Braviax.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by zakiya, Mar 29, 2008.

  1. zakiya

    zakiya Private E-2

    I have a Toshiba laptop that has been infected with Braviax.exe. I have read the READ & RUN ME FIRST without success. I have only been able to download and successfully run CCleaner. I only have internet for about 5 minutes and then, kaput, it stops working. I am in the process of downloading SUPERAntiSpyware, Spybot Search and Destroy, Malwarebytes Anti-Malware and MGtools.exe to my flash drive and will try to install and run them per the directions. I have also downloaded HijackThis, VundoFix and SDFix and am unable to run them.

    If I only have internet for a short time, how will I load the results for you? Is there anything you can tell me to do that will allow me to have internet access for more than a few minutes so that I may load the results? I was able to download and install autoruns.exe after renaming it to random.exe, and I do have a log for that but cannot load it. Please help.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    This is your best bet. Some of those will even help somewhat with your problem.

    You don't need any of these.

    Try safe boot mode with networking and if that does not work, copy the logs to your flash drive and upload them via another PC.

    After running some of the tools in the READ ME, you may have access. If not, we will give you other detailed instructions based on what we see in your logs. Note that other tools may be required, so to that end download the below and get it onto the problem PC. DO NOT RUN IT. Just get it onto your PC so we can use it later.

    Download The Avenger by Swandog46, and save it to your Desktop.
     
  3. zakiya

    zakiya Private E-2

    Thank you. I will download The Avenger as well. I have tried to run SUPERAntiSpyware and it will not run. I have also tried to install Spybot Search and Destroy and that will not run either. The only thing that I have been able to get installed is Malwarebytes. It would not do the updates but I was able to get it going. It is running now and has been for 55 minutes. Is that normal? Once I get the log from that I will post it. Did you want to see the log for autorunsc? If so I will load that for you to take a look at.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sometimes it will work if you boot in safe mode. Spybot may too!

    Not normally. Let it run a while longer, and if it does not seem to end or appears to be hung, stop it and also try it in safe boot mode. It may have already removed some items too.

    No we don't need it.
     
  5. zakiya

    zakiya Private E-2

    Here is the log from Malwarebytes. Please let me know what I should do next.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must attach logs to your messages as requested in the READ ME or your messages will not show up. They will get trapped by the spam filters. In addition, we do not want logs posted inline because it messes up search engines, it slows down loading and scrolling back and forth through the threads, and it makes working up fixes slower.


    [EDIT] Ah! I see you now made another post and attached it. ;) I will delete the inline one now.


    You need to continue on with the rest of the READ ME.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on the log, you had/have a lot more problems than just braviax. Have you been running this PC without protection? Did you happen to notice how much bad stuff Malwarebytes just removed?
     
  8. zakiya

    zakiya Private E-2

    Here are the rest of the logs. I have completed the read me first. Please let me know what I should do next.

    Thanks

    Oh, I forgot to say that the laptop is not mine. I am trying to clean it for a co-worker of mine. It has McAfee, but I tried to get it to open to see what had been run and was unsuccessful. When I get it all clean I am going to remove McAfee and install something else. I have Norton Antivirus but do you suggest something else?

    Just rebooted and I am still infected. Should I start at the beginning of the READ & RUN ME FIRST again or is there something more specific that I should do?
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must make sure that you attach what we ask for to avoid additional delays. You should not be attaching those individual logs that you put into your own zip file. You need to attach the C:\MGlogs.zip file that was requested in the READ ME. However, you first need to install MGtools.exe where the READ ME told you it had to be installed. You MUST save it to C:\MGtools.exe and run it from there. You put it on drive F and as a result it did not run properly. Run it from the correct location and watch for error messages as stated in the Using MGtools instructions. Apply any fixes necessary. Then attach the C:\MGlogs.zip file.

    Also, have you tried to run SUPERAntiSpyware again?
     
  10. zakiya

    zakiya Private E-2

    Sorry here is the log for the MGtools. I will run the superantispyware again now.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to uninstall Viewpoint Media Player as requested in step 1 of the READ ME.

    Then you need to uninstall J2SE Runtime Environment 5.0 Update 4, which was also requested in step 1 of the READ ME. Then reboot and install the current version from the below link, which was also in the READ ME:

    Sun Java Runtime Environment

    If you have a problem with your internet that does not allow you to update the above right now, that's fine. Just tell me you did not install the update yet.


    Now your McAfee software has to be uninstalled as it has become infected and cannot be trusted. After uninstalling it, run the below:

    McAfee Consumer Product Removal Tool

    If you have a problem with your internet that does not allow you to download and run the McAfee removal tool right now, that's not really fine but we will continue anyway. Just tell me you did not run this tool yet.


    And then reboot your PC and delete the below folder if it still exists:
    c:\program files\mcafee.com


    Now do the below which you must get downloaded.

    Download and run FindAWF by noahdfear.
    • Please download FindAWF by noahdfear.
    • Save to your desktop.
    • Double-click the FindAWF icon.
      • If a Security Alert shows, allow the program to run.
    • As instructed, press any key to continue.
    • Use the following option: Press 1 then Enter to scan for bak folders
    • The scan may take a while, please be patient.
    • When done, a text file, Find AWF report is produced.
    • Please attach the Find AWF report in your next post.
    Now delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Michelle Mui\Local Settings\Temp


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below log:
    • C:\MGlogs.zip

    You will not be clean after doing the above. You will be far from clean. These are just necessary steps before we can get to the heart of your problems and we need some more new information from the above logs to create a proper fix.
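    The FindAWF steps above describe the AWF infection pattern: the real program is moved into a "bak" subfolder and a rogue file with the same name is left in its place, so option 1 looks for bak folders and option 2 copies the originals back. The script below is an added example, not FindAWF or any MajorGeeks tool. It builds a constructed sample tree (the folder and file names are made up, not from the logs in this thread), reports each parent/bak pair whose contents differ, and restores the originals. Unlike FindAWF it does not terminate running processes first.

```python
"""Scan for AWF-style 'bak' folders and restore the originals they hold.

Added example, not part of FindAWF. Pattern from the thread: the real file
is moved into a 'bak' subfolder and a same-named rogue file is left in the
parent folder. find_bak_substitutions() reports every such pair (FindAWF
option 1); restore_from_bak() copies the original back (FindAWF option 2,
minus the process-termination step FindAWF performs first).
"""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass
class BakHit:
    rogue: str      # file currently in the parent folder (suspected replacement)
    original: str   # same-named file inside the 'bak' subfolder
    differs: bool   # True when the two files do not have identical contents


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_substitutions(root: str) -> list[BakHit]:
    """Walk root; for every folder named 'bak', pair each file it holds with
    the same-named file in the parent folder and compare their hashes."""
    hits: list[BakHit] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in filenames:
            original = os.path.join(dirpath, name)
            rogue = os.path.join(parent, name)
            if os.path.isfile(rogue):
                hits.append(BakHit(rogue, original, _sha256(rogue) != _sha256(original)))
    return sorted(hits, key=lambda h: h.rogue)


def restore_from_bak(hits: list[BakHit]) -> list[str]:
    """Replace each differing rogue file with the original from 'bak'.
    Identical pairs are left alone. Returns the paths that were restored."""
    restored: list[str] = []
    for hit in hits:
        if not hit.differs:
            continue
        os.remove(hit.rogue)               # delete the rogue file from the parent folder
        shutil.copy2(hit.original, hit.rogue)  # copy the original back into place
        restored.append(hit.rogue)
    return restored


def build_sample_tree() -> str:
    """Constructed sample tree (names are invented, not from the thread's logs):
    two substituted programs and one bak copy identical to its parent file."""
    root = tempfile.mkdtemp(prefix="awf_demo_")
    layout = {
        os.path.join("Program Files", "VendorA", "appa.exe"): b"ROGUE-A",
        os.path.join("Program Files", "VendorA", "bak", "appa.exe"): b"ORIGINAL-A",
        os.path.join("Program Files", "VendorB", "appb.exe"): b"ROGUE-B",
        os.path.join("Program Files", "VendorB", "bak", "appb.exe"): b"ORIGINAL-B",
        os.path.join("Program Files", "Clean", "clean.exe"): b"SAME",
        os.path.join("Program Files", "Clean", "bak", "clean.exe"): b"SAME",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for hit in find_bak_substitutions(demo_root):
        print(("DIFFERS  " if hit.differs else "same     ") + hit.rogue)
    print("restored:", restore_from_bak(find_bak_substitutions(demo_root)))
```

    On a real system the hash comparison is what separates a genuine substitution from a harmless backup copy; a pair that hashes the same needs no restore, and a pair that differs is worth checking against the vendor's file before it is trusted.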
     
  12. zakiya

    zakiya Private E-2

    I have removed Viewpoint Viewer as well as Sun Java. I have also reinstalled the new Sun Java from the link provided.

    McAfee has been successfully removed.

    I have downloaded and ran the FindAWF and have attached the log file.

    I have also deleted all files from

    C:\WINDOWS\Temp
    C:\Documents and Settings\Michelle Mui\Local Settings\Temp

    However, I was unable to delete a file from C:\Windows\Temp called qdybgrox.dat with a date of 03/09/08; it says access denied. It also keeps putting in three files called sntnqhleral.drv, skngiq.dll and scrbsc.nls, all dated 06/13/2007. Each time I delete them they come right back a few seconds later.

    I have also completed the MGtools \Getlogs.bat and have attached the file as well.

    Thank you
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have the worst infected PC that I have seen in a very long time. I'm not sure who is using this PC and for what, but you need to develop much better surfing habits for all users.


    Double-click the FindAWF icon.
    • If a Security Alert shows, allow the program to run.
    • As instructed, press any key to continue.
    • Use the following option: Press 2 then Enter to restore files from bak folders
    • A text file opens called: files.txt
    • Click below the line and paste the following list of files to be restored:

    • Next, close and click Yes to save the changes.
    • Once files.txt is saved, FindAWF does the following:
      • It attempts to terminate the process represented by each filename on the list, if running
      • Deletes the rogue file from the parent folder, if present
      • Copies the original file to the parent folder
    • When done with the above, it automatically runs a new scan and opens a new log.
    • Please attach the new FindAWF log to your next message.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only). Select the following lines but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:

    O2 - BHO: (no name) - {BC484D19-C55D-441C-B7E2-3672EB6D0088} - C:\WINDOWS\system32\apcup.dll
    O4 - HKLM\..\Run: [hrglonki] rundll32.exe "C:\WINDOWS\TEMP\eidrebjhfd.nls" WLEntryPoint
    O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Policies\Explorer\Run: [fmngaiqp] rundll32.exe "C:\WINDOWS\system32\snjogphhk.dll" WLEntryPoint
    O4 - HKUS\S-1-5-18\..\Run: [Hhjg5jfd93dftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Hhjg5jfd93dftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'Default user')
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
    O20 - AppInit_DLLs: iSecurity.cpl
    O20 - Winlogon Notify: @ÿ - @ÿ (file missing)
    O20 - Winlogon Notify: crehcjid - crehcjid.dll (file missing)
    O20 - Winlogon Notify: jidsjmlgfahgr - C:\WINDOWS\SYSTEM32\jidsjmlgfahgr.dll
    O20 - Winlogon Notify: Pˆ˜ÿ - Pˆ˜ÿ (file missing)
    O20 - Winlogon Notify: ÀØÿ - ÀØÿ (file missing)
    O20 - Winlogon Notify: Àÿ - Àÿ (file missing)
    O21 - SSODL: sMXWGVukbX - {606A9EA5-CAC0-340F-EE61-6D5A79CB5224} - (no file)
    O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - (no file)
    O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now you MUST go back to step 1 of the READ ME and follow the instructions properly for putting your PC into Normal Startup mode with MSconfig. You did not do this and you have dozens of malware items trapped in MSconfig. I started cleaning some of them up in the above fix but there was just way too much to do this way. You must use Normal Startup mode so we can continue with your cleanup.



    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger. And don't forget the new log from FindAWF.

    Make sure you tell me how things are working now!
     
    Last edited: Apr 3, 2008
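    The HijackThis lines chaslang selected above come from the classic autostart locations: Run keys (including the SYSTEM and Default User hives and the Policies\Explorer\Run key), a BHO, a MIME filter, AppInit_DLLs, Winlogon Notify packages, ShellServiceObjectDelayLoad and SharedTaskScheduler. The script below is an added example, not part of HijackThis or MGtools. It parses those exact lines and applies a few red-flag heuristics: a target under a Temp folder, a missing file, non-printable names, rundll32 loading a non-DLL extension, SYSTEM-hive autostarts, and a module referenced both from AppInit_DLLs and from a Run key. Two of the selected lines (the legitimate jusched.exe entry and the jidsjmlgfahgr Winlogon Notify entry) trigger none of these rules, which is the point: heuristics narrow the list, the analyst decides.

```python
"""Triage HijackThis (HJT) log lines by autostart location and simple red flags.

Added example; not part of HijackThis or MGtools. SAMPLE_HJT_LINES are the
lines chaslang listed for fixing in the post above. The rules are a first
pass only; the jusched.exe and jidsjmlgfahgr lines are left unflagged by them.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

# Copied from chaslang's fix list above (not constructed).
SAMPLE_HJT_LINES = r"""
O2 - BHO: (no name) - {BC484D19-C55D-441C-B7E2-3672EB6D0088} - C:\WINDOWS\system32\apcup.dll
O4 - HKLM\..\Run: [hrglonki] rundll32.exe "C:\WINDOWS\TEMP\eidrebjhfd.nls" WLEntryPoint
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Policies\Explorer\Run: [fmngaiqp] rundll32.exe "C:\WINDOWS\system32\snjogphhk.dll" WLEntryPoint
O4 - HKUS\S-1-5-18\..\Run: [Hhjg5jfd93dftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Hhjg5jfd93dftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'Default user')
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - AppInit_DLLs: iSecurity.cpl
O20 - Winlogon Notify: @ÿ - @ÿ (file missing)
O20 - Winlogon Notify: crehcjid - crehcjid.dll (file missing)
O20 - Winlogon Notify: jidsjmlgfahgr - C:\WINDOWS\SYSTEM32\jidsjmlgfahgr.dll
O20 - Winlogon Notify: Pˆ˜ÿ - Pˆ˜ÿ (file missing)
O20 - Winlogon Notify: ÀØÿ - ÀØÿ (file missing)
O20 - Winlogon Notify: Àÿ - Àÿ (file missing)
O21 - SSODL: sMXWGVukbX - {606A9EA5-CAC0-340F-EE61-6D5A79CB5224} - (no file)
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - (no file)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
""".strip().splitlines()


@dataclass
class Entry:
    section: str                 # HJT section, e.g. "O4"
    kind: str                    # location, e.g. "HKLM\..\Run" or "Winlogon Notify"
    detail: str                  # remainder of the line
    flags: list[str] = field(default_factory=list)


LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",\s]+)', re.I)
# Extensions a legitimate rundll32 autostart would not normally load.
ODD_MODULE_EXTS = {".nls", ".drv", ".dat", ".tmp"}


def parse_hjt(lines: list[str]) -> list[Entry]:
    """Split 'Oxx - <kind>: <detail>' lines into Entry records; skip others."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(*m.groups()))
    return entries


def appinit_modules(entries: list[Entry]) -> set[str]:
    """Lower-cased basenames of every module listed under AppInit_DLLs."""
    mods: set[str] = set()
    for e in entries:
        if e.kind == "AppInit_DLLs":
            for tok in re.split(r"[\s,;]+", e.detail):
                if tok:
                    mods.add(ntpath.basename(tok).lower())
    return mods


def triage(lines: list[str]) -> list[Entry]:
    """Parse the lines and attach a red-flag reason for each rule an entry trips."""
    entries = parse_hjt(lines)
    appinit = appinit_modules(entries)
    for e in entries:
        low = e.detail.lower()
        if "\\temp\\" in low:
            e.flags.append("runs from a Temp folder")
        if "(no file)" in low or "(file missing)" in low:
            e.flags.append("orphaned entry, target file missing")
        if any(ord(c) > 126 or ord(c) < 32 for c in e.detail):
            e.flags.append("non-printable characters in name")
        if e.section == "O2" and low.startswith("(no name)"):
            e.flags.append("unnamed BHO")
        if e.kind.startswith("HKUS\\S-1-5-18") or e.kind.startswith("HKUS\\.DEFAULT"):
            e.flags.append("autostart in SYSTEM or Default User hive")
        if "Policies\\Explorer\\Run" in e.kind:
            e.flags.append("Policies\\Explorer\\Run key (rarely used legitimately)")
        if e.kind == "AppInit_DLLs" and e.detail.strip():
            e.flags.append("AppInit_DLLs populated (loaded into every GUI process)")
        if e.kind.startswith("Filter hijack"):
            e.flags.append("MIME filter hijack")
        m = RUNDLL32_RE.search(e.detail)
        if m and ntpath.splitext(m.group(1))[1].lower() in ODD_MODULE_EXTS:
            e.flags.append("rundll32 loading a non-DLL extension")
        if e.kind != "AppInit_DLLs" and any(mod in low for mod in appinit):
            e.flags.append("module also set in AppInit_DLLs")
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_HJT_LINES):
        mark = "FLAG" if e.flags else "    "
        print(f"{mark} {e.section:<4}{e.kind:<28}{e.detail[:60]}  {'; '.join(e.flags)}")
```

    The cross-reference rule is the one worth noting: the [iSecurity applet] Run entry looks ordinary on its own, and only the fact that the same module name sits in AppInit_DLLs ties it to the rest of the infection.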
  14. zakiya

    zakiya Private E-2

    Thank you. Yes I know this is not my laptop it is a co worker of mine. I believe that her teenage daughter uses it. I will have a chat with her about it.

    Should I do all of this in safe mode or just normal boot up?
     
  15. zakiya

    zakiya Private E-2

    ok I have completed the instructions. Attached are the logs.

    Since I put the computer in normal mode, all of the programs that are installed on this laptop have to be in the system tray, so I will work on removing them from there. Also I get a bunch of pop up windows that say:

    "c:\windows\temp\sntnghleral.drv - The specified module could not be found." I get like at least 5 of those that pop up on reboot.

    Please let me know what I should do next because I am sure this laptop is still infected. I should just throw it out of the window or at least set it on fire first.:D
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it is still infected. As I said it was very badly infected and will require some iterations. Some items we attempted to fix in my last fix did not work.

    Please run this Running ComboFix and attach the C:\combofix.txt log that is requested.

    Then rerun Malwarebytes Anti-Malware like you did in the READ ME and attach a new log from it.
     
  17. zakiya

    zakiya Private E-2

    where do i go to download combo fix? In the link there are only the instructions.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that! You can get it here: combofix.exe
     
  19. zakiya

    zakiya Private E-2

    I have run the combo fix as well as the Malware again and the logs are attached. Please let me know if there is anything else you may need. :major
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The below appears in your Documents and Settings folder. This folder normally only contains User and System Account names. Did you create this account? If not, what do you see in this folder?
    Code:
    C:\Documents and Settings\
    E38D88~1      Nov 16 2006              "e38d887bd8269a491b7ac1cb"
    I'm also wondering if your svchost.exe system file has gotten infected, since the file date on it is Mar 29, 2008. Do you have your Windows XP SP2 bootable CD?

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  21. zakiya

    zakiya Private E-2

    I did not create that account that shows up under documents and settings. I looked in that folder and found the following files:

    msxm14-kb927978-enu.log
    NTUSER.dat.log
    NTUSER.dat

    I have a Windows XP SP2 cd however it is for a Dell machine. Do you think that it would work on this Toshiba laptop?

    Attached are the logs.

    Thanks
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you goto Control Panel, User Accounts, does that user show up in the list of users?


    For some things it will work fine. It just would not have all of the drivers and some other items for your Toshiba laptop, but for most of the Windows OS related files it would be fine. Please do the below.

    Click Start, Run and enter sfc /scannow and click OK. There is a space after the sfc. If this causes a message to come up about needing your CD, put in this SP2 CD you have for Dell. Let me know if it did ask for the CD.

    Now uninstall SUPERAntiSpyware and then reboot your PC before continuing.

    We have a stuck registry key that contains non-valid characters and information that we do not seem to be able to remove. I want to try removing it a different way. Download the attached FixWN.zip file to your Desktop. Then extract the FixWN.reg file from the ZIP file, also to your Desktop. Now double click on the FixWN.reg file and say yes to the prompt about adding it to the registry. Tell me if you get a success message about it being added to the registry.


    Now download the current version of MGtools.exe and save it to C:\MGtools.exe like requested in the READ ME. Then double click on C:\MGtools.exe to run it. This will create a new MGlogs.zip file when it finishes. Please attach this new MGlogs.zip file.
     

    Attached Files:

  23. zakiya

    zakiya Private E-2

    I was unable to find the account under Control Panel/User Accounts.

    When I ran the sfc /scannow it did not ask me for a cd.

    I have uninstalled Super Antispyware.

    When I tried to download the new MGtools it said the link was invalid, so I just searched for the download on the MajorGeeks site and I downloaded the one from the link on that page. Please let me know if that was okay. I didn't know if that one was the same as the one on the link that you provided. I am not sure what was wrong with the link but it took me to a page that said invalid link, please report to administrator.

    Attached is the log.

    Thanks
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, that is because it was updated again before you returned to do the download and the link I gave you became non-valid since that file was now replaced. You did however get the current version. Note the current version is always available via downloading from the link in the READ & RUN ME.

    It appears that the bad registry entries are now gone.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Note: the space between cf" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    2. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    3. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run Avenger, you can delete all files related to Avenger now.
    6. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work through the below link:
     
