MajorGeeks Support Forums

Post #1, 02-24-08, 13:08
brewticus
malware braviax - winreanimator

Red circle with white X appears in sys tray. Continues to install Winreanimator software, which appears to be fake spyware removal. I followed all instructions on what to do first. I cannot run combofix, spybot, or superantispyware. When I try to run these programs, absolutely nothing happens. No error message or anything. I was able to run MGtools and have attached log.
Attached Files
File Type: zip MGlogs.zip (38.6 KB, 17 views)

Post #2, 02-24-08, 13:56
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: malware braviax - winreanimator

See if you can get started by running the below procedure. Attach the log if you can run it.

Virtumonde aka Trojan Vundo Removal

Is your copy of Spyware Doctor a paid version or free trial? If free, uninstall it now.


Download and run FindAWF by noahdfear.
  • Please download FindAWF by noahdfear.
  • Save to your desktop.
  • Double-click the FindAWF icon.
    • If a Security Alert shows, allow the program to run.
  • As instructed, press any key to continue.
  • Use the following option: Press 1 then Enter to scan for bak folders
  • The scan may take a while, please be patient.
  • When done, a text file, Find AWF report is produced.
  • Please attach the Find AWF report in your next post.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Post #3, 02-24-08, 15:13
brewticus
Re: malware braviax - winreanimator

Thank you for the quick reply!

Vundofix will also not run. I uninstalled the trial version of Spyware Doctor.
Attached Files
File Type: txt awf.txt (2.5 KB, 9 views)

Post #4, 02-26-08, 01:10
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: malware braviax - winreanimator

Your PC is very badly infected. This is due to not having proper protection installed. This MUST BE corrected after we remove all of your malware.

Double-click the FindAWF icon.
  • If a Security Alert shows, allow the program to run.
  • As instructed, press any key to continue.
  • Use the following option: Press 2 then Enter to restore files from bak folders
  • A text file opens called: files.txt
  • Click below the line and paste the following list of files to be restored:
Quote:
"C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
"C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
  • Next, close and click Yes to save the changes.
  • Once files.txt is saved, FindAWF does the following:
    • It attempts to terminate the process represented by each filename on the list, if running
    • Deletes the rogue file from the parent folder, if present
    • Copies the original file to the parent folder
  • When done with the above, it automatically runs a new scan and opens a new log.
  • Please attach the new FindAWF log to your next message.


Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {393C2547-B2AB-422C-87AF-385238C73416} - C:\WINDOWS\system32\hggggef.dll
O2 - BHO: (no name) - {3F5767BD-784E-41C9-90EF-1E6B67AC09B0} - C:\WINDOWS\system32\vturo.dll
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1535.exe 61A847B5BBF7281337983D466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\WinReanimator.exe" /hide
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: hggggef - C:\WINDOWS\SYSTEM32\hggggef.dll

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
Quote:
REGEDIT4

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=-
[HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks]
"{393C2547-B2AB-422C-87AF-385238C73416}"=-
Now download The Avenger by Swandog46, and save it to your Desktop.
  • Extract avenger.exe from the Zip file and save it to your desktop
  • Run avenger.exe by double-clicking on it.
  • Check the 'Input script manually' box.
  • Click on the magnifying glass icon.
  • Copy everything in the Quote box below, and paste it in the box that opens:
Quote:
Drivers to unload:
beep

Files to delete:
C:\Documents and Settings\All Users.WINDOWS\Application Data\abaw.lib
C:\Documents and Settings\All Users.WINDOWS\Application Data\adijapaqo.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\efixupugu.pif
C:\Documents and Settings\All Users.WINDOWS\Application Data\fulyk.inf
C:\Documents and Settings\All Users.WINDOWS\Application Data\gakoduzivi.com
C:\Documents and Settings\All Users.WINDOWS\Application Data\nugawynu.dl
C:\Documents and Settings\All Users.WINDOWS\Application Data\siwuciwubi.ban
C:\Documents and Settings\All Users.WINDOWS\Application Data\sorojup.dll
C:\Documents and Settings\All Users.WINDOWS\Application Data\vosycepyz.bin
C:\Program Files\Common Files\gocunikix.pif
C:\Program Files\Common Files\ibatuge.dll
C:\Program Files\Common Files\iqubesuse.scr
C:\arbfikac.exe
C:\qrwkjyd.exe
C:\qsdjpwpb.exe
C:\wpohl.exe
C:\WINDOWS\asugaq.dat
C:\WINDOWS\bebaporo.bat
C:\WINDOWS\bootstat.dat
C:\WINDOWS\braviax.exe
C:\WINDOWS\cru629.dat
C:\WINDOWS\exapeka.com
C:\WINDOWS\hacec.bin
C:\WINDOWS\mrofinu1535.exe
C:\WINDOWS\vynebusen.lib
C:\WINDOWS\wakawat.ban
C:\WINDOWS\wipibiqi.com
C:\WINDOWS\zatadad.reg
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\nod32se.exe
C:\WINDOWS\system32\winistr.exe
C:\WINDOWS\system32\hggggef.dll
C:\WINDOWS\system32\vturo.dll
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\wuqam.com
C:\WINDOWS\system32\orutv.ini
C:\WINDOWS\system32\orutv.ini2
C:\WINDOWS\system32\f9t.dat
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\Documents and Settings\administrator.MIBANKERS\Local Settings\Temp\1316996511.exe
C:\Documents and Settings\administrator.MIBANKERS\Local Settings\Temp\abc123.pid

Folders to delete:
C:\WINDOWS\system32\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\ScanSoft\OmniPageSE2.0\bak
C:\Program Files\Synaptics\SynTP\bak
C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak
C:\Program Files\Java\jre1.6.0_03\bin\bak
C:\!KillBox
C:\Program Files\WinReanimator

Registry keys to delete:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel | HomePage
HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks |{393C2547-B2AB-422C-87AF-385238C73416}

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
  • Now click the 'Done' button.
  • Click on the traffic light icon and OK the prompt.
  • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
  • A log file from Avenger will be produced at C:\avenger.txt
After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\administrator.MIBANKERS\Local Settings\Temp

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Make sure you tell me how things are working now!

Post #5, 03-08-08, 21:03
brewticus
Re: malware braviax - winreanimator

Again, thank you for responding.

Since my last post, I ran combofix, spybot, and superantispyware. I did this by renaming the executables to "1234.exe" or similar. I still followed all your instructions and am attaching all logs.

The braviax and winreanimator are not problems anymore. There is still some sort of spyware constantly trying to redirect and/or open ie to ad sites.
Attached Files
File Type: zip all logs.zip (79.7 KB, 2 views)

Post #6, 03-10-08, 02:01
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: malware braviax - winreanimator

You don't need to attach the hijackthis.log file. It is already part of MGlogs.zip. You said you ran ComboFix but based on your logs it does not look like it was run because thousands of bad files showing in your log would have been removed by ComboFix. Also you did not attach a log from it. Please run it now from the command prompt with the /killall option as instructed in the READ ME. Attach a log when you finish.

Double-click the FindAWF icon.
  • If a Security Alert shows, allow the program to run.
  • As instructed, press any key to continue.
  • Use the following option: Press 2 then Enter to restore files from bak folders
  • A text file opens called: files.txt
  • Click below the line and paste the following list of files to be restored:
Quote:
"C:\Program Files\microsoft frontpage\bak\mehebor77798.exe"
"C:\Program Files\NoDNS\bak\NoDNS.exe"
"C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe"
  • Next, close and click Yes to save the changes.
  • Once files.txt is saved, FindAWF does the following:
    • It attempts to terminate the process represented by each filename on the list, if running
    • Deletes the rogue file from the parent folder, if present
    • Copies the original file to the parent folder
  • When done with the above, it automatically runs a new scan and opens a new log.
  • Please attach the new FindAWF log to your next message.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: IE - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll
O2 - BHO: (no name) - {6B6A55A9-72B1-4B03-BB0B-9DD746C4E396} - C:\Program Files\.\laxik777444.dll
O2 - BHO: 0 - {C93DA5BA-C54F-4302-EAB3-3B8A066469DD} - C:\Program Files\MSN\qulaf.dll
O4 - HKLM\..\Run: [mehebor] C:\Program Files\microsoft frontpage\mehebor77798.exe
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [BM755c313f] Rundll32.exe "C:\WINDOWS\system32\wxmmdecq.dll",s
O4 - HKCU\..\Run: [MapEDC] C:\Program Files\MapEDC\MapEDC.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\JavaCore\JavaCore.exe
O4 - HKCU\..\Run: [Tlda] "C:\DOCUME~1\ADMINI~1.MIB\MYDOCU~1\FNTS~1\chkntfs.exe" -vt yazb
O4 - HKCU\..\Run: [Sfnf] "C:\Program Files\Common Files\?asks\w?auboot.exe"
O20 - Winlogon Notify: dvdfscte - dvdfscte.dll (file missing)
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)

After clicking Fix, exit HJT.

Now download The Avenger by Swandog46, and save it to your Desktop.
  • Extract avenger.exe from the Zip file and save it to your desktop
  • Run avenger.exe by double-clicking on it.
  • Do not change any check box options!!
  • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
Quote:
Files to delete:
C:\Documents and Settings\administrator.MIBANKERS\Local Settings\Temp\3363614857.exe
C:\WINDOWS\system32\qctwxuei.ini
C:\WINDOWS\system32\qejhlkqu.ini
C:\WINDOWS\system32\welnprno.ini
C:\WINDOWS\system32\mpmsxvwk.dll
C:\WINDOWS\system32\onrpnlew.dll_old
C:\WINDOWS\system32\uftutshp.dll
C:\WINDOWS\system32\wxmmdecq.dll
C:\WINDOWS\system32\dvdfscte.dllbox
C:\WINDOWS\POTA777444.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\tk58.exe
C:\Program Files\laxik777444.dll
C:\Program Files\TTC.dll

Folders to delete:
C:\327882R2FWJFW
C:\Documents and Settings\administrator.MIBANKERS\My Documents\FNTS~1
C:\clean\bak
C:\WINDOWS\VEFNSSBCUkVXRVI
C:\WINDOWS\system32\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\Common Files\ukfz
C:\Program Files\Common Files\ASKS~1
C:\Program Files\ScanSoft\OmniPageSE2.0\bak
C:\Program Files\Synaptics\SynTP\bak
C:\Program Files\Yahoo!\Messenger\bak
C:\Program Files\Java\jre1.5.0_06
C:\Program Files\Java\jre1.6.0_03
C:\Program Files\WinBudget
C:\Program Files\MapEDC
C:\Program Files\NoDNS
  • Now click the Execute button.
  • Click Yes to the prompt to confirm you want to execute.
  • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
  • Your PC should reboot, if not, reboot it yourself.
  • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the below logs:
  • C:\ComboFix.txt
  • C:\awf.txt
  • C:\avenger.txt
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
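
The bak-folder pattern that the FindAWF steps in posts #4 and #6 deal with, as an added read-only check (not part of the thread and not FindAWF's code): it compares each file held in a `bak` folder with the same-named file one level up. The function names, status labels and sample tree are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_bak_pairs(root: Path) -> list:
    """Compare every file in a 'bak' folder with the same-named file in its parent folder."""
    findings = []
    bak_dirs = sorted(p for p in root.rglob("*") if p.is_dir() and p.name.lower() == "bak")
    for bak_dir in bak_dirs:
        for backup in sorted(f for f in bak_dir.iterdir() if f.is_file()):
            parent_copy = bak_dir.parent / backup.name
            if not parent_copy.is_file():
                status = "parent-missing"   # original parked in bak, nothing in its place
            elif sha256(parent_copy) != sha256(backup):
                status = "parent-differs"   # a different file sits where the original was
            else:
                status = "identical"        # plain backup copy, nothing displaced
            findings.append((backup, parent_copy, status))
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample layout; contents are placeholder bytes, not real binaries."""
    syn = root / "Synaptics" / "SynTP"
    (syn / "bak").mkdir(parents=True)
    (syn / "bak" / "SynTPLpr.exe").write_bytes(b"original-bytes")
    (syn / "SynTPLpr.exe").write_bytes(b"different-bytes")
    yahoo = root / "Yahoo!" / "Messenger"
    (yahoo / "bak").mkdir(parents=True)
    (yahoo / "bak" / "YAHOOM~1.EXE").write_bytes(b"original-bytes")
    tools = root / "Tools"
    (tools / "bak").mkdir(parents=True)
    (tools / "bak" / "readme.txt").write_bytes(b"same")
    (tools / "readme.txt").write_bytes(b"same")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for backup, parent_copy, status in find_bak_pairs(Path(tmp)):
            print(f"{status:15} {parent_copy.relative_to(tmp)}")
```

A "parent-differs" or "parent-missing" result only marks a pair for review; which copy is the legitimate one still has to be decided from the logs, as the helper does in the thread.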
All times are GMT -5.
