Question:
help! I have a trojan virus which shows a red circle with a white x in it. getting "download" alerts. help!
malone
2008-03-17 06:18:51 UTC
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54:54 PM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
c:\sots\KMService.exe
C:\Program Files\Marimba\Castanet Tuner\Tuner.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\progra~1\Metlife\MediaManager\MediaManager.exe
c:\MetLife\MetTask\METTASK.EXE
C:\Lotus\Notes\ntmulti.exe
C:\WINNT\system32\Prot_srv.exe
C:\WINNT\system32\pstartSr.exe
c:\winnt\system32\rcmdsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINNT\system32\igfxsrvc.exe
C:\WINNT\stsystra.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\sots\detectVPN.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Pinpoint Global\Media Room\MediaRoomClientApp.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Websense\WDC\WsUIMgr.exe
C:\WINNT\system32\braviax.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\METLIFE\LSMS3\lsms3.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Marimba\Castanet Tuner\lib\minituner.exe
C:\Program Files\Network Associates\VirusScan\SCAN32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://imetlife.metlife.com/siteminderagent/forms/singlesignon/signon.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://exwintp019.metlife.com/login.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Metropolitan Life
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [SET_PLAYER] regedit /s c:\systemp\mp3\mp3assoc.reg
O4 - HKLM\..\Run: [RoamingUser] "C:\Program Files\Marimba\Castanet Tuner\tuner.exe" -start http://as_risccast00:5282/ENT/Castanet/RoamingUser?start 1
O4 - HKLM\..\Run: [McAfeeUpdaterUI] C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE /STANDALONE
O4 - HKLM\..\Run: [DetectVPN] c:\sots\detectVPN.exe
O4 - HKLM\..\Run: [LSMS3] C:\Program Files\MetLife\LSMS3\LSMS.BAT
O4 - HKLM\..\Run: [LSMS] C:\Program Files\MetLife\LSMS3\OldLSM.BAT
O4 - HKLM\..\Run: [MediaRoomApp] C:\Program Files\Pinpoint Global\Media Room\MediaRoomClientApp.exe
O4 - HKLM\..\Run: [AWMON] C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe /custom +prefs:"C:\PROGRA~1\Lavasoft\AD-AWA~1\awsettings.awc"
O4 - HKLM\..\Run: [Pointsec Tray] C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
O4 - HKLM\..\Run: [sp2cfg] C:\WINNT\system32\mrmbtemp\xpsp2\wkix32.exe C:\WINNT\system32\mrmbtemp\xpsp2\popup.kix /i
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WsUiMgr] C:\Program Files\Websense\WDC\WsUIMgr.exe
O4 - HKLM\..\Run: [braviax] C:\WINNT\system32\braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [braviax] C:\WINNT\system32\braviax.exe
O4 - Global Startup: ADAWARE.LNK = C:\WINNT\runonce.bat
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CENSUSNT.LNK = C:\METLIFE\dlm\censusnt.bat
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NTCONECT.LNK = C:\Security\NtConect.exe
O4 - Global Startup: systray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm021YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://exwintp019.metlife.com/login.asp
O15 - Trusted Zone: *.metlife.com
O15 - Trusted Zone: *.metlife.com (HKLM)
O16 - DPF: {10B05D6E-5BFB-11D4-8920-00C04F57BB26} (KMReader Class) - https://imetlife.metlife.com/siteminderagent/forms/singlesignon/KeyMasterObj.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = metlife.com
O17 - HKLM\Software\..\Telephony: DomainName = metlife.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = metlife.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = metlife.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = metlife.com
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\program files\symantec\pcanywhere\awhost32.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: KMService - Unknown owner - c:\sots\KMService.exe
O23 - Service: Marimba - BMC Software, Inc. - C:\Program Files\Marimba\Castanet Tuner\Tuner.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: MediaManager - Unknown owner - c:\progra~1\Metlife\MediaManager\MediaManager.exe
O23 - Service: MetLife® Task List (MetLifeTaskList) - MetLife® - c:\MetLife\MetTask\METTASK.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: Pointsec - Unknown owner - C:\WINNT\system32\Prot_srv.exe
O23 - Service: Pointsec Service Start (Pointsec_start) - Unknown owner - C:\WINNT\system32\pstartSr.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Websense Desktop Client (WebsenseDesktopClient) - Websense - C:\Program Files\Websense\WDC\WDC.exe

--
End of file - 10095 bytes
Nine answers:
Michael
2008-03-17 07:21:23 UTC
This one is your problem: C:\WINNT\system32\braviax.exe. This is the only problem I can see.

http://forums.majorgeeks.com/showthread.php?t=151498

SuperAntiSpyware has it in their definitions, so it should remove it. This is free for personal use.

http://www.fileresearchcenter.com/B/BRAVIAX.EXE-12273.html

Download from the link below, and it would be advisable to scan in safe mode if it does not remove in normal mode. If it is still there after that, you will have to turn off System Restore, scan again, reboot, and if it is gone turn System Restore back on. This will create a new restore point without the braviax.exe.
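The answer above spots braviax.exe by eye. As an added example (not part of any answer on this page, and not a HijackThis feature), here is a small Python parser for the O4 and O23 line types in the log format above. It is run over a constructed sample made of lines copied from the posted log and reports two things a triager would look at first: executables registered under more than one Run hive (braviax.exe sits in both HKLM and HKCU), and services whose binary carries no company name ("Unknown owner"). Both are leads rather than verdicts; in the log above Pointsec, a legitimate disk-encryption product, also shows as "Unknown owner". The regular expressions and helper names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [braviax] C:\WINNT\system32\braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [braviax] C:\WINNT\system32\braviax.exe
O4 - HKLM\..\Run: [SET_PLAYER] regedit /s c:\systemp\mp3\mp3assoc.reg
O23 - Service: KMService - Unknown owner - c:\sots\KMService.exe
O23 - Service: Pointsec - Unknown owner - C:\WINNT\system32\Prot_srv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# O4 Run-key entries: "O4 - <hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 services: "O23 - Service: <display name> - <owner> - <binary path>"
SERVICE_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First executable-looking token of a Run command, quoted or not (unquoted paths with
# spaces are common in these logs, so a plain split on whitespace would cut them).
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|bat|cmd|dll))(?:"|\s|$)', re.IGNORECASE)


def executable_of(cmd: str) -> str:
    """Return the program a Run command launches; fall back to its first token."""
    m = EXE_RE.match(cmd.strip())
    if m:
        return m.group("path")
    parts = cmd.strip().split()
    return parts[0] if parts else ""


def parse_hjt(text: str) -> dict:
    """Split a HijackThis log into O4 Run entries and O23 services; other line types are ignored."""
    run, services = [], []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            run.append({"hive": m["hive"], "name": m["name"], "path": executable_of(m["cmd"])})
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append({"display": m["display"], "owner": m["owner"], "path": m["path"]})
    return {"run": run, "services": services}


def multi_hive_run_entries(run_entries) -> dict:
    """Executables registered under more than one Run hive, keyed by lower-cased path.

    A program that installs itself for all users (HKLM) and the current user (HKCU)
    at the same time is unusual for legitimate software and worth a closer look."""
    hives = defaultdict(set)
    for e in run_entries:
        hives[e["path"].lower()].add(e["hive"])
    return {p: sorted(h) for p, h in hives.items() if len(h) > 1}


def unknown_owner_services(services) -> list:
    """Service binaries whose version info carries no company name ("Unknown owner").

    Only a lead: legitimate enterprise software (Pointsec in the log above) shows the same way."""
    return [s["path"] for s in services if s["owner"] == "Unknown owner"]


if __name__ == "__main__":
    report = parse_hjt(SAMPLE_LOG)
    for path, hives in multi_hive_run_entries(report["run"]).items():
        print(f"Run entry in {', '.join(hives)}: {path}")
    for path in unknown_owner_services(report["services"]):
        print(f"Service with unknown owner: {path}")
```

Run against the sample, the only path present in both Run hives is c:\winnt\system32\braviax.exe, and two services are flagged for an unknown owner. Neither check replaces looking up the binary; they just order the list of what to look up first.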
Melody
2016-08-24 00:22:51 UTC
2
2008-03-17 06:22:26 UTC
Step 1: Make sure that you have an up to date antivirus program. If you don't, install AVG. You should only have one antivirus program. (If you need to uninstall your antivirus, use RevoUninstaller)

Step 2: Visit the Google Pack website, and use it to download Spyware Doctor.

Step 3: Download and install ThreatFire.

Step 4: Make sure to use Mozilla's Firefox from here on out. Also, install the Adblock Plus add-on for it.

Step 5: Make sure that you have a firewall program on your computer. If you don't, install Comodo.

This is just a quick summary of what you should do. For other recommended programs, and their optimal settings, visit my guide on the matter. http://prometechus.blogspot.com/2007/09/viruses-spyware.html FEEL FREE TO IM ME IF YOU HAVE ANY QUESTIONS.

I also noticed that you're running an outdated version of Internet Explorer. I would suggest that you visit the Microsoft Update website, click on the Custom button, and download all the available updates, including IE7. The scans that the IE installer does may help make this process easier.
Manny
2008-03-17 07:03:31 UTC
Everyone is correct. However, cleaning a virus is sometimes very hard. If you manage to eradicate the virus from your machine, I suggest installing a technology to wipe out any infection at boot time.

Deep Freeze and Returnil are two pieces of software that protect your computer from trojans, malware, etc.

Your computer will still get infected by viruses and other trojans when you browse to P2P sites or others. However, as soon as you reboot your PC it will revert to its original locked state, wiping out all the changes made to the OS, so you will have a clean PC every time you boot.

Now I don't have antivirus software on my machine. I still have a firewall to make sure I can block inbound/outbound traffic while infected (to be able to detect the anomalies so I can reboot and clean the PC, and to protect from any file transfer of confidential info stored in my PC).

Also, if you don't get Deep Freeze or Returnil, you can get Sandboxie to create a virtual sandbox for Internet Explorer that isolates your computer from your bad browsing habits. However, this does not protect you from software installs that you download; that would be the job of Deep Freeze or Returnil.

Hope this helps everyone.
mable
2016-05-31 01:08:27 UTC
Try using an antivirus that you know is legit. A few examples would be Norton, McAfee, NOD, Avast. If that does not take care of the problem, a worst case scenario would be to reformat your hard drive.
BALLIN"
2008-03-17 06:30:30 UTC
Install the Kaspersky Antivirus 7 trial version from www.kaspersky.com, update it and make a full scan of your computer. It will find all viruses that AVG or any other antivirus software missed and delete them. Besides that, it will get your operating system into good working condition.

Believe me.
SPACEGUY
2008-03-17 06:32:27 UTC
I suggest you do the following to find this so you can get rid of it:

Update and use your own antivirus, or download one of the antivirus tools below, along with Spyware Doctor, update them, and restart your computer in safe mode (tap F8 during startup). Then scan with the antivirus and Spyware Doctor while in safe mode; this should find it so you can remove it. Please note that you should only run one antivirus on your computer at one time.

Avira Antivirus free (Recommended)

http://www.free-av.com/antivirus/allinonen.html

PC Tools free antivirus, free. Note: only run one antivirus at a time.

http://www.pctools.com/free-antivirus/

Kaspersky free antivirus. Note: you should only run one antivirus at a time.

http://usa.kaspersky.com/products_services/free-virus-scanner.php

This is a free antivirus tool called AVG Free. Note: you should only run one antivirus at a time.

http://free.grisoft.com/doc/downloads-products/us/frt/0?prd=aff

The free edition of Spyware Doctor, the best for removing spyware, adware and malware; it finds backdoor trojans and it's free. (Recommended)

http://www.download.com/Spyware-Doctor-Starter-Edition/3000-8022_4-10754824.html

SG
Lolita Lempicka
2008-03-17 06:25:58 UTC
update your antivirus software

scan your pc in safe mode
2008-03-18 06:54:07 UTC
I'm not sure about the entries in the HijackThis log, but I've noticed braviax.exe, so you definitely need braviax removal: http://www.2-spyware.com/remove-braviax.html


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.