
Braviax.exe and possibly Mondo virus - Kaspersky Killed

  1. #1
    Junior Member
    Registered: 05.09.2008
    Posts: 1
    Reputation weight: 58

    Hi All,

    I am an IT Support Technician who is working remotely. The remote PC has a virus which stays in the system tray (White X, red circle background) which the user double clicked on and installed XP Security Center. The virus has killed Kaspersky for Workstations 6, updated with latest signatures (at the time) and will not allow it to start.

    I was able to run the Kaspersky Virus Removal Tool remotely (as system shell) and have the Manual Scan result attached. The automatic scan picked up numerous items which it neutralised, but the virus is still installed - I am running the automatic scan again now as I am sure it only removed 3 out of 21 threats before it decided it had to reboot.

    Does anyone have a script to remove this horrible thing?

    It's a 300-mile round trip to format the PC so it would be great if we didn't have to.

    Please see post below for report.

    Kind Regards,

    Thomas Greenwood
    8Networks, Manchester

    Report Attached

    Sorry
    Attachments
    Last edited by Rene-gad; 05.09.2008 at 18:45.

  2. #2
    Senior Member, drongo
    Registered: 17.09.2004
    Location: Israel
    Posts: 7,164
    Reputation weight: 994

    I am afraid it will not work well under a terminal session.
    Is there a chance that someone will execute our scripts under local admin and logs of the Kaspersky Virus Removal Tool?

    Can you run HijackThis there?

    You can try this one:
    Disable antivirus if it's running.
    Please execute the following script in avptool:
    Code:
    begin
    // Look for rootkit hooks (user mode and kernel mode) and neutralise them
    SearchRootkit(true, true);
    // Turn on AVZGuard while the clean-up runs
    SetAVZGuardStatus(True);
    // Copy the suspect files to quarantine before anything is deleted
     QuarantineFile('C:\WINDOWS\system32\karina.dat','');
     QuarantineFile('C:\WINDOWS\system32\_scui.cpl','');
     QuarantineFile('C:\WINDOWS\System32\drivers\tcpsr.sys','');
     QuarantineFile('C:\WINDOWS\System32\Drivers\Arx24.sys','');
     QuarantineFile('C:\WINDOWS\System32\Drivers\Beep.SYS','');
     TerminateProcessByName('c:\windows\system32\buritos.exe');
     QuarantineFile('c:\windows\system32\buritos.exe','');
    // Delete the files (Beep.SYS is quarantined only, not deleted)
     DeleteFile('c:\windows\system32\buritos.exe');
     DeleteFile('C:\WINDOWS\System32\drivers\tcpsr.sys');
     DeleteFile('C:\WINDOWS\System32\Drivers\Arx24.sys');
     DeleteFile('C:\WINDOWS\system32\karina.dat');
     DeleteFile('C:\WINDOWS\system32\_scui.cpl');
    // Boot Cleaner finishes the removal at the next boot, including the Arx24 and tcpsr services
    BC_ImportAll;
    ExecuteSysClean;
    BC_DeleteSvc('Arx24');
    BC_DeleteSvc('tcpsr');
    BC_Activate;
    // AVZ system repair routines 6 and 8, then reboot
    executerepair(6);
    executerepair(8);
    RebootWindows(true);
    end.
    Pack (zip, with password virus) -> Qurantine_AVZ (it is a subfolder where your Kaspersky Virus Removal Tool exists)
    Please upload it by link http://virusinfo.info/upload_virus_eng.php?tid=29653

    Then make a new log in Kaspersky Virus Removal Tool and attach it to your next post.
    Remember to launch Internet Explorer before making a new log.
    Last edited by drongo; 05.09.2008 at 18:50.
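
An added example, not part of the original thread and not code from the forum or the AVZ project: a small Python check that could be run over a removal script like the one in post #2 before it is executed, confirming that every `DeleteFile` target was quarantined first (so a sample survives for the upload step) and listing files that are quarantined but left on disk. The function name `audit` and the result keys are assumptions made for this example.

```python
import re

# The AVZ script from post #2, embedded as input for the check.
SCRIPT = r"""begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 QuarantineFile('C:\WINDOWS\system32\karina.dat','');
 QuarantineFile('C:\WINDOWS\system32\_scui.cpl','');
 QuarantineFile('C:\WINDOWS\System32\drivers\tcpsr.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\Arx24.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\Beep.SYS','');
 TerminateProcessByName('c:\windows\system32\buritos.exe');
 QuarantineFile('c:\windows\system32\buritos.exe','');
 DeleteFile('c:\windows\system32\buritos.exe');
 DeleteFile('C:\WINDOWS\System32\drivers\tcpsr.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Arx24.sys');
 DeleteFile('C:\WINDOWS\system32\karina.dat');
 DeleteFile('C:\WINDOWS\system32\_scui.cpl');
BC_ImportAll;
ExecuteSysClean;
BC_DeleteSvc('Arx24');
BC_DeleteSvc('tcpsr');
BC_Activate;
executerepair(6);
executerepair(8);
RebootWindows(true);
end."""

# Matches Name('first string argument' ... ; calls without a string argument are skipped.
CALL = re.compile(r"(\w+)\s*\(\s*'([^']*)'")

def audit(script):
    """Walk the calls in order and report deletions that have no quarantined copy."""
    quarantined, deleted, services, no_sample = [], [], [], []
    for name, arg in CALL.findall(script):
        fn, key = name.lower(), arg.lower()  # Windows paths and script names are case-insensitive
        if fn == "quarantinefile":
            quarantined.append(key)
        elif fn == "deletefile":
            deleted.append(key)
            if key not in quarantined:       # deleted before (or without) being quarantined
                no_sample.append(key)
        elif fn == "bc_deletesvc":
            services.append(key)
    return {"deleted_without_sample": no_sample, "services": services,
            "quarantined_only": [f for f in quarantined if f not in deleted]}

if __name__ == "__main__":
    print(audit(SCRIPT))
```

For the script above the check reports no deletion without a sample, `Beep.SYS` as quarantined only, and the two services queued for removal.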
