Bicester Computers Support Forum > SOFTWARE & DRIVERS > Protection Software > Malicious Software & Spam emails (removal procedures)
Old 22nd August 2008, 08:58 AM
dominicb (New Member)
Hi Laurentio, I have just spent all yesterday afternoon trying to rid a machine of the consequences of opening the new variant UPS virus. I ran out of time, so I am going back to the machine later this morning to try and finish resolving the issues.

I ran across your forum last night whilst researching the problem from my home, so I'll be trying your latest advice in a couple of hours.

I know the viruses that come with the now infamous UPS email, i.e. Burrito, Braviax, Katrina etc., but have you come across a file called yej05.sys that resides in the windows\system32\drivers\ subdirectory? I am unable to remove it by any of my normal methods (kill, autoruns, etc.), even in safe mode and with the work-around of renaming the tools so they start up in the presence of the above-named viruses.

I have Googled the yej05 file name and it just comes back with hits from Russian websites with no real information about what it is.

Do you know this file, or have you come across it in your anti-spyware/malicious software removal work?

Any help or advice greatly appreciated; I'll leave another message after trying your new method to get rid of the base UPS virus.
Old 22nd August 2008, 10:49 AM
laurentio (Master Admin, Oxfordshire, UK)

Quote:
Originally Posted by jd12345
Sorry, I'm just trying to rush through everything! OK, so I'll download NOD32, then uninstall AVG, and then do a virus scan with NOD32. There are two computers in the house - can we get free trials on both of them?
Yes, you can have it on both computers.
Old 22nd August 2008, 12:30 PM
laurentio (Master Admin, Oxfordshire, UK)
AVZGuard 4.30 Free Malware detection - removal software

Quote:
Originally Posted by dominicb
...have you come across a file called yej05.sys, that resides in the windows\system32\drivers\ subdirectory? Unable to remove by any of my normal methods (kill, autoruns, etc.) even in safe mode and with the work-around of renaming the tools to start up in the presence of the above-named viruses...
Hi Dominic, and welcome to our support forum.

yej05.sys is definitely a service-driver file of a rootkit (Win32/Wigon.CK) that deploys files (running services) inside system32\drivers. See below:


C:\WINDOWS\System32\Drivers\Sxd15.sys');
C:\WINDOWS\System32\Drivers\Agl27.sys');
C:\WINDOWS\System32\Drivers\Chm05.sys');
C:\WINDOWS\System32\Drivers\Cin38.sys');
C:\WINDOWS\System32\Drivers\Eko62.sys');
C:\WINDOWS\System32\Drivers\Glp51.sys');
C:\WINDOWS\System32\Drivers\Msx62.sys');
C:\WINDOWS\System32\Drivers\Nty84.sys');
C:\WINDOWS\System32\Drivers\Pua27.sys');
C:\WINDOWS\System32\Drivers\Pua51.sys');
C:\WINDOWS\System32\Drivers\Puy50.sys');
C:\WINDOWS\System32\Drivers\Qvb61.sys');
C:\WINDOWS\System32\Drivers\Rwc62.sys');
C:\WINDOWS\System32\Drivers\Sxd05.sys');
C:\WINDOWS\System32\Drivers\Vbg40.sys');
C:\WINDOWS\System32\Drivers\Yei48.sys');
C:\WINDOWS\System32\Drivers\Yej05.sys');

The best removal tool in this case is AVZGuard.
The latest version is AVZGuard 4.30 and it can be downloaded from here.

Last edited by laurentio; 22nd August 2008 at 02:07 PM.
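Every driver in the list above follows the same naming scheme (three letters, two digits, .sys) and each one is registered as a service so that it loads. As an added illustration, not code from the thread or from AVZGuard, the Python below takes a dump of the drivers directory and a service export and produces a review list of files that match that scheme and are not in a known-good baseline; the listing, the service entries and the allowlist are all constructed samples.

```python
import re

# Constructed sample listing of %SystemRoot%\System32\Drivers as a removal tool
# dumps it; the trailing "');" residue seen in the thread is tolerated.
SAMPLE_LISTING = r"""
C:\WINDOWS\System32\Drivers\ntfs.sys
C:\WINDOWS\System32\Drivers\ip6fw.sys
C:\WINDOWS\System32\Drivers\Yej05.sys');
C:\WINDOWS\System32\Drivers\Sxd15.sys');
C:\WINDOWS\System32\Drivers\Msx62.sys
"""

# Constructed, hypothetical export of HKLM\SYSTEM\CurrentControlSet\Services
# (service name -> ImagePath); a driver with a service entry is one that loads.
SAMPLE_SERVICES = {
    "Tcpip": r"system32\DRIVERS\tcpip.sys",
    "Yej05": r"\??\C:\WINDOWS\System32\Drivers\Yej05.sys",
    "Sxd15": r"\??\C:\WINDOWS\System32\Drivers\Sxd15.sys",
}

# Hypothetical allowlist: build it from a clean image of the same Windows build
# and service pack, never from the suspect machine itself.
KNOWN_GOOD = {"ntfs.sys", "ip6fw.sys", "tcpip.sys"}

# Every driver name in the thread's list is three letters, two digits, ".sys".
WIGON_NAME = re.compile(r"^[a-z]{3}[0-9]{2}\.sys$", re.IGNORECASE)

def basename(path):
    # Last path component, with AVZ-style "');" residue stripped first.
    return path.strip().rstrip("');").rsplit("\\", 1)[-1]

def service_for(driver, services=SAMPLE_SERVICES):
    # Name of the service whose ImagePath ends in this driver file, else None.
    for svc, image in services.items():
        if basename(image).lower() == driver.lower():
            return svc
    return None

def suspicious_drivers(listing=SAMPLE_LISTING, services=SAMPLE_SERVICES,
                       known_good=KNOWN_GOOD):
    """(driver, service-or-None) for files matching the naming pattern that are
    not in the baseline. This is a review list: check the file's digital
    signature and publisher before deciding anything is malicious."""
    found = []
    for line in listing.splitlines():
        name = basename(line)
        if name and name.lower() not in known_good and WIGON_NAME.match(name):
            found.append((name, service_for(name, services)))
    return found
```

A driver that matches the pattern but has no service entry (Msx62.sys in the sample) is still worth a look, since a dropped file may simply not have been registered yet.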
Old 23rd August 2008, 02:03 AM
Richard (New Member)
works great!

Thank you very (add several more verys if you want) much! This is, as you said, a tough one to get rid of, but I followed your steps at the bottom of your thread and it worked just great! No more problems! You are helping a lot of people, my friend.

Richard
Old 23rd August 2008, 02:05 AM
Richard (New Member)
works great!

I should add this is in regard to that UPS buritos.exe virus!

Richard
Old 23rd August 2008, 04:59 AM
laurentio (Master Admin, Oxfordshire, UK)

Dear Richard,
You see, words like these and people like you make us justify what we are doing. It is me who should say thank you, welcome to our forum and have a long and nice stay amongst us.
Kind regards,
Old 24th August 2008, 12:33 PM
Munster (New Member)

Laurentio

Thanks, the 'final solution' worked well, albeit I used the already installed TREND rather than the recommended one. TREND seems OK but couldn't get rid of the Trojan, and their own recommended removal method was a waste of time as it couldn't attack the cause.

cheers

Robert
Old 27th August 2008, 07:32 AM
rmcinnes (Junior Member, Perth, Western Australia)

Laurentio,
As promised, my feedback on the status of the Final Solution...
My notebook is clean, and continues to perform better than ever before, thanks.
NOD32 is just great for me; it is quiet, especially on start-up, and carries very little baggage.
McAfee just seemed to get fatter and fatter, and consumed most of my very limited core memory [Sony VAIO PCG-XE17 maxed out at 256 MB].

I have two minor but annoying problems, one resolved, the other outstanding...
a) Internet Shortcuts: now resolved...
I struggled to restore [or create new] Internet Shortcuts within My Favourites in Internet Explorer, on my Desktop, and in Start, All Programs, Folders.
This was resolved today by downloading the latest version of Internet Explorer Version 7 from Microsoft and installing it over the top of the older version [Version 7.0.5730.13 is new and updated, Version 7.0.5730.11 was the old].

b) Internet Explorer Homepage is stuck on http://www.msn.com...
The Home page setting in Internet Explorer remains set, but has no effect. Internet Explorer always starts up with http://www.msn.com as the home page, which is very, very annoying.
Newsgroup microsoft.public.internetexplorer.general has a few posts on this topic, and they appear to blame a setting in third-party packages that locks the Home Page.
They list typical packages as
Ad-aware's Ad-Watch, Spybot Tea Timer, SpywareBlaster, SpySweeper, Spyware Doctor, CounterSpy,
AVG Anti-Spyware, Norton AntiVirus, McAfee VirusScan and/or Antispyware, NOD32, and Zone Alarm.

I cannot find any such setting in NOD32, so remain baffled at this time...

Thanks again. Your forum and your personal support have been just marvellous...

Robert
Old 27th August 2008, 06:42 PM
teufelhunde93 (New Member)

Quote:
Originally Posted by laurentio
Hi Teufelhunde93,
It looks clean to me. I would anyway remove McAfee, as it didn't help against UPS, and replace it with a proper antivirus. Doing so would also improve the speed of your PC by at least 30%.
Regards,
Thanks for your help, Laurentio, in posting this information for all of us to use to remove this very annoying virus!

By the way, what anti-virus do you recommend?
Old 27th August 2008, 07:08 PM
laurentio (Master Admin, Oxfordshire, UK)
Recommended Antivirus solution - NOD32

NOD 32.
See more here:

http://bicester-computers.com/suppor...hread.php?t=25