Problems with Braviax and running antispyware progs

Welcome to Major Geeks!

First download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

You don't need to attach a log from this running right now. We needed you to run this new version so that some steps in the below fix will work. We will create another new log later.

Now run the C:\MGtools\SysBU.bat file by double clicking on it. It will run quickly and you may notice a quick command prompt window flash by.

I strongly advise you to cleanup your Desktop. Remove eveything but links to run programs. Do not download and save programs here and defintely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving many files here like you are doing.

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Uninstall the below old versions of software:
Java(TM) 6 Update 14
Java(TM) 6 Update 2
Java(TM) 6 Update 3

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment
Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Never do anything we don't ask you to do as stated in the READ & RUN ME. If you ran Avenger twice, the second run would delete a log from the first run if it ran.

When you just double click on avenger.exe, does it open up the program?

 

Please attach the below two files to your next message:
C:\Program Files\auth.txt
C:\Program Files\ywji.txt


Now try to delete the below files. Tell me what happens. Don't be surprised if you cannot delete some or all.
C:\Documents and Settings\Tyr\Application Data\kucy.bat
C:\Documents and Settings\Tyr\Application Data\qinakysat.bat
C:\Documents and Settings\Tyr\Local Settings\Application Data\nulazohoj.scr
C:\Documents and Settings\Tyr\Local Settings\Application Data\vedekeve.sys
C:\Documents and Settings\All Users\Application Data\agyd.bat
C:\Documents and Settings\All Users\Application Data\exuqyqa.bat
C:\Documents and Settings\All Users\Application Data\zizaguda.com
C:\Program Files\Common Files\fudeb.scr
C:\Program Files\Common Files\orurehym.dl
C:\WINDOWS\bexowahanu.exe
C:\WINDOWS\cru629.dat
C:\WINDOWS\eryj.reg
C:\WINDOWS\exonuwa.scr
C:\WINDOWS\install.dat
C:\WINDOWS\is-1BBB9.exe
C:\WINDOWS\is-1BBB9.lst
C:\WINDOWS\is-1BBB9.msg
C:\WINDOWS\kgt2k.INI
C:\WINDOWS\rumufe.inf
C:\WINDOWS\rylaq.bin
C:\WINDOWS\Sysvxd.exe
C:\WINDOWS\zeti.vbs

Also try to delete the below folders:
C:\Program Files\AntivirusPro_2010
C:\WINDOWS\45235788142C44BE8A4DDDE9A84492E5.TMP

 

Those files show that you have been working with some one else to remove this malware. Are you currently working on another forum?

Okay! Even the below file deleted? Double check to make sure it did not come back.
C:\WINDOWS\cru629.dat

See how many of the below you can delete:
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\imexupe.reg
C:\WINDOWS\system32\minix32.exe
C:\WINDOWS\system32\pzrgujec.txt
C:\WINDOWS\system32\wingenocx.dll
C:\WINDOWS\system32\wisdstr.exe
C:\WINDOWS\system32\ybibygizav.vbs
C:\WINDOWS\system32\ysuk.reg
C:\WINDOWS\system32\_scui.cpl
C:\WINDOWS\system32\chtqil.sys
C:\WINDOWS\system32\glmyw.sys
C:\WINDOWS\system32\gpwgflrg.sys
C:\WINDOWS\system32\ryrucbj.sys

Just stay online for as long as you can. This is a new type of infection and we are trying to learn all the ins and outs of it. So while you are online I can keep trying things. Normally you will have to wait for your thread to work its way thru our queues which are growing daily due to very complex malware (like yours) and the fact that so many people are getting this infection.

 

Okay now try the below steps! Make sure that you do not shutdown or reboot your PC until I say you can.

Look in Add/Remove Programs for Protection System See if it allows you to uninstall it.

Also delete the below two files:
C:\WINDOWS\Tasks\fjmbvsoa.job
C:\WINDOWS\Tasks\rhciksys.job

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\MGlogs.zip

 

Okay let's remove the old script logs.
C:\Program Files\auth.txt
C:\Program Files\ywji.txt

And it seems you missed a few. Delete these now and then double check. They could be reviving themselves after a few minutes.
C:\WINDOWS\system32\ybibygizav.vbs
C:\WINDOWS\system32\drivers\chtqil.sys
C:\WINDOWS\system32\drivers\glmyw.sys
C:\WINDOWS\system32\drivers\gpwgflrg.sys
C:\WINDOWS\system32\drivers\ryrucbj.sys

Also see if the system allows you to delete the below two system files which are infected and will reinfect you at reboot.
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\MGlogs.zip

My next steps will be the real test! We will need get Avenger to work.

 

The msg from Windows is because the beep.sys file is now (hopefully missing). Once we get everything fixed, we will get a new valid copy installed.

While I look at the new logs, do the below.

If the below folder exists, delete it.
C:\Program Files\GetModule

Also delete the old version of ComboFix.exe from your Desktop.

Now download the latest version of ComboFix but DO NOT RUN IT. Get it here: combofix.exe

 

Now just in case Avenger does not run exactly how we need, let's try to mess up the malware to hopefully block some of it from reloading. Create the below folders (yes folders not files) yourself. Name them exactly as shown with the .exe extension.

C:\windows\braviax.exe
C:\WINDOWS\system32\braviax.exe

If you get the above dummy folders created, then continue on with the below. Do not continue if you have a problem creating these folders.

If you have any protection software running right now, shut it down.

Now we will try to run Avenger again. If it runs properly then when it reboots your PC and after reboot it will also try to run one program from MGtools and will also try to run ComboFix. So if you see ComboFix start to run, allow it to run.

• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Okay that was a typo! I had two || in there. I fixed it in my last message. Copy and paste it in now from my edit.

 

Avenger ran but not properly due to the ||. It did not get the infected files replaced that we need to replace.

I will post a new fix to run shortly.

 

• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Then it did not run. At least not properly. Did you notice any error messages?

• Delete the current Avenger.exe file from your Desktop.
• Extract it from the ZIP file again to your Desktop.
• Delete the current MGlogs.zip file.
• Then reboot your PC into safe boot mode (assuming you can) and then try repeating the last fix.

Attach the new logs. If this does not work, you will need to boot to the Recovery Console to replace the bad file. Do you have your Windows Boot CD?

I will be signing off in a couple minutes. Have to get some sleep.

 

And another malware file has spawned.


C:\WINDOWS\system32\drivers\keav.sys

 

Well thanks for thinking of the information that trying to fix this helps us to collect. It does help. You seem to have a new version that has been blocking all attempts to run Avenger. Let's try one more thing.

Download this program Inherit.exe from sUBs and save it to your Desktop where you should still have a copy of the avenger.exe program.

• Now drag the avenger.exe file on top of the Inherit.exe file.
• Then wait for it to say "OK"

Now let's try again to use Avenger

• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Then it's up to you what you would like to do. Since they only way to replace the file is when Windows is not running (which Avenger and ComboFix can normally do, but they do not run) then you are left with the below choices:

1. Recovery Console - but you have no CD
2. Slave the hard disk into another PC and manually copy the file to overwrite the infected one
3. Make a CD like below which allows you to boot to a Windows like environment but Windows is not really running from your hard disk, thus you can make changes
   • UBCD4Win
4. There are other Linux, Knoppix ...etc type boot CDs which can also be made and user
5. Format and reinstall which may be faster and easier for you since you have everything backed up. No sense wasting anymore time.

 

You're welcome. You may want to work thru the below after you reinstall:

How to Protect yourself from malware!