UPS Virus removal - braviax.exe and burito.exe

24th July 2008, 12:44 AM
Master Admin
Join Date: Jan 2008
Location: Oxfordshire, UK
Posts: 440
A new threat, hard to remove as so far nothing can stop it or identify it.
It might arrive as an email from UPS, a zipped file that once opened will deploy braviax.exe and burito.exe on your system.
The bogus Packet Service messages claim a parcel sent by the user was undeliverable due to an incorrect address. The user is instructed to open an attachment containing a copy of the invoice. The attachment actually contains a virus which may infect the user's computer.
Here is the removal procedure:
-------------------------------------------------------------------
Before we start fixing anything you should print out these instructions or copy them to a Notepad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.
Download SDFix and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Open the SDFix folder and double click RunThis.cmd to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services or Registry Entries found then prompt you to press any key to reboot.
- Press any Key and it will restart the PC.
- When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
----------------------------------------------------------------------------
Please perform a scan with Kaspersky Webscan Online Virus Scanner
1. Read the Requirements and Privacy statement, then select "Accept".
2. A new window will appear prompting you to install an ActiveX component from Kaspersky - "Do you want to install this software?"
3. Click "Yes" or select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. When the download is complete it will say ready, click "Next".
5. Click "Scan Settings" and check the option to use the Extended Database (if available, otherwise Standard).
6. Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
7. Click "OK".
8. Under "Select a target to scan", click on "My computers".
Kaspersky does not remove anything but will provide a log of anything it finds.
Please post your feedback
Last edited by laurentio; 11th January 2009 at 04:45 PM.

UPS virus removal

24th July 2008, 09:41 AM
Junior Member
Join Date: Jul 2008
Posts: 6
We had this UPS virus on our work network with devastating results. 7 formatted computers, days of stress and hard work, installation and data recovery not to mention the costs or the business loss.
I believe that the one above is the new version, as we had this problem more than 3 weeks ago.
Be very careful, this virus is for real.

UPS virus fix

24th July 2008, 09:56 AM
Master Admin
Join Date: Jan 2008
Location: Oxfordshire, UK
Posts: 440
Yes, it is the new variant of UPS.
Here is the resume of emails I have sent to our customers so far:
VERY IMPORTANT! (23-07-08 / 3:30AM)
Do not open any emails with UPS tracking code/number subject as it might be the new UPS virus.
The virus deploys braviax.exe and burito.exe and the removal procedure might lead to windows corruption.
Kind regards,
UPDATE (24-07-08 / 7:10AM)
http://urbanlegends.about.com/b/2008...us-warning.htm
The new virus is apparently a variant of the one described in the link above.
UPDATE (24-07-08 / 7:20AM)
http://wordpress.com/tag/ups-virus/
The new variant.
UPDATE (24-07-08 / 7:30AM)
A possible removal procedure might be found here:
http://support.bicester-computers.co...splay.php?f=31

How to remove UPS Virus

24th July 2008, 10:58 AM
Master Admin
Join Date: Jan 2008
Location: Oxfordshire, UK
Posts: 440
Apparently ComboFix can remove it via a special script, much easier than the method posted above.
Also, F-Prot Antivirus can identify the UPS virus and quarantine it.
Download the 30 days fully functional trial from here and try it.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\buritos.exe
C:\WINDOWS\system32\karina.dat
C:\WINDOWS\karina.dat
Folder::
C:\WINDOWS\system32\wsnpoem
Driver::
Ppu54
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ppu54.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\buritos]
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
Download ComboFix from here (also, read the tutorial on how to use ComboFix)
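
A read-only pre-check for the CFScript in the post above, as an added example that is not part of the original thread or of ComboFix: it parses the script's sections and reports which of its File and Folder targets occur in a saved path listing, so you can see what is actually on the machine before anything is deleted. The function names and the sample listing are constructed for illustration, and the registry key is written with `Control` unsplit.

```python
import ntpath

CFSCRIPT = r"""File::
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\buritos.exe
C:\WINDOWS\system32\karina.dat
C:\WINDOWS\karina.dat
Folder::
C:\WINDOWS\system32\wsnpoem
Driver::
Ppu54
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ppu54.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\buritos]
"""

# Constructed sample listing (e.g. saved `dir /s /b` output); not real data.
INVENTORY = [r"c:\windows\System32\WSNPOEM\audio.dll", r"C:\WINDOWS\buritos.exe",
             r"C:\WINDOWS\notepad.exe"]

def parse_cfscript(text):
    """Group entries under their 'Name::' section header."""
    sections, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("::"):
            current = sections.setdefault(line[:-2], [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        elif line.startswith("[-") and line.endswith("]"):
            current.append(line[2:-1])  # "[-KEY]" = delete key; keep the path
        else:
            current.append(line)
    return sections

def norm(path):  # Windows paths are case-insensitive: normalise before comparing
    return ntpath.normcase(ntpath.normpath(path))

def present_targets(sections, inventory):
    """List the File/Folder targets that actually occur in the listing."""
    seen = {norm(p) for p in inventory}
    hits = [("File", t) for t in sections.get("File", []) if norm(t) in seen]
    for t in sections.get("Folder", []):
        prefix = norm(t) + "\\"
        if any(p == norm(t) or p.startswith(prefix) for p in seen):
            hits.append(("Folder", t))
    return hits

if __name__ == "__main__":
    print(*present_targets(parse_cfscript(CFSCRIPT), INVENTORY), sep="\n")
```

The Driver and Registry entries are parsed but not checked here, since a path listing cannot confirm them.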

Easy removal for UPS virus - DHL virus, postage or missed parcel message - virus

24th July 2008, 03:48 PM
Master Admin
Join Date: Jan 2008
Location: Oxfordshire, UK
Posts: 440
FINAL SOLUTION:
Have just found an easier and quicker way to remove UPS, DHL virus, burito.exe, braviax.exe and not only.
1. Download Remove Fake Antivirus from here
Install, update then follow the scanning instructions.
2. Download Malwarebytes from here
Install, update then follow the scanning instructions.
3. Download Panda Cloud from here
Install and update and restart when requested.
In most of the cases you won't be able to download/update on the infected computer. Just use a working PC, download on a USB stick then move them onto the infected PC and just follow the instructions. Also, the safe mode scanning is recommended.
It will take from 30 min or maybe more (depends on the level of infestations) but trust me, it works. I have just cleaned 4 computers.
Please let us know if the above posted solution has helped you or not.
It is not only about helping others but helping yourself and making us better. Open an account with us today and get an automatic confirmation email with your username and password that will save you time in future.
(It is free and it takes less than a minute)
Thank you.
Last edited by laurentio; 19th January 2010 at 01:13 PM.

ups virus

24th July 2008, 06:17 PM
Junior Member
Join Date: Jul 2008
Posts: 1
Hi... I accidentally downloaded this UPS virus.
I have been trying to follow your instructions, but I am unable to open up the sdfix.exe file. Any suggestions?
Thanks

24th July 2008, 06:44 PM
Master Admin
Join Date: Jan 2008
Location: Oxfordshire, UK
Posts: 440
Hi there,
I would jump to the last post of my thread (the last solution posted) and try it.
If you still want to open SD then just rename it to SD2 and try installing again.

Thank You Laurentio!!

24th July 2008, 08:01 PM
Junior Member
Join Date: Jul 2008
Posts: 2
Quote:
Originally Posted by laurentio
Have just found an easier and quicker way to remove UPS virus, burito.exe, braviax.exe and not only.
1. Download F-Prot Antivirus
from here
Install and update and restart when requested.
3. Download TR
from here
Install, update then follow the scanning instructions.
It might take 30 min or maybe more but trust me, it works. I have just cleaned 4 computers.

Fix listed here works!!! Thank you very much, Laurentio!! Well done!

24th July 2008, 09:13 PM
Master Admin
Join Date: Jan 2008
Location: Oxfordshire, UK
Posts: 440
Hi Kristine,
Glad it worked and thanks a lot for the feedback. xx

It Didn't work

25th July 2008, 04:52 AM
Junior Member
Join Date: Jul 2008
Posts: 6
I have tried the FP and TR fix you suggested, but while both programs found a few items they both seem to have missed buritos.exe (and a couple of others which I have been led to believe are related).
I have done this repeatedly, with rebooting.
I'd really like to know if there is something else I missed. (I did the updates and have rerun them in the correct order). I have even gone and hunted down the files that the logs claimed it was unable to remove (presumably due to locks), then removed them (with the help of a program from a Hiren's CD).
The programs are up to date.
I'd love another idea - I'm at a loss.
I may be quite wrong, but I feel that I may need a program that can run before Windows boots and erase freely anything that may be related. Am I off-base completely? Is there a program like this? Am I missing something?
Thank you for your help.