PLEASE SEE THESE ATTACHMENTS!!!
My friend scanned the whole system with the avast! boot-scan, also scanned with MBAM, and scanned overnight with Panda Cloud Antivirus ( >:( ), but it is still infected!!!
Post the MBAM log here.
Download and run HijackThis and post the log here: http://filehippo.com/download_hijackthis/
Then someone who can read these logs will help you.
I suggest (at least) the general cleaning procedure:
Braviax is a known trojan for fake AVs. Get rid of it.
HijackThis is not working on this system!
Read this log, please.
I see you are still running WinXP SP2, and WinXP SP3 has been available for over a year, so you should go to Tools then Windows Update in Internet Explorer and install all updates, as it provides performance enhancements and several Critical updates.
Go to Control Panel then Automatic Updates and enable at least "Notify me but do not download updates".
Download and install User Profile Hive Cleanup Service:
Brief Description
A service to help with slow log off and unreconciled profile problems.
http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en
Install IE8 as it is faster and safer than IE6:
Stay Safer Online
http://www.microsoft.com/windows/internet-explorer/features/safer.aspx
Accelerators
http://www.microsoft.com/windows/internet-explorer/features/faster.aspx
Windows uses IE for everything so it should be updated and made safe.
Run the Secunia Online Software Inspector to see which applications are vulnerable:
http://secunia.com/vulnerability_scanning/online
Get Malwarebytes Anti-Malware (MBAM), update it, then run a Quick scan and let it remove all it finds:
http://www.malwarebytes.org/mbam.php
Post its log here after it completes.
If HJT is not working there may be a deeper problem.
Please save this file to your desktop. Double-click on it to run a scan. When it’s finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
THEN
Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).
http://sites.google.com/site/sysprotantirootkit/
Unzip it into a folder on your desktop.
Start the Sysprot.exe program.
[*] Click on the Log tab.
[*] In the Write to log box select all items.
[*] Click on the Create Log button on the bottom right.
[*] After a few seconds a new Window should appear.
[*] Make sure Scan all drives is selected and click on the Start button.
[*] When it is complete a new Window will appear to indicate that the scan is finished.
[*] The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.
Hi essexboy,
Is this new tool Win32kDiag.exe along the same lines as HJT but more powerful? The only reason I ask is that I thought I would check it out but it failed to run.
Log file is located at: C:\Documents and Settings\UserName\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching ‘C:\WINDOWS’…
Finished!
XP Pro user with admin privileges.
Hi David - no, all this tool does is search for junctions that malware places on the system to stop any anti-malware programmes running. If it shows nothing you are clean.
An example of an infected report (the bolded file is the one that is infected by the malware so that it runs every time you boot):
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706
Mount point destination : \Device__max++>^
Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945
Mount point destination : \Device__max++>^
Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281
Mount point destination : \Device__max++>^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-10 03:00:00 55808 C:\WINDOWS$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
[1] 2004-08-10 03:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)
Finished!
And this is one of the junctions that was added, with the bolded part showing what the mount point will run:
Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281
Mount point destination : \Device__max++>^
It actually worked well on your system. The information then allows us to replace the bad file, remove the junctions and reset the permissions.
Hope that makes sense.
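As an added illustration (not code from the thread or from Win32kDiag itself), this script reads a Win32kDiag-style report like the one quoted above and flags the two things essexboy explains: junctions whose destination is the malware's device name, and a system file whose copy in system32 has no publisher and a different size from the Service Pack backup copies. The sample log is constructed from the lines in the post.

```python
import re

# Constructed sample, modelled on the infected report quoted in the thread.
SAMPLE_LOG = """WARNING: Could not get backup privileges!
Searching 'C:\\WINDOWS'...
Found mount point : C:\\WINDOWS\\$hf_mig$\\KB904706\\KB904706
Mount point destination : \\Device__max++>^
Found mount point : C:\\WINDOWS\\$hf_mig$\\KB912945\\KB912945
Mount point destination : \\Device__max++>^
Cannot access: C:\\WINDOWS\\system32\\eventlog.dll
[1] 2004-08-10 03:00:00 55808 C:\\WINDOWS\\$NtServicePackUninstall$\\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 56320 C:\\WINDOWS\\ServicePackFiles\\i386\\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 62464 C:\\WINDOWS\\system32\\eventlog.dll ()
[2] 2008-04-13 17:11:53 56320 C:\\WINDOWS\\system32\\logevent.dll (Microsoft Corporation)
Finished!
"""

# "[count] date time size path (publisher)" as Win32kDiag prints file copies.
FILE_RE = re.compile(r"^\[(\d+)\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")

def parse_win32kdiag(text):
    """Split a report into junctions, unreadable paths and file copies."""
    report = {"mount_points": [], "inaccessible": [], "files": []}
    pending = None  # junction path waiting for its destination line
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Found mount point : "):
            pending = line[len("Found mount point : "):]
        elif line.startswith("Mount point destination : ") and pending:
            report["mount_points"].append((pending, line[len("Mount point destination : "):]))
            pending = None
        elif line.startswith("Cannot access: "):
            report["inaccessible"].append(line[len("Cannot access: "):])
        else:
            m = FILE_RE.match(line)
            if m:
                report["files"].append({"size": int(m.group(3)), "path": m.group(4), "company": m.group(5)})
    return report

def assess(report):
    """Return human-readable findings: every junction, plus any unsigned copy of a
    file whose size differs from the copies that still carry a publisher name."""
    findings = [f"junction {path} -> {dest}" for path, dest in report["mount_points"]]
    findings += [f"cannot access {p}" for p in report["inaccessible"]]
    by_name = {}
    for f in report["files"]:
        by_name.setdefault(f["path"].rsplit("\\", 1)[-1].lower(), []).append(f)
    for copies in by_name.values():
        backups = {c["size"] for c in copies if c["company"]}
        for c in copies:
            if not c["company"] and backups and c["size"] not in backups:
                findings.append(f"suspicious {c['path']}: no publisher, size {c['size']} vs backups {sorted(backups)}")
    return findings

if __name__ == "__main__":
    for line in assess(parse_win32kdiag(SAMPLE_LOG)):
        print(line)
```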
Thanks for the update.
Just for kicks, I decided to run Win32kDiag.exe also.
Thankfully, nothing was found … just as I would expect.
Log Created.
HijackThis is Fixed.
OK, you do not have the bad one, but you do have a trojan downloader.
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
Double click on Combo-Fix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the C:\ComboFix.txt .
Very many thanks
pondus; Tech; YoKenny; essexboy;
Every type of malware deleted.