
Thread: Help - trying to remove BraveSentry etc

  1. #81
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Tell you what StckFigure, think I am going to have to sign off...it is nearly 1:30 and 7 a.m. comes awfully early...have to take grandkids to school in the morning. Let the AVG run and tell it to clean everything. Give it a good look and see where all is located. Note any new items by comparing your AVG scans. Hopefully, we won't have anything new pop up, just the stuff in System Restore.
    Judy

    P.S. Keep this computer off the internet until we are absolutely certain all is removed. Of course the Killbox will need to be downloaded...can you download to another computer and save it to a disk and then run it that way?

  2. #82
    Join Date
    May 2007
    Posts
    194
    AVG's found a new one - Proxy.Xorpix.m. It's up to F:\System Files or something like that, so it's past the MP3 folder and pretty much just has the Windows folder ahead. Might be done in an hour, if I can stay up that long I'll post the complete log though when it is done.

  3. #83
    Join Date
    May 2007
    Posts
    194
    Ha, we posted over each other again. Yes, please don't let your sleep revolve around me! I'm keeping the computer off the 'net; I've downloaded Killbox to this computer and I'll be able to transfer it.

  4. #84
    Join Date
    May 2007
    Posts
    194
    Okay, just to get it out of the way, yes, it's 3:15.

    AVG finished, and the log is posted... two were from system recovery and the third was that a3dxx.dll file!

    But. I rebooted into Normal mode to run Killbox before I realized this (namely, AVG got rid of a3dxx, so there's nothing for killbox to kill!). After the computer booted, I got the little yellow bubble telling me that there were Windows updates available. After realizing that I didn't need Killbox, I shut down and am right now looking at the windows logo shutdown screen except it also is flashing between "Installing update x of 9" and "Do not turn off or unplug your computer. It will turn off automatically." (The x of course is a number 1 to 9). Now, normally this wouldn't worry me at all, and to my eye looks completely normal. I don't even know if the nasties could do what I'm seeing. However, since I haven't been connected to the Internet, and I've gone through normal mode a couple times before this, I don't know where the updates CAME from. But it convinced me enough to let it run its course and shut down, because I decided for no real reason that, if it was installing nasties, that could be taken care of, but if it was an actual Windows thing installing real updates and it didn't want me to shut off the computer, then it might cause bigger problems if I did. I hope you followed that... like I said, it's 3:15 AM :-X

    So now my computer's installing 7 of 9 - which is great if you're a Star Trek fan - and then presumably will shut down and go to bed, just as I hope to do.

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 3:02:21 AM 5/14/2007

    + Scan result:



    C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP507\A0182842.exe -> Downloader.Nurech.bh : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\a3dxx.dll -> Proxy.Xorpix.m : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP507\A0182841.sys -> Rootkit.Agent.ef : Cleaned with backup (quarantined).


    ::Report end

  5. #85
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I am very leery about the "Windows Updates" being installed since, as you say.....
    However, since I haven't been connected to the Internet, and I've gone through normal mode a couple times before this, I don't know where the updates CAME from.
    You CAN'T get Windows Updates unless you are online. There shouldn't have been any Windows Updates to get....

    AND the file you were supposed to use Killbox on was NOT
    C:\WINDOWS\system32\a3dxx.dll that was no longer showing in the latest HJT log.
    The one to use Killbox on was this one;

    C:\WINDOWS\SYSTEM32\perfc000.dat

    Boy! This is really something! There just shouldn't have been any Windows Updates to install and we know that "something" installed.
    This is unbelievable. I have never run into anything like this.
    The ONE thing I do notice is how small the AVG log is...It found very little this time. Which is a good sign I believe. But now this Windows Update makes me really think there has to be a rootkit hiding someplace and it just hasn't been found.

    Whatever you do, DON'T hook this computer up to the internet. Be sure the plug is removed from the back of the computer.
    Let me contact PhilliePhan and see if he will take a look at all this, he knows much more than I do. Maybe he can give us a clue as to what else we can do to try to rid this thing of whatever is sitting in there.
    Do use the Killbox on that file I just noted, it was still showing in the latest HJT log.

    And I hate to say this...but run another AVG Anti-spy, I know it takes forever but we have to see if something else has been put back on the computer.
    I will get back with you as soon as possible
    Judy

  6. #86
    Join Date
    May 2007
    Posts
    194
    Ahhh... of course it was. It would help if I had checked back :-X

    The "Windows Update" thing hung on 7 of 9; I woke up and it was still there. I've turned the computer off on it; I'm going to boot into Normal Mode now and Killbox that file, then I'm going to go into AVG and start a new scan.

  7. #87
    Join Date
    May 2007
    Posts
    194
    Oh, and the ethernet cable is completely removed from the computer; there's no way it could have gotten anything on the Internet. The only possibilities that I can see are 1) There were actual Windows updates that something was blocking from being installed/recognized, and that something got removed or 2) There weren't actual updates and something pretended that there were. Could be something I'm not thinking of though.

  8. #88
    Join Date
    May 2007
    Posts
    194
    P.S. Do I want to click "End Explorer Shell While Killing File"? I don't know what that means.

    I'm going to reorder and do the AVG first now, because I have to be somewhere for a couple hours, so I may as well let it go; I'll Killbox after if needed, because by then I'll have a reply from you on this question, too.

  9. #89
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Quote Originally Posted by StckFigure View Post
    P.S. Do I want to click "End Explorer Shell While Killing File"? I don't know what that means.
    NO. Unless something is noted in the instructions then don't worry about it. We will only give the instructions necessary. If something is not mentioned then ignore it. If something is necessary then instructions will be given.

  10. #90
    Join Date
    May 2007
    Posts
    194
    AVG had found nothing upon my return -- it was up to C:\Program Files -- so I cancelled it and went ahead and Killbox-ed that .dat file. Here's a new HJT log, in case it helps. I've also reset AVG while I wait on hearing back from you about the Windows update thing. For the sake of doing it speedily, I'm going to do the Fast System Scan though, because that will get the registry and Windows directory and that way, if it does find something in those most likely places, it will be done faster so I can do something about it. I imagine you'll want me to do a full system scan too, but I'm going to wait on that until I hear back from you about everything else, since it takes so long. I seem to have no problems so far resulting from the system hanging on 7 of 9, and so far it hasn't asked me to install updates again (presumably, numbers 8 and 9 wouldn't've gotten installed).

    Logfile of HijackThis v1.99.1
    Scan saved at 3:09:57 PM, on 5/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16441)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\VPN Client\cvpnd.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WinFast\WFTVFM\WFWIZ.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\TrojanHunter 4.6\THGuard.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
    C:\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
    C:\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Owner\Desktop\hjkths1991.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CTSysVol] C:\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinFast Schedule] C:\WinFast\WFTVFM\WFWIZ.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ATIMACE] MACE.exe
    O4 - HKLM\..\Run: [THGuard] "C:\TrojanHunter 4.6\THGuard.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Microsoft Office\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173467735984
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/14...2/cpbrkpie.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
    O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/act...cheManager.CAB
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsezu.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\VPN Client\cvpnd.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
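As an added triage example (not code from the thread, from HijackThis or from AVG), the Python below walks HijackThis-style log lines and flags the two entry types the thread turned on: an O20 AppInit_DLLs value (the perfc000.dat entry Judy pointed Killbox at) and O23 services listed with no vendor string. The sample log is constructed from a few lines modelled on the log above, and the heuristics mark review candidates, not verdicts.

```python
import re

# Constructed sample in HijackThis v1.99.1 log format; a handful of lines
# modelled on the thread's log, not a copy of it.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [THGuard] "C:\TrojanHunter 4.6\THGuard.exe"
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsezu.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""

APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def triage_hjt(log_text):
    """Return review candidates as dicts with 'severity', 'line' and 'reason'."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that maps user32.dll,
            # so any value here deserves a look; a non-.dll name is doubly odd.
            reason = "AppInit_DLLs entry: loaded into every process that uses user32.dll"
            if not m.group("path").lower().endswith(".dll"):
                reason += "; file does not even carry a .dll extension"
            findings.append({"severity": "high", "line": line, "reason": reason})
            continue
        m = SERVICE_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            if m.group("missing"):
                # Binary is gone: a stale registration, clean up but low priority.
                sev, why = "low", "service points at a missing binary (stale entry)"
            else:
                sev, why = "high", "service has no vendor string and its binary is present"
                # An all-caps leading token (AFSEGTGF) looks auto-generated.
                if re.match(r"^[A-Z]{6,}\b", m.group("name")):
                    why += "; all-caps leading token in the service name looks auto-generated"
            findings.append({"severity": sev, "line": line, "reason": why})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{f['severity']}] {f['line']}\n    {f['reason']}")
```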
