
One Last Nuisance


#1 Dazappa


Posted 27 August 2009 - 04:30 PM

So I had this lovely joy in my life called braviax... and after a very painful process it seems to be gone, mostly.

I classify myself as an experienced Windows user. I have experience with manually handling some of Windows' more delicate internals, including regedit.

1. Ran SDFix which ate braviax
2. Ran trend micro's house call which took out all remnants except for C:\Program Files\Protection System\core.dll
3. I booted into a bootable windows CD and removed that file manually

Braviax seems to have eaten AVG (which couldn't get rid of the virus anyway).

Now what's left is what I believe is a DLL loading itself inside of explorer.exe. Every ~15 minutes, IE will try to pop up with an ad. (I use Chrome as my default browser).

I used ProcessExplorer from sysinternals to find out that explorer.exe was the one launching internet explorer. I also used some other tool from sysinternals (forgot name) to monitor explorer.exe's activity, and doubly confirmed that it launched IEXPLORE.EXE

What made me believe this even stronger is this:
http://www.bleepingcomputer.com/tutorials/windows-program-automatic-startup-locations/
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Here are my entries for this key:
CDBurn
PostBootReminder
SysTray
WebCheck
WPDShServiceObj

I am unsure if my actual explorer.exe is infected.

I tried to launch autoruns.exe also from sysinternals, but I believe very heavily that this virus blocks the use of it. After < 2 seconds of being open, it always closes. The virus then seems to lock the file. An example of why I think the virus locks the file is because I can no longer run the exe after running it once, but I can run the exe from the original .zip over and over ;)

Safe mode is a strong possibility. The virus, braviax, and this don't seem to be activated then. However, autoruns.exe does not run under safe mode, and I'm not sure if this last remnant loads itself in safe mode or not.

So aside from the IE popup, this virus seems to have been removed enough to no longer have self replicating, auto starting, etc. properties. But....
1. This last remnant is pesky. I strongly believe it is blocking certain programs from running. These include SpyBot, MBAM Installer, HijackThis Installer.
2. This last remnant may be affecting TaskManager


Tools at my disposal:
Windows Install disc
Windows Bootable CD
Kaspersky Rescue Disc (Bootable antivirus, didn't even remove braviax. Was unable to connect to the internet, not useful)
Ubuntu / Puppy / DSL (Live linux CDs)
Another Windows computer

Well I would have included a hijackthis log... but not being able to install it, I'm not sure what I should do next.


#2 Straythe


Posted 29 August 2009 - 08:06 PM

Hello; please note I am not a staff member here, but perhaps I can help out a bit. I've read a lot of threads and collected some tricks:

- You might be able to run MBAM if you rename it before reinstalling. There's a guide here with renaming tips at the bottom (re Computer Pro):

http://www.bleepingcomputer.com/forums/ind...t&p=1395044


- SUPERAntiSpyware might help also, because it runs at its best under Safe Mode. A guide to it is here (re Budapest):

http://www.bleepingcomputer.com/forums/ind...t&p=1401125


Also, some infections may be running under the explorer.exe name. If you see multiple instances of explorer.exe running, that might be why. You could take a look with Process Explorer or something similar. To check if your explorer.exe is infected, run it by one of the online virus scanners (re extremeboy):

VirusTotal Online Scanner


VirSCAN


Let us know how it goes.

Good luck - Straythe

Edited by Straythe, 29 August 2009 - 08:07 PM.

***"When you surround an enemy, leave an outlet free [...] to make him believe there is a road to safety, and thus prevent his fighting with the courage of despair." Sun Tzu ***
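An added example, not from either post, that automates the two checks discussed in this thread: resolving each name under ShellServiceObjectDelayLoad to the DLL explorer.exe loads through it, and inventorying running explorer.exe instances with their hashes so they can be looked up on an online scanner. The function names and output fields are my own; it assumes an elevated PowerShell 4 or later prompt (Get-FileHash).

```powershell
# Added example: map ShellServiceObjectDelayLoad entries to the DLLs they load,
# then inventory explorer.exe instances. Run from an elevated PowerShell prompt.

function Get-ShellServiceObjectDelayLoad {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    $values = Get-ItemProperty -LiteralPath $key
    foreach ($prop in $values.PSObject.Properties) {
        # The registry provider adds PSPath, PSParentPath, ... ; skip those
        if ($prop.Name -like 'PS*') { continue }
        $clsid = [string]$prop.Value
        # Each value is a CLSID; the DLL it names is the default value of
        # HKCR\CLSID\{guid}\InProcServer32, often with %SystemRoot% in it
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
        $raw = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
        $dll = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { $null }
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        # Hash the file so it can be looked up on VirusTotal/VirSCAN by hash first
        $hash = if ($exists) { (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash } else { $null }
        [pscustomobject]@{ Name = $prop.Name; CLSID = $clsid; Dll = $dll; Exists = $exists; SHA256 = $hash }
    }
}

function Get-ExplorerInstances {
    # More than one explorer.exe, or one outside %windir%, deserves a closer look
    foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
        $path = $proc.Path
        $hash = if ($path) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
        # DLLs loaded from outside the Windows directory, e.g. a dropped core.dll
        $foreign = try {
            ($proc.Modules | Where-Object { $_.FileName -notlike "$env:windir\*" } |
                ForEach-Object { $_.FileName }) -join ';'
        } catch { 'access denied (run elevated / same bitness)' }
        [pscustomobject]@{
            Id          = $proc.Id
            Path        = $path
            InWinDir    = [bool]($path -like "$env:windir\*")
            SHA256      = $hash
            ForeignDlls = $foreign
        }
    }
}

Get-ShellServiceObjectDelayLoad | Format-Table -AutoSize
Get-ExplorerInstances | Format-List
```

Any entry whose Dll points outside %SystemRoot% or does not exist on disk, and any explorer.exe with ForeignDlls populated, is the candidate to hash-check and, if confirmed malicious, to remove from the key from the bootable CD as was done with core.dll.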



