I'm Having Trouble With Removing Winreanimator/braviax.exe!


13 replies to this topic

#1 Fekore

  • Members
  • 9 posts

Posted 15 March 2008 - 07:41 PM

My computer has recently been infected with some type of Malware known as "WinReanimator." I was able to remove WinReanimator itself, but it seems that it is still lingering or it has introduced more viruses. I have tried running different programs to remove it such as HiJackThis, Ad-Aware, and SUPERAntiSpyware Free Edition. None of these applications are opening; therefore, I can't remove the infections.

I have downloaded another program called "Malwarebytes' Anti-Malware." It has been the only anti-spyware program that would open so far. It has found many different infections; most of them are deleted except a few, which are "C:\WINDOWS\system32\univrs32.dat, C:\WINDOWS\system32\WLCtrl32.dll, and C:\WINDOWS\system32\braviax.exe." I have tried manually deleting them on my own, but this hasn't been successful. A message comes up saying that the program cannot be deleted because it is in use. I have tried re-naming and deleting them, but it still would not work.

Some symptoms are the red "X" icon that is located in the toolbar, which occasionally appears with a message saying that the computer is infected and to click here to download the most up-to-date anti-spyware for you. I have also been experiencing problems with Internet Explorer. Sometimes when I am surfing the web, my browser will be redirected to an unknown search page.

I hope somebody could give me a hand with removing this pest. Thanks in advance!


#2 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,147 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 15 March 2008 - 07:54 PM

Hi Fekore
If you are running Win2000 or XP try this first: (not compatible with Vista)

Download SDFix and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt in your next reply.

Edited by Starbuck, 15 March 2008 - 07:56 PM.



#3 Fekore
  • Topic Starter

  • Members
  • 9 posts

Posted 17 March 2008 - 02:35 PM

Here is what the Report gave me:

SDFix: Version 1.157

Run by Sean on Mon 03/17/2008 at 03:24 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Sean\Desktop\SDFix\SDFix

Checking Services :

Name:
Microsoft Int Service
ntio922

Path:
C:\WINDOWS\System32\_svchost.exe -A
System32\Drivers\ntio922.sys

Microsoft Int Service - Deleted
ntio922 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting AppInit_DLLs value


Rebooting


Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\system32\drivers\beep.sys" 34816 03/11/2008 12:25 AM

Infected File Listed Below:

C:\WINDOWS\system32\drivers\beep.sys

File copied to Backups Folder
Attempting to replace beep.sys with original version



Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\system32\drivers\beep.sys" 34816 03/11/2008 12:25 AM
"C:\WINDOWS\system32\drivers\beep.sys" 34816 03/11/2008 12:25 AM

Infected File Listed Below:

C:\WINDOWS\system32\drivers\beep.sys

File copied to Backups Folder
Attempting to replace beep.sys with original version


Original beep.sys Restored

"C:\WINDOWS\system32\dllcache\beep.sys" 4224 03/14/2008 10:32 AM
"C:\WINDOWS\system32\drivers\beep.sys" 4224 03/14/2008 10:32 AM



Checking Files :

Trojan Files Found:

C:\DOCUME~1\ALLUSE~1\DOCUME~1\SETTINGS\CONFIG.INI - Deleted
C:\WINDOWS\system32\lrito.ini - Deleted
C:\WINDOWS\system32\drivers\CGK04.sys - Deleted


Could Not Remove C:\WINDOWS\system32\cru629.dat

Folder C:\Documents and Settings\All Users\Documents\Settings - Removed


The below files have been patched by Trojan.Agent to load users32.dat and should be replaced:

C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 15:32:42
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\nethlpr.exe"="C:\\nethlpr.exe:*:Enabled:Windows Update"

Remaining Files :

C:\WINDOWS\system32\cru629.dat Found

File Backups: - C:\DOCUME~1\Sean\Desktop\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 5 Feb 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Finished!

#4 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 17 March 2008 - 02:45 PM

WLCtrl32.dll gets restored by a registry key every time it is loaded. To get rid of it, you first have to stop it by renaming the extension.

Then you have to remove the registry key:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32

A ComboFix script has to be used in some cases.
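An added example, not code from the thread or from any tool named in it: a PowerShell audit of the Winlogon Notify key that post #4 describes as what keeps restoring WLCtrl32.dll. It assumes PowerShell 2.0-compatible syntax (the XP era of this thread) and the listed set of default XP package names, which is an assumption.

```powershell
# Added example, not from the thread or from any tool it mentions.
# Audits the Winlogon Notify key that post #4 names as what keeps restoring
# WLCtrl32.dll. winlogon.exe loads every DllName listed here at logon, so the
# DLL comes back until the subkey itself is gone. Run from an elevated prompt.

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Assumed list of packages present in a default Windows XP install; anything
# outside it (or a third-party package you cannot account for) deserves a look.
$knownXpPackages = @('crypt32chain', 'cryptnet', 'cscdll', 'ScCertProp',
                     'Schedule', 'sclgntfy', 'SensLogn', 'termsrv', 'wlballoon')

function Get-WinlogonNotifyAudit {
    if (-not (Test-Path -Path $notifyKey)) {
        Write-Warning 'Winlogon\Notify key not present (normal on Vista and later).'
        return
    }
    foreach ($sub in Get-ChildItem -Path $notifyKey) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DllName
        # A bare file name such as 'WLCtrl32.dll' is loaded from System32.
        $resolved = $dll
        if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
            $resolved = Join-Path $env:SystemRoot "System32\$dll"
        }
        $exists = [bool]($resolved -and (Test-Path -LiteralPath $resolved))
        $signer = 'file missing'
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $resolved
            if ($sig.Status -eq 'Valid') { $signer = $sig.SignerCertificate.Subject }
            else { $signer = "unsigned/$($sig.Status)" }
        }
        New-Object PSObject -Property @{
            Package  = $sub.PSChildName
            DllName  = $dll
            Resolved = $resolved
            Exists   = $exists
            Signer   = $signer
            KnownXP  = ($knownXpPackages -contains $sub.PSChildName)
        }
    }
}

# Removal order matters, as the post says: rename the DLL first so winlogon
# cannot reload it, then delete the package subkey and reboot, e.g.:
#   Rename-Item "$env:SystemRoot\System32\WLCtrl32.dll" 'WLCtrl32.dll.bad'
#   Remove-Item -Path "$notifyKey\WLCtrl32" -Recurse
# Both are left commented out; run them only against a package you have verified.

Get-WinlogonNotifyAudit | Format-Table Package, KnownXP, Exists, Signer, DllName -AutoSize
```

Entries whose DLL is missing, unsigned, or not in the known list are the ones to investigate; a package that still lists a DLL you already deleted is exactly the "restored on next load" situation the post describes.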

#5 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,147 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 17 March 2008 - 03:16 PM

Hi Fekore
As you can see there are 2 concerns in the SDFix report.

Could Not Remove C:\WINDOWS\system32\cru629.dat

and

The below files have been patched by Trojan.Agent to load users32.dat and should be replaced:
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe


The 1st file may not be easy to delete, but we can always try:
Step 1
Make sure that you can see hidden files.
  • Click Start.
  • Click My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Uncheck the Hide file extensions for known file types.
  • Click OK.
Step 2
Next, please reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
You will need to use the 'keyboard arrow keys' to navigate on this menu.
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Then choose your usual account.

Step 3
Navigate to this file:
C:\WINDOWS\system32\cru629.dat
C drive.. Windows folder... System32 folder..... then the file.
Right click on the file in Bold and then select delete.

Reboot back into normal mode.

The other problem:

The below files have been patched by Trojan.Agent to load users32.dat and should be replaced:
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

Is suggesting that your copy of AntiVir has been infected.
Please uninstall this program and then reinstall it.

Once you have completed this..........

Step 4
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will now start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



#6 Fekore
  • Topic Starter

  • Members
  • 9 posts

Posted 17 March 2008 - 04:27 PM

I am having problems with copying and pasting the entire Kaspersky Report; it seems that the file is too large to be copied. It keeps freezing when I try to select copy. Here are the first few entries that have been detected:

Infected Object

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Documents\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\All Users\Documents\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\All Users\Documents\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\All Users\Documents\SmitfraudFix.exe RarSFX: infected - 2 skipped

If the full report is required, I can try to copy and paste sections at a time. Thanks for the help so far.

#7 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,147 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 17 March 2008 - 05:03 PM

Hi Fekore,
You could try posting it over 2-3 posts..... or if it's not too much bother for you, Just paste the infected lines here.
It could help us.
Thanks



#8 Fekore
  • Topic Starter

  • Members
  • 9 posts

Posted 17 March 2008 - 06:12 PM

I've tried copying small sections and pasting them into new posts, but the report always ends up freezing, which results in me having to close explorer. I keep on losing the sections that I copied earlier. I managed to find all the sections that were infected, here they are:

C:\Documents and Settings\All Users\Documents\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\All Users\Documents\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\All Users\Documents\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\All Users\Documents\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\Documents and Settings\Sean\Desktop\SDFix\SDFix\backups\backups.zip/backups/cru629.dat Infected: Backdoor.Win32.Small.cyb skipped

C:\Documents and Settings\Sean\Desktop\SDFix\SDFix\backups\backups.zip ZIP: infected - 1 skipped

C:\Documents and Settings\Sean\Desktop\SDFix\SDFix\backups_old1\beep.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped

C:\Program Files\mIRC\backups\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped

C:\Program Files\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Program Files\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Program Files\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\WINDOWS\system32\cru629.dat Infected: Backdoor.Win32.Small.cyb skipped

I'm sorry for any inconvenience that might result from not copying the full report. All of the other sections are categorized as "Object is locked"; these clips above are the only ones that had a different result. Would there be any other way to post the entire report without sending any viruses to others? Thanks again.

Edited by Fekore, 17 March 2008 - 06:13 PM.


#9 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,147 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 17 March 2008 - 06:36 PM

Hi Fekore

Would there be any other way to post the entire report without sending any viruses to others?

It's ok... sending a report like this won't transfer any viruses to anyone else.

Remove the following programs from your system:
SmitfraudFix
SDFix


That file is still hanging around:
C:\WINDOWS\system32\cru629.dat

Let's try something else on it.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\cru629.dat
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



#10 Fekore
  • Topic Starter

  • Members
  • 9 posts

Posted 17 March 2008 - 08:49 PM

Here are the results from OTMoveIt2:

C:\WINDOWS\system32\cru629.dat moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03172008_214626

#11 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,147 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 18 March 2008 - 03:36 AM

Hi Fekore

C:\WINDOWS\system32\cru629.dat moved successfully.

Nice one :thumbsup:

You can now remove OTMoveIt2 from your system.
Navigate to this folder:
C:\_OTMoveIt
Then right click on the folder in bold and select delete.

Because of all the deletions we have made it's recommended that you create a new restore point now.
The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Select the drive for cleaning then click OK
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
You may still need some other cleaning, we can't see everything from the logs and reports that we can use in this forum.

I suggest you post a HijackThis log for examination.
A member of the HijackThis Team will walk you through, step by step, how to disinfect your computer.

Read the Preparation Guide before posting a HijackThis Log.
Please read, and follow, all directions carefully

Run a log, and post it in the HijackThis Logs and Analysis forum.

Do not post it in this topic.
Do not fix anything yet.
A member of the HJT Team will help you out.
It may take a while to get a response from the HJT Team, because they are very busy. Please, be patient, as these people are volunteers. They will help you, as soon as possible.

NOTE:
Once you have made the post, please, DO NOT make another post in the HJT forum, until it has been responded to by a member of the HJT Team. The first thing they look for, when looking for logs to reply to, is 0 replies. If you make another post, there will be 1 reply. The team member, glancing over the replies, might assume someone is already helping you out, and will not respond. So, just make your post, and let it sit there, until a team member responds. This way you will be taken care of, in the most timely manner.


If you haven't heard back from them in 5 days, go to this topic, Haven't Had A Reply In Five Days?, and carefully follow all directions.

Edited by Starbuck, 18 March 2008 - 03:37 AM.



#12 Fekore
  • Topic Starter

  • Members
  • 9 posts

Posted 18 March 2008 - 03:21 PM

Alright, thanks a lot for everything you've done!

Edited by Fekore, 18 March 2008 - 03:21 PM.


#13 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,147 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 18 March 2008 - 03:43 PM

It's not a problem, just glad I could help out.



#14 Fekore
  • Topic Starter

  • Members
  • 9 posts

Posted 18 March 2008 - 03:50 PM

I fixed the problem of the re-occurring "X". I'd better do a HJT scan and post my results before anything else happens.

Edited by Fekore, 18 March 2008 - 09:17 PM.




