WinReanimator Removal Instructions (WinReanimator)

By Spatula on Feb 24, 2008 | Reply

I had Winreanimator headache yesteray too. I have no idea how I got infected… But here is how I cleaned it…

First of all I didn’t use any of the download softwares advertised on the web. They looked suspicious… It might just be me. (but I didn’t see any post from anybody indicating that any of them worked. There were nice web sites and etc. but no posts. I might be wrong but…)

Neverthe less you can clean it without those programs in about 1 minute.

Lets start.

1) First “Pause” the Winreanimator
2) Disconnect from the internet
3) Go to C:\Program files and locate “winreanimator” folder. We will delete this folder. You can’t delete it now bc the program is running.
4) Open the task bar (Ctrl Alt Del) go to Applications tab and stop the process tree of Winreanimator.
5) Before the Winreanimator kicks in again go to the winreanimator folder and delete it.
6) At this point it shouldn’t start again unless you click on the warning or Red X shaped icon in the task bar. Actually don’t even put your cursor on the icon. This activates the installation sequence.
7) Search your computer for Braviax.exe. It pops under C: & C:\Windows This is the file that downloads Winreanimator and installs The bad bad bad file….
9) If you delete it another ghost file just installs another one every time you start your computer. So we will delete the contents of it.
10) open a blank notepad application
11) drag the Bravix.exe into Notepad. This will show you what is in the file… It will be jumbled up characters and stuff. Just delete everything and type in some garbage in to it for the kicks.
12) Do the same thing to the other Bravix.exe file.
13) THE END

If you want to take the risk you can also go to the windows registery to clean out any mention of Winreanimator. If you don’t know what windows registery is I wouldn’t recommend it though. you can hurt your computer. To open up the registery just type “regedit” in the run window in start menu.

Hope this helps.

FYI: This process stops/cleans Winanimator but the presence of Winreanimator indicates that vundo trojan is in your computer as well. You should get your computer scanned w/ a spyware software to clean it out.

By mymy on Feb 24, 2008 | Reply

then what should I do with the red x icon??

please reply

By tom on Feb 25, 2008 | Reply

Spatula, you are amazing!!

By steve on Feb 27, 2008 | Reply

thank you soooo very much for the help. greatly appreciated, thanks too you too spatula.

By Shanna on Mar 4, 2008 | Reply

Thanks for the advice but it wouldnt let me change the Braviax.exe. file. It asks me if I want to save it and then It wont allow me to save it. So I close it and then it goes back to the original.

By Josh on Mar 7, 2008 | Reply

Hey im having the same problem Shanna is. I cant seem to save it and stop this maddness.

By Sher on Mar 9, 2008 | Reply

how do you pause winreanimator?

By jules14 on Mar 10, 2008 | Reply

not sure

By zafer123 on Mar 10, 2008 | Reply

IF YOU CANNOT DELETE THE 2nd braviax,exe file
try this:

The basic strategy is to use RENAMEing and CUT and PASTE
to get around the file delete restrictions

1) Using notepad create a blank “dummy” braviax.exe file and save it as braviax.exe in some folder other than where the undeletable braviax is

2) Now, using a right mouse click and PROPERTIES make this dummy file “Read Only” or else it will get replaced by the Winreanimator again

3) Go to the folder containing the undeleteable braviax.exe file

4) Instead of deleting it, Cut and Paste it into some other folder or rename it to some junk name (this is what gets around the delete restriction). Note: you will not be able to delete the renamed or cut/pasted file

5) Now cut and paste the dummy Braviax.exe file into the folder containing the undeletable but renamed braviax file

5) Restart (note you need to do everything else posted in the prior msgs)

good luck

zafer123

By Jim on Mar 11, 2008 | Reply

I tried what both Zafer123 and Spatula said to try to remove WinReanimator, but it won’t allow me to delete the file/program at all. It is highjacking and redirecting me to all kinds of websites!! It also wiped out my “Norton Anti-Virus in about 5 seconds (great system!!). Isn’t Norton supposed to stop this kind of stuff or at least let you know about it? Norton is absolutely useless!! Any help?

By Sai on Mar 12, 2008 | Reply

Spatula……..u really rok………..thanx

By wtf on Mar 13, 2008 | Reply

i did what Spatula said, and what zafer123 said, but i’m still having problems with pop-ups and shit.. what else can i do?

By stubbler on Mar 15, 2008 | Reply

* Download and install a reputable spyware detection and removal program such as Spyware Doctor which is available free as part of the Google Pack. Spyware Doctor did not detect or remove the braviax/cru629 infection, but is useful in detecting and removing the crap that it downloads.

* Disconnect your computer from the Internet. If the crapware can’t find the Internet, it can’t download any more crap.

* Restart your computer from the installation CD in Recovery Console mode. With my PC, I had to hit F12 during the boot process and tell it to boot from the CD ROM. When the “Welcome to Windows Installation” window came up, I pressed R to enter the Recovery Console. (These instructions are specifically for XP.)

* Navigate to the Windows directory. (If you are at the C:\> prompt you would type cd windows and hit enter. If you need to back up to get to the C:\> prompt, type cd .. and hit enter until you get there.)

Once you are at the C:\WINDOWS> prompt
type C:\WINDOWS>del braviax.exe and hit enter.
When your computer returns to the prompt,
type C:\WINDOWS>del cru629.dat and hit enter.

* Navigate to the System32 directory by typing C:\WINDOWS>cd system32 and hitting enter.
Once you are at the C:\>WINDOWS\SYSTEM32> prompt type C:\>WINDOWS\SYSTEM32>del braviax.exe and hit enter.
Then type C:\>WINDOWS\SYSTEM32>del cru629.dat and hit enter.

* Navigate to the C:\WINDOWS\SYSTEM32\DLLCACHE> directory. ( type C:\>WINDOWS\SYSTEM32>cd DLLCACHE )
Type C:\WINDOWS\SYSTEM32\DLLCACHE> del beep.sys and hit enter.

* Navigate to the C:\WINDOWS\SYSTEM32\DRIVERS> directory.
Type C:\WINDOWS\SYSTEM32\DRIVERS>del beep.sys and hit enter.

* Type exit and hit enter to exit the Recovery Console and reboot the computer. You will want to reboot in safe mode. To do this on my PC one must begin madly pressing F8 until a boot menu comes up. Once you have booted to safe mode, open regedit (Click on the “Run” option on the Start menu, type regedit into the text box and hit enter). Once the Registry Editor is open, select My Computer. Then click on the Edit menu item and select Find. In the find dialog box type in braviax . When the search finds a value or key containing the word braviax, delete it. Keep searching until all instances have been found and deleted. Repeat this process for cru629. When all instances have been found and deleted, close the Registry editor. Your computer should now be clean of this crap. You may run Spyware Doctor, your anti-virus, and Windows Defender (which should now be runnable). Spyware detectors may find crap that braviax downloaded.
you can then copy the beep.sys files from a clean xp system and paste into the C:\WINDOWS\SYSTEM32\DLLCACHE and C:\WINDOWS\SYSTEM32\DRIVERS

congrats ypur system should now be clean

By Don on Mar 15, 2008 | Reply

WinReanimator is supposed to be an antispyware program but it actually is a disguised sypware program designed to introduce popup menus, redirect your browser to unwanted websites, and collect data from your computer.

It is difficult to remove because it places a file named braviax.exe into your system. This file opens a port to your modem and every few seconds it refreshes all of its files from the mother website. If you delete the files from the “srchasst” directory they will shortly reappear through the internet link. The file: braviax.exe is loaded by a registry entry whenever you start your computer. To disable WinReanimator, it is necessary
to disable the functions of braviax.exe To do this, one can deliberately corrupt this file and then make it READ ONLY. The malware will start to load but no longer run on system startup. And it cannot replace the corrupted
version of braviax.exe by writing over it. These changes are accomplished in SAFE MODE from a COMMAND LINE PROMPT using a program called attrib.exe located
in C:\windows\system32\ directory. The changes cannot be made from within the normal windows operating system because you will be denied access to the files.

The malware website can change the names of its downloaded files. If this should happen and braviax.exe is not found on your computer, download a freeware program called: CurrPorts v1.33.

By running this program one can itentify the name of any file that is opening a covert port to your modem. By observing the networking screen of the windows TASK MANAGER program, one can watch as repetitive refreshing
of the malware files is taking place as you try to delete them.

Should the file on your machine be braviax.exe, the steps to disable WinReanimator are:

1. Shut down your computer and disconnect your modem, to prevent the refreshing of files.
2. restart your computer.
3. when you hear a beep, press F8
4. select: run in SAFE MODE from a COMMAND PROMPT.
5. change to directory: C:\Windows\System32
6. Type: Dir braviax.exe
7. If this file exists, do not delete it. Type:
Notepad braviax.exe
8. cut out most of the contents of the file to corrupt it, save, and exit notepad.
9. To change the attribute of the file: braviax.exe to READ ONLY.
type: attrib R braviax.exe
10. type: Dir cru629.dat
11. If this file exists, do not delete it. Type: Notepad cru629.dat
12. cut out most of the contents of the file to corrupt it, save, and exit notepad.
13. To change the attribute of the file: cru629.dat to READ ONLY.
type: attrib R cru629.dat
14. If it exists, change to the directory: C:Windows\srchasst and delete all of the contents one by one, leaving the directory empty.
15. restart your computer with normal entry into windows.
16. type: START, RUN, REGEDIT. Find and delete all references to WinReanimator.
17. If you restart your computer now and do a virus scan the report should be a clean computer.

By John G on Mar 17, 2008 | Reply

Spatula’s directions above are excellent except he mispells Braviax.exe a few times. You are searching for “Braviax.exe” NOT “Bravix.exe”. They are only in the locations he said. ALso, there are files in c:\Windows\Prefetch that can and should be deleted, anything that starts with Braviax and/or winanimator. I found both there and deleted both and now my computer is free from that crap!

By ihatebraviax.exe on Mar 25, 2008 | Reply

spyhunter will report it found reanimator when u free scan it but if u purchase the software it is vulnerable

By ogman on Mar 28, 2008 | Reply

braviax.exe I did a Ctl Alt Del and went to processes, then ended the process named braviax.exe. This allowed me to delete braviax.exe
Hope this helps. (By the way Spatula! Excellent instructions!!! I was actually able to go to Start > Programs > Winreanimater > uninstall. This took the folder out, however, the red X was still there. After killing the process, I was able to remove braviax.exe. Then rebooted and all was GREAT! Thanks!!!! (I would have never known the process name without your excellent instructions!)

By matt on Mar 29, 2008 | Reply

nothing is working..
i have corrupted the file and saved it..
but ever time i reboot its there..

By angma on Apr 3, 2008 | Reply

i had the same problem..i went to start >all programs>winreanimator>uninstall,then it will say this is a system application what program do u want to use to open with i chose internet explorer and the hit ok and the red x was gone off my task bar ,but i cannot get it off my all programs menu.hope this helps a little.if any one can get it off program list please let me know..thank you have a good day.

By mpio on Apr 18, 2008 | Reply

Spatula, zafer123

people… you are amazing
tanks very much!!!!

By Dale on Jun 4, 2008 | Reply

I used your removal instructions and want to tank you very much, great success. One prob i encounteded when I replaced the info in the second Bravix.exe file found in a backup folder. I saved it as 1bravix.exe and all seems to work. I still have the pop-up warning redX which I assume can be removed with detection utility.
Thanks and many hard times for the little b^&*( that create these bogus spywares.
Thanks to pep’s with talent to nix these guys.

By Timoteo on Jun 19, 2008 | Reply

What about legal action against these cretins? Where is Winreanimator physically located? what can be done to f them up? Please somebody attack them.

By DawnOnYou on Jul 24, 2008 | Reply

I hope this works. I’ve been dealing with this WinReanCrap for a couple of months. I tried the F8 method, but it still came BACK. Today I opened “My Computer” and did a search for files containing “bravia” and found TWO files. Must be that backup file that Dale is referencing above. I named them 1braviax and 2braviax. I’m about to reboot…cross your fingers!

By stayfrwsh on Dec 19, 2008 | Reply

i can seeem to find the second braviax file i only found one that was named jus braviax

By Jonny on Aug 17, 2009 | Reply

There’s a better way around to these steps

9) If you delete it another ghost file just installs another one every time you start your computer. So we will delete the contents of it.
10) open a blank notepad application
11) drag the Bravix.exe into Notepad. This will show you what is in the file… It will be jumbled up characters and stuff. Just delete everything and type in some garbage in to it for the kicks.
12) Do the same thing to the other Bravix.exe file.

Don’t edit the file if it’s protected it wont let you change it, either by system or the trojan, instead if you have NTFS file system (if not you shout convert it using convert C: /FS:NTFS) go to security to that file and add Everyone to it and check Deny for all options, this will render the file inaccessible on next access.

By Aunti-Civ on Sep 19, 2009 | Reply

I used SDFIX in safemode, than created my own copies of Bravix.exe and braviax.exe and saved them, modified them to read only. Restarted and confirmed no activity using pc tools firewall plus.

By Aunti-Civ on Sep 19, 2009 | Reply

I used SDFIX in safemode, than created my own copies of Bravix.exe and braviax.exe (system32) and saved them, modified them to read only. Restarted and confirmed no activity using pc tools firewall plus.