WinReanimator

Rhythmdoc

Howdy,
I looked at the other thread with WinReanimator in it and I promise I will read and reply.

I am working on my friend's machine running Win XP. I installed S&D (which I use religiously on my own machine) but when I try and run it... nothing. TeaTimer seems to be running.

I did download HijackThis and renamed it as suggested in the other thread, but had the same outcome. Renamed S&D with the same outcome. I tried to uninstall WinReanimator, which appeared to work, but a bubble keeps popping up saying that Windows has detected spyware and to click the bubble to download a spyware removal tool, which of course starts WinReanimator and tries to do whatever it does. Neither HijackThis nor S&D will run.

Help!!!
 
I just thought that I have no idea how up to date her operating system is. Should I try and update that now/first?
I guess I will wait for some suggestions before I proceed.
Me thinks I only know enough to be dangerous.
 
Hi Rhythmdoc,

Let's see if you could get Deckard's System Scanner to work.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply.
 
DSS Failed to start as well

Thanks for the response Blade81.
I downloaded the Deckard's System Scanner on a clean machine and transferred it to the infected one. Absolutely nothing happens when I try and open DSS. Same as Spybot and HJT.
 
Hi

Seems to be a bit sticky but I won't give up just yet :)

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file in your next reply.

If you can't run MBAM in normal mode, then try in safe mode.
 
Malwarebytes' log

Malwarebytes' Anti-Malware 1.12
Database version: 731

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 58722
Time elapsed: 15 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\users32.dat (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\WinReanimator (Rogue.WinReanimator) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\windows\system32\cru629.dat -> Delete on reboot.

Folders Infected:
C:\Program Files\WinReanimator (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\Microsoft.VC80.CRT (Rogue.WinReanimator) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Robin\Local Settings\Temp\uninst.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\WinReanimator.dll (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0008034.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP50\A0008042.dll (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP51\A0008623.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\pdbcopy.exe (Worm.Mydoom) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winivstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\protect.sys (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\unzip32.dll (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\WinReanimator.exe (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcm80.dll (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcp80.dll (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\WINDOWS\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\users32.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\univrs32.dat (Trojan.Agent) -> Delete on reboot.
C:\syskbzp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robin\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.

After running Malwarebytes, WinReanimator is still popping up a window.
 
These were not removed

HKEY_LOCAL_\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows\AppInit_DLLs
Data:
c:\Windows\System32\cru629.dat
C:\WINDOWS\System32\cru629.dat
C:\WINDOWS\System32\users32.dat
C:\WINDOWS\System32\univers32.dat
C:\WINDOWS\System32\braviax.exe

It prompted to do a restart, which I did and the WinReanimator is still working.


I will run Malwarebytes again and post log.
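The post above reports items that MBAM only scheduled for removal ("Delete on reboot") and persistence entries that survived. The following is an added example, not code from the thread or from Malwarebytes: a small parser for the MBAM 1.x log format posted here that lists pending (reboot-deferred) items, flags detections under auto-start locations (Run key, AppInit_DLLs, Services), and cross-checks the summary counts against the items actually listed. The log excerpt is constructed for the example.

```python
import re

# Constructed excerpt in the format of the Malwarebytes' Anti-Malware 1.x
# log posted in this thread (not the full log from the thread).
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.12
Database version: 731

Registry Data Items Infected: 1
Files Infected: 4

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\\windows\\system32\\cru629.dat -> Delete on reboot.

Files Infected:
C:\\WINDOWS\\system32\\cru629.dat (Trojan.FakeAlert) -> Delete on reboot.
C:\\WINDOWS\\system32\\users32.dat (Trojan.Agent) -> Delete on reboot.
C:\\WINDOWS\\system32\\braviax.exe (Trojan.Downloader) -> Delete on reboot.
C:\\WINDOWS\\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# "<Section> Infected: <n>" in the summary, "<Section> Infected:" as a section header
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
# "<path or key> (<family>) -> [Data: ... -> ]<action>"
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")

def parse_mbam_log(text):
    """Return (summary_counts, items); each item records section, item, family, action."""
    counts, items, section = {}, [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                counts[m.group("name")] = int(m.group("count"))   # summary block
            else:
                section = m.group("name")                          # detail block
            continue
        m = ITEM_RE.match(line)
        if m and section:
            action = m.group("rest").split(" -> ")[-1]   # last arrow is the outcome
            items.append({"section": section, "item": m.group("item"),
                          "family": m.group("family"), "action": action})
    return counts, items

def pending_items(items):
    """Items MBAM could not remove immediately; they still exist until a clean reboot."""
    return [i for i in items if i["action"].startswith("Delete on reboot")]

def persistence_hits(items):
    """Detections under load points that re-launch the rogue at every logon/boot."""
    keys = ("\\Run\\", "AppInit_DLLs", "\\Services\\")
    return [i for i in items if any(k in i["item"] for k in keys)]

def count_mismatches(counts, items):
    """Sections whose summary count differs from the number of items listed under it."""
    listed = {}
    for i in items:
        listed[i["section"]] = listed.get(i["section"], 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in counts.items() if n != listed.get(s, 0)}

if __name__ == "__main__":
    counts, items = parse_mbam_log(SAMPLE_LOG)
    for i in pending_items(items):
        print("pending reboot:", i["item"], "(" + i["family"] + ")")
    for i in persistence_hits(items):
        print("persistence:", i["item"])
    print("count mismatches:", count_mismatches(counts, items))
```

Running it over the full log in the thread would show the same picture the poster saw: several reboot-deferred files under system32 plus the AppInit_DLLs entry, which is why the rogue came back after the restart.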
 
Hi

Let's try this one before MBAM.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
 
ComboFix Log

Ran ComboFix:

ComboFix 08-05-07.2 - Robin 2008-05-08 15:47:51.1 - NTFSx86
Running from: E:\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\univrs32.dat

.
((((((((((((((((((((((((( Files Created from 2008-04-08 to 2008-05-08 )))))))))))))))))))))))))))))))
.



HJT still won't run!
 
Hi

Is that all that ComboFix created? Looks like it didn't finish up right. Please run ComboFix in safe mode if that was really the whole CF log.
 
Ran it in safe mode and here's the log I got:

ComboFix 08-05-07.2 - Robin 2008-05-08 17:43:49.3 - NTFSx86
Running from: C:\Documents and Settings\Robin\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

When I first installed Spybot on this machine, I noticed that Resident TeaTimer is running. I am not familiar with this one yet, but here is a log from it:

4/29/2008 1:44:31 AM Denied (based on user decision) value "WinReanimator" (new data: ""C:\Program Files\WinReanimator\WinReanimator.exe" /hide") added in System Startup global entry!
4/29/2008 2:30:55 AM Allowed (based on user decision) value "SpyHunter Security Suite" (new data: "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe") added in System Startup global entry!
4/29/2008 2:42:45 AM Allowed (based on user decision) value "Start Page" (new data: "http://www.msn.com") changed in Browser page!
4/29/2008 2:42:46 AM Allowed (based on user decision) value "Start Page" (new data: "http://www.msn.com") changed in Browser page!
4/29/2008 2:49:39 AM Allowed (based on user decision) value "SpyHunter Security Suite" (new data: "") deleted in System Startup global entry!
4/29/2008 3:02:14 AM Denied (based on user blacklist) value "WinReanimator" (new data: ""C:\Program Files\WinReanimator\winreanimator.exe" /hide") added in System Startup global entry!
4/29/2008 3:02:29 AM Denied (based on user blacklist) value "WinReanimator" (new data: ""C:\Program Files\WinReanimator\winreanimator.exe" /hide") added in System Startup global entry!
4/29/2008 3:02:39 AM Denied (based on user blacklist) value "WinReanimator" (new data: ""C:\Program Files\WinReanimator\winreanimator.exe" /hide") added in System Startup global entry!
5/7/2008 9:31:57 PM Denied (based on user decision) value "Start Page" (new data: "http://www.google.com") changed in Browser page!
5/7/2008 9:32:00 PM Denied (based on user decision) value "Start Page" (new data: "http://www.google.com") changed in Browser page!
5/7/2008 9:40:35 PM Denied (based on user decision) value "Start Page" (new data: "http://www.google.com") changed in Browser page!
5/7/2008 9:40:35 PM Denied (based on user decision) value "Start Page" (new data: "http://www.google.com") changed in Browser page!
5/7/2008 9:46:11 PM Denied (based on user decision) value "Start Page" (new data: "http://www.google.com") changed in Browser page!
5/7/2008 9:46:12 PM Denied (based on user decision) value "Start Page" (new data: "http://www.google.com") changed in Browser page!
5/8/2008 11:43:29 AM Denied (based on user decision) value "Start Page" (new data: "http://www.google.com") changed in Browser page!
5/8/2008 11:43:32 AM Denied (based on user decision) value "Start Page" (new data: "http://www.google.com") changed in Browser page!
5/8/2008 3:42:35 PM Allowed (based on user decision) value "Malwarebytes Anti-Malware Reboot" (new data: ""C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript") added in System Startup global entry!
2008-05-08 15:57:30 Allowed (based on user decision) value "Malwarebytes Anti-Malware Reboot" (new data: "") deleted in System Startup global entry!
2008-05-08 15:57:34 Denied (based on user decision) value "Start Page" (new data: "http://www.google.com") changed in Browser page!
2008-05-08 15:57:35 Denied (based on user decision) value "Start Page" (new data: "http://www.google.com") changed in Browser page!
2008-05-08 15:57:44 Denied (based on user decision) value "Default_Page_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=69157") changed in Browser page!
2008-05-08 16:02:08 Denied (based on user decision) value "Start Page" (new data: "http://www.google.com") changed in Browser page!
2008-05-08 16:02:09 Denied (based on user decision) value "Start Page" (new data: "http://www.google.com") changed in Browser page!
2008-05-08 17:33:27 Denied (based on user decision) value "Start Page" (new data: "http://www.google.com") changed in Browser page!
2008-05-08 17:33:29 Denied (based on user decision) value "Start Page" (new data: "http://www.google.com") changed in Browser page!
2008-05-08 17:33:30 Denied (based on user decision) value "Default_Page_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=69157") changed in Browser page!
2008-05-08 17:33:30 Denied (based on user decision) value "" (new data: ""%1" /S") changed in SCR Extension handler!
2008-05-08 17:33:31 Denied (based on user decision) value "" (new data: "regedit.exe "%1"") changed in REG Extension handler!
2008-05-08 17:59:04 Denied (based on user decision) value "Start Page" (new data: "http://www.google.com") changed in Browser page!
2008-05-08 17:59:05 Denied (based on user decision) value "SearchAssistant" (new data: "http://www.google.com") added in Browser page!
2008-05-08 17:59:06 Denied (based on user decision) value "Start Page" (new data: "http://www.google.com") changed in Browser page!
2008-05-08 17:59:07 Denied (based on user decision) value "Default_Page_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=69157") changed in Browser page!
2008-05-08 17:59:15 Denied (based on user decision) value "" (new data: ""%1" /S") changed in SCR Extension handler!
2008-05-08 17:59:21 Denied (based on user decision) value "" (new data: "regedit.exe "%1"") changed in REG Extension handler!


I am not sure if something I denied was ComboFix, should I turn TeaTimer off?
I am not using this machine on the net.
Thanks for sticking with me, I am trying to get to the posts throughout the day, as I can.
 
I am not sure if something I denied was ComboFix, should I turn TeaTimer off?
Yes, you should turn it off. Then try running ComboFix through in safe mode with command prompt. Here are the steps to follow (print/save these since you won't be able to access them while in safe mode):
Press F8 before Windows' loading screen and select safe mode with command prompt -option.
Then write following commands:
  • cd\
  • cd C:\Documents and Settings\Robin\Desktop
  • Combo-Fix.exe

When done reboot back into normal mode and post contents of ComboFix log.
 
I guess I should say where I'm getting the log from, C:Combo-Fix\ComboFix.txt.
When ComboFix is done, it reboots the machine automatically. It says it is making the log, I noticed that the WinReanimator icon does not appear in the notification area at this time. Then ComboFix reboots machine again, and the icon for WinReanimator is back, and the log below is the only one I could find.


ComboFix 08-05-07.2 - Administrator 2008-05-09 0:46:14.5 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Robin\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
 
Hi

Is there any other ComboFix.txt file around on your C: drive?

At this point it won't do any harm to run GMER.

Download GMER and save it your desktop:
  • Extract it to your desktop and double-click GMER.exe
  • Click rootkit-tab and then scan.
  • Don't check the Show All box while scanning is in progress!
  • When scanning is ready, click Copy.
  • This copies log to clipboard
  • Post log in your reply.
 
I did a search and found only these two ComboFix.txt files:

.:\\(0!|0\\0)
C:\\WINDOWS\\system32\\(\\|0!|0\\0)
C:\\WINDOWS\\system32\\config\\(\\|0!|0\\0)
C:\\WINDOWS\\system32\\csrss.exe\\(0!|0\\0)
C:\\WINDOWS\\system32\\drivers\\(\\|0!|0\\0)
C:\\WINDOWS\\system32\\hal.dll\\(0!|0\\0)
C:\\WINDOWS\\system32\\lsass.exe\\(0!|0\\0)
C:\\WINDOWS\\system32\\ntdll.dll\\(0!|0\\0)
C:\\WINDOWS\\system32\\services.exe\\(0!|0\\0)
C:\\WINDOWS\\system32\\smss.exe\\(0!|0\\0)
C:\\WINDOWS\\system32\\svchost.exe\\(0!|0\\0)
C:\\WINDOWS\\system32\\userinit.exe\\(0!|0\\0)
C:\\WINDOWS\\system32\\wbem\\(\\|0!|0\\0)
C:\\WINDOWS\\system32\\winlogon.exe\\(0!|0\\0)
C:\\boot.ini\\(0!|0\\0)
C:\\ntdetect.com\\(0!|0\\0)
C:\\ntldr\\(0!|0\\0)
C:\\WINDOWS\\(\\|0!|0\\0)
C:\\WINDOWS\\explorer.exe\\(0!|0\\0)

and:

ComboFix 08-05-07.2 - Administrator 2008-05-09 0:46:14.5 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Robin\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

GMER Log:

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-05-09 12:03:52
Windows 5.1.2600 Service Pack 1


---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@appinit_dlls cru629.dat

---- EOF - GMER 1.0.14 ----
 
EDIT: Skip this post and try method in next post.

Hi

Let's do some more researching.

First, please run an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:
  • Extended (If available, otherwise Standard)
Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK.
  • Under select a target to scan, select My Computer.
  • The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.
Once the scan is complete:
  • Click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information into your next post if the AV content will fit into one post only.
  • If the results of the anti virus scan itself will take more than one post to contain, you may upload it to http://rapidshare.com


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problem doing the above:

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.

__________________

After that go here and download Silent Runners.vbs (clicking the download link works if you use IE. If you use Firefox, right-click on the link and choose Save Link As) to a new folder on your drive and run it. It generates a log too. It takes a minute or two and it will notify you with a popup when your log is ready (it will be in the new folder you created). Please post the information back in this thread. If your AV queries the script, allow it to run. It's not malicious.
 
Hi

Before we try Kaspersky and Silent runners let's give ComboFix one more try. Follow instructions below:
1. Uninstall Spybot for now.

2. Move Combo-Fix.exe file from your desktop to root of C: drive (C:\). That way we can access it on every account.

3. Try running ComboFix through in safe mode with command prompt. Here are the steps to follow (print/save these since you won't be able to access them while in safe mode):
Press F8 before Windows' loading screen and select safe mode with command prompt -option.
Then write following commands (I assume you moved Combo-Fix.exe to C: root):
  • cd\
  • Combo-Fix.exe

When ComboFix reboots select safe mode with command prompt again so that ComboFix will finish there.
 