braviax\cru629 strikes another innocent pc

Discussion in 'Malware Help (A Specialist Will Reply)' started by pyroter, Feb 29, 2008.

  1. pyroter

    pyroter Private E-2

    I was online two days ago, when my computer suddenly rebooted. As it started back up I noticed that my Norton software had been disabled, which seems to open up a whole world of possibilities, unfortunately they are not all good. I also have the now famous red circle with a white cross in my system tray. It seems to me that some generous soul has sent me a free copy of braviax\cru629. I would really like to get rid of it.

    I searched your malware forums and it seems that my computer has most of the symptoms described in the thread titled "System Defender has attacked me".

    I went through all the steps outlined in "read and run me first thread". I updated my Java, and followed all of the other steps that applied to my system (Dell 8300, 3.0 GHz, 1 GB RAM, XP Pro). I have Norton Systemworks, Spybot Search and Destroy, Spyware Terminator, and Ad Aware, all of which were installed and functional prior to my receiving the aforementioned unsolicited giftware.

    After the initial discovery I ran Spyware Terminator and it removed several rootkits, which I hoped would put an end to this, but of course it did not. Spybot has also been disabled and will not run. I tried re-installing it to no avail. I was also unable to install SUPERAntiSpyware. ComboFix seems to have been installed but it will not run. I ran CCleaner and MGtools, and have attached the logfile it created.

    Your help will be greatly appreciated...

    pyroter
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Did you run it exactly as requested from the command prompt with the killall option? Did it give you any error messages? What happened exactly? You could try running in safe boot mode too as this sometimes helps.

    I'll look through your MGlogs.zip file now, but please answer the above while I'm reading.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your Windows version is out of date and should be updated for greater security.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O4 - HKLM\..\Run: [braviax] braviax.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\windows\system32\setup1.exe
    O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
    O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Terry.D8XPNW41.001\Local Settings\Temp

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
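    As an added illustration (not part of chaslang's instructions or of HijackThis itself), the following script shows how the lines selected above can be triaged automatically. It parses HijackThis-style log lines and flags the persistence mechanisms this infection uses: Run values pointing at the files the thread names, an AppInit_DLLs entry (which gets loaded into every process that uses user32.dll), a Winlogon Notify package (which runs inside winlogon.exe at logon), and a DPF entry whose "download" URL is a local file. The sample log is constructed from the lines quoted in this post; the severity rules and the KNOWN_BAD_NAMES set are my own assumptions drawn from the thread.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\windows\system32\setup1.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
"""

# File names the thread identifies as belonging to this infection (assumption: taken from the posts).
KNOWN_BAD_NAMES = {"braviax.exe", "cru629.dat", "wlctrl32.dll"}

@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    line: str      # the raw log line
    severity: str  # "high", "medium", "low" or "info"
    reason: str

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def executable_basename(cmd: str) -> tuple[str, bool]:
    """Return (lower-cased file name, had_path) for the program in a Run value."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        prog = cmd[1:end] if end != -1 else cmd[1:]
    else:
        parts = cmd.split()
        prog = parts[0] if parts else ""
    had_path = "\\" in prog or "/" in prog
    return prog.rsplit("\\", 1)[-1].lower(), had_path

def _classify(sec: str, body: str, raw: str) -> Finding:
    if sec == "O4":
        m = O4_RE.match(body)
        if m:
            name, had_path = executable_basename(m.group("cmd"))
            if name in KNOWN_BAD_NAMES:
                return Finding(sec, raw, "high", f"Run entry launches known-bad file {name}")
            if not had_path:
                # A bare file name is resolved via the search order, a common hiding trick.
                return Finding(sec, raw, "medium", f"Run entry '{name}' has no path")
            return Finding(sec, raw, "info", "Run entry with full path; verify publisher")
    if sec == "O20":
        if body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            name = value.rsplit("\\", 1)[-1].lower()
            note = " (named in this thread)" if name in KNOWN_BAD_NAMES else ""
            return Finding(sec, raw, "high",
                           "AppInit_DLLs loads into every process using user32.dll" + note)
        if body.startswith("Winlogon Notify:"):
            dll = body.split(":", 1)[1].rsplit(" - ", 1)[-1].strip()
            name = dll.rsplit("\\", 1)[-1].lower()
            sev = "high" if name in KNOWN_BAD_NAMES else "medium"
            return Finding(sec, raw, sev, f"Winlogon Notify package {name} runs inside winlogon.exe")
    if sec == "O16" and "file://" in body.lower():
        return Finding(sec, raw, "high", "DPF entry points at a local file, not a web control")
    if sec == "O9" and "(no file)" in body:
        return Finding(sec, raw, "low", "orphaned browser button; target file missing")
    return Finding(sec, raw, "info", "no rule matched; review manually")

def triage(log_text: str) -> list[Finding]:
    """Parse every 'Xn - ...' line and classify it; unrecognised lines are skipped."""
    findings = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            findings.append(_classify(m.group("sec"), m.group("body"), raw))
    return findings

def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: ["high", "medium", "low", "info"].index(f.severity)):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(results))
```

Run it against a saved HijackThis log and the high entries are the ones to look at first; the QuickTime and Dell home-page lines come out as "info", which matches chaslang's point that those are fixed for tidiness rather than because they are malicious.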
     
  4. pyroter

    pyroter Private E-2

    Quote

    “Did you run it exactly as requested from the command prompt with the killall option? Did it give you any error messages? What happened exactly? You could try running in safe boot mode too as this sometimes helps.”

    Yes. No. Nothing. Safe Mode did not help.

    I was able to remove Windows Messenger.
    ---------------------------------------------------------------------------------------------------------------------------------
    I ran analyse.exe (HijackThis) and selected the lines specified for removal.
    I was not able to find the line---

    “O4 - HKLM\..\Run: [braviax] braviax.exe”

    or the line---

    “O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background”

    I would imagine the latter was removed when Windows Messenger was removed. HijackThis did remove all of the lines I selected.
    ---------------------------------------------------------------------------------------------------------------------------------

    I downloaded and ran The Avenger. It removed everything except the registry value

    “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | braviax”.

    Avenger popped up a box which said “Error: Invalid registry syntax in command” (see attached screenshot in zip file avenger.doc). I tried to delete it manually but I could not find it either.

    It also generated the following:

    Error: registry key “\Registry\Machine\system\CurrentControlSet\Services\cru629” not found!
    Deletion of driver “cru629” failed!
    status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    I searched for the files Avenger attempted to delete but did not find them.
    ---------------------------------------------------------------------------------------------------------------------------------
    I deleted the temporary files specified and then ran CCleaner.

    At this point braviax/cru629 seems to be gone and my system boots normally. I was able to run SUPERAntiSpyware as well as Norton Antivirus, AdAware, Spybot Search and Destroy, and Spyware Terminator. I updated each program and then ran a scan and each program found several things to remove except for Norton Antivirus. After removal I repeated each scan to make sure the items were actually removed. The last time I ran SUPERAntiSpyware it did find the following:

    Trojan.LanMan/Rootkit
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP433\A0097582.SYS

    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP433\A0097583.SYS

    Trojan.Downloader-Gen/AVP
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP434\A0098028.EXE

    I am guessing these could be removed by toggling System Restore, but I will wait until I hear from you to do so.


    I then ran CCleaner and MGtools again to generate the attached logs. I also attached several logs and screenshots from the other scan tools mentioned above.

    I realize I need to update XP to SP2; I was just giving Microsoft a little time to work the bugs out. Can you recommend a utility to backup my system prior to installing SP2?
    Do you know if Zone Alarm firewall can peacefully coexist with SP2?

    Please let me know if you see any other issues that need to be addressed.

    Thank you,

    pyroter
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please only run the scans we ask you to run and only run them the number of times we ask you to run them.

    Now that your PC appears to be in a better frame of mind, please attempt to run the ComboFix procedure from the READ & RUN ME and attach the log from ComboFix.

    Your logs are clean, but I still want to see if ComboFix finds anything.

    Note: You are using Mozilla Firefox (1.5) which is way out of date. You should uninstall and update to Mozilla Firefox


    I would check with people in the Software Forum for recommendations on backup software, but aren't you running Acronis? It also depends on what medium you wish to back up to.
     
