braviax.exe removal problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by Wombatt, Mar 12, 2008.

  1. Wombatt

    Wombatt Private E-2

    Hi guys,

    Recently the firewall program COMODO and Spybot S&D identified that braviax was trying to access the internet and asked permission from me to let this happen. I said "NO". My antivirus program AVG 7.5 didn't seem to remove the problem, nor did Spybot S&D or Ad-Aware, so I looked on the net for some solution and stumbled upon your site. I have tried the simple malware removal process that is posted here but have run into some problems.
    After downloading the required programs listed and following the steps indicated, I got as far as running the SUPERAntiSpyware program as instructed, and when it finished running it asked to restart the system as part of the process. This was done, but upon restarting, Windows starts to the point of showing me the user accounts; when I log on to any of them, Windows starts loading the user settings and then comes up with a message that says something along the lines of Windows can't load this program and has to restart. I am able to use Safe Mode, which is how I am posting now, but don't know what to do to fix the problem. I have attached the SAS log file and MGlogs.zip.

    I hope you guys can help

    Thanks
    Wombatt
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please disable Spybot's Teatimer as requested in the READ ME. See: How to disable Spybot's TeaTimer

    Your PC is way out of date with Windows updates. This is a major security risk. You must get your PC updated after your malware problems have been resolved.

    Do you really use all of those user accounts that are created? You should delete unused/unnecessary accounts and delete any leftover folders from them after a reboot.

    Rename the ComboFix.exe file that is on your Desktop to cf.exe We will be trying to use this further down.

    Delete all of the below temp files in the root folder of drive C.
    Code:
    C:\
    1a.tmp        Dec 18 2007           0  "1A.tmp"
    15.tmp        Dec 18 2007           0  "15.tmp"
    16.tmp        Dec 18 2007           0  "16.tmp"
    17.tmp        Dec 18 2007           0  "17.tmp"
    18.tmp        Dec 18 2007           0  "18.tmp"
    19.tmp        Dec 18 2007           0  "19.tmp"
    1b.tmp        Dec 18 2007           0  "1B.tmp"
    1c.tmp        Dec 18 2007           0  "1C.tmp"
    1d.tmp        Dec 18 2007           0  "1D.tmp"
    1e.tmp        Dec 18 2007           0  "1E.tmp"
    1f.tmp        Dec 18 2007           0  "1F.tmp"
    20.tmp        Dec 18 2007           0  "20.tmp"
    21.tmp        Dec 18 2007           0  "21.tmp"
    22.tmp        Dec 18 2007           0  "22.tmp"
    23.tmp        Dec 18 2007           0  "23.tmp"
    24.tmp        Dec 18 2007           0  "24.tmp"
    25.tmp        Dec 18 2007           0  "25.tmp"
    26.tmp        Dec 18 2007           0  "26.tmp"
    27.tmp        Dec 18 2007           0  "27.tmp"
    28.tmp        Dec 18 2007           0  "28.tmp"
    29.tmp        Dec 18 2007           0  "29.tmp"
    2a.tmp        Dec 18 2007           0  "2A.tmp"
    2b.tmp        Dec 18 2007           0  "2B.tmp"
    2c.tmp        Dec 18 2007           0  "2C.tmp"
    2d.tmp        Dec 18 2007           0  "2D.tmp"
    2e.tmp        Dec 18 2007           0  "2E.tmp"
    2f.tmp        Dec 18 2007           0  "2F.tmp"
    30.tmp        Dec 18 2007           0  "30.tmp"
    31.tmp        Dec 18 2007           0  "31.tmp"
    32.tmp        Dec 18 2007           0  "32.tmp"
    33.tmp        Dec 18 2007           0  "33.tmp"
    34.tmp        Dec 18 2007           0  "34.tmp"

    DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - Global Startup: pgqb.exe
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    If you are able to boot in normal mode now, then Uninstall the below old versions of software:
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
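The HijackThis lines above are flagged by eye. As an added example (not from this post, from MajorGeeks or from HijackThis itself), the script below parses the six lines quoted above and applies the same checks a responder makes: a CLSID entry whose target is "(no file)" is orphaned, a startup entry that names a bare file with no full path (pgqb.exe in the All Users Startup folder) cannot be vetted and is typical of a dropped file, and an O6 line means an Internet Explorer policy restriction key is present. Everything else is left for manual review; the verdict names and the O4 field layout assumed by the regex are this example's own.

```python
"""Triage HijackThis-style 'O' lines from a posted log (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the six lines the responder asked to be fixed.
SAMPLE_LOG = r"""
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - Global Startup: pgqb.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 body: "<where>: [<name>] <command>"; the [name] part is absent for Startup-folder items.
O4_RE = re.compile(r"^(?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
FULL_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


@dataclass
class Finding:
    section: str   # O3, O4, ...
    verdict: str   # orphaned | unknown-startup | policy | review (names assumed here)
    detail: str
    raw: str


def classify(line: str) -> Finding:
    """Apply the responder's checks to one HijackThis line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a HijackThis entry: {line!r}")
    section, body = m.group(1), m.group(2)

    # Any CLSID-bearing entry (toolbar, BHO, extra button) whose file is gone.
    if body.endswith("(no file)"):
        clsid = CLSID_RE.search(body)
        return Finding(section, "orphaned",
                       f"registered object {clsid.group(0) if clsid else '?'} has no file on disk", line)

    if section == "O4":
        o4 = O4_RE.match(body)
        if o4 is None:
            return Finding(section, "review", "unparsed O4 entry", line)
        cmd = o4.group("cmd")
        if not FULL_PATH_RE.match(cmd):
            # A bare file name in a Run key or Startup folder: nothing to vet, and
            # random-looking names such as pgqb.exe are typical of dropped malware.
            return Finding(section, "unknown-startup",
                           f"{o4.group('where')} launches {cmd!r} with no full path", line)
        return Finding(section, "review", f"{o4.group('where')} launches {cmd}", line)

    if section == "O6":
        # HJT prints O6 when an Internet Explorer Policies key exists; on a home PC
        # that usually means malware (or a tool) has locked down IE settings.
        return Finding(section, "policy", f"IE restriction policy: {body}", line)

    return Finding(section, "review", body, line)


def triage(log_text: str) -> List[Finding]:
    """Classify every non-blank line of a pasted HJT log."""
    return [classify(l) for l in log_text.strip().splitlines() if l.strip()]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per verdict."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.section:3} {f.verdict:16} {f.detail}")
    print(summarize(results))
```

Run it on a pasted log and the "orphaned" and "unknown-startup" lines are the ones to fix first; "review" entries still need the file on disk checked by hand, which is why the Java scheduler line above is not marked safe automatically.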
     
  3. Wombatt

    Wombatt Private E-2

    Thanks Chaslang,

    I am able to run Windows in normal mode now. In answer to your question about all the user accounts, it's a case of one computer and 5 family members, teenage girls and one teenage boy, wanting their own log on, privacy and all that. Maybe I need to put my foot down and make them share. Anyway, I have attached the logs that you have asked for. Is there anything else I need to do?

    Thank you
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No!! It is better for each to have their own password-protected account, but they really should not have administrator privileges. However, you mentioned 5 family members, and not including the account named Administrator, I see 7 accounts.
    Code:
     
       Yes    | DaBoy
       Yes    | DaWestons
       Yes    | load
       Yes    | MooMoo
              | Mum
       Yes    | qoI
       Yes    | Rosebud
    
    And all but Mum are administrators (indicated by the Yes - this came from the newfiles.txt log inside of the MGlogs.zip file).

    And also your C:\Documents and Settings folder shows the below folders that normally would mean other user accounts but I don't see these user accounts, so what are these from:
    Code:
    TEMP          Apr 10 2005              "TEMP"
    ROSEBU~1.LOU  Apr 10 2005              "Rosebud.LOUISCYPHER"
    HELPAS~1      Jun 11 2005              "HelpAssistant"
    TEMP~1.LOU    Oct 11 2005              "TEMP.LOUISCYPHER"
    TEMPLO~1.000  Apr 29 2006              "TEMP.LOUISCYPHER.000"
    TEMPLO~1.001  Jun  8 2006              "TEMP.LOUISCYPHER.001"
    TEMPLO~1.002  Jun 27 2006              "TEMP.LOUISCYPHER.002"
    MOOMOO~1.LOU  Aug 19 2006              "MooMoo.LOUISCYPHER"

    You do not have your system in normal startup mode as requested in step 1 of the READ ME, but do not change it yet. Wait until the end of the below fix.

    Now we need to use ComboFix again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now see step 1 of the READ ME and put your PC into Normal Startup mode with MSconfig and remain in this mode.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
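The two listings quoted above are compared by hand. As an added example (not from this post or from the MGtools scripts), the script below parses the admin-flag table from newfiles.txt and the Documents and Settings directory listing and reports which accounts are administrators, which profile folders belong to no listed account, and which are extra copies for an existing account. Windows names a profile folder after the account; when that folder name is already in use it appends the machine or domain name and then .000, .001, so Rosebud.LOUISCYPHER is a second profile created for Rosebud (LOUISCYPHER is assumed here to be the computer name), and TEMP is the folder XP creates when it falls back to a temporary profile because the user's own profile could not be loaded. The built-in profile names skipped below are the standard XP ones; HelpAssistant is the Remote Assistance account.

```python
"""Reconcile local accounts with profile folders (added example)."""
import re
from typing import Dict, List

# Constructed from the two listings quoted in the post.
ACCOUNTS_LISTING = """
   Yes    | DaBoy
   Yes    | DaWestons
   Yes    | load
   Yes    | MooMoo
          | Mum
   Yes    | qoI
   Yes    | Rosebud
"""

PROFILE_LISTING = """
TEMP          Apr 10 2005              "TEMP"
ROSEBU~1.LOU  Apr 10 2005              "Rosebud.LOUISCYPHER"
HELPAS~1      Jun 11 2005              "HelpAssistant"
TEMP~1.LOU    Oct 11 2005              "TEMP.LOUISCYPHER"
TEMPLO~1.000  Apr 29 2006              "TEMP.LOUISCYPHER.000"
TEMPLO~1.001  Jun  8 2006              "TEMP.LOUISCYPHER.001"
TEMPLO~1.002  Jun 27 2006              "TEMP.LOUISCYPHER.002"
MOOMOO~1.LOU  Aug 19 2006              "MooMoo.LOUISCYPHER"
"""

# Profile folders Windows XP keeps for built-in accounts and services. They do
# not show up as ordinary user accounts, so they are not reported as orphans.
BUILTIN_PROFILES = {"administrator", "all users", "default user", "localservice",
                    "networkservice", "helpassistant"}

LONG_NAME_RE = re.compile(r'"([^"]+)"\s*$')


def parse_accounts(text: str) -> Dict[str, bool]:
    """Map account name -> is_admin from 'Yes | name' table lines."""
    accounts: Dict[str, bool] = {}
    for line in text.strip().splitlines():
        flag, _, name = line.partition("|")
        name = name.strip()
        if name:
            accounts[name] = flag.strip().lower() == "yes"
    return accounts


def parse_profiles(text: str) -> List[str]:
    """Pull the quoted long folder names out of a dir-style listing."""
    names: List[str] = []
    for line in text.strip().splitlines():
        m = LONG_NAME_RE.search(line)
        if m:
            names.append(m.group(1))
    return names


def reconcile(accounts: Dict[str, bool], profiles: List[str]) -> Dict[str, List[str]]:
    """Classify each profile folder against the account list."""
    known = {n.lower() for n in accounts}
    report: Dict[str, List[str]] = {
        "admins": sorted(n for n, a in accounts.items() if a),
        "non_admins": sorted(n for n, a in accounts.items() if not a),
        "collision_profiles": [],   # extra folders for an account that exists
        "orphan_profiles": [],      # folders for no listed account (TEMP.* here)
    }
    for folder in profiles:
        base = folder.split(".", 1)[0].lower()   # strip the .MACHINE[.NNN] suffix
        if base in BUILTIN_PROFILES:
            continue
        if base in known:
            if folder.lower() != base:
                # Windows could not use the original folder at some logon and
                # created a second one; the leftover copy is stale.
                report["collision_profiles"].append(folder)
        else:
            report["orphan_profiles"].append(folder)
    return report


if __name__ == "__main__":
    result = reconcile(parse_accounts(ACCOUNTS_LISTING), parse_profiles(PROFILE_LISTING))
    for key, names in result.items():
        print(f"{key}: {', '.join(names) or '-'}")
```

The output makes the two points in the reply concrete: six of the seven accounts are administrators (only Mum is not), and every TEMP.* folder is an orphan while the Rosebud and MooMoo .LOUISCYPHER folders are stale second copies of live profiles.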
     
