Braviax.exe

The problem began with my computer force restarting about 2-5 minutes after it booted up with no warning or dialogue box. This went on for quite a while, then stopped on its own. Originally, I wasn't able to run any antivirus in time.

I've been able to run HijackThis and MalwareBytes several times now (renaming HijackThis is required, but MalwareBytes will run as mbam.exe).

HijackThis keeps showing me the same suspicious looking files, and I keep deleting them, but they keep reappearing.

MalwareBytes continues to find between 41 and 75 infected files. I remove them, and it says something lingers that it has to restart in order to remove (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32). I allow it to reboot, but then it doesn't load up on startup, and when I run a scan again, it's all back.

I've downloaded Kaspersky on another computer and, after much hassle, got it to install. However, it has the original install file's database, which is far out of date. When I try to update it, I receive Error code: 800000C6, and it refuses to update.

I've been unable to install StopZilla at all.

When I go to Safe Mode, I think everything starts up more-or-less all right. I can run HijackThis and MalwareBytes off of a flash drive, but then it's during the reboot that I get reinfected. I noticed some infected files are in my System Restore. One time, too quick for me to see, before I could reboot I got a yellow-greenish screen that said it was doing some things. This was after running MalwareBytes, waiting to restart, running SDFIX, and then restarting on its prompting.

Here are my logfiles from HijackThis and MalwareBytes.

Hijack This

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:25 PM, on 8/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\huihk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp2.exe"
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe (file missing)
O23 - Service: avp2 - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp2.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
--
End of file - 4669 bytes

MalwareBytes

Malwarebytes' Anti-Malware 1.40
Database version: 2636
Windows 5.1.2600 Service Pack 3 (Safe Mode)
8/16/2009 5:19:05 PM
mbam-log-2009-08-16 (17-19-05).txt
Scan type: Full Scan (C:\|)
Objects scanned: 227899
Time elapsed: 37 minute(s), 42 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 4
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 4
Files Infected: 57
Memory Processes Infected:
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe (Rogue.Multiple) -> Unloaded process successfully.
Memory Modules Infected:
C:\Program Files\PC_Antispyware2010\htmlayout.dll (Rogue.AntiVirusPro2009) -> Delete on reboot.
C:\WINDOWS\system32\_scui.cpl (Rogue.HomeAntiVirus) -> Delete on reboot.
C:\Program Files\PC_Antispyware2010\AVEngn.dll (Rogue.PC_Antispyware2010) -> Delete on reboot.
C:\Program Files\PC_Antispyware2010\pthreadVC2.dll (Rogue.PC_Antispyware2010) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pc_antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\data (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Start Menu\Programs\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01KL4WXG\Install[1].exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F7BSVK4B\Install[1].exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J3MGTB3R\Install[1].exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Z9QSHT1K\Install[1].exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\htmlayout.dll (Rogue.AntiVirusPro2009) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Uninstall.exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\wscui.cpl (Rogue.HomeAntiVirus) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-583907252-1078081533-1801674531-1004\Dc5\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-583907252-1078081533-1801674531-1004\Dc5\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0148453.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150526.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150530.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150531.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150537.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150543.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150554.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150595.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150615.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150623.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150628.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1278\A0150638.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1280\A0150815.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1280\A0150832.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1280\A0150840.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1280\A0150847.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1280\snapshot\MFEX-1.DAT (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1281\A0150960.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1281\A0150973.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1281\A0150974.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1281\A0150977.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1281\A0150986.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71F0F295-0E85-4369-A424-2613B2BB66D3}\RP1281\A0150987.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wisdstr.exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_scui.cpl (Rogue.HomeAntiVirus) -> Delete on reboot.
C:\WINDOWS\system32\dllcache\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\figaro.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\AVEngn.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.cfg (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\pthreadVC2.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\data\daily.cvd (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Start Menu\Programs\PC_Antispyware2010\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Start Menu\Programs\PC_Antispyware2010\Uninstall.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\qehuguba.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\BN36.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

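As an added defender-side example (not part of the post, nor a HijackThis or Malwarebytes tool), the script below triages the O4, O20 and O23 lines of a HijackThis log with three heuristics: a Run entry that names no path at all, a populated AppInit_DLLs value, and a service whose binary is reported missing. The sample log is copied from the HijackThis output above; the regexes and the heuristics are my own assumptions about the log format, not an official parser.

```python
"""Triage HijackThis autostart lines for entries that deserve a closer look."""
import re
from dataclasses import dataclass

# Constructed sample: the relevant O4/O20/O23 lines copied from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp2.exe"
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe (file missing)
O23 - Service: avp2 - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp2.exe
"""

# HijackThis line shapes as observed in the log (assumed regexes, written for this example).
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: ?(?P<dlls>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section code (O4, O20, O23)
    item: str      # entry name, DLL list or service description
    reason: str    # why the line was flagged


def triage(log_text: str) -> list[Finding]:
    """Return the autostart entries that match one of three heuristics."""
    findings: list[Finding] = []
    for line in log_text.strip().splitlines():
        if m := O4_RE.match(line):
            # A Run value with no path is resolved through the PATH search order,
            # so a bare 'braviax.exe' tells you nothing about where it lives.
            cmd = m["cmd"].strip().strip('"')
            if "\\" not in cmd:
                findings.append(Finding("O4", m["name"], "Run entry gives no path: " + cmd))
        elif m := O20_RE.match(line):
            # AppInit_DLLs is loaded into every process that links user32;
            # on a home PC it is normally empty.
            if dlls := m["dlls"].strip():
                findings.append(Finding("O20", dlls, "AppInit_DLLs is populated"))
        elif m := O23_RE.match(line):
            # A service whose binary is gone is a leftover or was removed out from under it.
            if m["path"].rstrip().endswith("(file missing)"):
                findings.append(Finding("O23", m["desc"], "service binary missing"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.item:<30} {f.reason}")
```

On the sample it flags exactly the three entries the Malwarebytes log in the same post also reports (braviax.exe and cru629.dat as Trojan.FakeAlert, plus the missing avp.exe service binary); legitimate entries such as NvCplDaemon and ctfmon.exe pass because they reference an absolute path.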

  • Staff

Hi DeDraconis and welcome to Malwarebytes.

Please don't put logs in Code boxes; that makes it a bit harder on the eyes.

Update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post the one that is not minimized.

-screen317


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
