TheStubware Technical Support Forum
September 05, 2010, 06:26:36 AM
Topic: Cannot remove cru629.dat
Ted
« on: October 03, 2009, 04:10:22 PM »

I've recently been infected with braviax.  It appears my antispyware fired up and either blocked or removed the main program, because a search does not reveal traces of braviax.exe.  However, cru629.dat is installed in the C:\Windows\system32\ folder and cannot be permanently removed.  I can remove it; however, within 5 to 10 seconds the file rebuilds itself in the system32 folder.  I've run a scan with TheStubware and two files appear as suspicious:

Auto-Run Programs: HKLM\NT\Windows\AppInit_Dlls=C:\WINDOWS\system32\cru629.dat
Recent Created Files: C:\WINDOWS\system32\cru629.dat  Created on 2009-9-12 3:21:15.


CLICK For TheStubware Log #1

 
EDIT: Log file linked.
« Last Edit: October 04, 2009, 12:11:13 AM by Ted »

Michael
« Reply #1 on: October 03, 2009, 04:25:35 PM »

Hi,

Please launch TheStubware, click "Settings" in the "Scanner" window, then check "Use kernel mode" and click "ok". Then click the "Start scan" button and post your new log file here.

BTW, did you let TheStubware fix the two items?

Download TheStubware at : http://www.TheStubware.com/download.php
Michael
« Reply #2 on: October 03, 2009, 04:42:20 PM »

Hi Ted,

I think the braviax is hidden from all of your security programs. So please copy and paste the following text into Notepad, then save it:

Code:
<RSF>
<SERVICE>catchme</SERVICE>
<SERVICE>CrystalSysInfo</SERVICE>
<FILE>C:\WINDOWS\system32\cru629.dat</FILE>
<FILE>C:\Windows\braviax.exe</FILE>
<FILE>C:\Windows\System32\braviax.exe</FILE>
</RSF>

Then drag and drop it onto the TheStubware window. It may prompt you to restart Windows; just do it. After Windows is restarted, check if the problem is gone.
Ted
« Reply #3 on: October 03, 2009, 09:52:09 PM »

Hi Michael.

Thanks for your help.

I ran the customized removal script you sent.  Here are the results:

********************************
Customizing Removal started...
Fix Service : [catchme] : Deleted successful.
Fix Service : [CrystalSysInfo] : Deleted successful.
Fix File : [C:\WINDOWS\system32\cru629.dat] : Deleted successful.
Fix File : [C:\Windows\braviax.exe] : This file doesn't exist, it might be deleted already.
Fix File : [C:\Windows\System32\braviax.exe] : This file doesn't exist, it might be deleted already.
Customizing Removal finished!
********************************

I then immediately checked the C:\WINDOWS\system32\ folder for the cru629.dat file and yes, it had regenerated itself again.  BTW, I forgot to mention that I had tried SDFix, OTMoveIt2 and MalwareBytes, all with the same results.  The file can be deleted, but regenerates itself within a few seconds.  Browsing to the end of the system32 folder, and using OTMoveIt2, I can delete the file.  I see the list shrink by one file, and within 4 to 10 seconds the new cru629.dat file is created and appended to the end of the file list (in the system32 folder).  The same if I change the filename: a new file is immediately created.  One other thing, I did a basic Windows search for cru629.dat within the files and it was found in "backups".  I deleted the file from backups.  It didn't correct the problem.

The next step, I'll launch TheStubware using "kernel mode" and post the log file here as requested.

Thanks again Michael for your help.

Ted
« Last Edit: October 03, 2009, 10:03:21 PM by Ted »
Ted
« Reply #4 on: October 03, 2009, 10:18:16 PM »

Here are the results of the scan using "kernel mode"....

CLICK for Stubware Kernel-Mode Log #2

***************************************

Image of the two suspicious items after scan: (screenshot not preserved in the archived text)
Thanks again Michael
« Last Edit: October 04, 2009, 12:10:43 AM by Ted »
Michael
« Reply #5 on: October 03, 2009, 10:30:56 PM »

Hi Ted,

Can you let TheStubware fix the two items and confirm this item is fixed successfully:

Auto-Run Programs : HKLM\NT\Windows\AppInit_Dlls=C:\WINDOWS\system32\cru629.dat

Then click "Start Scan" again and check if the above item comes back. If it does come back, click the "Active Monitor" tab and check if something is in the log list.
Ted
« Reply #6 on: October 03, 2009, 11:18:43 PM »

Hi Michael, I did as you suggested, here are the steps:

First I had Stubware delete the items. (screenshot not preserved in the archived text)

Second I ran a new scan in kernel mode.  Both items returned. (screenshot not preserved in the archived text)

Third the active monitor.  Many items (1006).  It appears the cru629.dat file is quite active.
Here is the logfile of the active monitor.

CLICK to Download the Stubware Active Monitor Logs #3

EDIT:  Michael, I've edited the previous two posts by uploading the text files to a server (in .txt format) and linking, rather than cluttering this thread with the text (as I did in this post with the active monitor file).

Thanks again Michael.
« Last Edit: October 04, 2009, 12:17:12 AM by Ted »
Michael
« Reply #7 on: October 04, 2009, 08:42:20 AM »

Hi Ted,

Can you do this:

1. Launch TheStubware
2. Click "Active Monitor" tab
3. Set its work mode to "Block Mode"
4. Then click "Scanner" tab and click "Start Scan" button
5. Fix the two items
6. Then restart Windows
7. After Windows is restarted, run TheStubware scanner again and check if the two items are back.

Michael
Ted
« Reply #8 on: October 04, 2009, 09:59:16 AM »

Hi Michael,

I ran the procedure you recommended.  The results:

1) One of the two items was removed. The following suspicious item remained after restarting Windows:
    "Recent Created File:  C:\WINDOWS\system32\cru629.dat Created on:2009-0-12 3:21:15"

One note, SpySweeper failed to initialize correctly when I restarted Windows.  Here is the active monitor report:

*************************************************
12:25:45 [SpySweeper.exe:3260] Attempt to add an entry to auto-run settings [path : HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SpySweeper="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray"] Blocked
12:26:11 [WgaTray.exe:1972] Attempt to inject into winlogon.exe [path : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings] Blocked
12:26:11 [WgaTray.exe:1972] Attempt to inject into winlogon.exe [path : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon] Blocked
*************************************************

One additional test:

1) I used Stubware in "Block Mode" to fix the one suspicious item listed above.
2) I immediately ran another scan without restarting Windows.
3) This time your Stubware did not find the cru629.dat file.  I verified with Windows Explorer, the file has not been rewritten to the folder.

Note, I haven't yet restarted Windows to verify whether or not the file will return on a reboot.

Michael, what are your recommendations to prevent the file from returning when I return Stubware to "Go through mode"?  Or to prevent the file from returning when I restart Windows?

Thanks again for your help.

Ted

Edit:  Info added
« Last Edit: October 04, 2009, 10:22:55 AM by Ted »
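The Active Monitor lines quoted in the post above all follow one shape: time, the acting process and its PID in brackets, a description of the operation, the target path, and the verdict. The following Python script is an added example, not part of this thread and not TheStubware's own code: it parses lines of that shape into records and summarizes which process attempted which operation, which is how one would triage a long capture like the 1006-entry log from Reply #6 for a specific artifact such as cru629.dat. The three sample lines are copied from the post; the field names, the helper functions and the assumption that verdicts are plain words ("Blocked", "Went through") are mine.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample input: the three Active Monitor lines quoted in the post,
# in the "HH:MM:SS [process:pid] action [path : target] verdict" shape shown there.
SAMPLE_LOG = r"""
12:25:45 [SpySweeper.exe:3260] Attempt to add an entry to auto-run settings [path : HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SpySweeper="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray"] Blocked
12:26:11 [WgaTray.exe:1972] Attempt to inject into winlogon.exe [path : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings] Blocked
12:26:11 [WgaTray.exe:1972] Attempt to inject into winlogon.exe [path : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon] Blocked
"""

# One regex for the whole line; the verdict is assumed to be a plain word or
# phrase ("Blocked", "Went through") at the end of the line.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) "
    r"\[(?P<process>.+?):(?P<pid>\d+)\] "
    r"(?P<action>.+?) "
    r"\[path : (?P<target>.+)\] "
    r"(?P<verdict>[A-Za-z ]+)$"
)


@dataclass(frozen=True)
class MonitorEvent:
    time: str
    process: str
    pid: int
    action: str
    target: str
    verdict: str


def parse_active_monitor(text: str) -> List[MonitorEvent]:
    """Parse Active Monitor log text; lines not in the event format are skipped."""
    events: List[MonitorEvent] = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(MonitorEvent(
            m["time"], m["process"], int(m["pid"]),
            m["action"], m["target"], m["verdict"],
        ))
    return events


def blocked_by_process(events: Iterable[MonitorEvent]) -> Dict[str, int]:
    """How many operations each process had blocked (useful to spot collateral blocks like SpySweeper)."""
    return dict(Counter(e.process for e in events if e.verdict == "Blocked"))


def events_touching(events: Iterable[MonitorEvent], needle: str) -> List[MonitorEvent]:
    """Events whose acting process or target mentions an artifact, e.g. 'cru629.dat'."""
    n = needle.lower()
    return [e for e in events if n in e.process.lower() or n in e.target.lower()]


def persistence_attempts(events: Iterable[MonitorEvent]) -> List[MonitorEvent]:
    """Auto-run registry writes and process injection: the two behaviours the thread
    associates with the file re-creating itself and its registry entry."""
    keywords = ("auto-run", "inject")
    return [e for e in events if any(k in e.action.lower() for k in keywords)]


if __name__ == "__main__":
    evs = parse_active_monitor(SAMPLE_LOG)
    print("blocked operations per process:", blocked_by_process(evs))
    for e in persistence_attempts(evs):
        print(f"{e.time} {e.process}[{e.pid}] {e.action} -> {e.verdict}")
```

On a real capture, `events_touching(events, "cru629.dat")` narrows the list to operations where the injected library (through whichever host process it is running in) or its registry value is the target, while `blocked_by_process` makes collateral blocks such as the SpySweeper auto-run entry stand out from the noise.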
Michael
« Reply #9 on: October 04, 2009, 01:55:40 PM »

Hi Ted,

Please restart Windows and check if the cru629.dat comes back; I guess it should not come back. From the process we worked on, I think this malware worked in this way: the cru629.dat will be injected into every win32 process at Windows startup due to this registry entry:

Auto-Run Programs : HKLM\NT\Windows\AppInit_Dlls=C:\WINDOWS\system32\cru629.dat

This entry causes this "cru629.dat" to be inserted into every win32 process. Once the cru629.dat is active, it monitors itself against being deleted and monitors the registry entry against being deleted. Once the registry entry is deleted or the file is deleted, it regenerates them immediately. So we set the Active Monitor to work in block mode: when TheStubware deleted the registry entry, the regeneration operation by the cru629.dat failed. When you restart Windows, because that registry entry is already fixed, the cru629.dat will not be injected, so it becomes inactive and the deletion of the file will succeed. So please restart Windows and check if it comes back, to prove my guess.

Thanks,
Michael
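Michael's explanation above rests on the AppInit_DLLs mechanism: every process that loads user32.dll also loads each library listed in that registry value, so a malicious entry gets into every GUI process at logon and can guard its own file and its own registry value from inside those processes, which is why deleting the file alone never sticks. The Python script below is an added example, not code from this thread or from TheStubware: it audits an AppInit_DLLs value the way a responder would, splitting it into entries and flagging ones that are not .dll files, have random-looking names, or are absent from an allow-list. The real registry path behind TheStubware's abbreviated "HKLM\NT\Windows\AppInit_Dlls" display is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows. The sample value is constructed from the cru629.dat entry in the thread; the name heuristic and the allow-list are assumptions of mine.

```python
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Real registry location behind TheStubware's abbreviated "HKLM\NT\Windows\AppInit_Dlls" display.
APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
APPINIT_VALUE = "AppInit_DLLs"

# Constructed sample value, taken from the entry reported in this thread.
SAMPLE_VALUE = r"C:\WINDOWS\system32\cru629.dat"

# Hypothetical allow-list: DLLs an administrator has verified as legitimately registered here.
KNOWN_GOOD: Set[str] = set()


@dataclass
class Finding:
    entry: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_appinit_value(raw: str) -> List[str]:
    """Split the value into library paths; Windows accepts space- or comma-separated entries."""
    return [p for p in re.split(r"[ ,]+", raw.strip()) if p]


def assess_entry(entry: str, known_good: Optional[Set[str]] = None) -> Finding:
    """Flag one AppInit entry. The checks are heuristics (assumptions), not a verdict."""
    finding = Finding(entry)
    name = os.path.basename(entry.replace("\\", "/"))
    stem, ext = os.path.splitext(name)
    if ext.lower() != ".dll":
        # A library loaded from a .dat (or other non-.dll) name is the pattern seen with cru629.dat.
        finding.reasons.append(f"non-DLL extension '{ext or '(none)'}' loaded as a library")
    if re.fullmatch(r"[a-z]{2,4}\d{3,}", stem.lower()):
        finding.reasons.append("random-looking name (short letters followed by digits)")
    if known_good is not None and name.lower() not in {k.lower() for k in known_good}:
        finding.reasons.append("not on the allow-list of expected AppInit DLLs")
    return finding


def audit_appinit(raw: str, known_good: Optional[Set[str]] = None) -> List[Finding]:
    """Audit a full AppInit_DLLs value and return one Finding per entry."""
    return [assess_entry(e, known_good) for e in parse_appinit_value(raw)]


def read_live_appinit() -> Optional[str]:
    """Read the real value on a Windows host; returns None elsewhere or if the value is absent."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
            value, _ = winreg.QueryValueEx(key, APPINIT_VALUE)
            return value
    except OSError:
        return None


if __name__ == "__main__":
    raw = read_live_appinit() or SAMPLE_VALUE
    for f in audit_appinit(raw, KNOWN_GOOD):
        status = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{status:10} {f.entry}  {'; '.join(f.reasons)}")
```

The audit is read-only on purpose. As the thread shows, the order of remediation matters more than the delete itself: first stop the injected code from re-creating things (block mode), then clear the registry value, then reboot so nothing loads the library, and only then remove the file.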
Michael
« Reply #10 on: October 04, 2009, 01:58:57 PM »

For the issue that TheStubware also blocks SpySweeper's operations on the registry, you can set the Active Monitor to work in Prompt Mode. Then, when SpySweeper tries to add something to the registry, it will give you a prompt window and you can choose to let it go through or block it.
Ted
« Reply #11 on: October 04, 2009, 02:03:30 PM »

Hi Michael

When I restart Windows this time, should I leave Stubware in "Block Mode" or return it to "Go through mode"?  I haven't restarted Windows yet since the last scan.  I was waiting for your reply.

Ted
Michael
« Reply #12 on: October 04, 2009, 03:11:56 PM »

Please leave it in block mode when you restart.
Ted
« Reply #13 on: October 04, 2009, 03:44:07 PM »

Hello Michael,

It appears your assessment was correct.  I left Stubware in "Block mode", restarted Windows, and no trace of cru629.dat.  I then used the "Go through mode" and restarted Windows several times, without the pesky file returning.

The only issue I have is, before I posted to the forum, I ran TheStubware and it found 6 suspicious items.  I unchecked all but the 2 related to cru629 and fixed the selected items.  However, Stubware reported that it fixed all 6 items.  I know one of the 4 remaining was related to SpySweeper; the other three, I don't recall.  I wasn't concerned at the time because all 4 were unchecked.  However, I haven't been able to open Webroot SpySweeper since.  This is not an issue as I can reinstall it.  The other three, I am not sure of the importance of the processes that were removed.

Question: is there a means to undo something that has been fixed, or is there an automatic log of items that have been fixed, to determine if the other three are required for the process?

And thanks Michael for your help.  I think this problem would have been very difficult to resolve without your Stubware software and your technical support.  Maybe you can look into the reason for the unchecked items being 'fixed' and whether or not I can view the 3 deleted processes.

Thanks again

Ted
Michael
« Reply #14 on: October 04, 2009, 03:53:32 PM »

Hi Ted,

In the TheStubware installation folder, which is by default "C:\Program Files\TheStubware", there is a subfolder called "Quarantine". This subfolder is used to back up the deleted files; all files in this subfolder end with ".bad" as the extension. You can check if the SpySweeper files are in this subfolder.  One thing you may need to know: only the scanner can delete files and remove registry entries. The "Active Monitor" can only block suspicious operations such as an operation to add an entry into the registry. If something appears in the Active Monitor log list, it just means Active Monitor detected this operation; the operation was either blocked or went through depending on the work mode.

Still in the folder "C:\Program Files\TheStubware", there should be a text file "firstscan.log". This is the log file from when you ran TheStubware for the first time, so if you can find it, please post it and I can check what the 6 items you fixed were.