
Braviax And Virtumonde Infections


  • This topic is locked
2 replies to this topic

#1 onetiger2
  • Members
  • 4 posts
  • Location: Rotherham, England

Posted 23 August 2008 - 11:28 AM

Avast reported a virus on my daughter's computer after she clicked an e-mail attachment. Before she could react, a large box appeared in front saying the computer was infected by a Virtumonde virus and advising her to run her antivirus scan. There is nothing to make this box go away, so she has it permanently plastered across the screen. I ran Avast; it found 2 viruses, rebooted and deleted them, but the box was still there.

In Task Manager I found and stopped 2 applications - "lphc3coj0er1a" (which a search told me was from Dailykey (Virtumonde work trojans)) and "braviax" - a malware. I also disabled them from starting in the System Configuration Utility, but braviax returned on reboot.



I looked in Event logs and found the following Avast logs :-


* Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
* Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP240\A0061275.scr" file.
* Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\Suzy\Local Settings\Temp\.tt6.tmp.vbs" file.
* Internal error has occurred in module aswar scan function failed!, function 00000002.
* Sign of "Win32:Cutwail [Trj]" has been found in "C:\WINDOWS\System32\drivers\Cio28.sys" file.
* Sign of "Win32:Cutwail [Trj]" has been found in "C:\WINDOWS\System32\drivers\Syf17.sys" file.
* Sign of "Win32:Cutwail [Trj]" has been found in "C:\WINDOWS\System32\drivers\Ckr64.sys" file
* Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\blphc3coj0er1a.scr" file.
* Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\Suzy\Local Settings\Temp\.tt6.tmp.vbs" file.
* Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\blphc3coj0er1a.scr" file.
* Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\blphc3coj0er1a.scr" file.
* Sign of "Win32:Agent-QNI [Trj]" has been found in "C:\WINDOWS\system32\dllcache\figaro.sys" file.
* Sign of "VBS:Malware-gen" has been found in "C:\WINDOWS\temp\.tt14.tmp.vbs" file.


Also :-

* Windows saved user ACER-511EBA12DF\Suzy registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.
This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

* Event ID 7026 The following boot-start or system-start driver(s) failed to load:
Aavmker4
AmdK8
aswSP
avgio
avipbb
Fips
SASDIFSV
SASKUTIL



I booted into Safe Mode With Networking, but the internet wouldn't work. It works OK in normal mode, so I tried to do online virus scans with BitDefender and Panda, but both failed to start, even after installing their ActiveX controls.
I used my own computer to download AntiVir to my thumb drive, then I booted to safe mode on my daughter's computer, disabled Avast, installed AntiVir, then booted it into normal mode. AntiVir immediately found TR/dropper.gen, TR/rootkit.gen, TR/FakeScanner.F and TR/Agent.33280 Trojan. It deleted them and rebooted, then I deleted braviax from the System32 folder, got rid of its prefetch file and deleted its registry entry with CCleaner.

We seem to have got rid of lphc3coj0er1a and braviax, but AntiVir keeps having to delete a virus every boot time and the damn box is still on the screen.
I've tried my best. Here is the HijackThis log :-

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:14:56, on 23/08/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Acer\Empowering Technology\ePerformance\MemCheck.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\SysMonitor.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\PRISMSVR.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\BT Voyager Wireless Adapter\PRISMCFG.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Suzy\Local Settings\Temporary Internet Files\Content.IE5\4AF3UXVF\HiJackThis[1].exe



R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe

O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: BT Voyager Wireless Utility.lnk = C:\Program Files\BT Voyager Wireless Adapter\PRISMCFG.exe

O9 - Extra button: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files\Active Whois\ieshow.exe

O9 - Extra 'Tools' menuitem: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files\Active Whois\ieshow.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applicatio...torLauncher.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



--

End of file - 4530 bytes

Many thanks in advance.
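The post above quotes two kinds of evidence that are easier to reason about once they are structured: Avast event-log detection lines (which repeat, and which include a System Restore copy that a scanner will keep re-reporting until the restore point is purged) and HijackThis O4 autostart entries. The Python below is an added triage example, not code from the original post, from BleepingComputer, from Avast or from HijackThis. It parses the log lines quoted above (embedded as constructed sample text), de-duplicates the detections, groups them by where on disk they were found, and extracts the launched executable from each autostart entry, marking values that are a bare file name (which Windows resolves via the search path rather than a fixed location). The category names and the `executable_of` heuristic are this example's own assumptions; nothing here decides whether an entry is malicious.

```python
"""Triage helpers for Avast event-log detections and HijackThis O4 lines.
Added example; not the original post's, Avast's or HijackThis's code."""
import re
from collections import OrderedDict

# Constructed sample: the Avast event-log lines quoted in the post above
# (blphc3coj0er1a.scr and .tt6.tmp.vbs are repeated, as they were on the page).
AVAST_LOG = r"""
* Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
* Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP240\A0061275.scr" file.
* Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\Suzy\Local Settings\Temp\.tt6.tmp.vbs" file.
* Internal error has occurred in module aswar scan function failed!, function 00000002.
* Sign of "Win32:Cutwail [Trj]" has been found in "C:\WINDOWS\System32\drivers\Cio28.sys" file.
* Sign of "Win32:Cutwail [Trj]" has been found in "C:\WINDOWS\System32\drivers\Syf17.sys" file.
* Sign of "Win32:Cutwail [Trj]" has been found in "C:\WINDOWS\System32\drivers\Ckr64.sys" file
* Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\blphc3coj0er1a.scr" file.
* Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\Suzy\Local Settings\Temp\.tt6.tmp.vbs" file.
* Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\blphc3coj0er1a.scr" file.
* Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\blphc3coj0er1a.scr" file.
* Sign of "Win32:Agent-QNI [Trj]" has been found in "C:\WINDOWS\system32\dllcache\figaro.sys" file.
* Sign of "VBS:Malware-gen" has been found in "C:\WINDOWS\temp\.tt14.tmp.vbs" file.
"""

# Constructed sample: a subset of the O4 lines from the HijackThis log above.
HJT_LOG = r"""
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: BT Voyager Wireless Utility.lnk = C:\Program Files\BT Voyager Wireless Adapter\PRISMCFG.exe
"""

DETECTION_RE = re.compile(r'Sign of "([^"]+)" has been found in "([^"]+)" file')
HJT_RUN_RE = re.compile(r'^O4 - (HK\w+(?:\\[^\\]+)?)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
HJT_STARTUP_RE = re.compile(r'^O4 - Global Startup: (.+?) = (.*)$')


def parse_detections(text):
    """Return (signature, path) for every detection line; duplicates are kept."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.search(line)
        if m:
            found.append(m.groups())
    return found


def unique_detections(text):
    """Same as parse_detections but one entry per path (case-insensitive), first seen wins."""
    seen = OrderedDict()
    for sig, path in parse_detections(text):
        seen.setdefault(path.lower(), (sig, path))
    return list(seen.values())


def classify_location(path):
    """Assumed category names; ordering matters (drivers live under system32)."""
    p = path.lower()
    if "\\system volume information\\" in p:
        return "restore_point"   # System Restore copy: re-detected until the restore point is purged
    if p.endswith(".sys") and ("\\drivers\\" in p or "\\dllcache\\" in p):
        return "kernel_driver"   # a driver image: loads at boot, before user-mode cleaners run
    if "\\temp\\" in p:
        return "temp"            # dropped script/staging file in a user or Windows temp folder
    if "\\system32\\" in p:
        return "system32"
    return "other"


def summarize(text):
    """Map location category -> list of unique (signature, path) detections."""
    summary = {}
    for sig, path in unique_detections(text):
        summary.setdefault(classify_location(path), []).append((sig, path))
    return summary


def executable_of(command):
    """Heuristic: strip HijackThis's trailing (User '...') note, honour quoting,
    otherwise take text up to the first executable-looking extension."""
    cmd = re.sub(r"\s*\(User '[^']*'\)\s*$", "", command).strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r'^(.*?\.(?:exe|scr|com|bat|vbs|dll))(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_autostarts(text):
    """Return one dict per O4 line: source key, value name, executable, and whether
    the executable is a bare name (resolved via the search path, not a fixed path)."""
    entries = []
    for line in text.splitlines():
        m = HJT_RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            exe = executable_of(cmd)
            entries.append({"source": hive + "\\Run", "name": name, "exe": exe, "bare_name": "\\" not in exe})
            continue
        m = HJT_STARTUP_RE.match(line)
        if m:
            exe = m.group(2).strip()
            entries.append({"source": "Global Startup", "name": m.group(1), "exe": exe, "bare_name": "\\" not in exe})
    return entries


if __name__ == "__main__":
    for category, items in summarize(AVAST_LOG).items():
        print(category, len(items))
        for sig, path in items:
            print("   ", sig, "->", path)
    for entry in parse_autostarts(HJT_LOG):
        print(entry)
```

Run as a script, it groups the eight distinct detections into restore_point (1), temp (2), kernel_driver (4) and system32 (1) and lists the five autostart entries, with `ALCMTR.EXE` marked as a bare name. The grouping is what a responder wants first: driver and dllcache hits explain why a user-mode cleaner finds something new on every boot, and the restore-point hit is why a scanner keeps re-reporting a file that has already been deleted.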


#2 onetiger2
  • Topic Starter
  • Members
  • 4 posts
  • Location: Rotherham, England

Posted 25 August 2008 - 06:06 PM

My daughter's computer became unbootable altogether today - no safe mode even, so she has reinstalled XP using the recovery discs she made when she first got the computer. It's working fine now and she's not lost anything important, as she has always backed up her files. So no worries now, and I'm sorry if you've waded through all the first post before you read this. She took a risk clicking on the link in that e-mail because it looked like something to do with her line of work, but she'll know better in future.

#3 Orange Blossom
  • OBleepin Investigator
  • Moderator
  • 37,011 posts
  • Location: Bloomington, IN

Posted 25 August 2008 - 06:10 PM

Thank you for letting us know that the problem is taken care of, onetiger2. Since that is the case, I shall close this topic.

Orange Blossom :thumbsup: