Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

braviax virus HT log [RESOLVED]

Started by Lovltn848 , Feb 16 2008 02:54 PM

This topic is locked

#31
JSntgRvr

Posted 17 February 2008 - 07:17 PM

Global Moderator

Global Moderator
11,579 posts

Lets repeat the process on the FoundFix. Please remove FoundFix.bat from your computer.

Set Explorer to view File extensions of known file types:

* Right-click your Start button and go to "Explore".
* Select Tools from the menu
* Select Folder Options
* Select the View tab
* Remove the check mark from "Hide extension from known file types".
* Select Apply to All Folders | Yes | Apply | OK.

Download the enclosed file.
It is a text file to obtain a list all Found.* files in the root of your system, and list the files and folders in the qoobox folder, which is Combofix Quarantine. Once downloaded right click on the file and change its extension from .txt to .bat. After you have done this, the file will be renamed FoundFix.bat and its icon would have changed to a batch file. Once done, double click on the FoundFix.bat. The MSDOS window will be displayed for a second. That is Normal. A report will be produced. Post its contents in a reply.

Set Explorer to Defaults:

* Right-click your Start button and go to "Explore".
* Select Tools from the menu
* Select Folder Options
* Select the View tab
* Click on Restore Defaults
* Select Apply to All Folders | Yes | Apply | OK.

#32
Lovltn848

Posted 17 February 2008 - 07:21 PM

Member

Topic Starter
Member
237 posts

Volume in drive D is STUDENT
Volume Serial Number is 680D-9210

Directory of D:\

02/16/2008 01:23 PM <DIR> FOUND.004
02/16/2008 02:06 PM <DIR> FOUND.005
02/17/2008 06:35 PM <DIR> FOUND.008
02/16/2008 03:01 PM <DIR> FOUND.006
02/18/2008 02:58 AM <DIR> FOUND.012
02/17/2008 06:12 PM <DIR> FOUND.007
02/17/2008 10:40 PM <DIR> FOUND.009
02/17/2008 10:53 PM <DIR> FOUND.010
02/17/2008 11:05 PM <DIR> FOUND.011
02/18/2008 03:06 PM <DIR> FOUND.013
02/05/2008 07:47 PM <DIR> FOUND.000
02/16/2008 12:09 PM <DIR> FOUND.001
02/16/2008 12:20 PM <DIR> FOUND.002
02/16/2008 12:32 PM <DIR> FOUND.003
0 File(s) 0 bytes
14 Dir(s) 1,364,832,256 bytes free
Volume in drive D is STUDENT
Volume Serial Number is 680D-9210

Directory of D:\Qoobox

02/18/2008 11:24 AM <DIR> .
02/18/2008 11:24 AM <DIR> ..
02/18/2008 11:24 AM <DIR> Quarantine
02/18/2008 11:24 AM <DIR> BackEnv
02/18/2008 11:28 AM 0 snapshot@2008-02-18_11.28.00.63.dat
02/18/2008 11:28 AM 0 snapshot@2008-02-18_11.28.00.63_B.dat
02/18/2008 11:29 AM 8,153 ComboFix2.txt
02/18/2008 02:48 PM 727 [email protected]
02/18/2008 03:02 PM 1,138 ComboFix-quarantined-files.txt
5 File(s) 10,018 bytes

Directory of D:\Qoobox\Quarantine

02/18/2008 11:24 AM <DIR> .
02/18/2008 11:24 AM <DIR> ..
02/18/2008 11:24 AM <DIR> D
02/18/2008 11:27 AM <DIR> Registry_backups
02/18/2008 02:52 PM <DIR> G
0 File(s) 0 bytes

Directory of D:\Qoobox\Quarantine\D

02/18/2008 11:24 AM <DIR> .
02/18/2008 11:24 AM <DIR> ..
02/18/2008 11:24 AM <DIR> ComboFix
02/18/2008 02:52 PM <DIR> Autoruns
02/18/2008 12:51 AM 545,241 Autoruns.zip.vir
02/18/2008 02:52 PM <DIR> Documents and Settings
02/18/2008 02:52 PM <DIR> WINDOWS
1 File(s) 545,241 bytes

Directory of D:\Qoobox\Quarantine\D\ComboFix

02/18/2008 11:24 AM <DIR> .
02/18/2008 11:24 AM <DIR> ..
0 File(s) 0 bytes

Directory of D:\Qoobox\Quarantine\D\Autoruns

02/18/2008 02:52 PM <DIR> .
02/18/2008 02:52 PM <DIR> ..
12/14/2007 10:07 AM 48,130 autoruns.chm.vir
02/07/2008 09:30 AM 603,176 autoruns.exe.vir
02/07/2008 09:30 AM 513,064 autorunsc.exe.vir
07/28/2006 08:32 AM 7,005 Eula.txt.vir
4 File(s) 1,171,375 bytes

Directory of D:\Qoobox\Quarantine\D\Documents and Settings

02/18/2008 02:52 PM <DIR> .
02/18/2008 02:52 PM <DIR> ..
02/18/2008 02:52 PM <DIR> All Users
02/18/2008 02:52 PM <DIR> Lauren
0 File(s) 0 bytes

Directory of D:\Qoobox\Quarantine\D\Documents and Settings\All Users

02/18/2008 02:52 PM <DIR> .
02/18/2008 02:52 PM <DIR> ..
02/18/2008 02:52 PM <DIR> Start Menu
0 File(s) 0 bytes

Directory of D:\Qoobox\Quarantine\D\Documents and Settings\All Users\Start Menu

02/18/2008 02:52 PM <DIR> .
02/18/2008 02:52 PM <DIR> ..
02/18/2008 02:52 PM <DIR> Programs
0 File(s) 0 bytes

Directory of D:\Qoobox\Quarantine\D\Documents and Settings\All Users\Start Menu\Programs

02/18/2008 02:52 PM <DIR> .
02/18/2008 02:52 PM <DIR> ..
02/18/2008 02:52 PM <DIR> Startup
0 File(s) 0 bytes

Directory of D:\Qoobox\Quarantine\D\Documents and Settings\All Users\Start Menu\Programs\Startup

02/18/2008 02:52 PM <DIR> .
02/18/2008 02:52 PM <DIR> ..
02/16/2008 12:00 PM 49,152 oodm.exe.vir
1 File(s) 49,152 bytes

Directory of D:\Qoobox\Quarantine\D\Documents and Settings\Lauren

02/18/2008 02:52 PM <DIR> .
02/18/2008 02:52 PM <DIR> ..
02/18/2008 02:52 PM <DIR> Start Menu
0 File(s) 0 bytes

Directory of D:\Qoobox\Quarantine\D\Documents and Settings\Lauren\Start Menu

02/18/2008 02:52 PM <DIR> .
02/18/2008 02:52 PM <DIR> ..
02/18/2008 02:52 PM <DIR> Programs
0 File(s) 0 bytes

Directory of D:\Qoobox\Quarantine\D\Documents and Settings\Lauren\Start Menu\Programs

02/18/2008 02:52 PM <DIR> .
02/18/2008 02:52 PM <DIR> ..
02/18/2008 02:52 PM <DIR> Startup
0 File(s) 0 bytes

Directory of D:\Qoobox\Quarantine\D\Documents and Settings\Lauren\Start Menu\Programs\Startup

02/18/2008 02:52 PM <DIR> .
02/18/2008 02:52 PM <DIR> ..
10/11/2006 03:59 PM 439,294 lsas.exe.vir
1 File(s) 439,294 bytes

Directory of D:\Qoobox\Quarantine\D\WINDOWS

02/18/2008 02:52 PM <DIR> .
02/18/2008 02:52 PM <DIR> ..
02/18/2008 02:52 PM <DIR> pss
02/18/2008 02:52 PM <DIR> system32
0 File(s) 0 bytes

Directory of D:\Qoobox\Quarantine\D\WINDOWS\pss

02/18/2008 02:52 PM <DIR> .
02/18/2008 02:52 PM <DIR> ..
10/11/2006 03:59 PM 439,294 lsas.exeStartup.vir
1 File(s) 439,294 bytes

Directory of D:\Qoobox\Quarantine\D\WINDOWS\system32

02/18/2008 02:52 PM <DIR> .
02/18/2008 02:52 PM <DIR> ..
09/21/2005 06:08 PM 290,816 Atwtusb.exe.vir
02/18/2008 02:52 PM <DIR> dllcache
1 File(s) 290,816 bytes

Directory of D:\Qoobox\Quarantine\D\WINDOWS\system32\dllcache

02/18/2008 02:52 PM <DIR> .
02/18/2008 02:52 PM <DIR> ..
02/18/2008 02:40 PM 30,720 figaro.sys.vir
1 File(s) 30,720 bytes

Directory of D:\Qoobox\Quarantine\Registry_backups

02/18/2008 11:27 AM <DIR> .
02/18/2008 11:27 AM <DIR> ..
0 File(s) 0 bytes

Directory of D:\Qoobox\Quarantine\G

02/18/2008 02:52 PM <DIR> .
02/18/2008 02:52 PM <DIR> ..
04/09/2007 11:02 PM 282,624 qttask.exe.vir
1 File(s) 282,624 bytes

Directory of D:\Qoobox\BackEnv

02/18/2008 11:24 AM <DIR> .
02/18/2008 11:24 AM <DIR> ..
02/18/2008 11:24 AM 236 profiles.folder.dat
02/18/2008 11:24 AM 168 appdata.folder.dat
02/18/2008 11:24 AM 95 templates.folder.dat
02/18/2008 11:24 AM 98 personal.folder.dat
02/18/2008 11:24 AM 110 localsettings.folder.dat
02/18/2008 11:24 AM 218 localappdata.folder.dat
02/18/2008 11:24 AM 161 programs.folder.dat
02/18/2008 11:24 AM 124 cache.folder.dat
02/18/2008 11:24 AM 113 startup.folder.dat
02/18/2008 11:24 AM 132 startmenu.folder.dat
02/18/2008 11:24 AM 91 desktop.folder.dat
02/18/2008 11:24 AM 95 favorites.folder.dat
02/18/2008 11:24 AM 122 mypictures.folder.dat
02/18/2008 11:24 AM 4,157 setpath.dat
02/18/2008 11:24 AM 9,749 setpath.bat
15 File(s) 15,669 bytes

Total Files Listed:
31 File(s) 3,274,203 bytes
62 Dir(s) 1,364,701,184 bytes free

#33
JSntgRvr

Posted 17 February 2008 - 07:51 PM

Global Moderator

Global Moderator
11,579 posts

Download the enclosed file.
Save this file next to Combofix.

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

#34
Lovltn848

Posted 17 February 2008 - 08:12 PM

Member

Topic Starter
Member
237 posts

This time my computer only rebooted once from the ComboFix. When my desktop was loading, a pop-up from Tiny Personal Firewall appeared saying "SERVICE_CONTROL_INTERROGATE". Instead of clicking okay like I did last time (maybe that's what made my computer restart again?) I closed it.

I am also getting red shield with a white x security alert. It says that I don't have a firewall up but I do.

Here is the report. It's a bit longer than the other logs so I added it as a downloadable file~

Attached Files

ComboFix.txt 15.42KB 395 downloads

Edited by Lovltn848, 17 February 2008 - 08:13 PM.

#35
JSntgRvr

Posted 18 February 2008 - 01:02 PM

Global Moderator

Global Moderator
11,579 posts

Hi, Lovltn848

It is possible the infection compromised Tiny Personal Firewall. You can remove it and reinstall.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK..

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
If the disclaimer notice is displayed, select "2" and press Enter

The above procedure will:

Delete the following:
- ComboFix and its associated files and folders.
- VundoFix backups, if present
- The C:\Deckard folder, if present
- The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

Create a Restore point (If the above process fails):

Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
In the System Restore dialog box, click Create a restore point, and then click Next.
Type a description for your restore point, such as "After Cleanup", then click Create.

How is the computer doing?

#36
Lovltn848

Posted 18 February 2008 - 02:07 PM

Member

Topic Starter
Member
237 posts

I have only one problem. When I turned off system restore that last time and rebooted, the system restore tab disappeared....so I can't turn it back on.

As of right now my computer is acting normal.

#37
JSntgRvr

Posted 18 February 2008 - 07:27 PM

Global Moderator

Global Moderator
11,579 posts

I have only one problem. When I turned off system restore that last time and rebooted, the system restore tab disappeared....so I can't turn it back on.

As of right now my computer is acting normal.

Perhaps has been disabled. Lets also test your ability to open a .zip folder after the fix. Remember to right click on the folder and select Extract

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.

RegSearch Options File

[Search]
DisableSR

[Exclude]

[Options]
Filter=KVDLUI

2. Download Registry Search to your desktop.

Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
Open the new folder, and double click on regsearch.exe
Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
Please reply here with the entire contents of the Notepad file from RegSearch.

If you can't still open a zipped folder, download the enclosed file. And as you did before, change the extension from .txt to .bat. Once done, doubleclick on it and post back the report.

#38
Lovltn848

Posted 18 February 2008 - 07:49 PM

Member

Topic Starter
Member
237 posts

I was able to open the zip folder just fine, but the registry search goes blank when I go to another window. I will leave it up and see if it gives me a report.

edit: it worked

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 2/19/2008 6:53:38 PM for strings:
; 'disablesr'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000000

; End Of The Log...

~Another quick thing. Can I uninstall combofix right now? It won't release the virus out of the quarantine will it?

Edited by Lovltn848, 18 February 2008 - 08:34 PM.

#39
JSntgRvr

Posted 18 February 2008 - 08:35 PM

Global Moderator

Global Moderator
11,579 posts

Run the following command:(Start->Run, copy and paste the command below and click OK)

CMD /C Net.exe Start >"%Userprofile%\Desktop\Report.txt"

Open the Report.txt on your desktop. See if System Restore Service and Remote Procedure Call (RPC) are present. If not, Run this command -> Services.msc. Scroll to the Remote Procedure Call (RPC) first and Start the service, then start the System Restore Service.

Let me know of any error you may experience.

Also, go to the Control Panel. Click on Administrative Tools, then the Event Viewer. Check on System and Applications for an error concerning System Restore and post the information here.

I'll be checking this in the AM.

#40
Lovltn848

Posted 18 February 2008 - 08:45 PM

Member

Topic Starter
Member
237 posts

System Restore Service and Remote Procedure Call (RPC) are present. No errors on that.

On the Event Viewer>System, I found many errors concerning "sr" and "srservice". Is that system restore?

#41
JSntgRvr

Posted 18 February 2008 - 08:56 PM

Global Moderator

Global Moderator
11,579 posts

On the Event Viewer>System, I found many errors concerning "sr" and "srservice". Is that system restore?

Yes. There is a way to save that log, but it will be huge. You will need to save it as a .txt file, then upload the same.

Right click on System and select Save log as. Save it to your desktop as a text file (Change the file type as Text), name it Event.

Upload that report.

#42
Lovltn848

Posted 18 February 2008 - 09:23 PM

Member

Topic Starter
Member
237 posts

Here it is. I arranged it in alphabetical order so you can sr and srservice easier.

Attached Files

Event.txt 203.08KB 187 downloads

#43
JSntgRvr

Posted 19 February 2008 - 12:38 PM

Global Moderator

Global Moderator
11,579 posts

Hi, Lovltn848

Download the enclosed folder. Save and extract its contents to the desktop. It is a batch file to identify the location of the SR.SYS file. Once extracted, doubleclick on the LocateFiles.bat file and post its report.

Do you have the Windows XP Installation CD available?

Edited by JSntgRvr, 19 February 2008 - 12:39 PM.

#44
Lovltn848

Posted 19 February 2008 - 12:44 PM

Member

Topic Starter
Member
237 posts

It's giving me "File not Found" and only the time and date appear in the report.

I do have the Windows XP CD but in instances where my computer tells me to "insert floppy disk" I will insert the CD but it never helps.