Weird/New Braviax


  • This topic is locked
3 replies to this topic

#1 taxic

taxic

  • Members
  • 2 posts

Posted 03 September 2009 - 11:17 PM

I tried using SD fix and combo fix and Malwarebytes to get rid of it, but it reappears on reboot. I tried to find braviax and cru629.dat, but can only seem to find braviax.exe in windows/system32. Can't find any evidence of cru629, nor can I find any suspect files in windows/system. (view hidden files on) Tried removing them from the registry, but they just reappear on restart.

Running Windows XP SP3, firewall on.

I can also see and delete sys32_nov.exe in Windows/system32, but that reappears as well on restart.

Now on startup, AVG detects and closes the braviax and figaro (sp?) processes, but leaves the sys32_nov, which I have to manually end task. I also had 2 instances of homeantivirus 2010 trying to install on me, but I closed the install process.

Hope someone can help. Thanks for your time.

Here is my DDS log

DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 12:03:14.48 on Fri 04/09/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1453 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [sys32_nov] c:\documents and settings\administrator\sys32_nov.exe
uRun: [braviax]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Samsung Common SM] "c:\windows\samsung\comsmmgr\ssmmgr.exe" /autorun
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [sys32_nov] c:\windows\system32\sys32_nov.exe
mRun: [braviax]
mRun: [Regedit32] c:\windows\system32\regedit.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [braviax]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\wpn111.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203659985708
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\f7h8hg61.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XUL Cache: {1D4E4AEA-C62E-4533-A31B-C7488B587706} - c:\documents and settings\administrator\local settings\application data\{1D4E4AEA-C62E-4533-A31B-C7488B587706}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-24 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-2-22 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-24 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-24 297752]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2008-3-5 17149]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2008-3-5 362944]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-12-24 50704]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\system32\drivers\RTL8150.SYS [2008-2-22 26496]

=============== Created Last 30 ================

2009-09-04 11:54 11,264 a------- c:\windows\system32\braviax.exe
2009-09-04 11:54 146 a------- c:\documents and settings\administrator\delself.bat
2009-09-03 23:40 192,381 a------- c:\windows\system32\wisdstr.exe
2009-09-03 23:40 11,264 a------- c:\windows\system32\braviaxs.exe
2009-09-03 23:40 94,272 ac------ c:\windows\system32\dllcache\agp440.sys
2009-09-03 23:21 <DIR> --ds---- C:\ComboFix
2009-09-03 19:49 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-09-03 19:28 <DIR> a-dshr-- C:\cmdcons
2009-09-03 18:47 229,888 a------- c:\windows\PEV.exe
2009-09-03 18:47 161,792 a------- c:\windows\SWREG.exe
2009-09-03 18:47 98,816 a------- c:\windows\sed.exe
2009-09-03 16:54 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-09-03 16:49 <DIR> --d----- c:\windows\ERUNT
2009-09-03 16:38 <DIR> --d----- C:\SDFix
2009-09-03 01:23 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-09-03 01:23 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-03 01:23 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-03 01:23 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-03 00:44 120 a------- c:\windows\Jxusimox.dat
2009-09-03 00:34 29,216 a------- c:\windows\system32\sys32_nov.exe
2009-09-02 23:11 <DIR> --d----- C:\Program1
2009-08-26 21:33 <DIR> --d----- c:\docume~1\admini~1\applic~1\LimeWire
2009-08-26 21:09 <DIR> --d----- c:\program files\LimeWire
2009-08-16 18:07 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-16 12:52 <DIR> --d----- C:\a858062b5f575f1ab7
2009-08-14 20:53 26,056 a------- c:\windows\system32\drivers\hamachi.sys
2009-08-13 00:07 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-13 00:03 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-05 19:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-09-04 11:55 94,272 a------- c:\windows\system32\drivers\agp440.sys
2009-08-20 12:49 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-20 12:49 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 19:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-18 05:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-06-30 02:12 827,392 -------- c:\windows\system32\wininet.dll
2009-06-30 02:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-30 02:12 17,408 -------- c:\windows\system32\corpol.dll
2009-06-25 18:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 18:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 18:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 18:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 18:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 18:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-17 00:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-17 00:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 22:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 22:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-11 00:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 16:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-02-12 13:06 94,208 a------- c:\docume~1\admini~1\applic~1\ezplay.sys
2009-02-12 13:05 47,360 a------- c:\docume~1\admini~1\applic~1\pcouffin.sys
2008-03-01 21:44 32 a------- c:\documents and settings\administrator\log.dat
2002-07-02 00:13 224 a--sh--- c:\docume~1\admini~1\applic~1\maildriver32.dat
2002-07-02 00:13 224 a--sh--- c:\docume~1\admini~1\applic~1\login_setup.dat
2008-09-15 17:45 16,384 a--sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-09-15 17:45 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-09-15 17:45 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091520080916\index.dat
2008-09-15 17:45 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 12:04:40.37 ===============

Edited by taxic, 03 September 2009 - 11:19 PM.



#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 21 September 2009 - 02:12 AM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate it if you
would let me know so I can close this topic; if you still need help please let me know what issues you are still having in your next reply.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • log.txt
  • info.txt
Thanks



#3 taxic

taxic
  • Topic Starter

  • Members
  • 2 posts

Posted 21 September 2009 - 02:30 AM

Thanks for the reply, but I did a reformat, please close this thread.

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 21 September 2009 - 02:33 AM

Sorry we couldn't get to you sooner, but thanks for letting us know you sorted it :(

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
