malware braviax - winreanimator

[brewticus]

red circle with white X appears in sys tray. Continues to install Winreanimator sofware, which appears to be fake spyware removal. I followed all instructions on what to do first. I cannot run combofix, spybot, or superantispyware. when I try to run these programs, absolutly nothing happens. No error message or anything. I was able to run MGtools and have attached log.

[chaslang]

See if you can get started by running the below procedure. Attach the log if you can run it.

Virtumonde aka Trojan Vundo Removal

Is your copy of Spyware Doctor a paid version or free trial? If free, uninstall it now.


Download and run FindAWF by noahdfear.

• Please download FindAWF by noahdfear.
  • FindAWF.exe
• Save to your desktop.
• Double-click the FindAWF icon.
  • If a Security Alert shows, allow the program to run.
• As instructed, press any key to continue.
• Use the following option: Press 1 then Enter to scan for bak folders
• The scan may take a while, please be patient.
• When done, a text file, Find AWF report is produced.
• Please attach the Find AWF report in your next post.

[brewticus]

Thank you for the quick reply!

vundofix will also not run. I uninstalled trial version of spyware doctor.

[chaslang]

Your PC is very badly infected. This is due to not having proper protection installed. This MUST BE corrected after we remove all of your malware.

Double-click the FindAWF icon.

• If a Security Alert shows, allow the program to run.
• As instructed, press any key to continue.

• Use the following option: Press 2 then Enter to restore files from bak folders
• A text file opens called: files.txt
• Click below the line and paste the following list of files to be restored:

Quote:

"C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
"C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"

• Next, close and click Yes to save the changes.
• Once files.txt is saved, FindAWF does the following:
  • It attempts to terminate the process represented by each filename on the list, if running
  • Deletes the rogue file from the parent folder, if present
  • Copies the original file to the parent folder
• When done with the above, it automatically runs a new scan and opens a new log.
• Please attach the new FindAWF log to your next message.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {393C2547-B2AB-422C-87AF-385238C73416} - C:\WINDOWS\system32\hggggef.dll
O2 - BHO: (no name) - {3F5767BD-784E-41C9-90EF-1E6B67AC09B0} - C:\WINDOWS\system32\vturo.dll
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1535.exe 61A847B5BBF7281337983D466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\WinReanimator.exe" /hide
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: hggggef - C:\WINDOWS\SYSTEM32\hggggef.dll

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Quote:

REGEDIT4

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=-
[HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks]
"{393C2547-B2AB-422C-87AF-385238C73416}"=-

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

Quote:

Drivers to unload:
beep

Files to delete:
C:\Documents and Settings\All Users.WINDOWS\Application Data\abaw.lib
C:\Documents and Settings\All Users.WINDOWS\Application Data\adijapaqo.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\efixupugu.pif
C:\Documents and Settings\All Users.WINDOWS\Application Data\fulyk.inf
C:\Documents and Settings\All Users.WINDOWS\Application Data\gakoduzivi.com
C:\Documents and Settings\All Users.WINDOWS\Application Data\nugawynu.dl
C:\Documents and Settings\All Users.WINDOWS\Application Data\siwuciwubi.ban
C:\Documents and Settings\All Users.WINDOWS\Application Data\sorojup.dll
C:\Documents and Settings\All Users.WINDOWS\Application Data\vosycepyz.bin
C:\Program Files\Common Files\gocunikix.pif
C:\Program Files\Common Files\ibatuge.dll
C:\Program Files\Common Files\iqubesuse.scr
C:\arbfikac.exe
C:\qrwkjyd.exe
C:\qsdjpwpb.exe
C:\wpohl.exe
C:\WINDOWS\asugaq.dat
C:\WINDOWS\bebaporo.bat
C:\WINDOWS\bootstat.dat
C:\WINDOWS\braviax.exe
C:\WINDOWS\cru629.dat
C:\WINDOWS\exapeka.com
C:\WINDOWS\hacec.bin
C:\WINDOWS\mrofinu1535.exe
C:\WINDOWS\vynebusen.lib
C:\WINDOWS\wakawat.ban
C:\WINDOWS\wipibiqi.com
C:\WINDOWS\zatadad.reg
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\nod32se.exe
C:\WINDOWS\system32\winistr.exe
C:\WINDOWS\system32\hggggef.dll
C:\WINDOWS\system32\vturo.dll
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\wuqam.com
C:\WINDOWS\system32\orutv.ini
C:\WINDOWS\system32\orutv.ini2
C:\WINDOWS\system32\f9t.dat
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\Documents and Settings\administrator.MIBANKERS\Local Settings\Temp\1316996511.exe
C:\Documents and Settings\administrator.MIBANKERS\Local Settings\Temp\abc123.pid

Folders to delete:
C:\WINDOWS\system32\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\ScanSoft\OmniPageSE2.0\bak
C:\Program Files\Synaptics\SynTP\bak
C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak
C:\Program Files\Java\jre1.6.0_03\bin\bak
C:\!KillBox
C:\Program Files\WinReanimator

Registry keys to delete:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel | HomePage
HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks |{393C2547-B2AB-422C-87AF-385238C73416}

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\administrator.MIBANKERS\Local Settings\Temp

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Make sure you tell me how things are working now!

[brewticus]

Again, thank you for responding.

Since my last post, I ran combofix, spybot, and superantispyware. I did this by renaming the executables to "1234.exe" or smilar. I still followed all your instructions and am attaching all logs.

The braviax and winreanimator are not problems anymore. There is still some sort of spyware constantly trying to redirect and/or open ie to ad sites.

[chaslang]

You don't need to attach the hijackthis.log file. It is already part of MGlogs.zip You said you ran ComboFix but based on your logs it does not look like it was run because thousands of bad files showing in your log would have been removed by ComboFix. Also you did not attach a log from it. Please run it now from the command prompt with the /killall option as instructed in the READ ME. Attach a log when you finish.

Double-click the FindAWF icon.

• If a Security Alert shows, allow the program to run.
• As instructed, press any key to continue.

• Use the following option: Press 2 then Enter to restore files from bak folders
• A text file opens called: files.txt
• Click below the line and paste the following list of files to be restored:

Quote:

"C:\Program Files\microsoft frontpage\bak\mehebor77798.exe"
"C:\Program Files\NoDNS\bak\NoDNS.exe"
"C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe"

• Next, close and click Yes to save the changes.
• Once files.txt is saved, FindAWF does the following:
  • It attempts to terminate the process represented by each filename on the list, if running
  • Deletes the rogue file from the parent folder, if present
  • Copies the original file to the parent folder
• When done with the above, it automatically runs a new scan and opens a new log.
• Please attach the new FindAWF log to your next message.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: IE - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll
O2 - BHO: (no name) - {6B6A55A9-72B1-4B03-BB0B-9DD746C4E396} - C:\Program Files\.\laxik777444.dll
O2 - BHO: 0 - {C93DA5BA-C54F-4302-EAB3-3B8A066469DD} - C:\Program Files\MSN\qulaf.dll
O4 - HKLM\..\Run: [mehebor] C:\Program Files\microsoft frontpage\mehebor77798.exe
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [BM755c313f] Rundll32.exe "C:\WINDOWS\system32\wxmmdecq.dll",s
O4 - HKCU\..\Run: [MapEDC] C:\Program Files\MapEDC\MapEDC.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\JavaCore\JavaCore.exe
O4 - HKCU\..\Run: [Tlda] "C:\DOCUME~1\ADMINI~1.MIB\MYDOCU~1\FNTS~1\chkntfs.exe" -vt yazb
O4 - HKCU\..\Run: [Sfnf] "C:\Program Files\Common Files\?asks\w?auboot.exe"
O20 - Winlogon Notify: dvdfscte - dvdfscte.dll (file missing)
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)

After clicking Fix, exit HJT.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Quote:

Files to delete:
C:\Documents and Settings\administrator.MIBANKERS\Local Settings\Temp\3363614857.exe
C:\WINDOWS\system32\qctwxuei.ini
C:\WINDOWS\system32\qejhlkqu.ini
C:\WINDOWS\system32\welnprno.ini
C:\WINDOWS\system32\mpmsxvwk.dll
C:\WINDOWS\system32\onrpnlew.dll_old
C:\WINDOWS\system32\uftutshp.dll
C:\WINDOWS\system32\wxmmdecq.dll
C:\WINDOWS\system32\dvdfscte.dllbox
C:\WINDOWS\POTA777444.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\tk58.exe
C:\Program Files\laxik777444.dll
C:\Program Files\TTC.dll

Folders to delete:
C:\327882R2FWJFW
C:\Documents and Settings\administrator.MIBANKERS\My Documents\FNTS~1
C:\clean\bak
C:\WINDOWS\VEFNSSBCUkVXRVI
C:\WINDOWS\system32\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\Common Files\ukfz
C:\Program Files\Common Files\ASKS~1
C:\Program Files\ScanSoft\OmniPageSE2.0\bak
C:\Program Files\Synaptics\SynTP\bak
C:\Program Files\Yahoo!\Messenger\bak
C:\Program Files\Java\jre1.5.0_06
C:\Program Files\Java\jre1.6.0_03
C:\Program Files\WinBudget
C:\Program Files\MapEDC
C:\Program Files\NoDNS

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the below logs:

• C:\ComboFix.txt
• C:\awf.txt
• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!