braviax.exe take over

Welcome to Major Geeks!

What exactly did you do and can you undo it. It will be rather impossible for us to help you if you cannot even boot into Windows in normal or safe mode to run anything. Can you bring up Task Manager and get things to run (like your browser to download files) from Task Manager? Also look in Task Manager to see if any processes are hogging the CPU and try to kill them. Even in safe mode with no Desktop, you still may be able to run Task Manager.

Ideally we need to get you to be able to run the below or at least as much of it as possible.

READ & RUN ME FIRST. Malware Removal Guide

 

Please follow the instructions already given for running the READ & RUN ME. They do not ask for a HijackThis log to be posted. And all logs must be attachments to your message.

 

Until you complete the instructions in the READ & RUN ME and attach ALL of the logs that were requested, we cannot help you. The logs are our visibility into what is going on with your system. Without the logs we are blind and can only guess and we will not guess as that will normally lead to major problems.

 

Not True!! I will quote from the Win XP Cleaning procedure for one example and since you never said what Windows version you have.

If you really have Win32.Parite, you could be in for a total reinstall unless you have an antivirus program that will do a great job at finding and repairing the problems. This infection can affect every EXE and SCR file on your PC and also will possibly find its way to any shared drives on a network. The infection is know by a few names. Here is some info on it from Symantec:

http://www.symantec.com/security_response/writeup.jsp?docid=2003-011708-2030-99&tabid=2

 

So then I assume this means you skipped all of the other blues underlined links in the procedure before this point too. You will need to go back and follow those steps. I can see from your logs that you have skipped some of them. One I can see is that you are still using MSconfig to control startups. So did you do each of the below as requested? If not, do them now:

• Uninstall Malware via Add/Remove Programs
• Updating Sun Java

Based on seeing the below in your logs I can see the above were not done.
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2
Java 2 Runtime Environment, SE v1.4.2_06
Viewpoint Media Player

• Use MSconfig to setup for Normal Startup Mode
  • Read this to bette understand why not to use MSconfig: Dealing with Startup Processes

You also ignore the below important notice at the beginning of the READ ME

You have multiple antivirus programs installed. You must uninstall all but one right now.



Note: Using blue underlined text to for hotlinks is standard operationg procedure on the internet. Also in many place in our procedure it did say "continue here:" and those words were followed by links which is the here.



Why are your logs from safe boot mode? Are you having problems running in normal boot mode? We need to have logs from normal boot mode. After doing ALL of the above, from normal boot mode run the C:\MGtools\GetLogs.bat file by double clicking on it.

Then attach the below log

• C:\MGlogs.zip

If you cannot do the above in normal boot mode, then just tell me when you return and just get the new log from safe boot mode and we will continue.

 

I see BitDefender and BullGuard. You may have already uninstall AntiVir but since you have been incorrectly using MSconfig, you have stuck registry entries for many many programs including Antivire. Note that both BitDefender and Bullguard are installed and they are both active. You need to uninstall one. If you do not then you will waste system resources slowing down your PC and you will make each program actually less effective rather than improving your security. They will fight against each other.

Yes there was. That is where Viewpoint Media Player should have been removed.

No you did not. You need to follow my instructions and uninstall all the old versions. Then use the link that I gave to you to get the current version and install it. Don't try to update via Sun Java just follow the instructions as given.

That means it never finished running properly.

You can fix your clock from Control Panel ->Regional and Language Options and then on the Regional Options tab click the Customize button then on the next form click the Time tab. Then change the Time format to what you want. It explains there what the lower case and upper case letters will do. Upper case H is giving you 24 hour clock settings.

You have lots of malware trapped in MSconfig which needs to be removed. You should never have been using MSconfig this way to begin with as noted in the link given multiple times ( Dealing with Startup Processes ) I will take a look at your previous log and give you a partial fix (in another message ) to remove some of the things from MSconfig but you will have to put your system into normal startup mode and provide a log from this mode so we can finalize things. You must remain in normal startup mode and not use MSconfig like this anymore.

 

Uninstall Ewido as it was discontinued long ago and was replaced by AVG Antispyware.


Now copythe bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure you note whether you receive a success message about adding the above to the registry. If you do not receive a success message then do not continue with the below because the above did not work. Just come back and tell me that the registry patch failed.

Now put use MSconfig to put your PC into Normal Startup mode and then Reboot.

After reboot, run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

Then attach the below logs:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Any programs that you still use and that are broken/given error messages may need to be reinstalled. If you don't use them, then uninstall them.

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to ewido anti-spyware 4.0 guard
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Click OK until you get back to Windows.

Do you still use the below software that is trying to load services? I would guess no to some of these and that these are just hanging around do to your having used MSconfig.

Nero 7 is still installed but do you use the BackItUp program. If not, we can remove the service.

You still have one old version of Sun Java installed. Uninstall Java(TM) SE Runtime Environment 6

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: ComcastHSI - {00B73B80-3B49-11D9-82A6-0000E87A8BE3} - http://www.comcast.net/ (file missing) (HKCU)
O9 - Extra button: Help - {00B73B81-3B49-11D9-82A6-0000E87A8BE3} - http://online.comcast.net/help/ (file missing) (HKCU)
O9 - Extra button: Support - {00B73B82-3B49-11D9-82A6-0000E87A8BE3} - http://www.comcastsupport.com/ (file missing) (HKCU)

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Okay then let's fix them which will also improve startup and overall performance.

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to NBService
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Now repeat the above to Stop and Disable the below Services (if you do not find them or get any errors, just continue):
  • Digidesign MME Refresh Service
  • Icecast Media Server
  • TuneUp WinStyler Theme Service
• Click OK until you get back to Windows.

• Next, run C:\MGtools\analyse.exe which is really HijackThis, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
• At the lower right, click on the Config button
• Then click the Misc tools button
• Select Delete an NT Service
• Copy/paste DigiRefresh into the box that opens, and press OK
• If you receive any error messages just ignore them and continue.
• Now repeat the above to delete the below Services (if you do not find them or get any errors, just continue):
  • Icecast
  • TUWinStylerThemeSvc
• Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

That's because we are not finished recovering from the problems caused by using MSconfig like you did. Wait until we are finished.


Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Do you use AOL? If not uninstall it. If you use it, you still don't need all that junk to automatically run when you start your PC. Many can be removed permanently with HijackThis.

That info was in the READ ME in step 1 and I gave you the same link in message # 16 and 18 right here in your thread. Here it is again: Dealing with Startup Processes


You can use the tools in the above link to control things like the below which you may or may not need. Only you know what you use and don't use.

O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101014872\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1c\AOL.EXE" -b
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

 

Check out Autoruns.

For items that you never want to startup, like Quicktime, you can just fix those startup O4 lines with HijackThis. If you never need AOL to startup, then fix those lines too or remove them with Autoruns.

You logs were clean of malware in the last set. You can attach a new MGlogs.zip file now so I can see what your startup situation looks like.

 

Yes!

You forgot to attach the new log.

 

Why, after all of the discussion that we have had, are you using MSconfig to control startups?????

I doubt they are really errors, but tools like this always find things they believe are issues in the registry. Some of it is just due to normal activity from using your PC. You can discuss topics like this more in the Software Forum.

 

Sorry but according to your runkeys.txt log, you are. The below shows it:

Run MSconfig! If it does not show Normal Startup mode (and it cannot based on the above), then you are using MSconfig to control startups.

 

Sorry again but no Autoruns does not put you in selective startup mode. Autoruns is totally independent of MSconfig. If you use Autoruns to disable startups, it makes its own registry keys. Here is an example of what it would look like for just one particular area

This shows than Autoruns has disabled FreeRAM.exe and mnyexpr.exe from running at startup for the current user.

You have something else locking or blocking you from putting your system into normal startup mode and keeping it there if it keeps reverting to Selective Startup.

You current log shows you are in Normal Startup and that you have only one item disable with AutoRuns and that is the below:

 

Possibly this is due to something else. I have tried this multiple times on my own PC and Autoruns has no effect whatsoever on normal vs selective startup.

Those were just examples of what Autoruns could put into the registry. They were not examples from your PC.

You just have HijackThis fix those O4 lines and that removes those startup keys from the registry which means they will not load anymore at startup since the registry entries are gone.

Are you sure Autoruns is not showing them? Did you select the Everything tab which shows all startup? This will show everything considered a startup. Way more then you would ever know about.

 

You're welcome.


If you are not having any other malware problems, it is time to do our final steps:

2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\cf" /u
     • Notes: The space between the cf" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
   • Delete the C:\cf folder from combofix.
3. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you run Avenger, you can delete all files related to Avenger now.
7. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
9. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
10. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
11. If you are running Windows XP or Windows ME, do the below:
    • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
12. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!