Unable to remove virus

Having a lot of trouble getting rid of a virus on my computer! Have tried a lot of advice given on this forum, but nothing seems to have worked.
So far I’ve tried:

Running avast (it locates a number of viruses/Trojans but does not seem to delete them, or else cannot delete them: cannot move to chest as currently being used by another program).
Running spybot (seems to be quite crap!)
Running malware. This was a lot better than spybot for finding the issues (found 14 as opposed to the three spybot found) but still does not seem to have worked at actually removing the viruses
Running all of the above in safe mode. Does not succeed in removing the viruses; when I reboot the viruses return (in the case of avast it still cannot remove the viruses in safe mode).
Doing a scan during reboot. Scans until about 5% and then skips back to normal booting.

Any help or tips?? Getting pretty desperate at this point and considering just re-installing. Thanks in advance.

Why can’t it deal with them, e.g. what error messages are displayed?

What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section; this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

  • Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

You say you have tried a lot of advice; what ‘exactly’ have you tried, or we don’t know what else to suggest.

Hi David, thanks for the reply. Apologies for the lack of specifics, I’ll have to wait until I get home to access my laptop and provide these details.
Two of the viruses that I came across ended with figaro.sys and beep.sys, and the most persistent message from avast was that AVAST could not access the file because it is in use by another process… but I’ll try to come up with more concrete details when I get home.

Well the reasons/errors given should be overcome by the use of the boot-time scan (you didn’t say if you tried this) as they shouldn’t be in use before windows starts.

I’ve tried the boot-time scan alright. It’s what I meant by “scan during reboot”; afraid I’m not too clear on some of these terms! When I run the boot-time scan it runs fine up until 5% of the scan is completed and then jumps from there back to normal boot-up. Now, I’ve never run one of these scans before, but I presume the boot-time scan should run up to 100%?!
Thanks again for your help.

avast scans during boot as it is an on-access scanner: as files are accessed they are scanned (depending on file type). This is entirely different to a boot-time scan (see image). I don’t rely on the % complete, but if avast completes the scan without detection then windows boots normally.

The scan I performed was the one you have attached in the image. It gave me no error message during the scan and booted normally (if ignoring the % completed) after about 5 minutes scanning. However avast warning messages appear almost immediately once windows is launched.

Someone else posted yesterday about figaro.sys/beep.sys. Have a look at the post, especially the possible need to replace the infected beep.sys once the rootkit is removed. Also, if you could run rootrepeal, as in the other post, and post a log here:

http://forum.avast.com/index.php?topic=47595.msg401544#msg401544

Thanks, this looks like almost exactly the same issues except for the windows file protection message that I have not seen (as yet).

Below is the logfile from Hijack This program. Unfortunately it doesn’t mean much to me, any help would be much appreciated!
I am currently unable to run my laptop except using safe mode as it seems windows is damaged. If I boot up normally I get a message on a bright blue background saying “A problem has been detected and windows has been shut down to prevent damage to your computer…”

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:45, on 17/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\braviax.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Fergus Brett\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [msword98] C:\WINDOWS\system32\msword98.exe
O4 - HKLM\..\Run: [PC Antispyware 2010] "C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [msword98] C:\Documents and Settings\Fergus Brett\msword98.exe
O4 - HKUS\S-1-5-18\..\Run: [braviax] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [braviax] (User 'Default user')
O4 - Startup: ikowin32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.manifest.co.uk/Remote/msrdp.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


End of file - 6263 bytes

And here I’ve attached the root repeal log.

And thirdly here’s the malware log, I’ve run the fixes and received a message saying some files will only be removed after reboot.

Malwarebytes’ Anti-Malware 1.40
Database version: 2616
Windows 5.1.2600 Service Pack 2 (Safe Mode)

17/08/2009 10:40:51
mbam-log-2009-08-17 (10-40-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 163878
Time elapsed: 39 minute(s), 47 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 4
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 44

Memory Processes Infected:
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe (Rogue.Multiple) → Unloaded process successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) → Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\PC_Antispyware2010\htmlayout.dll (Rogue.AntiVirusPro2009) → Delete on reboot.
C:\WINDOWS\system32\_scui.cpl (Rogue.HomeAntiVirus) → Delete on reboot.
C:\Program Files\PC_Antispyware2010\AVEngn.dll (Rogue.PC_Antispyware2010) → Delete on reboot.
C:\Program Files\PC_Antispyware2010\pthreadVC2.dll (Rogue.PC_Antispyware2010) → Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC_Antispyware2010 (Rogue.PC_Antispyware2010) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PC_Antispyware2010 (Rogue.PC_Antispyware2010) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msword98 (Trojan.FakeAlert.H) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msword98 (Trojan.FakeAlert.H) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pc antispyware 2010 (Rogue.Multiple) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\PC_Antispyware2010 (Rogue.PC_Antispyware2010) → Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\data (Rogue.PC_Antispyware2010) → Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT (Rogue.PC_Antispyware2010) → Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Fergus Brett\msword98.exe (Trojan.FakeAlert.H) → Quarantined and deleted successfully.
C:\WINDOWS\system32\msword98.exe (Trojan.FakeAlert.H) → Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\40ASQX4L\Install[1].exe (Rogue.PC_Antispyware2010) → Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\htmlayout.dll (Rogue.AntiVirusPro2009) → Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe (Rogue.Multiple) → Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Uninstall.exe (Rogue.PC_Antispyware2010) → Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\wscui.cpl (Rogue.HomeAntiVirus) → Quarantined and deleted successfully.
C:\System Volume Information\_restore{E0FB2674-B7A1-4288-A016-D54A04472150}\RP1\A0002008.sys (Trojan.KillAV) → Quarantined and deleted successfully.
C:\System Volume Information\_restore{E0FB2674-B7A1-4288-A016-D54A04472150}\RP1\A0002009.sys (Trojan.KillAV) → Quarantined and deleted successfully.
C:\System Volume Information\_restore{E0FB2674-B7A1-4288-A016-D54A04472150}\RP1\A0002010.sys (Trojan.KillAV) → Quarantined and deleted successfully.
C:\System Volume Information\_restore{E0FB2674-B7A1-4288-A016-D54A04472150}\RP1\A0004024.sys (Trojan.KillAV) → Quarantined and deleted successfully.
C:\System Volume Information\_restore{E0FB2674-B7A1-4288-A016-D54A04472150}\RP1\A0004034.sys (Trojan.KillAV) → Quarantined and deleted successfully.
C:\System Volume Information\_restore{E0FB2674-B7A1-4288-A016-D54A04472150}\RP1\A0004035.sys (Trojan.KillAV) → Quarantined and deleted successfully.
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\WINDOWS\system32\wisdstr.exe (Rogue.PC_Antispyware2010) → Quarantined and deleted successfully.
C:\WINDOWS\system32\_scui.cpl (Rogue.HomeAntiVirus) → Delete on reboot.
C:\WINDOWS\system32\dllcache\beep.sys (Trojan.KillAV) → Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\figaro.sys (Trojan.KillAV) → Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) → Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\AVEngn.dll (Rogue.PC_Antispyware2010) → Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.cfg (Rogue.PC_Antispyware2010) → Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\pthreadVC2.dll (Rogue.PC_Antispyware2010) → Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\data\daily.cvd (Rogue.PC_Antispyware2010) → Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.PC_Antispyware2010) → Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.PC_Antispyware2010) → Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.PC_Antispyware2010) → Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.PC_Antispyware2010) → Quarantined and deleted successfully.
C:\Documents and Settings\Fergus Brett\Application Data\wiaserva.log (Malware.Trace) → Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv021250109698.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv171250109698.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv211250109698.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv241250315064.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv261250109698.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv371250315064.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv621250109698.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv671250315064.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv781250315064.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv791250315064.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\Fergus Brett\delself.bat (Malware.Trace) → Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) → Quarantined and deleted successfully.
C:\WINDOWS\braviax.exe (Trojan.Downloader) → Quarantined and deleted successfully.

Wow, you have some crap there. Run HJT again; IF these entries are still there, then fix them. Close any other applications, open HJT, choose scan only. Place ticks next to the following entries, choose fix, reboot.

C:\WINDOWS\system32\braviax.exe
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe
O4 - HKLM\..\Run: [msword98] C:\WINDOWS\system32\msword98.exe
O4 - HKLM\..\Run: [PC Antispyware 2010] "C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe" /hide
O4 - HKCU\..\Run: [msword98] C:\Documents and Settings\Fergus Brett\msword98.exe
O4 - HKUS\S-1-5-18\..\Run: [braviax] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [braviax] (User 'Default user')
O4 - Startup: ikowin32.exe

Your rootrepeal log is gobbledygook on my pc.
Can you then run mbam, hjt, and rootrepeal, and post fresh logs?

Also go to virustotal, and upload regedit.exe from C:\WINDOWS\system32\regedit.exe and post the results: http://www.virustotal.com/

I think C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) → Quarantined and deleted successfully will return on reboot.

The regedit.exe file isn’t in the system32 folder in XP (it is normally in the windows folder), so it is highly suspect; also send it to avast, see below.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
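The helpers above are applying a few defender heuristics by eye to the HijackThis O4 (autorun) lines: an autorun value with no file behind it, a system binary such as regedit.exe living outside the folder XP keeps it in, the same value name registered under two hives pointing at different files, and a program started with a hide switch. The script below is an added example that automates exactly that triage over a sample of the O4 lines posted in this thread; it is not part of HijackThis or of the thread, and the expected location table and the rule set are this example's own assumptions.

```python
"""Triage HijackThis O4 (autorun) entries with defender heuristics.

Added example, not part of the forum thread or of HijackThis itself.
The sample lines below are copied from the HJT log posted in the thread;
the heuristics and EXPECTED_DIR are assumptions of this example.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the O4 lines posted in the thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [msword98] C:\WINDOWS\system32\msword98.exe
O4 - HKLM\..\Run: [PC Antispyware 2010] "C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msword98] C:\Documents and Settings\Fergus Brett\msword98.exe
O4 - HKUS\S-1-5-18\..\Run: [braviax] (User 'SYSTEM')
O4 - Startup: ikowin32.exe
"""

# Where a Windows XP system binary is expected to live (assumption: on XP,
# regedit.exe ships in the Windows folder, not in system32).
EXPECTED_DIR = {"regedit.exe": r"c:\windows"}
HIDE_SWITCHES = {"/hide", "-hide"}

RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<cmd>.*)$")
USER_TAG_RE = re.compile(r"\(User '[^']*'\)\s*$")


def split_command(cmd):
    """Return (executable_path, argument_string) from an HJT command field."""
    cmd = USER_TAG_RE.sub("", cmd).strip()  # drop HJT's "(User 'SYSTEM')" tag
    if not cmd:
        return "", ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    # Unquoted paths may contain spaces: cut right after the first ".exe".
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    return cmd, ""


def parse_o4(text):
    """Parse O4 Run and Startup lines into dicts (hive, name, exe, args)."""
    entries = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            exe, args = split_command(m.group("cmd"))
            entries.append({"hive": m.group("hive"), "name": m.group("name"), "exe": exe, "args": args})
            continue
        m = STARTUP_RE.match(line)
        if m:
            exe, args = split_command(m.group("cmd"))
            entries.append({"hive": "Startup", "name": exe, "exe": exe, "args": args})
    return entries


def triage(text):
    """Return {value_name: [reasons]} for autorun entries a defender should review."""
    entries = parse_o4(text)
    files_by_name = defaultdict(set)
    for e in entries:
        files_by_name[e["name"].lower()].add(e["exe"].lower())

    findings = defaultdict(list)
    for e in entries:
        name, exe = e["name"], e["exe"].lower()
        directory, _, base = exe.rpartition("\\")
        if not exe:
            findings[name].append("autorun value with no file path")
        elif not directory:
            findings[name].append("bare filename, no directory")
        if base in EXPECTED_DIR and directory != EXPECTED_DIR[base]:
            findings[name].append("system binary %s outside %s" % (base, EXPECTED_DIR[base]))
        parts = directory.split("\\")
        if len(parts) == 3 and parts[1] == "documents and settings":
            findings[name].append("executable directly in a user profile root")
        if len(files_by_name[name.lower()]) > 1:
            findings[name].append("same value name registered with different files across hives")
        if any(tok.lower() in HIDE_SWITCHES for tok in e["args"].split()):
            findings[name].append("started with a hide switch")
    return dict(findings)


if __name__ == "__main__":
    for value_name, reasons in sorted(triage(SAMPLE_HJT).items()):
        print(value_name, "->", "; ".join(reasons))
```

Entries that trip no rule (SynTPEnh, avast!, iTunesHelper, ctfmon.exe) are left out of the result; everything the helpers told the poster to fix is flagged with the reason.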

Hey guys

Many thanks for your help on this. I’ve sent the file away to avast (I presume you both meant regedt.exe rather than regedit.exe??)
I was not too sure how to post the details from virustotal, they gave me a link so here is that link. If I need to do something else let me know.
I’ve attached new log for hijack this and for root repeal and deleted the files suggested. I rebooted, but only to safe mode. Let me know if you think I should try a full reboot.

I’m currently re-running the malware scan and will post results when completed.

Forgot the link to virustotal, here it is!

http://www.virustotal.com/analisis/db6aef6ee3e98498dccc554a876fe70cd250f2e28f41f4cb7371af3148b6163f-1250499946

Here’s the malware log

Malwarebytes’ Anti-Malware 1.40
Database version: 2616
Windows 5.1.2600 Service Pack 2 (Safe Mode)

18/08/2009 18:57:50
mbam-log-2009-08-18 (18-57-46).txt

Scan type: Full Scan (C:\|)
Objects scanned: 164488
Time elapsed: 40 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pc_antispyware2010 (Rogue.PC_Antispyware2010) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\PC_Antispyware2010 (Rogue.PC_Antispyware2010) → No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pc antispyware 2010 (Rogue.Multiple) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) → No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.

Folders Infected:
C:\Program Files\PC_Antispyware2010 (Rogue.PC_Antispyware2010) → No action taken.
C:\Program Files\PC_Antispyware2010\data (Rogue.PC_Antispyware2010) → No action taken.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT (Rogue.PC_Antispyware2010) → No action taken.

Files Infected:
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe (Rogue.Multiple) → No action taken.
C:\Avenger\_scui.cpl (Rogue.HomeAntiVirus) → No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\PJQOZLCM\Install[1].exe (Rogue.PC_Antispyware2010) → No action taken.
C:\Program Files\PC_Antispyware2010\htmlayout.dll (Rogue.AntiVirusPro2009) → No action taken.
C:\Program Files\PC_Antispyware2010\Uninstall.exe (Rogue.PC_Antispyware2010) → No action taken.
C:\Program Files\PC_Antispyware2010\wscui.cpl (Rogue.HomeAntiVirus) → No action taken.
C:\System Volume Information\_restore{E0FB2674-B7A1-4288-A016-D54A04472150}\RP1\A0004060.sys (Trojan.KillAV) → No action taken.
C:\System Volume Information\_restore{E0FB2674-B7A1-4288-A016-D54A04472150}\RP1\A0004064.sys (Trojan.KillAV) → No action taken.
C:\System Volume Information\_restore{E0FB2674-B7A1-4288-A016-D54A04472150}\RP1\A0004065.sys (Trojan.KillAV) → No action taken.
C:\WINDOWS\system32\wisdstr.exe (Rogue.PC_Antispyware2010) → No action taken.
C:\WINDOWS\system32\_scui.cpl (Rogue.HomeAntiVirus) → No action taken.
C:\WINDOWS\system32\dllcache\beep.sys (Trojan.KillAV) → No action taken.
C:\WINDOWS\system32\dllcache\figaro.sys (Trojan.KillAV) → No action taken.
C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) → No action taken.
C:\Program Files\PC_Antispyware2010\AVEngn.dll (Rogue.PC_Antispyware2010) → No action taken.
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.cfg (Rogue.PC_Antispyware2010) → No action taken.
C:\Program Files\PC_Antispyware2010\pthreadVC2.dll (Rogue.PC_Antispyware2010) → No action taken.
C:\Program Files\PC_Antispyware2010\data\daily.cvd (Rogue.PC_Antispyware2010) → No action taken.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.PC_Antispyware2010) → No action taken.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.PC_Antispyware2010) → No action taken.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.PC_Antispyware2010) → No action taken.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.PC_Antispyware2010) → No action taken.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) → No action taken.
C:\WINDOWS\Temp\BN7.tmp (Trojan.Agent) → No action taken.
C:\WINDOWS\Temp\BN8.tmp (Trojan.Agent) → No action taken.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) → No action taken.

We meant the one that was in the system32 folder where it shouldn’t be; we wanted you to upload it to virustotal first for confirmation and to post the link to the results.

This is the one and it is still reported in HJT:
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe

So you need to fix this entry, though you should first have scanned it at VT and given the results.

The RootRepeal log is still unreadable. Once you have completed the scan, select save as and that should just give a plain text file and not use special characters.

Also you seem to be running everything in safe mode; is that out of necessity or choice? That could explain the garbled rootrepeal log.

Ya, I’m running safe mode out of necessity as I cannot boot windows normally. Here’s the details of the root repeal; will probably take at least two posts:

ROOTREPEAL (c) AD, 2007-2009

Scan Start Time: 2009/08/18 18:47
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
