Discussion Starter · #1 ·
I tried to respond to http://forums.techguy.org/malware-removal-hijackthis-logs/852788-virus-keeps-logging-me-off.html thread, but I don't have permission.

I'm having the same problem. I first thought it was the braviax.exe thing (which, along with a regedit I'm not familiar with, appeared on my msconfig). I tried the SDFIX listed on another thread on this site. When I start up in Safe Mode, not doing anything, I'm also forced to reboot within 5 minutes. If I start up in Safe Mode and use SDFIX, it allows me to finish running the scan without force rebooting me. I press any key and it reboots. If I try to go back to Safe Mode, it won't do the second part of the SDFIX scan. If I reboot normally, it reboots before the scan can complete.

I don't know if braviax.exe is the only problem, or if there are multiple ones. Anyone have any idea?
Discussion Starter · #2 ·
Somehow, the issue with the rebooting has been resolved. I'm not sure how or where.

I've been able to run HijackThis and MalwareBytes several times now, renaming of HijackThis required, but MalwareBytes will run as mbam.exe.

HijackThis keeps showing me the same suspicious looking files, and I keep deleting them, but they keep reappearing.

MalwareBytes continues to find between 41 and 75 infected files. I remove them, and it says something lingers that it has to restart in order to remove (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32). I allow it to reboot, but then it doesn't load up on startup, and when I run a scan again, it's all back.

I've downloaded Kaspersky on another computer and, after much hassle, got it to install. However, it has the original install file's database, which is far out of date. When I try to update it, I receive Error code: 800000C6, and it refuses to update.

Here are my logfiles from HijackThis and MalwareBytes.

HijackThis
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:25 PM, on 8/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\huihk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp2.exe"
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe (file missing)
O23 - Service: avp2 - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp2.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
--
End of file - 4669 bytes
MalwareBytes
Code:
Malwarebytes' Anti-Malware 1.40
Database version: 2636
Windows 5.1.2600 Service Pack 3 (Safe Mode)
8/16/2009 5:19:05 PM
mbam-log-2009-08-16 (17-19-05).txt
Scan type: Full Scan (C:\|)
Objects scanned: 227899
Time elapsed: 37 minute(s), 42 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 4
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 4
Files Infected: 57
Memory Processes Infected:
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe (Rogue.Multiple) -> Unloaded process successfully.
Memory Modules Infected:
C:\Program Files\PC_Antispyware2010\htmlayout.dll (Rogue.AntiVirusPro2009) -> Delete on reboot.
C:\WINDOWS\system32\_scui.cpl (Rogue.HomeAntiVirus) -> Delete on reboot.
C:\Program Files\PC_Antispyware2010\AVEngn.dll (Rogue.PC_Antispyware2010) -> Delete on reboot.
C:\Program Files\PC_Antispyware2010\pthreadVC2.dll (Rogue.PC_Antispyware2010) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pc_antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\data (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Start Menu\Programs\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01KL4WXG\Install[1].exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F7BSVK4B\Install[1].exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J3MGTB3R\Install[1].exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Z9QSHT1K\Install[1].exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\htmlayout.dll (Rogue.AntiVirusPro2009) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Uninstall.exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\wscui.cpl (Rogue.HomeAntiVirus) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-583907252-1078081533-1801674531-1004\Dc5\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-583907252-1078081533-1801674531-1004\Dc5\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0148453.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150526.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150530.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150531.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150537.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150543.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150554.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150595.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150615.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150623.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150628.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150638.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1280\A0150815.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1280\A0150832.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1280\A0150840.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1280\A0150847.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1280\snapshot\MFEX-1.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1281\A0150960.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1281\A0150973.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1281\A0150974.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1281\A0150977.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1281\A0150986.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1281\A0150987.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wisdstr.exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_scui.cpl (Rogue.HomeAntiVirus) -> Delete on reboot.
C:\WINDOWS\system32\dllcache\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\figaro.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\AVEngn.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.cfg (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\pthreadVC2.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\data\daily.cvd (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Start Menu\Programs\PC_Antispyware2010\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Start Menu\Programs\PC_Antispyware2010\Uninstall.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\qehuguba.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\BN36.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
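Added example (not from the thread, HijackThis or Malwarebytes): a small Python triage over the O4/O20/O23 lines of the HijackThis log above, flagging the three things a helper would point at in this log: the pathless [braviax] Run value, the AppInit_DLLs entry loading cru629.dat, and the Kaspersky service whose avp.exe is missing. The sample lines are copied from the log; the HOST_IMAGES set and all function names are my own assumptions.

```python
import re

# Constructed sample: O4/O20/O23 lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp2.exe"
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O4_RE = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<value>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')

# Assumed list of hosts whose own image is always pathless; the argument they load is what matters.
HOST_IMAGES = {'rundll32.exe', 'regsvr32.exe'}


def command_image(cmd):
    """Return the program (or, for a rundll32-style host, the DLL it loads) in an O4 command."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly followed by arguments
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split(None, 1)
    if parts[0].lower() in HOST_IMAGES and len(parts) == 2:
        return parts[1].split(',', 1)[0]          # "C:\...\NvCpl.dll,NvStartup" -> the DLL
    return parts[0]


def triage(log_text):
    """Flag a Run value with no path, a non-empty AppInit_DLLs, and a service whose binary is missing."""
    findings = []
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            image = command_image(m.group('cmd'))
            # No drive letter and no directory: resolved via PATH search, which legitimate installers rarely rely on.
            if '\\' not in image and ':' not in image:
                findings.append(('O4', 'pathless Run entry', f"[{m.group('name')}] {image}"))
            continue
        m = O20_RE.match(line)
        if m and m.group('value').strip():
            # AppInit_DLLs is loaded into every process that links user32.dll; on a home PC it is normally empty.
            findings.append(('O20', 'AppInit_DLLs set', m.group('value').strip()))
            continue
        m = O23_RE.match(line)
        if m and m.group('path').endswith('(file missing)'):
            # A security product's service pointing at a missing binary matches the Trojan.KillAV detections.
            findings.append(('O23', 'service binary missing', m.group('name')))
    return findings
```

Running triage(SAMPLE_LOG) leaves the NvCplDaemon entry alone (the DLL it loads has a full path) and reports only the braviax, cru629.dat and avp.exe lines.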