help with braviax

Did you recently download and running anything from Kaspersky? I wondering about the below folder.
C:\kav

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Uninstall the below old versions of software:
Java(TM) 6 Update 3


Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_03) -
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: iifcabx - iifcabx.dll (file missing)

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.


Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

Now install the current version of Sun Java from: Sun Java Runtime Environment

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINNT\Temp
C:\Documents and Settings\Administrator.NORTHERNTOOL\Local Settings\Temp

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Make sure you tell me how things are working now!

 

No! And you don't want to do that anyway. It is a required integral part of your Windows OS. Without it, many websites will not be accessible and you will not be able to download and install your Windows Updates without it.

You still have problems we need to fix.

Please put your system into Normal Startup mode using MSconfig as requested in step 1 of the READ ME and remain in this mode. You should read this: Dealing with Startup Processes

Also note from now on, make sure that you are only logged into one user account while running any fixes. DO NOT use switch user, make sure you log out.

Uninstall SUPERAntispyware now as it seems to not have been installed properly. Do not reinstall yet.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

Code:

 
O4 - HKLM\..\Run: [IESet] IExplorer.dll                                                              .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll                                                              .dbt
O4 - HKCU\..\Run: [IESet] IExplorer.dll                                                              .dbt

After clicking Fix, exit HJT.


Run avenger.exe by double-clicking on it.

• Do not change any check box options!!
• Copy everything in the code box below, and paste it into the Input script here: part of the window:

Code:

Files to delete:
C:\WINDOWS\IExplorer.dll                                                              .dbt
C:\WINDOWS\system32\IExplorer.dll                                                              .dbt
C:\WINNT\fghtuernfg56nvd.exe
C:\WINNT\gfhy45juyhgr.exe
C:\WINNT\system32\explorer.exe
C:\WINNT\system32\f4dgd.exe
C:\WINNT\system32\explorer.exe
C:\WINNT\system32\rfhdfhw.exe
 
Registry values to delete:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | SUPERAntiSpyware
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | IESet
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run | IESet
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunServices | IESet
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | IESet

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now REDOWNLOAD and install SUPERantispyware from here: SUPERAntiSpyware

Now run SUPERAntispyware and save a log!
Also try running ComboFix as requested in the READ ME.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

Then attach the below logs:

• C:\avenger.txt
• SUPERAntispyware log
• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now! It will require two messages to attach the four logs.

 

Are you renaming SUPERAntispyware.exe to SUPERAntiSpywarea.exe (notice the trailing 'a') or is it actually installing like this?

Do you know what the below file is that showed up on 3/3/2008?

Code:

 
2008-03-03 09:36 . 2008-03-03 09:36 20,480 --a------ C:\WINNT\quit.exe

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

After clicking Fix, exit HJT.

Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

DirLook::
C:\temp\sanR24

Folder::
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Rabio

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!