Very persistent braviax variant - logs attached

Discussion in 'Malware Help (A Specialist Will Reply)' started by ricovox, Aug 24, 2009.

  1. ricovox

    ricovox Private E-2

    I'm a pretty savvy computer user, and I have never encountered a virus or malware that I couldn't get rid of (with the help of a quick internet search)... until now.
    A few weeks ago I was using a newly installed IE8 to browse the web. I mistakenly thought that many of the security holes had been patched in this browser, but I was very wrong.
    The browser locked up and then my whole system locked up, and then slowly as I regained control, I saw the red circle with white X that is characteristic of braviax.exe. Indeed when I hit ctrl-alt-delete I saw braviax.exe, which I immediately killed (maybe this wasn't the best choice). Subsequently I ran an anti-virus scan that found nothing.
    However I know that the malware is still present on my machine:
    1) I cannot get Firefox to run. The process starts, but then gets killed (no error or anything; it just disappears from the process list).
    2) Whenever I try to run Malwarebytes' Anti-Malware or HijackThis or RootKitRevealer, the process is killed (I don't know what kills them). When I try to run those programs again I get the error: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
    (I tried to run SeDebug-Restore.exe, but the program had an error: "\cscript.exe" is not recognized as an internal or external command...
    Note that cscript IS installed in the correct location on my pc)

    I ran SDFix, which removed some files, but the problems I discussed above still persist. There are no more braviax popups, I have booted into a preinstalled environment and I have run SAS and malwarebytes and they come up with nothing. I know I still have a problem, but my antivirus doesn't find it, and I can't think of anything else to do.

    I have attached all the recommended logs.
    Here are the results:
    1) SuperAntiSpyware:
    The program was run with the latest updates. No infected/suspicious files were found. The log is attached.

    2) Malwarebytes' Anti-Malware program:
    I was able to install the program and run it, but almost immediately during scanning, the program was forcibly closed by some other unknown process.
    Afterwards, when I tried to run it again I received the following error:
    Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

    3) Combofix:
    The program ran and then reached the point where it tries to reboot. The program hung at this point (for several hours) and the system was manually rebooted.
    Afterwards, the file "catchme.log" was found on the desktop. It is attached to this post.
    Notes: The program (I assume) left the following files in the system:
    C:\ComboFix (which appears to be a junction point to C:\)
    C:\Qoobox (which contains several sub folders including "Quarantine")
    Another "catchme.log" was in "C:\Qoobox\Quarantine" (also attached)

    MGTools:
    The program ran and the log zip is attached.


    Thank you so much to anyone who can shed some light on this!!
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please download and save this XPsp3bu.exe to your C:\ root folder. You must do this properly for later steps to work. Now run the XPsp2bu.exe program by double clicking on it. You may or may not notice a quick flash of a black window. This is normal. The program runs quickly and just extracts some files we need.



    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Documents and Settings\Sean Walsh\Local Settings\Temp

    Now try to run SUPERAntiSpyware, Malwarebytes, and ComboFix per the cleaning instructions.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • the logs from SUPERAntiSpyware, Malwarebytes and ComboFix if they ran
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
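The temp-folder cleanup chaslang asks for above (delete everything in the two Temp folders except files from the current day, since Windows will not let in-use files from today go) can be done in one pass rather than by hand. The script below is an added example for this thread, not something chaslang or MajorGeeks supplied. It assumes Windows PowerShell is installed (on an XP SP3 machine like the one in the thread that is a separate download) and that you run it from an administrator account; the two folder paths are the ones named in the post, so substitute your own user profile path. Run it once with `-WhatIf` on the `Remove-Item` line to see what would be deleted before committing.

```powershell
# Added example: clear the two Temp folders chaslang lists, keeping anything
# written today (those files are typically locked and will not delete anyway).
# Assumptions: PowerShell is available and you are logged on as an administrator.
$folders = @(
    "$env:windir\TEMP",                                          # C:\WINDOWS\TEMP
    "C:\Documents and Settings\Sean Walsh\Local Settings\Temp"   # path quoted in the post; adjust for your account
)

$today = (Get-Date).Date      # midnight today; anything older than this is fair game

foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Warning "Folder not found, skipping: $folder"
        continue
    }

    # -Force picks up hidden/system files malware likes to drop in Temp.
    $old = Get-ChildItem -LiteralPath $folder -Recurse -Force -ErrorAction SilentlyContinue |
           Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $today }

    $deleted = 0
    foreach ($file in $old) {
        try {
            # Add -WhatIf here for a dry run that only lists the files.
            Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
            $deleted++
        }
        catch {
            # A locked file (open handle, or one the malware is protecting) ends up here
            # instead of aborting the whole run; note it so it can be followed up.
            Write-Warning "Could not delete $($file.FullName): $($_.Exception.Message)"
        }
    }

    Write-Host "$folder : removed $deleted file(s) older than $($today.ToShortDateString())"
}
```

Any file the script reports it could not delete is worth mentioning in the follow-up post along with the logs: a file in Temp that refuses to go on a machine where security tools are being killed is exactly the kind of thing the helper will want to see named.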
