Braviax and others

HI -

My friend Gerry's computer seems to be infected with (among probable other things): Braviax; Virtumonde; and WinReanimator. Symptoms include: Spybot 1.5 constantly popping up with questions about registry changes; other unwanted popups; changes of IE home page; messages about needing "more powerful" anti-spyware tools; etc.

After trying VundoFix.exe (nothing found), I've followed as carefully as I could the new (shorter) version of "READ & RUN ME FIRST", and I attach logs from SAS, ComboFix, and MGTools. If needed I've also got a .reg file output by CCleaner.

 

Hi apolodorus!
Welcome to Major Geeks!

Please attach the logs. Remember when you log on to check the Remember Me button. Also, after you upload the files and close the window, you may need to submit the attachments.

Thanks.
abri

 

HI -

Thanks for the reply. I thought I had attached the logs, but obviously something went wrong (inexperience probably) so I'll try again.

Thanks again,

Bob

P.S. I seem not to have clicked "upload".

 

Hi apolodorus,
It looks like you have bad files all the way through your computer which came in starting on the 4th of this month. Please use your computer as little as possible and avoid unnecessary reboots until I can post a set of removal instructions for you.

abri

 

HI Abri -

Bad news, not totally unexpected. Waiting for instructions.

Regards,

Bob

 

Hi Bob,

Please do the following:

1) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

2) Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

3) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.


4) And now run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip located directly under C: along with the Avenger log.


Let me know how things are running now?

abri

 

Abri -

I'll let you know how I get on.

Bob

 

HI abri -

Sorry for the delay, but Gerry needed the computer for some work, so I had to wait. I attach the two output files as requested.

I notice from "avenger.txt" that avenger couldn't find certains files. I don't know anything about most of them, but I do about the nine dot-exe files in "C:\Program Files": I happened to notice them before I got your email and deleted them! Hope I didn't louse anything up!

Regards,

Bob

 

Hi apolodorus,
Your logs look a lot better. Could you tell me what's in the following two folders? (Don't open any files! When you find them, if you don't know what they are, right click on them first and see if you can get any information about them from the properties window. Also, make sure they really are Folders and not Files!

C:\5c9eaf7ab6c0c2cad0c5140846
C:\b69a1fa3371cd019d4f79641345d37

Other than that, please disable your guest account if this has not already been done.

After I hear back from you about the above two folders, I will post the final cleanup instructions.

How is your computer running?
abri

 

HI Abri -

As far as I can tell the two folders contain files which must have been put there as a result of some experiments Gerry and I were trying a few weeks ago.

The guest account is turned off and, as far as I know, always has been.

The computer is running fine.

Regards and thanks,

Bob

 

Hi Bob,
Here are the final cleanup instructions.

abri