PDA

View Full Version : Hopeless !!! malware still on my computer



nushnush
2009-08-08, 15:31
Hi,

Since monday, i get this pop up from spyware terminator warning : bn2.tmp, and after that another alert to modify startup : regedit.exe

I follow some posts here, but i think i don't solve this, i run ( by order ), atf cleaner, combofix, after this again atf cleaner, and sdfix, when i run combofix and sdfix in safe mode, a pop up window saying the system will shutdown in 50 sec...when it's shutdown, i restart in safemode and the sdfix was continued, but the combofix i think goes down, because i get windows message saying : hdfix or something like that missing.

After al that i scan with malwarebytes and gets : 2 braviax.exe trojans.
I follow the instruction, and do restart, but again after this i got red X near the clock says : your computer is infected, and again pop up from spyware terminator says : modify startup : BN2.TMP.

Update : i just notice that a program called : pc antispyware2010 has run itself...

I delete regedit.exe file ( i know it's system file ) because i don't know how to stop this worm.

I can't run hijackthis, and the internet is too slow...

what to do ???

Malwarebytes' Anti-Malware 1.40
Database version: 2578
Windows 5.1.2600 Service Pack 2

08/08/2009 15:43:07
mbam-log-2009-08-08 (15-43-05).txt

Scan type: Quick Scan
Objects scanned: 80880
Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 3
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pc_antispyware2010 (Rogue.PC_Antispyware2010) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\data (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT (Rogue.PC_Antispyware2010) -> No action taken.

Files Infected:
C:\WINDOWS\braviax.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\49IJG9IR\Install[1].exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> No action taken.
C:\Program Files\PC_Antispyware2010\AVEngn.dll (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\htmlayout.dll (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.cfg (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\pthreadVC2.dll (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\Uninstall.exe (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\wscui.cpl (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\data\daily.cvd (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.PC_Antispyware2010) -> No action taken.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> No action taken.
C:\WINDOWS\temp\BN1.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\temp\BN2.tmp (Trojan.Agent) -> No action taken.
C:\Documents and Settings\sa\Local Settings\Temporary Internet Files\uwamyj.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> No action taken.

ken545
2009-08-12, 01:53
Hello nushnush

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


Reply to this topic only and do not start any new topics.

You had Malwarebytes set to TAKE NO ACTION, which accomplished nothing.


Go to this site RootRepeal (http://rootrepeal.googlepages.com/)

Scoll down until you see the Download heading. You can download it in either RAR or ZIP format. Use whatever is easiest for you.

Extract the RootRepeal.exe file from the RAR or ZIP.
Disable your antivirus, antispyware, and firewalls before continuing or they may block RootRepeal from running properly.
Now run the RootRepeal.exe program by double clicking on it.
On the botton click the Files tab and then click the Scan button
A Select Drives form will open. Select all of your drives by checking the boxes and then click OK.
It will start scanning. Wait for it to finish. It can take awhile depending on how many drives, how many files, how many folders...etc. Be patient.
When it finishes, click Save Report and save it somewhere you can easily find it (like your Desktop)
Name it NRRlog.txt
Copy and Paste to log into this thread.