Braviax / Reanimator

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Elvish Magi, Mar 2, 2008.

  1. Elvish Magi

    Elvish Magi Private E-2

    A friend has asked me to look at this computer as she is virtually IT-illiterate, and I have removed several problems already (though others may still be present).

    Definitely remaining, however, is Windows Reanimator, which seems to be spawned from braviax.exe - a suspicion confirmed looking at other posts on this forum - and removing it is beyond my level of knowledge.

    In common with other posts made on this subject it is doing a good job of preventing the installation / execution of many removal tools, so I'm hoping someone can help... please!

    I've followed all the steps in the "Read and Run Me First" thread, with the following problems:

    SUPERAntiSpyware - Installation will not initialise
    SpyBot - Search & Destroy - Installs, but execution will not initialise
    combofix.exe - Execution will not initialise

    MGTools thankfully did run, and the produced log is attached.

    Many thanks in advance!
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Sorry for the delay in responding.

    No wonder you had problems running some of the tools. You are very badly infected. Let's see if we can get some of the malware removed and then we may be able to run the other scans.

    Is the below something you installed?
    O4 - HKLM\..\Run: [KiweeHook] "C:\Program Files\Kiwee Toolbar\kwtbaim.exe"

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: (no name) - {1962c5bc-e475-465b-823b-133e711bceb9} - (no file)
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [braviax] braviax.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
    O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
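As an added illustration (not part of this thread, and not HijackThis's own code), the script below parses the HijackThis lines quoted above and applies the kind of triage a malware helper does by eye: Run entries that launch a bare filename, non-empty AppInit_DLLs, Winlogon Notify packages, orphaned toolbar CLSIDs and third-party ActiveX (DPF) downloads. The rules and reason strings are my own assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the HijackThis lines quoted in the post above.
HJT_SAMPLE = r"""
O3 - Toolbar: (no name) - {1962c5bc-e475-465b-823b-133e711bceb9} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [braviax] braviax.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
"""

RE_O3 = re.compile(r"^O3 - Toolbar: .* - \{[0-9a-fA-F-]{36}\} - (?P<file>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RE_O16 = re.compile(r"^O16 - DPF: \{[0-9a-fA-F-]{36}\} - (?P<url>\S+)$")
RE_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
RE_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+)$")

def check_line(line):
    """Return a reason string if a HijackThis line deserves review, else None."""
    if m := RE_O3.match(line):
        # A toolbar CLSID with no backing file is leftover registration from a removed add-on.
        return "orphaned toolbar CLSID" if m["file"] == "(no file)" else None
    if m := RE_O4.match(line):
        exe = m["cmd"].split()[0].strip('"')
        # A bare filename is resolved through PATH at logon, so its real location is unknown.
        return f"Run entry [{m['name']}] launches bare filename {exe}" if "\\" not in exe else None
    if m := RE_O16.match(line):
        host = urlparse(m["url"]).hostname or ""
        # ActiveX packages (DPF) fetched from outside microsoft.com are a common bundle vector.
        return f"third-party ActiveX download from {host}" if not host.endswith("microsoft.com") else None
    if m := RE_APPINIT.match(line):
        dlls = m["dlls"].strip()
        # AppInit_DLLs is loaded into every user32-linked process; it should normally be empty.
        return f"AppInit_DLLs set ({dlls})" if dlls else None
    if m := RE_NOTIFY.match(line):
        # Winlogon Notify DLLs run inside winlogon.exe, a classic persistence hook.
        return f"Winlogon Notify package {m['key']} -> {m['dll']}"
    return None

def triage(text):
    """Map every flagged line to its reason; lines no rule matches are omitted."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return {ln: reason for ln in lines if (reason := check_line(ln))}
```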
     
  3. Elvish Magi

    Elvish Magi Private E-2

    Don't worry about it - I am very appreciative of the help!

    I'm not surprised - From what I can tell, this computer has been used without any effective protection for some time by my friend and her teenage son - one of whom it appears likes to visit some rather dodgy websites! In other words, it's a complete recipe for disaster!

    I don't know if this is something she chose to install or not, but one of the first things I did when looking at this PC was to uninstall a multitude of toolbars, including this one.

    If it's still hanging around in places after being uninstalled then presumably it needs to go.

    Anyway, I've followed through the steps given (logs attached) and there is definitely a marked improvement including the absence of Reanimator - thank you!

    You'll see from the Avenger log that I had to delete C:\WINDOWS\hcwprn.exe manually, and while going through the list of files to ensure their absence I encountered a strange problem.

    When I went to open c:/windows/system32 the screen turned completely grey. I was able to switch between running processes still using alt+tab, and in doing so it was clear that the grey screen was due to an unnamed running program.

    The applications list in task manager didn't list it, so I rebooted with the intention of seeing if I could identify it from the list of processes when it started. However, I was unable to replicate the problem.

    Therefore I don't know if it was an attempt by some remaining malware to prevent me from viewing the system32 folder, or "just" a glitch in windows. Any ideas?

    Thank you for the help :)
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you need to decide what to do with this one too. I don't know exactly what it is but I don't like the looks of it.

    I'm going to go thru the new logs now to see if anything remains but I wanted to comment on something before I forget. This PC is running virgin Windows XP with NO UPDATES. This is a major security risk. When finished removing all malware, you need to get protection in place and then you MUST get this PC updated.


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    Now run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Elle\Local Settings\Temp

    Now it would be a very good idea to attempt running ComboFix and SUPERAntispyware from the READ and RUN ME instructions since you could not run these before.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\avenger.txt
    • C:\ComboFix.txt
    • SUPERAntispyware log
    • C:\MGlogs.zip
    It will require two posts to attach the above four logs. Make sure you tell me how things are working now!
     
