Topic: braviax.exe--Something's gone wrong again

heinleineken (Guest)
braviax.exe--Something's gone wrong again
« on: February 18, 2008, 07:22:19 PM »
Avast detected a virus; initially it was braviax.exe. I did some looking around and found that it was related to cru629. I managed to stop the process (which had listed itself in the startup files) using Spybot S&D, then deleted it and created a new locked version of braviax.exe (actually a blank txt).
Long story short, I'm getting virus notifications every 30 mins or so. The last two were Win32:JunkPoly [cryp] and Win32:Agent-QLO [trj]. I'll run HijackThis and post a log; if anyone could help, I'd be very grateful. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 7:20:41 PM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Jenn Kirklys\Desktop\security\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Trust\CnxDslTb.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [D-Link Wireless G WUA-1340] C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Registry Crawler] C:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [LogitechSetup] C:\DOCUME~1\Default\LOCALS~1\Temp\QuickCam_11.1.0\setup.exe /skip_all_checks /p  /start /restart /l:enu
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: jwqyk.exe
O4 - Global Startup: ankqmmsftg.exe
O4 - Global Startup: arzvmbvbbo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Maxx_original (Moderator)
Re: braviax.exe--Something's gone wrong again
« Reply #1 on: February 18, 2008, 11:04:03 PM »
Check the boxes to the left of these items:

O4 - Startup: jwqyk.exe
O4 - Global Startup: ankqmmsftg.exe
O4 - Global Startup: arzvmbvbbo.exe

and click "fix selected".
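
One way to shortlist O4 entries like the three picked out above, as an added example that is not part of this thread or of HijackThis: a small Python triage script over HijackThis O4 lines. The sample lines are constructed from the log posted above. The scoring rules (a bare filename sitting in a Startup folder rather than a shortcut, a random-looking name, a launch from a Temp directory, minus one point for an installed location under Program Files) and the threshold of 2 are assumptions chosen for illustration, not anything HijackThis computes. Vendor abbreviations such as CnxDslTb also look random to the name test, which is why the Program Files discount exists; anything flagged still has to be checked by hand.

```python
"""Shortlist HijackThis O4 autostart entries for manual review.

Added example; not part of the thread above or of HijackThis itself. The
scoring rules and the threshold are assumptions chosen for illustration.
"""
import re
from typing import NamedTuple, Optional

# "O4 - <where>: [<label>] <command>"; Startup-folder entries carry no [label].
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<label>[^\]]*)\] )?(?P<cmd>.*)$")
# A quoted path, or an unquoted path up to the first executable-like extension.
EXE_RE = re.compile(
    r'^"(?P<q>[^"]+)"|^(?P<u>\S.*?\.(?:exe|com|scr|pif|bat|cmd|dll|lnk))(?=\s|$)', re.I
)
VOWELS = set("aeiou")


class Finding(NamedTuple):
    line: str
    path: str
    score: int
    reasons: tuple


def looks_random(name: str) -> bool:
    """Crude pronounceability test: no vowels at all, or a run of 5+ consonants."""
    letters = "".join(ch for ch in name.lower() if ch.isalpha())
    if len(letters) < 5:
        return False
    if not VOWELS & set(letters):
        return True
    run = longest = 0
    for ch in letters:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 5


def launch_path(cmd: str) -> str:
    """Path of the file that actually runs (the target for 'Name.lnk = target' entries)."""
    if ".lnk = " in cmd.lower():
        cmd = cmd.split(" = ", 1)[1]
    m = EXE_RE.match(cmd)
    return (m.group("q") or m.group("u")) if m else cmd.strip()


def assess(line: str) -> Optional[Finding]:
    """Score one O4 line; None for lines that are not O4 entries."""
    m = O4_RE.match(line)
    if m is None:
        return None
    path = launch_path(m.group("cmd"))
    low = path.lower()
    base = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    score, reasons = 0, []
    if "\\" not in path:  # a file dropped straight into a Startup folder, not a shortcut
        score += 2
        reasons.append("bare filename in a Startup folder")
    if looks_random(base):
        score += 2
        reasons.append("random-looking name")
    if "\\temp\\" in low:
        score += 2
        reasons.append("launched from a Temp directory")
    if low.startswith(("c:\\program files\\", "c:\\progra~1\\")):
        score -= 1
        reasons.append("installed location under Program Files")
    return Finding(line, path, score, tuple(reasons))


def triage_o4(log: str, threshold: int = 2):
    """Entries scoring at or above the threshold, in log order."""
    findings = (assess(line) for line in log.splitlines())
    return [f for f in findings if f is not None and f.score >= threshold]


# Sample lines constructed from the HijackThis log posted above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [CnxDslTaskBar] C:\\Program Files\\Trust\\CnxDslTb.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKCU\\..\\Run: [LogitechSetup] C:\\DOCUME~1\\Default\\LOCALS~1\\Temp\\QuickCam_11.1.0\\setup.exe /skip_all_checks /p  /start /restart /l:enu
O4 - Startup: jwqyk.exe
O4 - Global Startup: ankqmmsftg.exe
O4 - Global Startup: arzvmbvbbo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\\Program Files\\Microsoft Office\\Office10\\OSA.EXE
"""

if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LOG):
        print(f"{f.score:+d}  {f.path}  ({'; '.join(f.reasons)})")
```

Run against the sample, the three bare Startup-folder executables score 4 and the Logitech installer resuming from Temp scores 2; the Conexant taskbar entry trips the name test but is pulled back to 1 by its Program Files location, so it stays off the shortlist.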

heinleineken (Guest)
Re: braviax.exe--Something's gone wrong again
« Reply #2 on: February 19, 2008, 12:37:33 AM »
I kind of figured those had to go...
They're gone.
I'll let you know tomorrow after a restart and a fresh HijackThis report.

Well, here we go: a fresh virus detection while I'm writing this.
Avast detected JunkPoly [cryp] and Agent-QLO [trj].
I sent both to the chest, but cannot figure out where they're being replicated from.
Any ideas?

essexboy (Malware removal instructor)
Re: braviax.exe--Something's gone wrong again
« Reply #3 on: February 19, 2008, 12:42:11 AM »
Download this

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt  -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Unfortunately I will not be able to look at it till tomorrow, as I am off to bed now.

heinleineken (Guest)
Re: braviax.exe--Something's gone wrong again
« Reply #4 on: February 19, 2008, 12:56:19 AM »
I'll follow those instructions and post the results tomorrow. I'm off to sleep too.
Thanks
Thomas

heinleineken (Guest)
Re: braviax.exe--Something's gone wrong again
« Reply #5 on: February 19, 2008, 11:09:59 AM »
DSS scan main.txt below

Deckard's System Scanner v20071014.68
Run by Default on 2008-02-19 10:43:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-02-19 09:43:41 UTC - RP123 - Deckard's System Scanner Restore Point
1: 2008-02-18 14:47:54 UTC - RP122 - Installed ANIWZCS2 Service


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Default.exe) ---------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-19 10:45:25
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
C:\Documents and Settings\Default\Desktop\dss.exe
D:\Documents and Settings\Jenn Kirklys\Desktop\security\Default.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Trust\CnxDslTb.exe
O4 - HKLM\..\Run: [D-Link Wireless G WUA-1340] C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [LogitechSetup] C:\DOCUME~1\Default\LOCALS~1\Temp\QuickCam_11.1.0\setup.exe /skip_all_checks /p  /start /restart /l:enu
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Nero BackItUp Scheduler 3 - Unknown owner - C:\Program Files\Nero\Nero8\Nero
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

heinleineken (Guest)
Re: braviax.exe--Something's gone wrong again
« Reply #6 on: February 19, 2008, 11:11:18 AM »


--
End of file - 6321 bytes

-- HijackThis Fixed Entries (D:\DOCUME~1\JENNKI~1\Desktop\security\backups\) ---

backup-20061128-231645-654 O16 - DPF: {33331111-1111-1111-1111-611111193423} -
backup-20061128-231650-835 O16 - DPF: {33331111-1111-1111-1111-615111193427} -
backup-20080219-003158-451 O4 - Startup: jwqyk.exe
backup-20080219-003158-667 O4 - Global Startup: arzvmbvbbo.exe
backup-20080219-003158-678 O4 - Global Startup: ankqmmsftg.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ISODrive (ISO DVD/CD-ROM Device Driver) - c:\program files\ultraiso\drivers\isodrive.sys <Not Verified; EZB Systems, Inc.; ISODrive>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 ANIO (ANIO Service) - c:\windows\system32\anio.sys <Not Verified; Alpha Networks Inc.; ANIO (NT5) Driver>
R3 CnxTgN (TRUST 215A SPEEDLINK ADSL PCI WEB MODEM WAN Adapter Driver) - c:\windows\system32\drivers\cnxtgn.sys <Not Verified; Conexant Systems Inc.; Conexant AccessRunner ADSL>
R3 CnxTgP (TRUST 215A SPEEDLINK ADSL PCI WEB MODEM WAN Adapter Filter Driver) - c:\windows\system32\drivers\cnxtgp.sys <Not Verified; Conexant Systems Inc.; Conexant AccessRunner PCI Controller>
R3 CnxTgR (TRUST 215A SPEEDLINK ADSL PCI WEB MODEM Interface Device Driver) - c:\windows\system32\drivers\cnxtgr.sys <Not Verified; Conexant Systems Inc.; Conexant AccessRunner PCI Controller>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S1 OMCI - c:\windows\system32\drivers\omci.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe

S2 ANIWZCSdService (ANIWZCSd Service) - c:\program files\ani\aniwzcs2 service\aniwzcsds.exe <Not Verified; Alpha Networks Inc.; ANIWZCS2 Service Launcher (NT)>
S3 Imapi Helper - "c:\program files\alex feinman\iso recorder\imapihelper.exe" <Not Verified; Alex Feinman; ISO Recorder>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-19 10:00:00       350 --a------ C:\WINDOWS\Tasks\At11.job
2008-02-19 09:00:00       350 --a------ C:\WINDOWS\Tasks\At10.job
2008-02-19 08:00:00       350 --a------ C:\WINDOWS\Tasks\At9.job
2008-02-19 07:00:00       350 --a------ C:\WINDOWS\Tasks\At8.job
2008-02-19 06:00:00       350 --a------ C:\WINDOWS\Tasks\At7.job
2008-02-19 05:00:00       350 --a------ C:\WINDOWS\Tasks\At6.job
2008-02-19 04:00:00       350 --a------ C:\WINDOWS\Tasks\At5.job
2008-02-19 03:00:00       350 --a------ C:\WINDOWS\Tasks\At4.job
2008-02-19 02:00:00       350 --a------ C:\WINDOWS\Tasks\At3.job
2008-02-19 01:00:00       350 --a------ C:\WINDOWS\Tasks\At2.job
2008-02-19 00:00:00       350 --a------ C:\WINDOWS\Tasks\At1.job
2008-02-18 22:00:00       350 --a------ C:\WINDOWS\Tasks\At23.job
2008-02-18 21:00:00       350 --a------ C:\WINDOWS\Tasks\At22.job
2008-02-18 20:00:00       350 --a------ C:\WINDOWS\Tasks\At21.job
2008-02-18 19:00:00       350 --a------ C:\WINDOWS\Tasks\At20.job
2008-02-18 18:00:00       350 --a------ C:\WINDOWS\Tasks\At19.job
2008-02-18 17:00:00       350 --a------ C:\WINDOWS\Tasks\At18.job
2008-02-18 16:00:00       350 --a------ C:\WINDOWS\Tasks\At17.job
2008-02-18 15:00:00       350 --a------ C:\WINDOWS\Tasks\At16.job
2008-02-18 14:00:00       350 --a------ C:\WINDOWS\Tasks\At15.job
2008-02-18 13:00:00       350 --a------ C:\WINDOWS\Tasks\At14.job
2008-02-18 12:00:00       350 --a------ C:\WINDOWS\Tasks\At13.job
2008-02-18 11:00:00       350 --a------ C:\WINDOWS\Tasks\At12.job
2008-02-17 23:00:00       350 --a------ C:\WINDOWS\Tasks\At24.job

-- Files created between 2008-01-19 and 2008-02-19 -----------------------------

2008-02-19 00:28:24         8 --a------ C:\WINDOWS\system32\ANIWZCSUSERNAME{70FFC40F-D921-47DD-B630-2E3571DE784A}
2008-02-18 16:59:55         0 d--h----- C:\WINDOWS\PIF
2008-02-18 16:59:13         0 --a------ C:\WINDOWS\system32\braviax.exe
2008-02-18 16:19:41         0 d-------- C:\Program Files\TrojanHunter 3.8
2008-02-18 15:49:46         7 --a------ C:\WINDOWS\system32\ANIWZCSUSERNAME{13D04E61-604B-42AB-8CD4-F42619B2871C}
2008-02-18 13:11:09    691545 --a------ C:\WINDOWS\unins000.exe
2008-02-18 13:11:09      3444 --a------ C:\WINDOWS\unins000.dat
2008-02-18 13:00:30         0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-18 12:03:45         7 --a------ C:\WINDOWS\system32\ANIWZCSUSERNAME
2008-02-17 20:09:43         8 --a------ C:\WINDOWS\system32\ANIWZCSUSERNAME{389EED01-65D4-49FA-A958-02D583D150F9}
2008-02-17 20:09:36    245760 --a------ C:\WINDOWS\system32\wnicapi.dll <Not Verified; Alpha Networks Inc.; WNICAPI Dynamic Link Library>
2008-02-17 20:08:48      8192 -ra------ C:\WINDOWS\system32\drivers\rt2661.bin
2008-02-17 20:08:48      8192 -ra------ C:\WINDOWS\system32\drivers\rt2561s.bin
2008-02-17 20:08:48      8192 -ra------ C:\WINDOWS\system32\drivers\rt2561.bin
2008-02-17 20:08:47      2048 --a------ C:\WINDOWS\system\rt73.bin
2008-02-17 20:08:47      8192 -ra------ C:\WINDOWS\system\rt2661.bin
2008-02-17 20:08:47      8192 -ra------ C:\WINDOWS\system\rt2561s.bin
2008-02-17 20:08:47      8192 -ra------ C:\WINDOWS\system\rt2561.bin
2008-02-16 17:05:34         0 d-------- C:\Program Files\Soulseek
2008-02-04 12:36:26         0 d-------- C:\Documents and Settings\All Users\Application Data\TVU networks
2008-02-02 20:45:05         0 d-------- C:\Program Files\RCrawler
2008-01-31 22:14:24         0 d-------- C:\WINDOWS\pss
2008-01-28 11:57:40         0 d-------- C:\Documents and Settings\Default\Application Data\Nero
2008-01-28 11:54:17         0 d-------- C:\Program Files\Nero
2008-01-28 11:54:17         0 d-------- C:\Program Files\Common Files\Nero
2008-01-28 11:54:17         0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-01-28 10:30:51         0 d-------- C:\Program Files\Common Files\EZB Systems
2008-01-28 10:30:48         0 d-------- C:\Program Files\UltraISO
2008-01-27 23:31:56         0 d-------- C:\Program Files\MagicISO




-- Find3M Report ---------------------------------------------------------------

2008-02-18 19:20:10         0 d-------- C:\Documents and Settings\Default\Application Data\uTorrent
2008-02-18 11:53:25         0 d-------- C:\Documents and Settings\Default\Application Data\Skype
2008-02-17 20:08:43         0 d-------- C:\Program Files\D-Link
2008-02-17 20:08:42         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-10 19:58:37         0 d-------- C:\Documents and Settings\Default\Application Data\Adobe
2008-02-10 19:32:14         0 d-------- C:\Program Files\PowerISO
2008-02-04 12:36:26         0 d-------- C:\Program Files\TVUPlayer
2008-01-29 23:35:03         0 d-------- C:\Documents and Settings\Default\Application Data\U3
2008-01-28 11:54:17         0 d-------- C:\Program Files\Common Files
2008-01-28 11:30:55         0 d-------- C:\Program Files\Ahead
2008-01-27 12:54:30         0 d-------- C:\Program Files\DivX
2008-01-17 01:38:59      4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-01-17 01:15:04     42528 --a------ C:\WINDOWS\system32\unins000.dat
2008-01-17 01:13:12    691717 --a------ C:\WINDOWS\system32\unins000.exe
2008-01-16 23:26:43         0 d-------- C:\Program Files\Veoh Networks
2008-01-11 01:39:42         0 d-------- C:\Program Files\Alex Feinman
2007-12-24 13:47:52      7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-12-24 13:47:46     38400 --a------ C:\WINDOWS\system32\ff_unrar.dll
2007-12-24 13:40:26    404992 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-12-22 22:02:50    188416 --a------ C:\WINDOWS\system32\ff_theora.dll
2007-12-22 22:02:24    102912 --a------ C:\WINDOWS\system32\ff_tremor.dll
2007-12-22 21:27:22   3104256 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-12-03 16:39:34    122880 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-12-03 16:38:30    135168 --a------ C:\WINDOWS\system32\ff_samplerate.dll
2007-12-03 16:38:24    118784 --a------ C:\WINDOWS\system32\ff_realaac.dll
2007-12-03 16:38:14    143360 --a------ C:\WINDOWS\system32\ff_libmad.dll
2007-12-03 16:38:06    397312 --a------ C:\WINDOWS\system32\ff_libfaad2.dll
2007-12-03 16:37:44     54784 --a------ C:\WINDOWS\system32\ff_liba52.dll
2007-12-03 16:37:38    167936 --a------ C:\WINDOWS\system32\ff_libdts.dll
2007-12-03 16:34:32     26624 --a------ C:\WINDOWS\system32\ff_wmv9.dll
2007-12-01 13:43:30    520192 --a------ C:\WINDOWS\system32\ff_x264.dll
2007-11-29 13:17:32    662016 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-11-29 12:52:34    204800 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2007-11-29 12:52:34    204800 --a------ C:\WINDOWS\system32\ff_kernelDeint.dll
2007-11-29 12:52:32     60273 --a------ C:\WINDOWS\system32\pthreadGC2.dll <Not Verified; Open Source Software community project; >


-- Registry Dump ---------------------------------------------------------------



heinleineken (Guest)
Re: braviax.exe--Something's gone wrong again
« Reply #7 on: February 19, 2008, 11:11:50 AM »
*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 02:00 PM]
"CnxDslTaskBar"="C:\Program Files\Trust\CnxDslTb.exe" [05/28/2003 06:52 PM]
"D-Link Wireless G WUA-1340"="C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe" [12/15/2005 12:19 PM]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [06/29/2006 05:34 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 04:33 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [10/25/2007 04:37 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [11/14/2007 04:05 PM]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [11/17/2006 04:54 PM]
"THGuard"="C:\Program Files\TrojanHunter 3.8\THGuard.exe" [01/26/2004 01:17 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSetup"="C:\DOCUME~1\Default\LOCALS~1\Temp\QuickCam_11.1.0\setup.exe" []
"@"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"WinampAgent"=C:\Program Files\Winamp\winampa.exe
"PWRISOVM.EXE"=C:\Program Files\PowerISO\PWRISOVM.EXE
"Registry Crawler"=C:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"




-- Hosts -----------------------------------------------------------------------

127.0.0.1   www.007guard.com
127.0.0.1   007guard.com
127.0.0.1   008i.com
127.0.0.1   www.008k.com
127.0.0.1   008k.com
127.0.0.1   www.00hq.com
127.0.0.1   00hq.com
127.0.0.1   010402.com
127.0.0.1   www.032439.com
127.0.0.1   032439.com

7892 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-02-19 10:48:05 ------------
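
The poster asked where the detections are being replicated from. The DSS log above does not settle that, but two of its sections are worth parsing mechanically rather than by eye: the Scheduled Tasks list (24 At<n>.job files of identical size, one for every hour of the day, which is the shape left by 24 `at` commands; on XP, at-created jobs run as SYSTEM) and the created-files list (a zero-byte braviax.exe in system32, matching the blank placeholder the poster made). The script below is an added example, not part of the thread or of Deckard's System Scanner. Its sample text is constructed to mirror the entries posted above, and the section titles and line layout it parses are taken from that log; everything it reports is a lead to inspect, not a verdict on the source of the infection.

```python
"""Triage the Scheduled Tasks and Files-created sections of a DSS main.txt.

Added example for this thread; not part of Deckard's System Scanner or of
any post above. Checks: (1) a set of At<n>.job tasks with identical sizes
that together cover every hour of the day, the shape created by running
`at` once per hour (such jobs run as SYSTEM on XP); (2) zero-byte
executables in the created-files list. Both are leads, not verdicts.
"""
import re
from collections import Counter
from datetime import datetime

SECTION_RE = re.compile(r"^-- (?P<title>.+?) -+$")
# "YYYY-MM-DD HH:MM:SS   <size> <attrs> <path>" as DSS prints file entries.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attr>[-a-z]{9})\s+(?P<path>.+)$"
)


def parse_sections(text):
    """Map each '-- Title ----' header to the non-blank lines beneath it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("title")
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def entries(lines):
    """Yield (timestamp, size, attrs, path) for lines in DSS file-entry layout."""
    for line in lines:
        m = ENTRY_RE.match(line)
        if m:
            yield (datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                   int(m.group("size")), m.group("attr"), m.group("path"))


def at_job_series(lines):
    """Summarise At<n>.job tasks: count, distinct sizes, hours of day covered, modal gap."""
    jobs = sorted(e for e in entries(lines)
                  if re.fullmatch(r"at\d+\.job", e[3].rsplit("\\", 1)[-1], re.I))
    if not jobs:
        return None
    gaps = Counter(later[0] - earlier[0] for earlier, later in zip(jobs, jobs[1:]))
    return {
        "count": len(jobs),
        "sizes": {size for _, size, _, _ in jobs},
        "hours_covered": len({ts.hour for ts, _, _, _ in jobs}),
        "modal_gap": gaps.most_common(1)[0][0] if gaps else None,
    }


def zero_byte_executables(lines):
    """Zero-length .exe/.dll/.sys files; directories (attr starts with 'd') are skipped."""
    return [path for _, size, attr, path in entries(lines)
            if size == 0 and not attr.startswith("d")
            and path.lower().endswith((".exe", ".dll", ".sys"))]


def triage_dss(text):
    sections = parse_sections(text)
    created = next((v for k, v in sections.items() if k.startswith("Files created")), [])
    return {
        "at_jobs": at_job_series(sections.get("Scheduled Tasks", [])),
        "zero_byte": zero_byte_executables(created),
    }


def _task_lines():
    # Constructed to mirror the 24 At*.job lines posted above: At<k> ran at hour k-1,
    # At1..At11 on 02-19, At12..At23 on 02-18, At24 last on 02-17.
    out = []
    for k in range(1, 25):
        hour = k - 1
        day = "2008-02-19" if hour <= 10 else "2008-02-18" if hour <= 22 else "2008-02-17"
        out.append(f"{day} {hour:02d}:00:00       350 --a------ C:\\WINDOWS\\Tasks\\At{k}.job")
    return "\n".join(out)


# Sample log constructed from the DSS output posted above.
SAMPLE_LOG = f"""\
-- Scheduled Tasks -------------------------------------------------------------

{_task_lines()}

-- Files created between 2008-01-19 and 2008-02-19 -----------------------------

2008-02-18 16:59:55         0 d--h----- C:\\WINDOWS\\PIF
2008-02-18 16:59:13         0 --a------ C:\\WINDOWS\\system32\\braviax.exe
2008-02-18 16:19:41         0 d-------- C:\\Program Files\\TrojanHunter 3.8
2008-02-18 13:11:09    691545 --a------ C:\\WINDOWS\\unins000.exe

-- Find3M Report ---------------------------------------------------------------
"""

if __name__ == "__main__":
    print(triage_dss(SAMPLE_LOG))
```

On the sample this reports 24 jobs, a single size of 350 bytes, all 24 hours of the day covered and a modal gap of one hour, plus the zero-byte braviax.exe; the two longer gaps in the series (the 02-17 23:00 run of At24 and the missing 02-18 23:00 slot) are why the check uses hour-of-day coverage and the modal gap rather than requiring every gap to be exactly an hour.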

heinleineken (Guest)
Re: braviax.exe--Something's gone wrong again
« Reply #8 on: February 19, 2008, 11:13:56 AM »
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.26GHz
Percentage of Memory in Use: 28%
Physical Memory (total/avail): 1534.98 MiB / 1102.41 MiB
Pagefile Memory (total/avail): 3434.38 MiB / 3103.41 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1929.34 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 18.64 GiB total, 2.78 GiB free.
D: is Fixed (NTFS) - 127.99 GiB total, 22.96 GiB free.
E: is Fixed (NTFS) - 55.87 GiB total, 28.51 GiB free.
F: is CDROM (No Media)
H: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6Y080L0 - 74.5 GiB - 2 partitions
  \PARTITION0 (bootable) - Installable File System - 18.64 GiB - C:
  \PARTITION1 - Installable File System - 55.87 GiB - E:

\\.\PHYSICALDRIVE1 - WDC WD1600JB-00DUA1 - 149.05 GiB - 1 partition
  \PARTITION0 (bootable) - Installable File System - 127.99 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

FW: ZoneAlarm Firewall v7.0.462.000 (Check Point, LTD.)
AV: ZoneAlarm Security Suite Antivirus v7.0.408.000 (Check Point, LTD.) Disabled Outdated
AV: avast! antivirus 4.7.1098 [VPS 080218-0] v4.7.1098 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"D:\\Program Files\\Skype\\Phone\\Skype.exe"="D:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Default\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HAL01
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Default
LOGONSERVER=\\HAL01
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Nero\Lib\;C:\Program Files\Common Files\Nero\Lib\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Default\LOCALS~1\Temp
TMP=C:\DOCUME~1\Default\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=HAL01
USERNAME=Default
USERPROFILE=C:\Documents and Settings\Default
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Default (admin)
Jennifer (new local, admin)
Thomas (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

heinleineken (Guest)
Re: braviax.exe--Something's gone wrong again
« Reply #9 on: February 19, 2008, 11:17:50 AM »

 --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
 --> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
 --> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
 --> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
 --> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
 --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
 --> C:\WINDOWS\UNRecode.exe /UNINSTALL
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
AirPlus G --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2B7E4354-0492-460A-BDB1-1F59EE141025}\setup.exe" -l0x9  -removeonly
ANIO Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe"
ANIWZCS2 Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C590030-7469-453E-8589-D15DA9D03F52}\setup.exe"
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Dell Resource CD --> MsiExec.exe /X{FCD9CD52-7222-4672-94A0-A722BA702FD0}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Express Rip --> C:\Program Files\NCH Swift Sound\ExpressRip\uninst.exe
ffdshow [rev 1723] [2007-12-24] --> "C:\WINDOWS\system32\unins000.exe"
Golden Records --> C:\Program Files\NCH Swift Sound\Golden\uninst.exe
HijackThis 1.99.1 --> D:\Program Files\HijackThis.exe /uninstall
Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe
ISO Recorder --> MsiExec.exe /I{DFC6573E-124D-4026-BFA4-B433C9D3FF21}
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
Logitech Legacy USB Camera Driver Package --> "C:\Program Files\Common Files\LogiShrd\LogiDriverStore\legacyqcam\11.10.2016\LgDrvInst.exe" -remove -instdir"C:\Program Files\Common Files\LogiShrd\LogiDriverStore\legacyqcam\" -enumdelay=2000 -enabledifx -forcedelete -usbhubsfirst -forceremove -cumulativeremove -promptuninstall -arpregkey"legacyqcam_11.10" /clone_wait /hide_progress
Logitech QuickCam --> MsiExec.exe /X{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}
Logitech QuickCam Driver Package --> "C:\Program Files\Common Files\LogiShrd\LogiDriverStore\lvdrivers\11.50.1145\LgDrvInst.exe" -remove -instdir"C:\Program Files\Common Files\LogiShrd\LogiDriverStore\lvdrivers\" -enumdelay=2000 -enabledifx -forcedelete -usbhubsfirst -forceremove -cumulativeremove -promptuninstall -arpregkey"lvdrivers_11.50" /clone_wait /hide_progress
Magic ISO Maker v5.4 (build 0251) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Microsoft Office XP Professional --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MVision --> MsiExec.exe /I{35725FBC-A136-4A46-9F29-091759D9BB93}
Nero 8 --> MsiExec.exe /X{B944FA21-81AF-4A77-8328-CE4F4CC51033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
Prism --> C:\Program Files\NCH Software\Prism\uninst.exe
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RarZilla Free Unrar 2.12 --> C:\Program Files\RarZilla Free Unrar\uninstall.exe
Registry Crawler --> C:\PROGRA~1\RCrawler\UNWISE.EXE C:\PROGRA~1\RCrawler\INSTALL.LOG
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SopCast 1.1.2 --> C:\Program Files\SopCast\uninst.exe
SoulSeek Client 156c --> "C:\Program Files\Soulseek\uninstall.exe"
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
SoundTap --> C:\Program Files\NCH Swift Sound\SoundTap\uninst.exe
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Switch --> C:\Program Files\NCH Swift Sound\Switch\uninst.exe
TrojanHunter 3.8 --> "C:\Program Files\TrojanHunter 3.8\unins000.exe"
TRUST 215A SPEEDLINK ADSL PCI WEB MODEM WAN Adapter --> C:\Program Files\Trust\CnxUnist.exe -w3 AccessRunner ADSL
TVUPlayer 2.3.5.3 --> C:\Program Files\TVUPlayer\uninst.exe
UltraISO Premium V8.66 --> "C:\Program Files\UltraISO\unins000.exe"
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
VeohTV BETA --> C:\Program Files\InstallShield Installation Information\{97A96172-A963-4A37-9FFB-DA6805BB915A}\setup.exe -runfromtemp -l0x0409
WavePad Uninstall --> C:\Program Files\NCH Swift Sound\WavePad\uninst.exe
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Wireless G WUA-1340 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{71FD28F7-E697-40B4-8DC9-91E8B1B9AEE9}
XP Codec Pack --> C:\Program Files\XP Codec Pack\Uninstall.exe
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------


Event Record #/Type2922 / Error
Event Submitted/Written: 02/19/2008 10:46:16 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type2921 / Error
Event Submitted/Written: 02/19/2008 10:46:16 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type2920 / Error
Event Submitted/Written: 02/19/2008 10:46:15 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type2919 / Warning
Event Submitted/Written: 02/18/2008 11:56:09 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam' failed during request for component '{3BBB8098-03C8-48DC-AA83-9B2159E12E0D}'

Event Record #/Type2918 / Warning
Event Submitted/Written: 02/18/2008 11:56:09 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam', component '{B52C7B4D-F46F-438C-ADF2-05A138C57757}' failed.  The resource 'HKEY_CURRENT_USER\Software\Logitech\InstallerKeys\QCDesktopShortcutKey' does not exist.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type10708 / Error
Event Submitted/Written: 02/19/2008 10:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At11.job command failed to start due to the following error:
%%2147942402

Event Record #/Type10707 / Error
Event Submitted/Written: 02/19/2008 09:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At10.job command failed to start due to the following error:
%%2147942402

Event Record #/Type10706 / Error
Event Submitted/Written: 02/19/2008 08:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At9.job command failed to start due to the following error:
%%2147942402

Event Record #/Type10705 / Error
Event Submitted/Written: 02/19/2008 07:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At8.job command failed to start due to the following error:
%%2147942402

Event Record #/Type10704 / Error
Event Submitted/Written: 02/19/2008 06:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At7.job command failed to start due to the following error:
%%2147942402



-- End of Deckard's System Scanner: finished at 2008-02-19 10:48:05 ------------

heinleineken

  • Guest
Re: braviax.exe--Something's gone wrong again
« Reply #10 on: February 19, 2008, 11:23:06 AM »
I'm sorry to have posted the logfiles in the body of the msg, but I've been distracted this morning, and only now realized they should have been posted as attachments.

If it's any use, I've just had a 'virus has been detected' warning. It's for the same two that I've been getting: JunkPoly and Agent-QLO. They were both found in the Windows temp folder and were both sent to the chest...

heinleineken

  • Guest
Re: braviax.exe--Something's gone wrong again
« Reply #11 on: February 19, 2008, 12:46:38 PM »
New problem:
"virus has been detected", the same two, JunkPoly and Agent-QLO.
However, when I attempt to 'send to chest' I get the dreaded 'cannot process, file is not packed' error.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: braviax.exe--Something's gone wrong again
« Reply #12 on: February 19, 2008, 02:00:49 PM »
OK, I see them now.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\system32\braviax.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

THEN

Please download ComboFix from Here or Here to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you. 
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Logs required : OTMoveit and Combofix

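The At*.job list in the reply above comes straight from the System Event Log section of the Deckard's System Scanner report posted earlier: one Event ID 7901 / Schedule error per job that failed to start. As an added example that is not part of this thread, of Deckard's System Scanner or of OTMoveIt2, the Python below parses that report layout into records, counts events per section, source and ID, pulls out the job names that failed to start, and decodes the unresolved `%%2147942402` placeholder (an HRESULT: 0x80070002 wraps Win32 error 2, ERROR_FILE_NOT_FOUND, so the job's target file could not be found). The excerpt in `SAMPLE_LOG` is a constructed sample in the report's layout, and the function names are my own.

```python
"""Parser for the event-log section of a Deckard's System Scanner report.
Added example: the record layout is copied from the report in the thread, the
excerpt below is a constructed sample, and the function names are my own."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_LOG = """\
-- Application Event Log -------------------------------------------------------

Event Record #/Type2922 / Error
Event Submitted/Written: 02/19/2008 10:46:16 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type10708 / Error
Event Submitted/Written: 02/19/2008 10:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At11.job command failed to start due to the following error:
%%2147942402

Event Record #/Type10707 / Error
Event Submitted/Written: 02/19/2008 09:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At10.job command failed to start due to the following error:
%%2147942402

-- End of Deckard's System Scanner: finished at 2008-02-19 10:48:05 ------------
"""

SECTION_RE = re.compile(r"^-- (\w+) Event Log -+$")
RECORD_RE = re.compile(r"^Event Record #/Type(\d+) / (\w+)$")
WRITTEN_RE = re.compile(r"^Event Submitted/Written: (.+)$")
IDSRC_RE = re.compile(r"^Event ID/Source: (\d+) / (.+)$")
JOB_RE = re.compile(r"The (\S+\.job) command failed to start")


@dataclass
class EventRecord:
    section: str                     # Application / Security / System
    record_no: int
    level: str                       # Error / Warning
    written: str = ""
    event_id: int = 0
    source: str = ""
    description: List[str] = field(default_factory=list)


def parse_dss_log(text: str) -> List[EventRecord]:
    """A record runs from its 'Event Record' header to the blank line after its description."""
    records: List[EventRecord] = []
    section, current, in_desc = "", None, False
    for line in (raw.rstrip() for raw in text.splitlines()):
        if (m := SECTION_RE.match(line)):              # "-- X Event Log" starts a section
            section, current, in_desc = m.group(1), None, False
        elif (m := RECORD_RE.match(line)):             # record header: number and level
            current = EventRecord(section, int(m.group(1)), m.group(2))
            records.append(current)
            in_desc = False
        elif current is None:                          # filler such as "No Errors/Warnings found."
            continue
        elif in_desc:
            if line == "":
                in_desc = False                        # blank line closes the description
            else:
                current.description.append(line)
        elif (m := WRITTEN_RE.match(line)):
            current.written = m.group(1)
        elif (m := IDSRC_RE.match(line)):
            current.event_id, current.source = int(m.group(1)), m.group(2).strip()
        elif line == "Event Description:":
            in_desc = True
    return records


def summarize(records: List[EventRecord]) -> Counter:
    """Events per (section, source, event id): the triage view of a long report."""
    return Counter((r.section, r.source, r.event_id) for r in records)


def failing_scheduled_jobs(records: List[EventRecord]) -> List[str]:
    """Job files named in Task Scheduler 'failed to start' events (ID 7901, source Schedule).
    Scheduled tasks are a persistence location, so these are files worth inspecting."""
    jobs = set()
    for r in records:
        if r.source == "Schedule" and r.event_id == 7901:
            for line in r.description:
                if (m := JOB_RE.search(line)):
                    jobs.add(m.group(1))
    return sorted(jobs)


def decode_message_code(token: str) -> Optional[Tuple[int, Optional[int]]]:
    """Decode a '%%<decimal>' placeholder the Event Log could not render. The number
    is an HRESULT; facility 7 wraps a Win32 error whose code is the low 16 bits."""
    if not token.startswith("%%") or not token[2:].isdigit():
        return None
    hresult = int(token[2:])
    facility = (hresult >> 16) & 0x1FFF
    return hresult, (hresult & 0xFFFF) if facility == 7 else None


if __name__ == "__main__":
    recs = parse_dss_log(SAMPLE_LOG)
    for key, n in sorted(summarize(recs).items()):
        print(f"{key[0]:<12} {key[1]:<12} id {key[2]:<5} x{n}")
    print("failed jobs:", failing_scheduled_jobs(recs))
    print("decoded:", decode_message_code("%%2147942402"))   # (0x80070002, 2)
```

Run against a full report, the job list is exactly what a helper would paste into OTMoveIt2 for review, and the decoded error explains why each job is failing rather than just that it is.
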
heinleineken

  • Guest
Re: braviax.exe--Something's gone wrong again
« Reply #13 on: February 19, 2008, 11:53:37 PM »
oh. my. god. combofix took the better part of an hour.
log below
ComboFix 08-02-20.1 - Default 2008-02-19 20:42:15.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1088 [GMT 1:00]
Running from: C:\Documents and Settings\Default\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((   Files Created from 2008-01-20 to 2008-02-20  )))))))))))))))))))))))))))))))
.

2008-02-19 20:19 . 2008-02-19 20:19   <DIR>   d--------   C:\_OTMoveIt
2008-02-19 00:56 . 2008-02-19 00:56   <DIR>   d--------   C:\Deckard
2008-02-19 00:28 . 2008-02-19 13:02   8   --a------   C:\WINDOWS\system32\ANIWZCSUSERNAME{70FFC40F-D921-47DD-B630-2E3571DE784A}
2008-02-18 16:59 . 2008-02-18 16:59   <DIR>   d--h-----   C:\WINDOWS\PIF
2008-02-18 16:19 . 2008-02-19 12:11   <DIR>   d--------   C:\Program Files\TrojanHunter 3.8
2008-02-18 15:49 . 2008-02-18 23:55   7   --a------   C:\WINDOWS\system32\ANIWZCSUSERNAME{13D04E61-604B-42AB-8CD4-F42619B2871C}
2008-02-18 13:13 . 2008-02-18 13:13   <DIR>   d--------   C:\Program Files\Spybot - Search & Destroy
2008-02-18 13:11 . 2008-02-18 13:09   691,545   --a------   C:\WINDOWS\unins000.exe
2008-02-18 13:11 . 2008-02-18 13:11   3,444   --a------   C:\WINDOWS\unins000.dat
2008-02-18 13:00 . 2008-02-18 13:14   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-18 12:03 . 2008-02-18 16:53   7   --a------   C:\WINDOWS\system32\ANIWZCSUSERNAME
2008-02-17 20:09 . 2006-12-22 18:44   245,760   --a------   C:\WINDOWS\system32\wnicapi.dll
2008-02-17 20:09 . 2008-02-19 00:23   8   --a------   C:\WINDOWS\system32\ANIWZCSUSERNAME{389EED01-65D4-49FA-A958-02D583D150F9}
2008-02-17 20:08 . 2006-04-06 13:15   8,192   -ra------   C:\WINDOWS\system32\drivers\rt2661.bin
2008-02-17 20:08 . 2006-04-06 13:15   8,192   -ra------   C:\WINDOWS\system32\drivers\rt2561s.bin
2008-02-17 20:08 . 2006-04-06 13:15   8,192   -ra------   C:\WINDOWS\system32\drivers\rt2561.bin
2008-02-17 20:08 . 2006-04-06 13:15   8,192   -ra------   C:\WINDOWS\system\rt2661.bin
2008-02-17 20:08 . 2006-04-06 13:15   8,192   -ra------   C:\WINDOWS\system\rt2561s.bin
2008-02-17 20:08 . 2006-04-06 13:15   8,192   -ra------   C:\WINDOWS\system\rt2561.bin
2008-02-17 20:08 . 2005-11-16 02:21   2,048   --a------   C:\WINDOWS\system\rt73.bin
2008-02-16 17:05 . 2008-02-16 18:40   <DIR>   d--------   C:\Program Files\Soulseek
2008-02-15 11:31 . 2008-02-15 11:31   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-02-15 11:31 . 2008-02-15 11:31   1,409   --a------   C:\WINDOWS\QTFont.for
2008-02-04 12:36 . 2008-02-04 12:36   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\TVU networks
2008-02-02 20:45 . 2008-02-02 20:52   <DIR>   d--------   C:\Program Files\RCrawler
2008-01-28 11:57 . 2008-01-28 11:57   <DIR>   d--------   C:\Documents and Settings\Default\Application Data\Nero
2008-01-28 11:54 . 2008-01-28 11:54   <DIR>   d--------   C:\Program Files\Nero
2008-01-28 11:54 . 2008-01-28 11:56   <DIR>   d--------   C:\Program Files\Common Files\Nero
2008-01-28 11:54 . 2008-01-28 11:54   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Nero
2008-01-28 10:30 . 2008-01-28 10:30   <DIR>   d--------   C:\Program Files\UltraISO
2008-01-28 10:30 . 2008-01-28 10:30   <DIR>   d--------   C:\Program Files\Common Files\EZB Systems
2008-01-27 23:31 . 2008-01-27 23:32   <DIR>   d--------   C:\Program Files\MagicISO
2008-01-21 00:52 . 2008-01-21 00:52   166   --a------   C:\key.shm

.

heinleineken

  • Guest
Re: braviax.exe--Something's gone wrong again
« Reply #14 on: February 19, 2008, 11:54:02 PM »

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 19:44   6,387,744   --sha-w   C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-19 11:50   78,536   --sha-w   C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-18 23:01   19,604,644   ----a-w   C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_02_18_23_18_57_full.dmp.zip
2008-02-18 22:18   1,536,512   ----a-w   C:\WINDOWS\Internet Logs\xDB3.tmp
2008-02-18 18:20   ---------   d-----w   C:\Documents and Settings\Default\Application Data\uTorrent
2008-02-18 10:53   ---------   d-----w   C:\Documents and Settings\Default\Application Data\Skype
2008-02-17 19:08   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-02-17 19:08   ---------   d-----w   C:\Program Files\D-Link
2008-02-10 18:32   ---------   d-----w   C:\Program Files\PowerISO
2008-02-04 11:36   ---------   d-----w   C:\Program Files\TVUPlayer
2008-01-29 22:35   ---------   d-----w   C:\Documents and Settings\Default\Application Data\U3
2008-01-28 10:30   ---------   d-----w   C:\Program Files\Ahead
2008-01-27 11:54   ---------   d-----w   C:\Program Files\DivX
2008-01-17 00:13   691,717   ----a-w   C:\WINDOWS\system32\unins000.exe
2008-01-16 22:26   ---------   d-----w   C:\Program Files\Veoh Networks
2008-01-11 00:39   ---------   d-----w   C:\Program Files\Alex Feinman
2007-12-29 15:23   2,033,482   ----a-w   C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-24 12:47   7,680   ----a-w   C:\WINDOWS\system32\ff_vfw.dll
2007-12-24 12:47   38,400   ----a-w   C:\WINDOWS\system32\ff_unrar.dll
2007-12-24 12:40   404,992   ----a-w   C:\WINDOWS\system32\libmplayer.dll
2007-12-22 21:02   188,416   ----a-w   C:\WINDOWS\system32\ff_theora.dll
2007-12-22 21:02   102,912   ----a-w   C:\WINDOWS\system32\ff_tremor.dll
2007-12-22 20:27   3,104,256   ----a-w   C:\WINDOWS\system32\libavcodec.dll
2007-12-06 23:31   1,424,384   ----a-w   C:\WINDOWS\Internet Logs\xDB265.tmp
2007-12-06 23:24   1,424,384   ----a-w   C:\WINDOWS\Internet Logs\xDB266.tmp
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2007-12-03 15:39   122,880   ----a-w   C:\WINDOWS\system32\libmpeg2_ff.dll
2007-12-03 15:38   397,312   ----a-w   C:\WINDOWS\system32\ff_libfaad2.dll
2007-12-03 15:38   143,360   ----a-w   C:\WINDOWS\system32\ff_libmad.dll
2007-12-03 15:38   135,168   ----a-w   C:\WINDOWS\system32\ff_samplerate.dll
2007-12-03 15:38   118,784   ----a-w   C:\WINDOWS\system32\ff_realaac.dll
2007-12-03 15:37   54,784   ----a-w   C:\WINDOWS\system32\ff_liba52.dll
2007-12-03 15:37   167,936   ----a-w   C:\WINDOWS\system32\ff_libdts.dll
2007-12-03 15:34   26,624   ----a-w   C:\WINDOWS\system32\ff_wmv9.dll
2007-12-01 12:43   520,192   ----a-w   C:\WINDOWS\system32\ff_x264.dll
2007-11-29 22:30   200,704   ----a-w   C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30   1,044,480   ----a-w   C:\WINDOWS\system32\libdivx.dll
2007-11-29 12:17   662,016   ----a-w   C:\WINDOWS\system32\xvidcore.dll
2007-11-29 11:52   60,273   ----a-w   C:\WINDOWS\system32\pthreadGC2.dll
2007-11-29 11:52   204,800   ----a-w   C:\WINDOWS\system32\TomsMoComp_ff.dll
2007-11-29 11:52   204,800   ----a-w   C:\WINDOWS\system32\ff_kernelDeint.dll
2007-11-03 13:42   1,418,240   ----a-w   C:\WINDOWS\Internet Logs\xDB1.tmp
2007-11-03 13:40   1,418,240   ----a-w   C:\WINDOWS\Internet Logs\xDB2.tmp
2004-08-04 12:00   4,096   --sha-w   C:\WINDOWS\system32\bns.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"CnxDslTaskBar"="C:\Program Files\Trust\CnxDslTb.exe" [2003-05-28 18:52 397312]
"D-Link Wireless G WUA-1340"="C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe" [2005-12-15 12:19 2715648]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2006-06-29 17:34 49152]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37 2178832]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2006-11-17 16:54 1552384]
"THGuard"="C:\Program Files\TrojanHunter 3.8\THGuard.exe" [2004-01-26 01:17 1067520]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"WinampAgent"=C:\Program Files\Winamp\winampa.exe
"PWRISOVM.EXE"=C:\Program Files\PowerISO\PWRISOVM.EXE
"Registry Crawler"=C:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

R3 CnxTgN;TRUST 215A SPEEDLINK ADSL PCI WEB MODEM WAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgN.sys [2003-05-28 18:52]
R3 CnxTgP;TRUST 215A SPEEDLINK ADSL PCI WEB MODEM WAN Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgP.sys [2003-05-28 18:52]
R3 CnxTgR;TRUST 215A SPEEDLINK ADSL PCI WEB MODEM Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxTgR.sys [2003-05-28 18:52]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems]
"Windows"= basekwgb32.dll

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 20:44:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-20 23:06:29
.
2007-11-02 02:00:50   --- E O F ---