
Thread: Help - trying to remove BraveSentry etc


  1. #1
    Join Date
    May 2007
    Posts
    194
    My Windows copy is genuine, although even if it weren't, I can't imagine MS blatantly asking for credit card info like that.... ESPECIALLY it would have no reason to ask for a PIN! I think the strange coincidence with that is what worried me. Here's the CF-quarantined log:

    Code:
    2004-08-18 11:00      542    --a------    C:\Qoobox\Quarantine\C\WINDOWS\g32.txt.vir
    2004-08-18 11:00      87    --a------    C:\Qoobox\Quarantine\C\WINDOWS\s32.txt.vir
    2004-08-18 11:00      96    --a------    C:\Qoobox\Quarantine\C\WINDOWS\ws386.ini.vir
    2007-05-08 10:53      10129    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\win32.exe.vir
    2007-05-08 10:53      14918    --a------    C:\Qoobox\Quarantine\C\WINDOWS\159x.exe.vir
    2007-05-08 10:54      1174028    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\config\SYSTEM~1\APPLIC~1\Install.dat.vir
    2007-05-08 10:54      958    --a------    C:\Qoobox\Quarantine\C\temp\17O7\tmpTF.log.vir
    2007-05-08 10:55      112    --a------    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Documents\Settings\desktop.ini.vir
    2007-05-08 11:40      108945    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\sony.exe.exe.vir
    2007-05-08 11:41      49041    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\pdp.exe.exe.vir
    2007-05-08 11:44      108945    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\sony.exe.vir
    2007-05-10 12:10      687592    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\atmtd.dll._.vir
    2007-05-10 12:10      687592    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\atmtd.dll.vir
    2007-05-10 12:14      61    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\windev-peers.ini.vir
    2007-05-10 20:11      14    --a------    C:\Qoobox\Quarantine\C\Documents and Settings\LOCALS~1\APPLIC~1\NetMon\domains.txt.vir
    2007-05-10 20:11      992    --a------    C:\Qoobox\Quarantine\C\Documents and Settings\LOCALS~1\APPLIC~1\NetMon\log.txt.vir
    2007-05-11 11:18      27089    --a------    C:\Qoobox\Quarantine\C\WINDOWS\9129837.exe.vir
    2007-05-11 11:39      1536    --a------    C:\Qoobox\Quarantine\C\WINDOWS\1314734.exe.vir
    2007-05-11 11:59      1536    --a------    C:\Qoobox\Quarantine\C\WINDOWS\2515765.exe.vir
    2007-05-11 12:19      1536    --a------    C:\Qoobox\Quarantine\C\WINDOWS\3716453.exe.vir
    2007-05-11 12:39      1536    --a------    C:\Qoobox\Quarantine\C\WINDOWS\4917171.exe.vir
    2007-05-11 12:59      1536    --a------    C:\Qoobox\Quarantine\C\WINDOWS\6117859.exe.vir
    2007-05-11 13:19      1536    --a------    C:\Qoobox\Quarantine\C\WINDOWS\7318578.exe.vir
    2007-05-14 22:15      1196    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_DRIVER.reg.cf
    2007-05-14 22:15      1202    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_NEW_DRV.reg.cf
    2007-05-14 22:15      2360    --a------    C:\Qoobox\Quarantine\Registry_backups\services_new_drv.reg.cf
    2007-05-14 22:15      270    --a------    C:\Qoobox\Quarantine\Registry_backups\services_RpcApi.reg.cf
    2007-05-14 22:15      2822    --a------    C:\Qoobox\Quarantine\Registry_backups\services_Network Monitor.reg.cf
    2007-05-14 22:15      680    --a------    C:\Qoobox\Quarantine\Registry_backups\services_Driver.reg.cf
    2007-05-14 22:15      832    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_CMDSERVICE.reg.cf
    2007-05-14 22:15      836    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_CORE.reg.cf
    2007-05-14 22:15      846    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_ASPI113210.reg.cf
    2007-05-14 22:15      862    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_NETWORK_MONITOR.reg.cf
    2007-05-14 22:15      868    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_WINCOM32.reg.cf
    
    
    Folder PATH listing
    Volume serial number is 10D3-D6EE
    C:\QOOBOX
    \---Quarantine
        +---C
        |   +---Documents and Settings
        |   |   +---All Users
        |   |   |   \---Documents
        |   |   |       \---Settings
        |   |   |               desktop.ini.vir
        |   |   |               
        |   |   \---LOCALS~1
        |   |       \---APPLIC~1
        |   |           \---NetMon
        |   |                   domains.txt.vir
        |   |                   log.txt.vir
        |   |                   
        |   +---temp
        |   |   \---17O7
        |   |           tmpTF.log.vir
        |   |           
        |   \---WINDOWS
        |       |   1314734.exe.vir
        |       |   159x.exe.vir
        |       |   2515765.exe.vir
        |       |   3716453.exe.vir
        |       |   4917171.exe.vir
        |       |   6117859.exe.vir
        |       |   7318578.exe.vir
        |       |   9129837.exe.vir
        |       |   g32.txt.vir
        |       |   s32.txt.vir
        |       |   ws386.ini.vir
        |       |   
        |       \---system32
        |           |   atmtd.dll.vir
        |           |   atmtd.dll._.vir
        |           |   pdp.exe.exe.vir
        |           |   sony.exe.exe.vir
        |           |   sony.exe.vir
        |           |   win32.exe.vir
        |           |   windev-peers.ini.vir
        |           |   
        |           \---config
        |               \---SYSTEM~1
        |                   \---APPLIC~1
        |                           Install.dat.vir
        |                           
        \---Registry_backups
                LEGACY_ASPI113210.reg.cf
                LEGACY_CMDSERVICE.reg.cf
                LEGACY_CORE.reg.cf
                LEGACY_DRIVER.reg.cf
                LEGACY_NETWORK_MONITOR.reg.cf
                LEGACY_NEW_DRV.reg.cf
                LEGACY_WINCOM32.reg.cf
                services_Driver.reg.cf
                services_Network Monitor.reg.cf
                services_new_drv.reg.cf
                services_RpcApi.reg.cf

    check out all those .vir extensions! :-X

  2. #2
    Join Date
    May 2007
    Posts
    194
    wow, cool... I didn't expect it to do that little window thing. If you want me to repost without the code /code tags, I can.

    Also, just on a whim, I let my computer do a search for SpySheriff*.* and it found 22 files, but all of them are tucked away in Spybot's Recovery folder. I assume that makes them safe, but when you have 90+ Trojans, you want to make sure your bases are covered, so to speak, and thus defer to the expert!
    Last edited by StckFigure; 05-15-2007 at 05:30 PM.

  3. #3
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Empty out the Spybot recovery folder...and any other recovery folders, like the AVG Anti-spy folders. We KNOW those things were baddies and there is no reason to keep them around. In fact empty your anti-virus recovery folder too, if you have one. I only keep those things around about a week and then dump them anyway. If something you need has been removed you would certainly know within a week.
    Leave the combo log as is...I can see it and know that PP will be able to do so too.

    Wish I knew EXACTLY what site asked for the ATM, etc...but hopefully now we never will :>)

  4. #4
    Join Date
    May 2007
    Posts
    194
    Another interesting thing I notice...

    in the C:\!Killbox folder is perfc000.dat, which if you'll remember, I thought had failed being deleted. Should I try deleting it from here?

    In other news, tell me I'm overreacting by the fact that I got a hangup call from "765-4321"

  5. #5
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Delete Killbox totally. If you need it again...which I pray to every god there is, that you won't.
    Hmmm...a hang up from 765-4321...interesting...you know who that is don't you?

  6. #6
    Join Date
    May 2007
    Posts
    194
    Killbox deleted uneventfully, thank goodness, and hopefully the dat file went with it.

    No, in fact, it didn't even occur to me that that might be a REAL number! But now I googled it, and lo and behold. Ha.

  7. #7
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Who is it? I know you are kidding...aren't you?

  8. #8
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    How about running HiJackThis once more and giving us a new log...makes me nervous...but go ahead

  9. #9
    Join Date
    May 2007
    Posts
    194
    Apparently, it's some telemarketing/telephone survey repository... 765-DIAL (which is 4321). Just a convenient number, I guess. Just kind of weird, with all the computer crap going on!

    New and (oh please oh please) improved HJT log!

    Logfile of HijackThis v1.99.1
    Scan saved at 8:49:12 PM, on 5/15/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16441)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\VPN Client\cvpnd.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WinFast\WFTVFM\WFWIZ.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\TrojanHunter 4.6\THGuard.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
    C:\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
    C:\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
    C:\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Owner\Desktop\hjkths1991.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CTSysVol] C:\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinFast Schedule] C:\WinFast\WFTVFM\WFWIZ.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ATIMACE] MACE.exe
    O4 - HKLM\..\Run: [THGuard] "C:\TrojanHunter 4.6\THGuard.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Microsoft Office\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173467735984
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/14...2/cpbrkpie.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
    O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/act...cheManager.CAB
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsezu.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\VPN Client\cvpnd.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

  10. #10
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    GULP.....
    I am not going to say anything...but....
    just a couple more fixes to do .....hopefully...

    First of all go to Start, Run. Type msconfig.
    When the System Configuration Utility opens go to the Services Tab.
    Look for this;
    AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsezu.exe
    Take the checkmark out. Click Ok and close System Configuration Utility.

    Run HiJackThis and place checkmarks next to the following entries;

    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/14...2/cpbrkpie.cab

    O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsezu.exe

    Once you have placed the checkmarks then click the FIX button.
    Exit HJT.
    Don't Reboot.

    THEN go to;
    C:\WINDOWS\system32\dsezu.exe
    Delete that file noted in RED.

    Reboot.

    Keep your fingers crossed....
    Run a new HJT scan and post that new log.

    Judy
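
A log-triage sketch for the O23 step in the post above, added here as an example; it is not part of the thread or of HijackThis. It parses `O23 - Service` lines, lists the entries HijackThis labels "Unknown owner" as candidates for manual review (the label alone is not a verdict: the log above has three such entries and only one was picked for removal), and checks a follow-up log to confirm that a fixed entry is gone. The `BEFORE_LOG` lines are copied from the log in this thread; `AFTER_LOG` is constructed.

```python
import re
from typing import NamedTuple

# O23 lines copied from the HijackThis log posted in this thread.
BEFORE_LOG = r"""
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsezu.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\VPN Client\cvpnd.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
"""

# Constructed follow-up log: the same lines with the fixed entry gone.
AFTER_LOG = "\n".join(
    line for line in BEFORE_LOG.splitlines() if "dsezu.exe" not in line
)


class Service(NamedTuple):
    name: str
    owner: str
    path: str
    file_missing: bool


# name - owner - path; the path is anchored on a drive letter so " - "
# inside a service or folder name does not shift the fields. Lines whose
# path is not drive-rooted (e.g. %windir%\...) are skipped by this sketch.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)


def parse_o23(log: str) -> list[Service]:
    """Return every O23 service entry found in a HijackThis log."""
    services = []
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            services.append(Service(m["name"], m["owner"], m["path"],
                                    m["missing"] is not None))
    return services


def review_candidates(log: str) -> list[Service]:
    """Services HijackThis could not attribute to a vendor."""
    return [s for s in parse_o23(log) if s.owner == "Unknown owner"]


def unresolved(before: str, after: str) -> list[Service]:
    """Unknown-owner services from `before` still listed in `after`."""
    remaining = {(s.name, s.path.lower()) for s in parse_o23(after)}
    return [s for s in review_candidates(before)
            if (s.name, s.path.lower()) in remaining]


if __name__ == "__main__":
    for svc in review_candidates(BEFORE_LOG):
        print(svc)
```
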
