Braviax.exe troubles

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by berndt, Apr 8, 2008.

  1. berndt

    berndt Private E-2

    Hi,

    I have a computer that has been infected with Braviax. I am able to start the computer in Safe Mode. When I try to open the computer in normal mode, it restarts (before finishing the startup!).

    Unfortunately, I did not find your forum before trying to fix the problem. Here are the events I can recall:

    I got the pop-up message in my tray about needing to clean something - the message was to buy some software to take care of the problem (some kind of "Defender" software - I don't recall the name.)

    I tracked down the problem to something others have identified as Braviax.exe. Looking at the McAfee web site said it wasn't a problem (this was in early March 2008), but I didn't believe it.

    I noticed a "fix" from someone who said he overcame the Braviax by deleting the Braviax.exe file and replacing it with a blank file of the same name.

    I also deleted the Braviax entry from the list of processes running.

    While I was doing this, my computer froze. I had no keyboard access, and the mouse didn't work either, not even after a half hour elapsed.

    I have tried System Restore to no avail. I have found only that I can open the computer in Safe Mode. I can get files to the computer through a Flash drive, but currently the Internet Access does not work (DSL modem).

    What do I need to do to fix the computer? :confused

    With apologies for the lengthy post,

    Tom
     
  2. berndt

    berndt Private E-2

    I have started to do the READ and RUN ME FIRST items.

    Removed Viewpoint Media Player via Add/Remove Programs.

    Removed old version of Sun Java. Unable to load latest version in Safe Mode (and computer shuts down during Startup in Normal mode).

    MSCONFIG was set for Normal Startup (in Safe Mode, logged in as Administrator).

    Unable to open McAfee to look for quarantined files. Thus, unable to remove quarantined files/items.

    Ran CCleaner. Process deleted many files (>400 MB). (Ran CCleaner for all accounts I could find in Safe Mode {Administrator and one user acct}.)

    Rebooted, and tried to open in Normal Mode. Computer shut down before Startup was done. (Noted that Startup was faster than before :) - which meant seeing the "computer will shut down" message a little sooner than before :banghead :( ).

    Enabled viewing all files etc. (in safe mode).

    Tried to install SUPERAntiSpyware. Nothing happened. (Tried double-clicking the icon, right-clicking and selecting OPEN, but the exe file did not start).

    Have not loaded Spybot-Search and Destroy, nor Malwarebytes software.

    Combofix.exe is on Desktop.

    MGTools.exe is in root directory (C:\).

    Looking forward to your assistance.

    TIA,

    Tom
     
  3. abri

    abri MajorGeek

    Hi berndt,
    Welcome to Major Geeks!


    Please run Combofix and the MGTools. You can run them in safe mode if you can't get to normal mode. The version of Combofix you run needs to be the current one (if you installed it yesterday, this is okay). After you run these two, attach the logs. If you have any problems, let me know.

    abri
     
  4. berndt

    berndt Private E-2

    Hi abri,

    Thanks for the reply.

    I tried running combofix.exe, but the program did not open. (I saw a flicker of an hourglass, but nothing else. The desktop remained the same.)

    Here is the result of MGTools.

    I tried running combofix.exe after MGTools also. Again, program did not run.

    Tom
     

    Attached Files:

  5. abri

    abri MajorGeek

    Hi berndt,

    I will start you out with the following instructions. See if you can do them and then try and run Combofix again. I'll post that towards the end. Be sure it's a version that is the most recent (yesterday's is okay).

    1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
    O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\Program Files\iWon\iWonBar\2.bin\IWONBAR.DLL
    O4 - HKLM\..\Run: [braviax] braviax.exe
    O4 - Global Startup: dqui.exe
    O4 - Global Startup: gncw.exe
    O4 - Global Startup: uwgh.exe
    O4 - Global Startup: wgqz.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
    O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iWonPMSetup_12_1,0,2,5.exe
    O18 - Protocol: ebk - {1E411CE8-FE8B-4973-B8E0-6EA2CC3C6B06} - C:\WINDOWS\System32\ebkp.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat

    Do the following belong to programs you know or want to keep? If not, please fix them as well.

    O16 - DPF: {22051D56-3AEA-47E4-A325-B1F88DAC856C} (HiWired Bootstrapper Class) - http://hwcas.hiwired.com/Downloads/HiWired.Client.BootrsrapXP.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
    O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab
    O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB

    After you click fix, just close hijackthis.


    2) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    3) Now run CCleaner at the default setting with the Windows tab as the top one.


    4) Go to add/remove programs and uninstall the below:

    - Viewpoint Media Player



    5) Install the current version of Sun Java from: Sun Java Runtime Environment

    6) Open your Windows Live Messenger, go to Help -> Customer Experience Improvement Program and turn it off. That will stop you getting all those sqm files.

    7) Now go to How to properly run Combofix and try running it again.


    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log and the combofix log if it ran.


    Let me know how things are running now?

    abri
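The HijackThis lines abri singles out above follow a fixed "Oxx - Kind: value" layout, so the same triage can be done mechanically. The following is an added example (not code from this thread, HijackThis or MGTools) that parses such lines and applies the heuristics the helper used here: AppInit_DLLs loaders, Run values that name a bare executable with no path, random four-letter names in the all-users Startup folder, executables inside a user profile, orphaned toolbar entries, and ActiveX (DPF) downloads to review. The sample log is constructed from the lines quoted in posts 5 and 10; the severity labels are my own assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: HijackThis lines as quoted in posts 5 and 10 of this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [caseyvideo]
O4 - HKCU\..\Run: [xrt_Shell] C:\Documents and Settings\Angelic\xrt_cixd.exe
O4 - Global Startup: dqui.exe
O4 - Global Startup: gncw.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O18 - Protocol: ebk - {1E411CE8-FE8B-4973-B8E0-6EA2CC3C6B06} - C:\WINDOWS\System32\ebkp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
"""

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")          # "O4 - HKLM\..\Run: ..."
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")  # "[name] command"

@dataclass
class Entry:
    section: str   # HijackThis section code, e.g. "O4"
    kind: str      # sub-kind, e.g. "HKLM\..\Run", "Global Startup", "AppInit_DLLs"
    value: str     # remainder of the line

def parse(text):
    """Turn a HijackThis-style log into Entry objects; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Entry(*m.groups()))
    return out

def assess(e):
    """Return (severity, reason) for one entry, or None if nothing stands out."""
    if e.section == "O20" and e.kind == "AppInit_DLLs" and e.value.strip():
        return ("high", "AppInit_DLLs injects this file into every user-mode process")
    if e.section == "O4" and e.kind == "Global Startup":
        if re.fullmatch(r"[a-z]{4}\.exe", e.value.strip(), re.I):
            return ("high", "random-looking 4-letter name in the all-users Startup folder")
        return ("medium", "executable in the all-users Startup folder")
    if e.section == "O4":
        m = RUN_RE.match(e.value)
        cmd = m.group("cmd").strip() if m else e.value.strip()
        if not cmd:
            return ("medium", "Run value with an empty command (leftover or hidden launcher)")
        if "\\" not in cmd:
            return ("high", "Run value names a bare executable with no path")
        if "documents and settings" in cmd.lower():
            return ("medium", "Run value points into a user profile directory")
    if e.section == "O3" and "(file missing)" in e.value:
        return ("low", "toolbar registration whose DLL no longer exists")
    if e.section == "O18":
        return ("medium", "custom URL protocol handler DLL; verify the publisher")
    if e.section == "O16":
        host = urlparse(e.value.rsplit(" - ", 1)[-1].strip()).hostname or "?"
        return ("info", f"ActiveX download from {host}; keep only if recognised")
    return None

def triage(text):
    """Map each flagged log line (reassembled verbatim) to its (severity, reason)."""
    findings = {}
    for e in parse(text):
        verdict = assess(e)
        if verdict:
            findings[f"{e.section} - {e.kind}: {e.value}"] = verdict
    return findings

if __name__ == "__main__":
    for line, (sev, why) in triage(SAMPLE_LOG).items():
        print(f"[{sev:<6}] {why}\n         {line}")
```

Entries the heuristics do not flag (a Run value with a full path under Program Files, for instance) are simply omitted from the result, so an empty dict means "nothing stood out", not "clean".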
     
  6. berndt

    berndt Private E-2

    Hi abri,

    I was able to do several of the items on your list.

    1 Ran analyse.exe.

    2 Ran The Avenger. Please see Avenger.txt.

    When running The Avenger, I saw no box/option to "input script manually." I pasted the Quote box into the "Input script here" box that showed up. I saw no magnifying glass icon. I saw no "Done" button, but I saw and clicked on an "Execute" button. And avenger.txt came out as the software rebooted my computer.

    The computer automatically shut down again, so I restarted in Safe Mode (as Administrator).

    3 Ran CCleaner.

    4 Removed Viewpoint Media Player.

    5 Tried to add Java Runtime Environment. Was unable to install successfully. Saw a message stating that Windows Installer Service was not found/available, which sometimes happens in Safe Mode.

    6 For Windows Live Messenger, Customer Experience Improvement Program was already greyed out.

    7 Ran combofix according to the link you provided. (Thanks for the gentle correction.) Before running combofix, I was unable to open and disable McAfee. McAfee might not have been open, as I did not see it (Safe Mode), and earlier attempts to open McAfee in Safe Mode have not worked.

    Combofix ran, rebooted, and displayed a message after the reboot:
    zip I/O error: No such file or directory
    zip error: Could not create output file <C:/Qoobox/Quarantine/catchme04/09/2008_164743.20.zip>

    Reboot was running a bit slow, but has been continuing (as I type this at my other computer).

    Should I try to run C:\MGtools\GetLogs.bat ? (whether I need to reboot to Safe Mode or not?)

    Thanks,

    Tom
     

    Attached Files:

  7. berndt

    berndt Private E-2

    Hi abri,

    After a surprisingly long time (about 30 minutes after reboot), the combofix log came out.

    Please see the attached file.

    Windows now opens in Normal Mode. Yippee!

    Should I run the C:\MGtools\GetLogs.bat? (Things take a pretty long time in Normal Mode - well, for now, that is.)

    Thanks, Tom
     

    Attached Files: log.txt
  8. abri

    abri MajorGeek

    Hi Tom,

    Your combofix log is impressive. I wasn't sure if it was the weather hot XP or the recipes that did more damage. lol At a glance, I can see at least one more bad file in there so hopefully you will gain more functionality by the time we finish.

    If you can get the GetLogs.bat to run, please do. It would help a lot because they've changed since you last posted them. After you run GetLogs.bat, look for the MGlogs.zip directly under C just above the superman icon.

    Thanks.
    abri
     
  9. berndt

    berndt Private E-2

    Hi abri,

    Ran GetLogs.bat successfully. Attached updated MGlogs.zip.

    Please advise when I need to load latest Java Runtime Environment.

    Again, thank you for your awesome help!

    Tom
     

    Attached Files:

  10. abri

    abri MajorGeek

    Hi berndt,

    You can install the current Java Runtime right away. The download link is in the READ & RUN ME FIRST.

    Do you recognize any of the following items?

    O4 - HKCU\..\Run: [caseyvideo]
    O4 - HKCU\..\Run: [xrt_Shell] C:\Documents and Settings\Angelic\xrt_cixd.exe
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -

    Run CCleaner at the default setting with the Windows tab as the one on top.

    After you let me know about the above I'll post you a few more things you need to do.

    Thanks.
    abri
     
  11. berndt

    berndt Private E-2

    Hi abri,

    Java Runtime Environment has been installed.

    I don't recognize any of the files you posted:

    O4 - HKCU\..\Run: [caseyvideo]
    O4 - HKCU\..\Run: [xrt_Shell] C:\Documents and Settings\Angelic\xrt_cixd.exe
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -

    I ran CCleaner.

    I have McAfee - and finally found its quarantined items:

    Programs and Cookies: Generic.Adware.b

    Files: BIT1292.TMP
    CATCHME.ZIP

    AOL Spyware Zapper found Bifrost in a scan and asked me if it should quarantine (or maybe remove) it?

    I decided to wait - and do what you tell me.

    Thanks,

    Tom
     
  12. abri

    abri MajorGeek

    Use HijackThis as you did in Post 5, Step 1 to fix the above.

    Yes, have AOL Zapper remove it. See this article:

    http://en.wikipedia.org/wiki/Bifrost_(trojan_horse)


    abri
     
  13. berndt

    berndt Private E-2

    Hi abri,

    I ran analyse.exe to fix the three items you asked about.

    I will remove Bifrost as soon as I can.

    Thank you,

    Tom
     
  14. abri

    abri MajorGeek

    Hi berndt,
    I didn't ask you if you reran analyse.exe (run a system scan) and see if it really did remove the three items in my last post to you. Tell me how your computer is running now?
    abri
     
  15. berndt

    berndt Private E-2

    Hi abri,

    Those three files:
    O4 - HKCU\..\Run: [caseyvideo]
    O4 - HKCU\..\Run: [xrt_Shell] C:\Documents and Settings\Angelic\xrt_cixd.exe
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
    are still showing up when I run analyse.exe.

    Otherwise, the computer boots up and seems to run fairly well. It seems a bit slower than before braviax decided to get the axe here.

    Awaiting your orders, sir! :D

    Tom
     
  16. abri

    abri MajorGeek

    Hi berndt,

    First an observation: you seem to have a piece of software and a user name which are the same. I can imagine some instances where this might lead to confusion.

    Secondly, the slowdown you experience on your computer, did you notice this after Braviax or after installing McAfee Security Center?

    1) Please go to C:\ and look for file names with the following structure and delete them:

    C:\sqmnoopt12.sqm



    2) Go to add/remove programs and uninstall the below:

    Viewpoint Media Player

    3) Install the current version of Sun Java from Sun Java Runtime Environment

    4) Your security software may be blocking the items in HijackThis from getting fixed. Please shut down your computer and disconnect it from the internet. Then boot it back up while still disconnected and disable all of your McAfee and any other resident protection software you may have. After that rerun C:\MGTools\analyse.exe by double clicking on it, do a system scan and see if you can delete the following items this time:

    O4 - HKCU\..\Run: [caseyvideo]
    O4 - HKCU\..\Run: [xrt_Shell] C:\Documents and Settings\Angelic\xrt_cixd.exe
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -

    After you click fix, just close hijackthis.
    Re-enable all your protection software and reconnect to the internet.



    5) Download and install Erunt. Use it to create a backup of your registry.

    6) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    7) Now run CCleaner at the default setting with the Windows tab as the top one.


    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.

    Also, let me know if you got a success message after the registry patch REGEDIT4.


    Let me know how things are running now?


    abri
     
  17. berndt

    berndt Private E-2

    Hi abri,

    Completed the list you gave ...

    1) Removed all C:\sqmnoopt#.sqm files.

    2) Removed Viewpoint Media Player.

    3) (Re)installed current version of Sun Java from provided link.

    4) Shut down computer and disconnected from Internet. Disabled all known protection software, including McAfee.

    Ran C:\MGTools\analyse.exe. Clicked Fix. Program closed by itself.

    Reconnected computer to the Internet and re-enabled security programs.

    5) Created backup of registry with Erunt.

    6) Double-clicked fixME.reg. Received message that it successfully merged with Registry.

    7) Ran CCleaner.

    8) Ran C:\MGtools\GetLogs.bat. Please see attached MGlogs.zip.

    While the computer was not too swift before braviax.exe, it seems to me as if it's running a bit slower after braviax.exe. I know I have to backup and remove some files from the hard drive. That is at least one reason for the slowness. If you have other suggestions, please let me know.

    Thanks again,

    Tom
     

    Attached Files:

  18. abri

    abri MajorGeek

    Hi berndt,

    You still have Casey Video which is a bad item. Also, you have a lot of startup programs and services running. First let's start with trying to get rid of Casey.

    1) Please look in Windows Explorer under C:\WINDOWS and see if you see the file caseyvideo.exe. If so, delete it. If you don't find it, try doing a search of your computer for caseyvideo*.* Include subdirectories and hidden files in the search. If you know approximately when it might have been installed, you can also add the dates.

    Whether you find it or not, continue as follows:

    2) Download RegSrch.zip

    Unzip the archive to your desktop and double click on the VBS file.
    (If your AntiVirus alerts, allow the script to run.)

    Now enter caseyvideo and post back with the results in this thread (call it regsrch.txt).

    3) Then I would like for you to run Avenger again as you did in post 5, step 2 only this time use the contents of this box:
    After you complete Avenger, open the Avenger log and see if it deleted any of these files. If it didn't, please rerun it again after midnight (or the next day when the clock changes).

    4) Whether it runs or not, please go to Using PandaActiveScan and follow the instructions for this online scan. It requires Internet Explorer and you will have to have ActiveX enabled. It will fix some things and others it will just report. When it's finished, please follow the instructions for retrieving a log and attach it to your next post. The log will be called activescan.txt

    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log and the activescan log.


    Let me know how things are running now?

    abri
     
  19. berndt

    berndt Private E-2

    Hi abri,

    I was able to do some of the previous list, items 3-5. Not sure what happened with #2.

    1) I could not find caseyvideo in C:\WINDOWS. Nor did I find caseyvideo using Search (searching AFAIK every location, including hidden folders).

    2) Downloaded RegSrch.zip and ran its VBS file. Saw an MS-DOS like window for a few moments. Then nothing. After half an hour, I continued with the next item on the list. So, for now, there is no RegSrch.txt file. :(

    3) Ran The Avenger. The Avenger successfully deleted the files in the Quote box. Yippee!

    4) Panda ActiveScan produced the attached file, ActiveScan.txt.

    5) Please see the updated MGLogs.zip, too.

    Seems like the computer is getting out of the molasses. And might be going downhill.

    Tom
     

    Attached Files:

  20. abri

    abri MajorGeek

    Hi berndt,

    Your most recent log shows that Viewpoint Media Player and all the sqm files are still on your computer. Since you're able to install programs, you should also have the authority to uninstall them. Can you tell me what happened when you uninstalled Viewpoint Media Player and the sqm files and why they might still be showing up in your logs? (open the MGlogs.zip, double-click on the newfiles.txt log and either scroll down to the Uninstalls list at the bottom to find the Viewpoint Media Player entry or else do a search for sqm). If you disabled all your security software and if Teatimer is not enabled ( I don't see it running ) then I don't know what restriction you might have which is preventing you from uninstalling or deleting things. Any thoughts on this?

    From the description of your computer you've given me so far, CaseyVideo is not active. If it were you'd be getting popups caused by it.

    abri
     
  21. berndt

    berndt Private E-2

    Hi abri,

    About the
    - sqm files -
    Maybe I misunderstood post #16. In it, you asked me to delete all sqmnoopt#.sqm files. Was I supposed to delete the sqmdata#.sqm files, too? (The noopt sqm files deleted fine then - there used to be 20 of them, and I think there's two of them now.)

    - Viewpoint Media Player -
    I have a feeling the program really was deleted, and then it came back. The newfiles.txt file shows a Viewpoint folder being created (In C:\Program Files\) on April 14. I know I did not load it "by hand," especially not then. I'm guessing there's something in Viewpoint - or some program "watching" Viewpoint to re-load it if it's deleted.

    Do you think that could be why Viewpoint doesn't stay gone?

    Should I delete the sqmdata#.sqm files?

    Thanks,
    Tom

    Could this post have a possible explanation - the Security tab?
    http://forums.majorgeeks.com/showthread.php?t=156621
     
    Last edited: Apr 16, 2008
  22. abri

    abri MajorGeek

    Hi berndt,

    I was thinking of these files which are directly under C:\
    Viewpoint is installed by AOL, so if you installed anything from AOL recently, it may have come in that way. Please try the following tool: ViewpointKiller

    Let me know if this works.
    abri
     
  23. berndt

    berndt Private E-2

    Hi abri,

    I deleted the sqmdata*.sqm and sqmnoopt*.sqm files.

    Using ViewpointKiller did the trick. Viewpoint is gone! :D ... :)dancer Ding! dong! The witch is dead ... :dancer)

    The computer is faster than before the braviax garbage took place.

    During Startup, a Windows Explorer window opens. Do you have any ideas on how I can stop that?

    Thanks again,

    Tom
     
  24. abri

    abri MajorGeek

    lol

    good!

    When did it start?
     
  25. berndt

    berndt Private E-2

    Hi abri,

    It started more than a year ago. I don't know how. I'm not sure who was at the computer when it happened. (Maybe someone opened Windows Explorer when the computer was booting up and the process got added to Startup. Probably not how it happened, but it's a theory, FWIW. lol) Anyway, it opens the System32 folder [C:\Windows\system32].

    Also, did you have some suggestions about removing some programs/processes from the computer Startup?

    Thanks,

    Tom
     
  26. abri

    abri MajorGeek

    Hi berndt,

    First some words from Chaslang:
    Let me see if it can be removed with a registry patch:

    1) Please download and install Erunt. Use it to create a backup of your registry.

    2) Next copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    3) How to deal with startup processes.
    • First you should uninstall any software that you do not use.
    • Second if you have processes still trying to load at startup even though you have uninstalled them. You can simple use HijackThis to easily remove the startup. That way you will not have to manually edit the registry.
    • Third for software you do not want to uninstall but you don't want it to load at startup, look in the program for an option not to load when Windows starts and disable it this way. If you cannot find an option like that you have two possible actions:
      • if you never want it to load at startup, use HJT to permanently remove the startup.
      • if you sometimes want it to load at startup, use a program like Startup CPL to enable or disable as you see fit.
    4) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip

    5) Also, please tell me if you got a success message from running the registry patch.


    abri
     
  27. berndt

    berndt Private E-2

    Hi abri,

    Yes, it is a system32 folder that opens during Startup. Chaslang, thanks for the MSKB article about the problem. I think you're right about what's causing it.

    1) Used Erunt to backup the Registry.

    2) Used fixME.reg to merge with the Registry. Received a success message.

    3) Deleted several unused programs from the computer.

    4) Ran GetLogs.bat. Please see attached MGlogs.zip.

    5) Was a success. Please see 2) above.

    Thanks again,

    Have a good weekend!

    Tom
     

    Attached Files:

  28. abri

    abri MajorGeek

    Hi berndt!

    Did you do anything to resolve the Win32-opening Windows Explorer or is it resolved?

    Please go through the final cleanup instructions which will remove the logs and programs we installed on your computer. If the above issue still exists, wait to reset your restore points until it has been resolved.
    abri
     
  29. berndt

    berndt Private E-2

    Hi abri!

    The system32 folder doesn't show up during a Startup any more! Thank you, abri! The Registry fix worked!

    Now for a little cleanup!

    I'd like to get rid of the unnecessary startup/boot-up processes and programs. Can you recommend a place where I can research this?

    Again, many thanks!

    Tom :D
     
  30. abri

    abri MajorGeek

    Hi berndt,

    Glad that helped.
    Best information on programs is to simply start a thread in the Software Forum and post a list of the ones you're not sure about. Here are some additional tips as well:

    abri
     
  31. berndt

    berndt Private E-2

    Re: Braviax.exe troubles - not no more!

    :clap Hi Abri,

    Thanks again for your patience and professionalism in handling my computer problems. I don't know if words can let you know how grateful I am.

    From a computer that didn't work to one that does - all I can say is - THANK YOU!!

    You guys truly ROCK!!

    Tom :clap
     
  32. abri

    abri MajorGeek

    Berndt,
    Thank you so much!
    We really do appreciate the thank you's!
    Happy and safe surfing!
    abri
     