowTextA, IsWindow, IsWindowVisible, LoadBitmapA, LoadCursorA, LoadIconA, LoadStringA, MapWindowPoints, MessageBoxA, OemToCharA, OemToCharBuffA, PeekMessageA, PostMessageA, RegisterClassExA, SendDlgItemMessageA, SendMessageA, SetDlgItemTextA, SetFocus, SetMenu, SetWindowLongA, SetWindowPos, SetWindowTextA, ShowWindow, TranslateMessage, UpdateWindow, WaitForInputIdle, wsprintfA, wvsprintfA
> OLE32.DLL: CLSIDFromString, CoCreateInstance, CreateStreamOnHGlobal, OleInitialize, OleUninitialize

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
packers (F-Prot): ZIP
trid..: WinRAR Self Extracting archive (96.2%)
Win32 Executable Generic (1.5%)
Win32 Dynamic Link Library (generic) (1.4%)
Generic Win/DOS Executable (0.3%)
DOS Executable Generic (0.3%)
p0ng is offline  
09-03-2009, 06:05 PM   #6
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,595
OS: XP SP3


Re: Lingering Braviax Malware

Hello again, p0ng. Please tell us how your system is behaving after doing the following.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

I see you have P2P software ( uTorrent ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here and here.

I would strongly recommend that you uninstall it, however that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add or Remove Programs.

------------------------------------------------------

Quote:
As for the recovery console, is it needed?
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. Also, ComboFix will not address certain types of malware unless the RC is installed. It is a simple procedure that will only take a few moments of your time.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
File::
c:\windows\Pzacohahurozec.dat

Folder::
c:\documents and settings\Michael D'Amico\Local Settings\Application Data\{4EE8C926-98D9-4250-B3F5-6054DC673A4B}
c:\documents and settings\Administrator\Local Settings\Application Data\{D9429FD2-C2FA-4447-8C1E-B6D49B7B99F1}

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

Save this Notepad file as CFScript.txt to your Desktop and then close the file.

Referring to the picture above, drag CFScript onto ComboFix.

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 16" ("The Java SE Runtime Environment (JRE) allows end-users to run Java applications").
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
  • Click Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and Save the file to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start (or My Computer) > Control Panel and double-click on Add or Remove Programs and remove all older versions of Java.
  • Click (highlight) any item with Java Runtime Environment (JRE, J2SE, Java(TM) SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.
  • After the install is complete, go back to your Control Panel (using Classic View) and click the Java icon (looks like a coffee cup).
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache; leave BOTH checked:
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
    • Delete jre-6u16-windows-i586-p.exe from your desktop.
------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
Note: To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

ComboFix.txt
Kaspersky report
report on system behavior
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 09-04-2009, 04:46 AM   #7 (permalink)
Registered User
 
Join Date: Sep 2009
Posts: 19
OS: Windows XP


Re: Lingering Braviax Malware

Recovery Console was installed when I ran ComboFix. Before I ran any of these programs, I noticed that my computer was a slight bit faster and my internet was slightly faster as well. Here are the logs:

ComboFix 09-09-03.02 - Michael D'Amico 09/03/2009 20:36.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1424 [GMT -4:00]
Running from: c:\documents and settings\Michael D'Amico\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael D'Amico\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\Pzacohahurozec.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\{D9429FD2-C2FA-4447-8C1E-B6D49B7B99F1}
c:\documents and settings\Administrator\Local Settings\Application Data\{D9429FD2-C2FA-4447-8C1E-B6D49B7B99F1}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{D9429FD2-C2FA-4447-8C1E-B6D49B7B99F1}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{D9429FD2-C2FA-4447-8C1E-B6D49B7B99F1}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{D9429FD2-C2FA-4447-8C1E-B6D49B7B99F1}\install.rdf
c:\documents and settings\Michael D'Amico\Local Settings\Application Data\{4EE8C926-98D9-4250-B3F5-6054DC673A4B}
c:\documents and settings\Michael D'Amico\Local Settings\Application Data\{4EE8C926-98D9-4250-B3F5-6054DC673A4B}\chrome.manifest
c:\documents and settings\Michael D'Amico\Local Settings\Application Data\{4EE8C926-98D9-4250-B3F5-6054DC673A4B}\chrome\content\_cfg.js
c:\documents and settings\Michael D'Amico\Local Settings\Application Data\{4EE8C926-98D9-4250-B3F5-6054DC673A4B}\chrome\content\overlay.xul
c:\documents and settings\Michael D'Amico\Local Settings\Application Data\{4EE8C926-98D9-4250-B3F5-6054DC673A4B}\install.rdf
c:\windows\Pzacohahurozec.dat

.
((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))
.

2009-09-02 00:35 . 2009-09-02 00:40 -------- d-----w- C:\!KillBox
2009-09-02 00:26 . 2009-09-02 00:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-09-01 20:34 . 2009-09-02 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-31 23:35 . 2009-09-02 00:31 94016 -c--a-w- c:\windows\system32\dllcache\agp440.sys
2009-08-31 22:17 . 2009-08-31 22:23 -------- d-----w- c:\program files\support.com
2009-08-31 22:17 . 2009-08-31 22:17 -------- d-----w- c:\documents and settings\Michael D'Amico\Local Settings\Application Data\SupportSoft
2009-08-31 22:16 . 2009-08-31 22:16 -------- d-----w- c:\program files\Common Files\SupportSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 22:23 . 2008-06-13 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\WholeSecurity
2009-09-03 21:02 . 2007-11-25 22:35 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-02 03:17 . 2008-05-20 21:29 -------- d-----w- c:\documents and settings\Michael D'Amico\Application Data\uTorrent
2009-09-02 00:31 . 2004-03-31 22:28 94016 ----a-w- c:\windows\system32\drivers\agp440.sys
2009-09-02 00:13 . 2007-11-21 07:32 -------- d-----w- c:\program files\Common Files\Apple
2009-08-16 19:06 . 2009-05-10 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-07-29 22:00 . 2008-06-12 20:25 -------- d-----w- c:\documents and settings\Michael D'Amico\Application Data\Aventail
2009-07-09 21:41 . 2009-07-09 21:41 68248 ----a-w- c:\windows\hosts.exe
2009-07-09 21:41 . 2009-07-09 21:41 6535960 ----a-w- c:\windows\PayPalPlug-In.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-16 335872]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-06-06 125632]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-05-23 88363]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2007-9-12 1527808]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2967:TCP"= 2967:TCP:128.153.4.220/255.255.255.255:Enabled:Clarkson University's Symantec Update Server

R1 Odptdi;Odptdi;c:\windows\system32\drivers\odptdi.sys [6/12/2008 4:27 PM 46744]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/6/2007 4:24 PM 116928]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [11/21/2007 4:24 AM 86098]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2009 7:40 PM 102448]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [4/23/2007 2:11 PM 224896]
S3 PVUSB;CESG502 USB Driver;c:\windows\system32\drivers\CESG502.sys [12/28/2007 8:20 PM 40672]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [10/1/2006 8:37 AM 26624]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM --> c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM [?]
.
Contents of the 'Scheduled Tasks' folder

2009-08-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Michael D'Amico\Application Data\Mozilla\Firefox\Profiles\ccdgjkr9.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPJPI142_01.dll
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPOJI610.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-03 20:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2009-09-04 20:43
ComboFix-quarantined-files.txt 2009-09-04 00:43
ComboFix2.txt 2009-09-03 21:13

Pre-Run: 123,815,211,008 bytes free
Post-Run: 123,804,516,352 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

136 --- E O F --- 2008-04-10 03:08
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, September 4, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, September 04, 2009 02:12:22
Records in database: 2744145
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 115767
Threats found: 14
Infected objects found: 29
Suspicious objects found: 5
Scan duration: 04:32:51


File name / Threat / Threats count
C:\WINDOWS\system32\braviax.exe/C:\WINDOWS\system32\braviax.exe Infected: Trojan-Downloader.Win32.FraudLoad.fko 1
C:\WINDOWS\system32\_scui.cpl/C:\WINDOWS\system32\_scui.cpl Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.dj 1
C:\!KillBox\sys32_nov.exe Infected: Trojan-Dropper.Win32.Agent.bbup 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\058C0000\4F9DB648.VBN Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\058C0001\4F9DB687.VBN Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05EC0000\4FFD811F.VBN Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C00000\4FDDB163.VBN Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08100000\4A9DADF7.VBN Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09680000\4BFDB011.VBN Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09680001\4BFDB03F.VBN Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C900000\4ED55BEE.VBN Infected: Trojan-Dropper.Win32.Small.dcg 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F900000\4F9DBD0F.VBN Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FBC0000\4FBC5E6F.VBN Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\Documents and Settings\Michael D'Amico\Desktop\Pharming\FBinder+0[1][1].5++release\PayPal Plug-In Backup.exe Suspicious: Packed.Win32.Klone.bn 1
C:\Documents and Settings\Michael D'Amico\Desktop\Pharming\FBinder+0[1][1].5++release\PayPal Plug-In.exe Suspicious: Packed.Win32.Klone.bn 1
C:\Documents and Settings\Michael D'Amico\Desktop\Pharming\FBinder+0[1][1].5++release.rar Suspicious: Packed.Win32.Klone.bn 1
C:\Documents and Settings\Michael D'Amico\Desktop\supplementedge\to be sorted\getDescrip\image.vbs Suspicious: Trojan-Downloader.JS.gen 1
C:\Documents and Settings\Michael D'Amico\Desktop\wirelesskeyview\WirelessKeyView.exe Infected: not-a-virus:PSWTool.Win32.Messen.cw 1
C:\Documents and Settings\Michael D'Amico\Desktop\wirelesskeyview.zip Infected: not-a-virus:PSWTool.Win32.Messen.cw 1
C:\Program Files\PC_Antispyware2010\wscui.cpl Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.dj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir Infected: Trojan.Win32.FraudPack.rcj 1
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP2\A0000194.exe Infected: Trojan.Win32.FraudPack.rcj 1
C:\WINDOWS\Drivers\beep.sys Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\WINDOWS\system32\braviax.exe Infected: Trojan-Downloader.Win32.FraudLoad.fko 1
C:\WINDOWS\system32\dllcache\beep.sys Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\WINDOWS\system32\dllcache\figaro.sys Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\WINDOWS\system32\drivers\beep.sys Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\WINDOWS\system32\_scui.cpl Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.dj 1
F:\My Documents\My Source Code\nuclear\nuclear\Server\Main.frm Infected: Trojan.BAT.Disabler.e 1
F:\My Documents\My Source Code\nuclear\nuclear\Server\server.exe Suspicious: Backdoor.Win32.VB.gen 1
F:\My Documents\My Source Code\tocsock spammer\demo.bas Infected: Trojan.BAT.Disabler.e 1
F:\My Documents\My Websites\simplicity\cupholder1.htm Infected: Trojan.VBS.CDJack.a 1
F:\Progs\bitlock.exe.vbs Infected: Trojan-Dropper.VBS.Drivs 1
F:\Progs\Fon\hfs.exe Infected: not-a-virus:Server-FTP.Win32.SFH.a 1

Selected area has been scanned.
Old 09-04-2009, 09:15 AM   #8 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,595
OS: XP SP3


Re: Lingering Braviax Malware

Hello again, p0ng. QooBox is ComboFix's quarantine folder. System Volume Information is where Windows keeps old system restore points. Both will get deleted when we uninstall ComboFix.

------------------------------------------------------

Empty this entire folder. It's where Symantec keeps its renamed quarantined files:

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine

Don't delete the folder, just empty it.

------------------------------------------------------

It appears you picked up braviax.exe again, along with some others, in between running ComboFix and the Kaspersky scan.

Before we delete those other files from the Kaspersky report, I want you to run ComboFix again.

Disable Symantec, double-click ComboFix.exe and post the ComboFix.txt log in your next reply.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
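As an added example (not ComboFix's code and not part of the helper's instructions), the Python script below parses the REGEDIT4-style "Reg Loading Points" section of a ComboFix log and flags the Security Center values that the CFScript in post #6 resets to 0, then reports which of them have come back between two runs. The log excerpts are constructed from the registry lines posted in this thread, and all function names are the example's own.

```python
"""Flag Windows Security Center warning-suppression values in the 'Reg Loading
Points' section of a ComboFix log, and show which ones reappeared between runs.

Added example for this thread; not part of ComboFix or the helper's posts.
The log excerpts are constructed from registry lines posted in the thread.
"""
import re
from typing import Dict, List

RegDump = Dict[str, Dict[str, object]]

# When set to 1 these stop Security Center warning about missing updates, a
# missing antivirus or a missing firewall. The CFScript posted in the thread
# resets exactly these three to dword:00000000.
SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
SUPPRESSION_VALUES = ("UpdatesDisableNotify", "AntiVirusOverride", "FirewallOverride")

# Windows Firewall standard-profile switch. 0 is expected when a third-party
# firewall (ZoneAlarm in the thread) is installed, so it is reported for review only.
FIREWALL_KEY = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def _decode_value(raw: str) -> object:
    """Turn ComboFix's value spellings into Python values:
    'dword:00000001' -> 1, '0 (0x0)' -> 0, anything else stays a string."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return raw


def parse_reg_loading_points(log_text: str) -> RegDump:
    """Parse '[key]' / '"name"=value' lines of a ComboFix log into {key: {name: value}}.
    Keys are lower-cased because ComboFix prints them in mixed case."""
    reg: RegDump = {}
    current = None
    for line in log_text.splitlines():
        key_match = _KEY_RE.match(line.strip())
        if key_match:
            current = key_match.group(1).lower()
            reg.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line.strip())
        if value_match and current is not None:
            name, raw = value_match.groups()
            reg[current][name] = _decode_value(raw)
    return reg


def security_center_findings(reg: RegDump) -> List[str]:
    """One line per suppression value set to 1. ComboFix omits default entries,
    so an absent value is treated as 0 (not suppressed)."""
    findings: List[str] = []
    sc_values = reg.get(SECURITY_CENTER_KEY, {})
    for name in SUPPRESSION_VALUES:
        if sc_values.get(name) == 1:
            findings.append(f"{name}=1: Security Center warning suppressed")
    if reg.get(FIREWALL_KEY, {}).get("EnableFirewall") == 0:
        findings.append("EnableFirewall=0: Windows Firewall off (review: expected with a third-party firewall)")
    return findings


def reappeared_findings(before_log: str, after_log: str) -> List[str]:
    """Findings present in the later log but not in the earlier one. A value
    that was reset and is back again points to malware still active on the box."""
    earlier = set(security_center_findings(parse_reg_loading_points(before_log)))
    later = security_center_findings(parse_reg_loading_points(after_log))
    return [f for f in later if f not in earlier]


# Constructed excerpt modelled on the log produced right after the CFScript run.
LOG_AFTER_CFSCRIPT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""

# Constructed excerpt modelled on the next day's log, where the value is back at 1.
LOG_NEXT_DAY = LOG_AFTER_CFSCRIPT + r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"""

if __name__ == "__main__":
    for finding in security_center_findings(parse_reg_loading_points(LOG_NEXT_DAY)):
        print(finding)
    print("reappeared:", reappeared_findings(LOG_AFTER_CFSCRIPT, LOG_NEXT_DAY))
```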
Old 09-04-2009, 02:48 PM   #9 (permalink)
Registered User
 
Join Date: Sep 2009
Posts: 19
OS: Windows XP


Re: Lingering Braviax Malware

ComboFix 09-09-03.02 - Michael D'Amico 09/04/2009 16:35.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1328 [GMT -4:00]
Running from: c:\documents and settings\Michael D'Amico\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\kufefy._dl
c:\documents and settings\All Users\Application Data\nytyqisaby.exe
c:\documents and settings\All Users\Application Data\owydyrun.exe
c:\documents and settings\LocalService\Application Data\gexusolory.lib
c:\documents and settings\LocalService\Application Data\kipa.vbs
c:\documents and settings\LocalService\Application Data\rahusoboli.scr
c:\documents and settings\LocalService\Cookies\isulecar.dll
c:\documents and settings\LocalService\Cookies\pyjecofy.dat
c:\documents and settings\LocalService\Local Settings\Application Data\cavopehoso.scr
c:\documents and settings\LocalService\Local Settings\Application Data\ytywapogy.dll
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\ilyj.dat
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\imagotyki.scr
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\iryzac.dat
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\iviqupuri.ban
c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\LocalService\Start Menu\Programs\PC_Antispyware2010
c:\documents and settings\LocalService\Start Menu\Programs\PC_Antispyware2010\PC_Antispyware2010.lnk
c:\documents and settings\LocalService\Start Menu\Programs\PC_Antispyware2010\Uninstall.lnk
c:\documents and settings\Michael D'Amico\Local Settings\Temporary Internet Files\xisuv.scr
c:\program files\Common Files\poqet.sys
c:\program files\PC_Antispyware2010
c:\program files\PC_Antispyware2010\AVEngn.dll
c:\program files\PC_Antispyware2010\data\daily.cvd
c:\program files\PC_Antispyware2010\htmlayout.dll
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\PC_Antispyware2010\PC_Antispyware2010.cfg
c:\program files\PC_Antispyware2010\PC_Antispyware2010.exe
c:\program files\PC_Antispyware2010\pthreadVC2.dll
c:\program files\PC_Antispyware2010\Uninstall.exe
c:\program files\PC_Antispyware2010\wscui.cpl
c:\windows\DRIVERS\beep.sys
c:\windows\lozigajix.dll
c:\windows\myherykaxa.dll
c:\windows\system32\ahavyduzu.vbs
c:\windows\system32\braviax.exe
c:\windows\system32\dllcache\beep.sys
c:\windows\system32\dyhyq.dll
c:\windows\system32\sivyximom.pif
c:\windows\system32\wisdstr.exe
c:\windows\tejir.pif
c:\windows\xopofesexa.exe
c:\windows\ycewy.inf

Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP4\A0000578.sys

.
((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))
.

2009-09-04 00:59 . 2009-09-04 00:59 15033 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\fefidizi.dat
2009-09-04 00:59 . 2009-09-04 00:59 13354 ----a-w- c:\windows\vavury.com
2009-09-04 00:53 . 2009-09-04 00:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-02 00:35 . 2009-09-02 00:40 -------- d-----w- C:\!KillBox
2009-09-02 00:26 . 2009-09-02 00:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-09-01 20:34 . 2009-09-02 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-31 23:35 . 2009-09-04 00:53 94272 -c--a-w- c:\windows\system32\dllcache\agp440.sys
2009-08-31 22:17 . 2009-08-31 22:23 -------- d-----w- c:\program files\support.com
2009-08-31 22:17 . 2009-08-31 22:17 -------- d-----w- c:\documents and settings\Michael D'Amico\Local Settings\Application Data\SupportSoft
2009-08-31 22:16 . 2009-08-31 22:16 -------- d-----w- c:\program files\Common Files\SupportSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 20:40 . 2007-11-25 22:35 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-04 00:59 . 2009-09-04 00:59 18478 ----a-w- c:\documents and settings\LocalService\Application Data\kijeco.dat
2009-09-04 00:59 . 2009-09-04 00:59 17683 ----a-w- c:\documents and settings\All Users\Application Data\wymef.dat
2009-09-04 00:55 . 2008-06-13 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\WholeSecurity
2009-09-04 00:53 . 2004-03-31 22:28 94272 ----a-w- c:\windows\system32\drivers\agp440.sys
2009-09-04 00:53 . 2004-03-31 23:15 -------- d-----w- c:\program files\Java
2009-09-02 03:17 . 2008-05-20 21:29 -------- d-----w- c:\documents and settings\Michael D'Amico\Application Data\uTorrent
2009-09-02 00:13 . 2007-11-21 07:32 -------- d-----w- c:\program files\Common Files\Apple
2009-08-16 19:06 . 2009-05-10 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-07-29 22:00 . 2008-06-12 20:25 -------- d-----w- c:\documents and settings\Michael D'Amico\Application Data\Aventail
2009-07-09 21:41 . 2009-07-09 21:41 68248 ----a-w- c:\windows\hosts.exe
2009-07-09 21:41 . 2009-07-09 21:41 6535960 ----a-w- c:\windows\PayPalPlug-In.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-09-03_21.02.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-04 20:42 . 2009-09-04 20:42 16384 c:\windows\Temp\Perflib_Perfdata_108.dat
+ 2009-09-04 00:53 . 2009-09-04 00:53 149280 c:\windows\system32\javaws.exe
+ 2009-09-04 00:53 . 2009-09-04 00:53 145184 c:\windows\system32\javaw.exe
+ 2009-09-04 00:53 . 2009-09-04 00:53 145184 c:\windows\system32\java.exe
+ 2009-09-04 00:53 . 2009-09-04 00:53 1757696 c:\windows\Installer\2148b.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-16 335872]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-06-06 125632]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-04 149280]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-05-23 88363]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2007-9-12 1527808]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2967:TCP"= 2967:TCP:128.153.4.220/255.255.255.255:Enabled:Clarkson University's Symantec Update Server

R1 Odptdi;Odptdi;c:\windows\system32\drivers\odptdi.sys [6/12/2008 4:27 PM 46744]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/6/2007 4:24 PM 116928]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [11/21/2007 4:24 AM 86098]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2009 7:40 PM 102448]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [4/23/2007 2:11 PM 224896]
S3 PVUSB;CESG502 USB Driver;c:\windows\system32\drivers\CESG502.sys [12/28/2007 8:20 PM 40672]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [10/1/2006 8:37 AM 26624]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM --> c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM [?]
.
Contents of the 'Scheduled Tasks' folder

2009-08-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PC Antispyware 2010 - c:\program files\PC_Antispyware2010\PC_Antispyware2010.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Michael D'Amico\Application Data\Mozilla\Firefox\Profiles\ccdgjkr9.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-04 16:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(6628)
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-04 16:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-04 20:47
ComboFix2.txt 2009-09-04 00:43
ComboFix3.txt 2009-09-03 21:13

Pre-Run: 130,614,779,904 bytes free
Post-Run: 130,640,596,992 bytes free

196 --- E O F --- 2008-04-10 03:08
Old 09-04-2009, 03:15 PM   #10
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 10,595
OS: XP SP3


Re: Lingering Braviax Malware

Hello again, p0ng.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Did you install these:

C:\Documents and Settings\Michael D'Amico\Desktop\wirelesskeyview\WirelessKeyView.exe
C:\Documents and Settings\Michael D'Amico\Desktop\wirelesskeyview.zip
F:\Progs\Fon\hfs.exe

If so, they are probably OK. Let me know if you didn't.

------------------------------------------------------

Close any open browsers.

Ensure your F: drive is inserted/connected.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
File::
C:\!KillBox\sys32_nov.exe
C:\Documents and Settings\Michael D'Amico\Desktop\Pharming\FBinder+0[1][1].5++release\PayPal Plug-In Backup.exe
C:\Documents and Settings\Michael D'Amico\Desktop\Pharming\FBinder+0[1][1].5++release\PayPal Plug-In.exe
C:\Documents and Settings\Michael D'Amico\Desktop\Pharming\FBinder+0[1][1].5++release.rar
C:\Documents and Settings\Michael D'Amico\Desktop\supplementedge\to be sorted\getDescrip\image.vbs
C:\WINDOWS\system32\dllcache\figaro.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\_scui.cpl
F:\My Documents\My Source Code\nuclear\nuclear\Server\Main.frm
F:\My Documents\My Source Code\nuclear\nuclear\Server\server.exe
F:\My Documents\My Source Code\tocsock spammer\demo.bas
F:\My Documents\My Websites\simplicity\cupholder1.htm
F:\Progs\bitlock.exe.vbs

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
Save this Notepad file as CFScript.txt to your Desktop and then close the file.

[picture: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
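The CFScript that chemist posts above is a plain-text file: a `Directive::` header, then one item per line, until the next header. The Python below is an added example, not part of the thread and not ComboFix's own code. It parses that format and prints a dry-run plan, so a script can be proof-read for a stray path or a misspelled registry key before it is dragged onto ComboFix.exe. It only knows the four directives that appear in this thread (File::, Registry::, FCopy::, SkipFix::); ComboFix accepts others, and the sample script is a constructed mix of lines taken from the two scripts posted in the thread.

```python
"""Dry-run parser for the CFScript.txt format used in this thread.

Added example, not part of the original post and not ComboFix's own code.
It knows only the directives that appear in this thread (File::, Registry::,
FCopy::, SkipFix::) and prints what a script would do, so the script can be
proof-read before it is dragged onto ComboFix.exe.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Directives seen in this thread. ComboFix accepts others; anything not listed
# here is reported as unknown instead of being silently accepted.
KNOWN_DIRECTIVES = {"File", "Registry", "FCopy", "SkipFix"}

_REG_KEY = re.compile(r"^\[(.+)\]$")                          # [HKEY_...\key]
_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')  # "Name"=dword:0

# Constructed sample: lines taken from the two scripts posted in this thread.
SAMPLE_SCRIPT = r"""
File::
C:\!KillBox\sys32_nov.exe
C:\WINDOWS\system32\_scui.cpl

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000

FCopy::
c:\WINDOWS\ServicePackFiles\i386\agp440.sys | c:\windows\system32\drivers\AGP440.sys

SkipFix::
"""


@dataclass
class CFScript:
    files: list[str] = field(default_factory=list)               # File:: paths to delete
    copies: list[tuple[str, str]] = field(default_factory=list)  # FCopy:: (src, dst)
    registry: dict[str, dict[str, str]] = field(default_factory=dict)  # key -> {name: data}
    skip_fix: bool = False                                       # SkipFix:: present
    unknown: list[str] = field(default_factory=list)             # unrecognised directives


def parse_cfscript(text: str) -> CFScript:
    """Split the script into 'Directive::' sections and parse each one."""
    script = CFScript()
    section: str | None = None
    current_key: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                       # new section header
            section, current_key = line[:-2], None
            if section not in KNOWN_DIRECTIVES:
                script.unknown.append(section)
            elif section == "SkipFix":
                script.skip_fix = True
            continue
        if section == "File":
            script.files.append(line)
        elif section == "FCopy":
            src, _, dst = (part.strip() for part in line.partition("|"))
            if not dst:
                raise ValueError(f"FCopy line must be 'source | destination': {raw!r}")
            script.copies.append((src, dst))
        elif section == "Registry":
            if m := _REG_KEY.match(line):
                current_key = m.group(1)
                script.registry.setdefault(current_key, {})
            elif (m := _REG_VALUE.match(line)) and current_key:
                script.registry[current_key][m.group("name")] = m.group("data")
            else:
                raise ValueError(f"Registry line outside a [key] or malformed: {raw!r}")
        # lines under an unknown directive are ignored; the header was already flagged
    return script


def plan(script: CFScript) -> list[str]:
    """Human-readable list of what ComboFix would do with the script."""
    actions = [f"DELETE  {path}" for path in script.files]
    actions += [f"COPY    {src}  ->  {dst}" for src, dst in script.copies]
    for key, values in script.registry.items():
        for name, data in values.items():
            actions.append(f"REGSET  [{key}]  {name} = {data}")
    if script.skip_fix:
        actions.append("SKIPFIX (ComboFix's own scan-and-fix stage is skipped)")
    actions += [f"UNKNOWN directive {name}::" for name in script.unknown]
    return actions


if __name__ == "__main__":
    print("\n".join(plan(parse_cfscript(SAMPLE_SCRIPT))))
```

Running it on the sample prints two DELETE lines, one COPY, one REGSET and the SKIPFIX marker. A Registry:: value that is not preceded by a `[key]` line, or an FCopy:: line without the `|` separator, raises instead of being passed on, which is the kind of mistake that is cheap to catch in Notepad and expensive to discover after ComboFix has rebooted the machine.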
Old 09-05-2009, 08:40 AM   #11
Registered User
Join Date: Sep 2009
Posts: 19
OS: Windows XP


Re: Lingering Braviax Malware

Quote: Originally Posted by chemist

Did you install these:

C:\Documents and Settings\Michael D'Amico\Desktop\wirelesskeyview\WirelessKeyView.exe
C:\Documents and Settings\Michael D'Amico\Desktop\wirelesskeyview.zip
F:\Progs\Fon\hfs.exe

If so, they are probably OK. Let me know if you didn't.
I did install those but don't need them anymore. Should I get rid of them?
Old 09-05-2009, 09:55 AM   #12
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 10,595
OS: XP SP3


Re: Lingering Braviax Malware

I would. Right-click and delete.
Old 09-06-2009, 02:49 PM   #13
Registered User
Join Date: Sep 2009
Posts: 19
OS: Windows XP


Re: Lingering Braviax Malware

Okay. I will be home Monday afternoon and will report back then.
Thanks.
Old 09-07-2009, 04:40 PM   #14
Registered User
Join Date: Sep 2009
Posts: 19
OS: Windows XP


Re: Lingering Braviax Malware

chemist,
image.vbs is a script i created that is non-malicious. Here are the reports:

ComboFix 09-09-06.06 - Michael D'Amico 09/07/2009 14:54.4.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1452 [GMT -4:00]
Running from: c:\documents and settings\Michael D'Amico\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael D'Amico\Desktop\CFScript.txt.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point

FILE ::
"c:\!killbox\sys32_nov.exe"
"c:\documents and settings\Michael D'Amico\Desktop\Pharming\FBinder+0[1][1].5++release.rar"
"c:\documents and settings\Michael D'Amico\Desktop\Pharming\FBinder+0[1][1].5++release\PayPal Plug-In Backup.exe"
"c:\documents and settings\Michael D'Amico\Desktop\Pharming\FBinder+0[1][1].5++release\PayPal Plug-In.exe"
"c:\documents and settings\Michael D'Amico\Desktop\supplementedge\to be sorted\getDescrip\image.vbs"
"c:\windows\system32\_scui.cpl"
"c:\windows\system32\dllcache\figaro.sys"
"c:\windows\system32\drivers\beep.sys"
"f:\my documents\My Source Code\nuclear\nuclear\Server\Main.frm"
"f:\my documents\My Source Code\nuclear\nuclear\Server\server.exe"
"f:\my documents\My Source Code\tocsock spammer\demo.bas"
"f:\my documents\My Websites\simplicity\cupholder1.htm"
"f:\progs\bitlock.exe.vbs"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\!killbox\sys32_nov.exe
c:\documents and settings\Michael D'Amico\Desktop\Pharming\FBinder+0[1][1].5++release.rar
c:\documents and settings\Michael D'Amico\Desktop\Pharming\FBinder+0[1][1].5++release\PayPal Plug-In Backup.exe
c:\documents and settings\Michael D'Amico\Desktop\Pharming\FBinder+0[1][1].5++release\PayPal Plug-In.exe
c:\documents and settings\Michael D'Amico\Desktop\supplementedge\to be sorted\getDescrip\image.vbs
c:\windows\system32\config\systemprofile\Desktop\PC_Antispyware2010.lnk
c:\windows\system32\drivers\beep.sys
f:\my documents\My Source Code\nuclear\nuclear\Server\Main.frm

c:\windows\system32\drivers\AGP440.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-09-04 00:59 . 2009-09-04 00:59 15033 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\fefidizi.dat
2009-09-04 00:59 . 2009-09-04 00:59 13354 ----a-w- c:\windows\vavury.com
2009-09-04 00:53 . 2009-09-04 00:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-02 00:35 . 2009-09-07 18:59 -------- d-----w- C:\!KillBox
2009-09-02 00:26 . 2009-09-02 00:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-09-01 20:34 . 2009-09-02 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-31 22:17 . 2009-08-31 22:23 -------- d-----w- c:\program files\support.com
2009-08-31 22:17 . 2009-08-31 22:17 -------- d-----w- c:\documents and settings\Michael D'Amico\Local Settings\Application Data\SupportSoft
2009-08-31 22:16 . 2009-08-31 22:16 -------- d-----w- c:\program files\Common Files\SupportSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 19:02 . 2007-11-25 22:35 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-04 20:48 . 2008-06-13 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\WholeSecurity
2009-09-04 00:59 . 2009-09-04 00:59 18478 ----a-w- c:\documents and settings\LocalService\Application Data\kijeco.dat
2009-09-04 00:59 . 2009-09-04 00:59 17683 ----a-w- c:\documents and settings\All Users\Application Data\wymef.dat
2009-09-04 00:53 . 2004-03-31 22:28 94272 ----a-w- c:\windows\system32\drivers\agp440.sys
2009-09-04 00:53 . 2004-03-31 23:15 -------- d-----w- c:\program files\Java
2009-09-02 03:17 . 2008-05-20 21:29 -------- d-----w- c:\documents and settings\Michael D'Amico\Application Data\uTorrent
2009-09-02 00:13 . 2007-11-21 07:32 -------- d-----w- c:\program files\Common Files\Apple
2009-08-16 19:06 . 2009-05-10 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-07-29 22:00 . 2008-06-12 20:25 -------- d-----w- c:\documents and settings\Michael D'Amico\Application Data\Aventail
2009-07-09 21:41 . 2009-07-09 21:41 68248 ----a-w- c:\windows\hosts.exe
2009-07-09 21:41 . 2009-07-09 21:41 6535960 ----a-w- c:\windows\PayPalPlug-In.exe
.

------- Sigcheck -------

[7] DA1F27D85E0D1525F6621372E7B685E9 [5.1.2600.0 (XPClient.010817-1148)] c:\windows\system32\dllcache\beep.sys

c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-09-03_21.02.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-07 19:01 . 2009-09-07 19:01 16384 c:\windows\Temp\Perflib_Perfdata_f0.dat
- 2004-03-31 21:09 . 2008-09-17 23:36 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-03-31 21:09 . 2009-09-04 20:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-03-31 21:09 . 2009-09-04 20:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-03-31 21:09 . 2008-09-17 23:36 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-03-31 21:09 . 2009-09-04 20:45 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-03-31 21:09 . 2008-09-17 23:36 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-09-04 00:53 . 2009-09-04 00:53 149280 c:\windows\system32\javaws.exe
+ 2009-09-04 00:53 . 2009-09-04 00:53 145184 c:\windows\system32\javaw.exe
+ 2009-09-04 00:53 . 2009-09-04 00:53 145184 c:\windows\system32\java.exe
+ 2009-09-04 00:53 . 2009-09-04 00:53 1757696 c:\windows\Installer\2148b.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-16 335872]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-06-06 125632]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-04 149280]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-05-23 88363]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2007-9-12 1527808]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2967:TCP"= 2967:TCP:128.153.4.220/255.255.255.255:Enabled:Clarkson University's Symantec Update Server

R1 Odptdi;Odptdi;c:\windows\system32\drivers\odptdi.sys [6/12/2008 4:27 PM 46744]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/6/2007 4:24 PM 116928]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [11/21/2007 4:24 AM 86098]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2009 7:40 PM 102448]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [4/23/2007 2:11 PM 224896]
S3 PVUSB;CESG502 USB Driver;c:\windows\system32\drivers\CESG502.sys [12/28/2007 8:20 PM 40672]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [10/1/2006 8:37 AM 26624]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM --> c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM [?]
.
Contents of the 'Scheduled Tasks' folder

2009-08-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Michael D'Amico\Application Data\Mozilla\Firefox\Profiles\ccdgjkr9.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 15:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4044)
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-07 15:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-07 19:06
ComboFix2.txt 2009-09-04 20:47
ComboFix3.txt 2009-09-04 00:43
ComboFix4.txt 2009-09-03 21:13

Pre-Run: 130,622,140,416 bytes free
Post-Run: 130,560,401,408 bytes free

180 --- E O F --- 2008-04-10 03:08

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, September 7, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, September 07, 2009 2136
Records in database: 2757243
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 117929
Threats found: 9
Infected objects found: 8
Suspicious objects found: 5
Scan duration: 03:03:41


File name / Threat / Threats count
C:\Documents and Settings\Michael D'Amico\Desktop\supplementedge\to be sorted\getDescrip\image.vbs Suspicious: Trojan-Downloader.JS.gen 1
C:\Qoobox\Quarantine\C\Documents and Settings\Michael D'Amico\Desktop\Pharming\FBinder+0[1][1].5++release.rar.vir Suspicious: Packed.Win32.Klone.bn 1
C:\Qoobox\Quarantine\C\Documents and Settings\Michael D'Amico\Desktop\supplementedge\to be sorted\getDescrip\image.vbs.vir Suspicious: Trojan-Downloader.JS.gen 1
C:\Qoobox\Quarantine\C\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe.vir Infected: Trojan.Win32.FraudPack.sxz 1
C:\Qoobox\Quarantine\C\Program Files\PC_Antispyware2010\Uninstall.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.fkv 1
C:\Qoobox\Quarantine\C\Program Files\PC_Antispyware2010\wscui.cpl.vir Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.dj 1
C:\Qoobox\Quarantine\C\WINDOWS\9129837.exe.vir Infected: Trojan-Dropper.Win32.Agent.bccp 1
C:\Qoobox\Quarantine\C\WINDOWS\Drivers\beep.sys.vir Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\braviax.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.fko 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.fkv 1
C:\Qoobox\Quarantine\[4]-Submit_2009-09-07_14.54.35.zip Infected: Trojan-Dropper.Win32.Agent.bbup 1
C:\Qoobox\Quarantine\[4]-Submit_2009-09-07_14.54.35.zip Suspicious: Packed.Win32.Klone.bn 2

Selected area has been scanned.
Old 09-07-2009, 06:12 PM   #15
Registered User
Join Date: Sep 2009
Posts: 19
OS: Windows XP


Re: Lingering Braviax Malware

After I posted the threads, I re-enabled my anti-virus and a notification came up. I have attached the screenshot.
Attached image: screenshot.bmp (362.1 KB)
Old 09-07-2009, 06:15 PM   #16
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 10,595
OS: XP SP3


Re: Lingering Braviax Malware

Hello again, p0ng. Again, QooBox is ComboFix's quarantine folder. It will get deleted when we uninstall ComboFix.

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c peV -ltf "%systemdrive%\AGP440.sys" >log.txt&log.txt&del log.txt

A Notepad file will open. Post the contents of log.txt in your next reply.

------------------------------------------------------

Please go to: VirusTotal
  • On the page you'll find a Browse button.
  • Next to the Browse button you'll see a box to enter text.
  • Please copy/paste the following text into the box:

    c:\windows\vavury.com

  • Then click the Send File button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analysed: click Reanalyse file now
  • Once scanned, copy and paste the results in your next reply.
------------------------------------------------------
Old 09-07-2009, 06:24 PM   #17
Registered User
Join Date: Sep 2009
Posts: 19
OS: Windows XP


Re: Lingering Braviax Malware

-c----w- 42,368 2004-08-04 04:07:42 C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
-c----w- 42,368 2008-04-13 18:36:38 C:\WINDOWS\ServicePackFiles\i386\agp440.sys
----a-w- 94,272 2009-09-04 00:53:46 C:\WINDOWS\system32\drivers\agp440.sys

Entries: 3 (3)
Directories: 0 Files: 3
Bytes: 179,008 Blocks: 351

File vavury.com received on 2009.09.08 00:23:58 (UTC)
Result: 0/41 (0%)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.07 -
AhnLab-V3 5.0.0.2 2009.09.07 -
AntiVir 7.9.1.12 2009.09.07 -
Antiy-AVL 2.0.3.7 2009.09.07 -
Authentium 5.1.2.4 2009.09.07 -
Avast 4.8.1351.0 2009.09.07 -
AVG 8.5.0.409 2009.09.07 -
BitDefender 7.2 2009.09.08 -
CAT-QuickHeal 10.00 2009.09.07 -
ClamAV 0.94.1 2009.09.07 -
Comodo 2210 2009.09.08 -
DrWeb 5.0.0.12182 2009.09.07 -
eSafe 7.0.17.0 2009.09.06 -
eTrust-Vet 31.6.6724 2009.09.07 -
F-Prot 4.5.1.85 2009.09.07 -
F-Secure 8.0.14470.0 2009.09.07 -
Fortinet 3.120.0.0 2009.09.08 -
GData 19 2009.09.08 -
Ikarus T3.1.1.72.0 2009.09.08 -
Jiangmin 11.0.800 2009.09.07 -
K7AntiVirus 7.10.837 2009.09.05 -
Kaspersky 7.0.0.125 2009.09.08 -
McAfee 5734 2009.09.07 -
McAfee+Artemis 5734 2009.09.07 -
McAfee-GW-Edition 6.8.5 2009.09.08 -
Microsoft 1.5005 2009.09.08 -
NOD32 4404 2009.09.08 -
Norman 6.01.09 2009.09.07 -
nProtect 2009.1.8.0 2009.09.07 -
Panda 10.0.2.2 2009.09.07 -
PCTools 4.4.2.0 2009.09.07 -
Prevx 3.0 2009.09.08 -
Rising 21.46.04.00 2009.09.07 -
Sophos 4.45.0 2009.09.07 -
Sunbelt 3.2.1858.2 2009.09.07 -
Symantec 1.4.4.12 2009.09.08 -
TheHacker 6.3.4.3.397 2009.09.07 -
TrendMicro 8.950.0.1094 2009.09.07 -
VBA32 3.12.10.10 2009.09.08 -
ViRobot 2009.9.7.1921 2009.09.07 -
VirusBuster 4.6.5.0 2009.09.07 -
Additional information
File size: 13354 bytes
MD5...: 5f9d8e80e1b4c231655395075576d9ce
SHA1..: 0a2d7f65361e7b4631ec8a383b704341fdb2f674
SHA256: 57b35115db546afbe8f5e9d1cc1d5b1f8fbeba7e4f6daa52245dcb55f2cab40e
ssdeep: 384:Gn9b8pbiZqcGyI3AKWL5padbfWNm9aGq1:Gn9mrLPdzWmM7
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: MPEG Video (100.0%)

Last edited by p0ng; 09-07-2009 at 06:26 PM.
Old 09-07-2009, 06:57 PM   #18
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 10,595
OS: XP SP3


Re: Lingering Braviax Malware

Hello again, p0ng. Remember, System Volume Information is where Windows keeps old system restore points. Those will get deleted when we uninstall ComboFix. Just tell Symantec to ignore them.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
FCopy::
c:\windows\system32\dllcache\beep.sys | c:\windows\system32\drivers\beep.sys
c:\WINDOWS\ServicePackFiles\i386\agp440.sys | c:\windows\system32\drivers\AGP440.sys

SkipFix::
Save this Notepad file as CFScript.txt to your Desktop and then close the file.

[picture: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
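Posts #16 and #18 above are a driver integrity check done by hand: peV lists every copy of agp440.sys with its size, the sizes give the live copy away (94,272 bytes in system32\drivers against 42,368 in ServicePackFiles and $NtServicePackUninstall$), and FCopy:: then overwrites the live file from the Service Pack backup. The Python below is an added example, not from the thread, ComboFix or peV. It automates the same steps on a constructed directory tree: find all copies of a driver, hash each one (the MD5/SHA1/SHA256 VirusTotal printed for vavury.com), flag a live driver whose hash matches none of its backups, and restore it from a backup. The directory layout, the fixture bytes and the verdict names are assumptions for the demo.

```python
"""Check a live Windows XP driver against the pristine copies the system keeps.

Added example, not part of the original posts and not ComboFix's or peV's code.
It lists every copy of a driver (as `peV -ltf` did), hashes each one, flags a
live driver that differs from the ServicePackFiles / dllcache originals, and
restores it the way ComboFix's FCopy:: did. Layout, fixture bytes and verdict
names are assumptions for the demo.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumed layout: the two places XP keeps known-good driver copies, relative to
# the Windows volume root, matching the locations peV listed in this thread.
BACKUP_DIRS = (Path("WINDOWS/ServicePackFiles/i386"), Path("WINDOWS/system32/dllcache"))
LIVE_DIR = Path("WINDOWS/system32/drivers")


def file_digests(path: Path) -> dict[str, str]:
    """MD5, SHA1 and SHA256 of one file, streamed in 64 KiB chunks."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def find_copies(root: Path, driver: str) -> list[Path]:
    """Every file called `driver` under root, case-insensitively (NTFS semantics)."""
    return sorted(p for p in root.rglob("*") if p.is_file() and p.name.lower() == driver.lower())


def check_driver(root: Path, driver: str) -> dict:
    """Compare the live driver with its backups; return sizes, hashes and a verdict."""
    live = root / LIVE_DIR / driver
    backups = [root / d / driver for d in BACKUP_DIRS if (root / d / driver).is_file()]
    report = {"driver": driver, "live": str(live), "copies": {}, "verdict": "unknown"}
    for p in find_copies(root, driver):
        report["copies"][str(p)] = {"size": p.stat().st_size, **file_digests(p)}
    if not live.is_file():
        report["verdict"] = "missing"           # cf. "beep.sys ... is missing !!"
    elif not backups:
        report["verdict"] = "no-backup"         # nothing trustworthy to compare with
    else:
        backup_shas = {file_digests(b)["sha256"] for b in backups}
        if len(backup_shas) > 1:
            report["verdict"] = "backups-disagree"  # a hotfix may have updated one copy
        elif file_digests(live)["sha256"] in backup_shas:
            report["verdict"] = "clean"
        else:
            report["verdict"] = "modified"      # cf. "AGP440.sys . . . is infected!!"
    return report


def restore_driver(root: Path, driver: str) -> Path:
    """Overwrite the live driver from the first backup found (what FCopy:: did)."""
    for d in BACKUP_DIRS:
        src = root / d / driver
        if src.is_file():
            dst = root / LIVE_DIR / driver
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            return src
    raise FileNotFoundError(f"no pristine copy of {driver} under {root}")


def build_sample_tree(root: Path) -> None:
    """Constructed fixture mirroring the thread: identical pristine agp440.sys in
    both backup dirs, a larger and different live copy, beep.sys only in backups."""
    pristine = b"MZ" + b"\x00" * 200 + b"agp440 pristine"          # 217 bytes
    for d in BACKUP_DIRS:
        (root / d).mkdir(parents=True, exist_ok=True)
        (root / d / "agp440.sys").write_bytes(pristine)
        (root / d / "beep.sys").write_bytes(b"MZ" + b"beep pristine")
    (root / LIVE_DIR).mkdir(parents=True, exist_ok=True)
    (root / LIVE_DIR / "agp440.sys").write_bytes(pristine + b"\x90" * 4096)  # patched


def demo() -> dict[str, object]:
    """Run check -> restore -> re-check on the fixture and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        before = check_driver(root, "agp440.sys")
        beep = check_driver(root, "beep.sys")["verdict"]
        restore_driver(root, "agp440.sys")
        after = check_driver(root, "agp440.sys")
        return {
            "before": before["verdict"], "after": after["verdict"], "beep": beep,
            "copies": len(before["copies"]),
            "live_size_before": before["copies"][before["live"]]["size"],
            "live_size_after": after["copies"][after["live"]]["size"],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>17}: {value}")
```

Two caveats a practitioner would keep in mind. A hash match against a backup only proves the live file equals that backup; it says nothing about whether the backup itself is genuine, which is why the Sigcheck section of a ComboFix log compares against a list of known MD5s rather than against whatever sits in dllcache. And the two backup locations can legitimately disagree when a hotfix replaced a driver (the thread shows the SP2 agp440.sys in $NtServicePackUninstall$ and the SP3 one in ServicePackFiles), so that case gets its own verdict instead of being treated as an infection. On a real volume, `rglob` over the whole Windows directory is slow; point it at the three directories above instead.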
Old 09-07-2009, 07:48 PM   #19
Registered User
Join Date: Sep 2009
Posts: 19
OS: Windows XP


Re: Lingering Braviax Malware

ComboFix 09-09-07.03 - Michael D'Amico 09/07/2009 21:45.5.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1424 [GMT -4:00]
Running from: c:\documents and settings\Michael D'Amico\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael D'Amico\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\beep.sys --> c:\windows\system32\drivers\beep.sys
c:\windows\ServicePackFiles\i386\agp440.sys --> c:\windows\system32\drivers\AGP440.sys
.
((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.

2009-09-08 01:45 . 2003-03-31 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-09-08 01:45 . 2003-03-31 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-09-04 00:59 . 2009-09-04 00:59 15033 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\fefidizi.dat
2009-09-04 00:59 . 2009-09-04 00:59 13354 ----a-w- c:\windows\vavury.com
2009-09-04 00:53 . 2009-09-04 00:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-02 00:35 . 2009-09-07 18:59 -------- d-----w- C:\!KillBox
2009-09-02 00:26 . 2009-09-02 00:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-09-01 20:34 . 2009-09-02 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-31 22:17 . 2009-08-31 22:23 -------- d-----w- c:\program files\support.com
2009-08-31 22:17 . 2009-08-31 22:17 -------- d-----w- c:\documents and settings\Michael D'Amico\Local Settings\Application Data\SupportSoft
2009-08-31 22:16 . 2009-08-31 22:16 -------- d-----w- c:\program files\Common Files\SupportSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 01:43 . 2007-11-25 22:35 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-04 20:48 . 2008-06-13 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\WholeSecurity
2009-09-04 00:59 . 2009-09-04 00:59 18478 ----a-w- c:\documents and settings\LocalService\Application Data\kijeco.dat
2009-09-04 00:59 . 2009-09-04 00:59 17683 ----a-w- c:\documents and settings\All Users\Application Data\wymef.dat
2009-09-04 00:53 . 2004-03-31 23:15 -------- d-----w- c:\program files\Java
2009-09-02 03:17 . 2008-05-20 21:29 -------- d-----w- c:\documents and settings\Michael D'Amico\Application Data\uTorrent
2009-09-02 00:13 . 2007-11-21 07:32 -------- d-----w- c:\program files\Common Files\Apple
2009-08-16 19:06 . 2009-05-10 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-07-29 22:00 . 2008-06-12 20:25 -------- d-----w- c:\documents and settings\Michael D'Amico\Application Data\Aventail
2009-07-09 21:41 . 2009-07-09 21:41 68248 ----a-w- c:\windows\hosts.exe
2009-07-09 21:41 . 2009-07-09 21:41 6535960 ----a-w- c:\windows\PayPalPlug-In.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-09-03_21.02.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-03-31 22:28 . 2008-04-13 18:36 42368 c:\windows\system32\dllcache\agp440.sys
- 2004-03-31 21:09 . 2008-09-17 23:36 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-03-31 21:09 . 2009-09-07 23:33 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-03-31 21:09 . 2008-09-17 23:36 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-03-31 21:09 . 2009-09-07 23:33 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-09-04 00:53 . 2009-09-04 00:53 149280 c:\windows\system32\javaws.exe
+ 2009-09-04 00:53 . 2009-09-04 00:53 145184 c:\windows\system32\javaw.exe
+ 2009-09-04 00:53 . 2009-09-04 00:53 145184 c:\windows\system32\java.exe
+ 2009-09-04 00:53 . 2009-09-04 00:53 1757696 c:\windows\Installer\2148b.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-16 335872]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-06-06 125632]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-04 149280]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-05-23 88363]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2007-9-12 1527808]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2967:TCP"= 2967:TCP:128.153.4.220/255.255.255.255:Enabled:Clarkson University's Symantec Update Server

R1 Odptdi;Odptdi;c:\windows\system32\drivers\odptdi.sys [6/12/2008 4:27 PM 46744]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/6/2007 4:24 PM 116928]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [11/21/2007 4:24 AM 86098]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2009 7:40 PM 102448]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [4/23/2007 2:11 PM 224896]
S3 PVUSB;CESG502 USB Driver;c:\windows\system32\drivers\CESG502.sys [12/28/2007 8:20 PM 40672]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [10/1/2006 8:37 AM 26624]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM --> c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM [?]
.
Contents of the 'Scheduled Tasks' folder

2009-08-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Michael D'Amico\Application Data\Mozilla\Firefox\Profiles\ccdgjkr9.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 21:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(10052)
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-08 21:47
ComboFix-quarantined-files.txt 2009-09-08 01:47
ComboFix2.txt 2009-09-07 19:06
ComboFix3.txt 2009-09-04 20:47
ComboFix4.txt 2009-09-04 00:43
ComboFix5.txt 2009-09-08 01:44

Pre-Run: 134,012,395,520 bytes free
Post-Run: 134,059,876,352 bytes free

143 --- E O F --- 2008-04-10 03:08
p0ng is offline  
Old 09-07-2009, 07:52 PM   #20 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,595
OS: XP SP3


Re: Lingering Braviax Malware

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c peV -ltf "%systemdrive%\AGP440.sys" >log.txt&log.txt&del log.txt

A Notepad file will open. Post the contents of log.txt in your next reply.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
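The FCopy step earlier in this thread restores beep.sys and AGP440.sys from the clean copies Windows keeps in dllcache and ServicePackFiles, and the follow-up post inspects a stray AGP440.sys. The check below is an added example, not part of this thread or of ComboFix: it hashes each installed driver against its cached copy and reports mismatches, using a constructed sample tree (relative paths under a temporary root, not a real Windows install) so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# The two drivers this thread restores via FCopy, each paired with the clean
# cached copy ComboFix copied it from (paths relative to a Windows root).
DRIVER_SOURCES = {
    "beep.sys": "system32/dllcache/beep.sys",
    "AGP440.sys": "ServicePackFiles/i386/agp440.sys",
}

def sha256_of(path):
    """SHA-256 of a small file; driver files are a few KB, so read whole."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def check_drivers(root):
    """Compare each installed driver under system32/drivers with its cached copy.
    Returns {name: 'match' | 'MISMATCH' | 'missing-cache' | 'missing-driver'}.
    A MISMATCH is a lead, not proof: a hotfix can update a driver without
    refreshing dllcache, so confirm against a known-good hash or signature."""
    root = Path(root)
    results = {}
    for name, cache_rel in DRIVER_SOURCES.items():
        installed = root / "system32" / "drivers" / name
        cached = root / cache_rel
        if not installed.exists():
            results[name] = "missing-driver"
        elif not cached.exists():
            results[name] = "missing-cache"
        elif sha256_of(installed) == sha256_of(cached):
            results[name] = "match"
        else:
            results[name] = "MISMATCH"
    return results

def build_sample_tree():
    """Constructed sample tree: beep.sys has been altered, AGP440.sys is clean."""
    root = Path(tempfile.mkdtemp())
    clean_beep = b"MZ" + b"\x00" * 30 + b"constructed clean beep.sys"
    clean_agp = b"MZ" + b"\x00" * 30 + b"constructed clean agp440.sys"
    files = {
        "system32/dllcache/beep.sys": clean_beep,
        "system32/drivers/beep.sys": clean_beep + b"\x90" * 16,  # tampered
        "ServicePackFiles/i386/agp440.sys": clean_agp,
        "system32/drivers/AGP440.sys": clean_agp,
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root
```

Run `check_drivers(build_sample_tree())` to see the sample result; pointing `check_drivers` at a real `C:\WINDOWS` only makes sense with the same relative layout, and a mismatch still needs confirming before anything is replaced.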
chemist is offline  
Copyright 2001 - 2009, Tech Support Forum