Infected with brastk.exe, karna.dat, antivirus2009...
Hello. I'll start with posting some system info: I have Windows XP Home
(SP2), and I use an HP Pavilion dv4000 series laptop. I'll provide any more
relevant specs as required. Towards the end of this message I will supply
the HJT logfile.
My computer got infected recently, and here's how I started noticing the
problem...I was just browsing the web normally, when all of a sudden my
computer restarted by itself. When it did restart, I noticed several
peculiarities:
1. First of all, there was a little white "X" on a circular red background
in my system tray in the lower right of my screen, and this launched a
little bubble saying "Your computer is infected! Windows has detected a
spyware infection! It's recommended to use special antispyware tools to
pervent (sic) data loss. Windows will now download and install the most up-
to-date antispyware for you. Click here to protect your computer from
spyware!"
2. Also, I have McAfee VirusScan Plus (a free-edition suite from
AOL/McAfee). McAfee's shields seemed to have been shut down. All of the
real-time protections (av, as, scripts, etc..) were disabled, and I was not
able to re-activate them by clicking "Fix Now" in the McAfee main panel.
3. When I opened up Internet Explorer, my home page was no longer Yahoo!,
but Google. So, I went to Internet options to change this back to "Yahoo",
but, even after doing this, my home page continued to revert to Google upon
subsequent restarts of my system.
4. I tried opening up "fsbl.exe" from my desktop (the F-Secure Blacklight
anti-rootkit scanner), but it would not open.
5. I also was not able to access the online scanners NOD32 and TM Housecall.
These are in my "favorites" in IE, but, when I clicked on them, I would get
a message from Google saying "Oops! This link appears to be broken. Page not
found--connection failure."
6. Out of curiosity, I tried searching for random things on Yahoo and
Google. And I noticed that several (if not all) of the links either took me
to the wrong page or back to that Google message I mentioned in the previous
point.
7. I also have McAfee SiteAdvisor, but its ratings were no longer present
for Google or Yahoo search results (but the SA bar was still present at the
top of the screen). Also, the search results from these sites looked
weird...the font-size was larger than it used to be, and I could not return
it to the normal size.
8. I tried opening up HiJackThis from my desktop, but it would not open.
9. I tried restarting my computer several times, but, each time, a few
seconds after it restarted, I kept getting a Blue Screen. All Blue Screens
were followed by an immediate automatic restart.
Now, let me describe for you what I did...
I restarted my computer again...then, I ran a full McAfee scan. McAfee's
real-time protections were still disabled, but I was able to run a full on-
demand scan. It turned up 3 infections, all of which I removed from my
system (I cannot recall what or where these 3 infections were). Then, I ran
Windows Live OneCare online scanner (the only online scanner I was able to
access in my "favorites"). This found 2 different infections: I don't
remember one of them but the other was called
"TrojanDownloader:Win32/Renos". OneCare said that this infection was
comprised of 12 "items" on my system (I can supply these 12 items if
desired). It was able to delete all of them (as well as the 2nd general
infection that I couldn't recall). However, one of the deletions required me
to restart my system (the file in question was C:\Windows\system32\brastk.exe).
Anyway, I proceeded to do as WLOC suggested, and I restarted
my system. Now, there were a few positive changes I noticed after the
restart. First of all, my home page was back to normal (Yahoo). Secondly,
the McAfee shields were up and functioning again. Also, the little white "X"
symbol in my system tray was no longer there. So, now I proceeded to try
some more disinfection steps...here's what I did:
1. I tried opening NOD32 online scanner again, but it wouldn't work. I
couldn't access the web page where the scanner was to be found.
2. I tried opening the TM Housecall online scanner, but, again, I could not
access the web page.
3. I tried navigating to the web page where I can download IceSword (a
powerful anti-rootkit app) from, but I was not able to access the page.
4. I tried opening fsbl.exe (F-Secure Blacklight anti-rootkit) again from my
desktop. This time it opened up, and I was able to run a scan. But, the scan
finished VERY, VERY quickly...like in less than 1 minute. Usually it takes
more like 4 or 5 minutes to complete. Anyway, nothing suspicious was found.
5. Finally, I was able to open and run HiJackThis.
Another abnormal event I should note that occurred AFTER I ran the McAfee
and WLOC scans and restarted my computer (as per WLOC's suggestion): I got a
pop-up message while on the internet saying "Attention! Do you want to
install AntiVirus 2009 to scan your computer now?" Then, below, there were 2
options "OK" and "Cancel". Obviously, I chose the latter.
Next, I sent the log of HJT to a knowledgeable person, and he told me to
delete 2 entries: one pertaining to a Yahoo! toolbar (which I do not have in
either of my 2 browsers: IE7 and Firefox 3) and the other was called
"AppInit_DLLs: karna.dat". This latter item was entry O20 in the log. I went
ahead and deleted both. Then, this person to whom I sent the log told me to
reboot my machine (I did), make sure that these 2 HJT entries were still
absent (they were), check to see if I could now open the other online
scanners (I could not), reboot into Safe Mode w/ Networking if I could not
open those scanners (I did), and try opening the scanners from there (they
still did not open). When I tried opening them from Safe Mode w/ Networking,
I got sent to a page saying "IE could not open the page" or something like
that.
So, the next thing I did was reboot back into Normal mode. When I did this,
I discovered that several of the initial problems I reported above were
back: that little white "X" was back in my system tray, McAfee's real-time
protections were disabled again, my home page had been converted from Yahoo!
to Google again, I still got sent to that "Google Oops" screen when trying
to open NOD32 and TM Housecall online scanners, Yahoo! and Google search
result links were still taking me to wrong pages, SiteAdvisor ratings were
still absent from Yahoo! and Google search results (and the search results
still looked odd as described above), and HJT would not open again from my
desktop (HJT failed to open in Safe Mode, as well).
I proceeded to try other online scanners (Norton, Panda, and Ewido), but
they all failed in normal mode (I didn't try these 3 in safe mode, since I
assumed they would fail just as NOD32 and TM Housecall had). I then tried
installing the Scan-Only (free) version of Webroot Antivirus with
Antispyware. This resulted in a Blue Screen (the contents of which I can
supply, if needed) towards the very end of the installation process. So, I
went ahead and tried installing it in safe mode with networking. To do this,
I first downloaded the Webroot Safe Mode Installer to my desktop (since the
Windows Installer doesn't work in safe mode). Then, I opened up the Webroot
Antivirus with Antispyware installation file from my desktop and tried to
install it once again (in safe mode this time). But once again, I got the
same Blue Screen message towards the very end of the installation process.
So, currently, this particular software cannot be installed on my machine in
EITHER normal or safe mode.
Now, there are a few more observations I would like to mention:
1. From safe mode (with networking), I opened up msconfig, and I found an
entry with the startup name "brastk", the command "brastk.exe", and the
location "HKLM\SOFTWARE\Microsoft\Windows\CurrentVer." I disabled this
entry. But, upon a reboot into normal mode, this seems to have made no
difference: brastk started up again.
2. I found "brastk.exe" running in my Task Manager (in normal mode). I
clicked "end process" for it. But, on subsequent restarts of my system, it
always comes back.
3. In safe mode with networking, I did a computer search for "brastk.exe"
and "karna.dat". Each of these was found in C:\WINDOWS and
C:\WINDOWS\System32. This discovery was made subsequent to the scans by
McAfee, WLOC (which apparently was supposed to have deleted brastk.exe from
these 2 locations), and HJT (which apparently was supposed to have deleted
karna.dat). I did not try to delete them, though, because I highly doubted
it would have made any difference. I also found entries in my registry with
the data names "brastk" and "karna."
4. McAfee has quarantined a trojan called "NTRootkit-AC" located in
C:\WINDOWS\system32\drivers\beep.sys. I also saw an entry called "beep" in
my registry (this was the "data" name).
5. I found a malicious file called "delself.bat" in c:\WINDOWS\system32. I
also saw a data name in my registry called "delself". This is apparently
associated with infections by brastk.exe and karna.dat.
6. I found the following data names in my registry (which are apparently
associated with infections by brastk.exe and karna.dat): braviax, figaro,
scvhost (NOT svchost), 2009, antivirus2009, wini10581.exe, univrs32, and
internet. I'm not sure if "internet" is malicious or not, but it was located
along with these other entries. These are just some possible malicious
entries that I found....there may be more.
7. I did some research, and someone said that this malware I seem to have
can corrupt/infect csrss.exe (in C:\WINDOWS\system32) and also winlogon.exe
(same location). I am not sure if mine are infected, though. I also found an
entry with the data name "csrss" in my registry...this was located along
with the malicious entries noted in the previous point.
8. I have tried creating a manual restore point on my machine, but it does
not work. The virus seems to have shut down my ability to do this.
9. While surfing the internet, I got a Blue Screen with the following
message: "Page_fault_in_nonpaged_area."
10. I continue to be unable to reactivate McAfee's real-time shields in Safe
Mode w/ Networking.
11. I have Webroot Window Washer on my system. This has an option to wipe
the entire Free Space on my hard drive. Out of curiosity, I tried performing
this task from both normal and safe modes, but it would not start
(wwDisp.exe was having trouble launching).
12. I tried defragmenting my hard drive using Windows' own built-in
defragmenter, but it would not start from either mode.
13. From normal mode, in Internet Explorer 7, I went to "Tools" and then
"Manage Add-Ons" to see if there was anything odd there. I didn't see any
malicious entries, but, under "Add-Ons currently loaded", there were only 3
entries there: one for the Google Toolbar (which I have), one for the
SiteAdvisor toolbar (which I also have), and one which just said "research".
Usually, there are SEVERAL entries listed here...not just 3.
14. The Google "PageRank" meter doesn't work any more (this is a small bar
that informs you about the "importance" of a page).
And here is my HJT logfile (note: the Google Toolbar listing is OK, since I
normally have that installed on my system):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:21:12 PM, on 11/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169784257281
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: karna.dat
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 6505 bytes
Thanks very much...I appreciate anyone's help.
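The HijackThis log in the post above is the kind of artifact a helper triages by eye, and the two entries that matter most in it (the non-empty O20 AppInit_DLLs line and the O4 Run entries living in the SYSTEM and .DEFAULT user hives) are exactly the ones a script can pick out mechanically. The following Python script is an added example, not part of the original post and not a feature of HijackThis or any other tool named in the thread. It parses HJT-style lines, flags those two persistence patterns plus services with no identifiable publisher, and reports commands that are registered under more than one hive. The sample input is a handful of lines copied from the log above; the severity labels and rule names are the example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'Default user')
O20 - AppInit_DLLs: karna.dat
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
"""

# "O4 - <body>", "R1 - <body>", ... ; anything else (headers, process list) is skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# Body of an O4 Run entry: "<hive>\..\Run: [<name>] <command>".
RUN_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")


@dataclass
class Finding:
    severity: str  # "high" or "info" (labels chosen for this example)
    code: str      # HijackThis section code, e.g. "O20"
    reason: str
    line: str


def parse_entries(text):
    """Return (code, body, raw_line) for every HJT entry line in the log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body"), raw.strip()))
    return entries


def triage(text):
    """Apply structural rules that need no signature knowledge."""
    findings = []
    for code, body, line in parse_entries(text):
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:
                # AppInit_DLLs is empty on a clean XP system; any module listed
                # here is loaded into every process that links user32.dll.
                reason = "AppInit_DLLs is non-empty"
                if not value.lower().endswith(".dll"):
                    reason += " and the module is not named *.dll"
                findings.append(Finding("high", code, reason, line))
        elif code == "O4":
            m = RUN_RE.match(body)
            # Legitimate software uses HKLM or the interactive user's HKCU; a Run
            # value under HKUS\S-1-5-18 (SYSTEM) or HKUS\.DEFAULT fires before
            # any user logs on and is rarely legitimate.
            if m and m.group("hive").startswith("HKUS\\"):
                findings.append(Finding("high", code, f"Run entry in hive {m.group('hive')}", line))
        elif code == "O23" and " - Unknown owner - " in body:
            findings.append(Finding("info", code, "service binary has no identifiable publisher", line))
    return findings


def repeated_run_targets(text):
    """Map each command registered under more than one hive to its sorted hive list."""
    hives_by_cmd = defaultdict(set)
    for code, body, _ in parse_entries(text):
        m = RUN_RE.match(body) if code == "O4" else None
        if m:
            cmd = USER_SUFFIX_RE.sub("", m.group("cmd")).strip().lower()
            hives_by_cmd[cmd].add(m.group("hive"))
    return {cmd: sorted(h) for cmd, h in hives_by_cmd.items() if len(h) > 1}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.code}: {f.reason}\n    {f.line}")
    for cmd, hives in repeated_run_targets(SAMPLE_LOG).items():
        print(f"[note] {cmd} is registered in {len(hives)} hives: {', '.join(hives)}")
```

The rules are deliberately structural rather than name-based: they would have flagged karna.dat and brastk.exe in this log even if those names had never been seen before, which is the property that matters when the specific sample changes. The "Unknown owner" rule is informational only; in this log it fires on a legitimate McAfee component, which is a useful reminder that the high-severity lines, not the info ones, are the ones to act on.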
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 6505 bytes
Thanks very much...I appreciate anyone's help.
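For anyone reading the log above without HijackThis in front of them, here is a small Python triage script, added to this thread as an example (it is not HijackThis code and not part of the original post). It pulls the `Xn - ...` entry lines out of an HJT 2.0 log and flags the three persistence tells this particular log shows: a non-empty O20 AppInit_DLLs value, O4 Run entries under the SYSTEM (HKUS\S-1-5-18) and HKUS\.DEFAULT hives, and O23 services reported with no publisher ("Unknown owner"). The sample lines are copied from the log above; the rule set and the "high"/"info" labels are my own assumptions, not anything HJT itself reports.

```python
"""Triage HijackThis (HJT) 2.0 log entries for the persistence tells seen in this thread.

Added example, not HijackThis code: the rule set and severity labels are assumptions
chosen for this log, not anything HJT itself reports.
"""
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HJT log posted above, so the
# triage can run offline. A real run would read the whole hijackthis.log file.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'Default user')
O20 - AppInit_DLLs: karna.dat
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
"""

# HJT entries look like "O4 - <body>" or "R1 - <body>"; process paths and headers do not.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Run keys in the LocalSystem profile hive. HJT reports it both by SID and through
# the HKUS\.DEFAULT alias; on NT-family Windows .DEFAULT is the SYSTEM account's hive.
SYSTEM_HIVE_PREFIXES = (r"HKUS\S-1-5-18\..\Run:", r"HKUS\.DEFAULT\..\Run:")


@dataclass
class Finding:
    severity: str   # "high" or "info" (assumed labels)
    code: str       # HJT section code, e.g. "O20"
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (code, body, original_line) for every HJT entry line, skipping the rest."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def triage(log_text):
    """Apply the three rules and return the findings in log order."""
    findings = []
    for code, body, line in parse_entries(log_text):
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if not value:
                continue  # empty is the Windows default
            reason = ("AppInit_DLLs is set; every listed module is loaded into every "
                      "process that maps user32.dll, a classic global injection point")
            if not value.lower().endswith(".dll"):
                reason += " (and the value does not even carry a .dll extension)"
            findings.append(Finding("high", code, reason, line))
        elif code == "O4" and body.startswith(SYSTEM_HIVE_PREFIXES):
            findings.append(Finding(
                "high", code,
                "Run entry in the LocalSystem/.DEFAULT hive: it executes as SYSTEM around "
                "logon, before any user profile loads; legitimate software rarely installs there",
                line))
        elif code == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(
                "info", code,
                "service binary carries no publisher metadata; confirm the file with the "
                "vendor before trusting it (some legitimate products look like this too)",
                line))
    return findings


def severity_counts(findings):
    """Count findings per severity, e.g. {'high': 3, 'info': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity.upper()}] {f.code}: {f.reason}\n    {f.line}")
    print(severity_counts(results))
```

Run against the sample, it reports the two brastk Run entries and the karna.dat AppInit_DLLs value as high and the SiteAdvisor service as informational; everything else in the log is left alone. The O23 rule is deliberately weak, because a missing publisher string is a prompt to verify the file, not proof of anything.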
Please read the instructions before doing anything else. That will make things easier for you.
Download ComboFix from one of these locations:
Link 1
Link 2
Link 3
* IMPORTANT !!! Save ComboFix.exe to your Desktop
See HERE for help
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
For more information, please read A guide and tutorial on using ComboFix
1. None of the 3 links you provided to obtain combofix.exe works. Whenever I click any of the links, I get taken to a Google page saying "Oops! This link appears broken. Page not found--connection failure." Do you know of any other place from which I can download combofix?
2. I'm a little worried that combofix will not be able to automatically download the Windows Recovery Console. This is because when I tried visiting the Microsoft support site from which one can download the Console directly to the desktop (the link to this Microsoft site was in the ComboFix info page from bleepingcomputer.com), I was taken to the "Google Oops" screen. If the virus is preventing me from accessing that page, maybe it will prevent ComboFix from automatically finding and downloading it, as well?
Thanks so much...I appreciate your assistance.
Download SDFix to your desktop.
Double-click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
www.plunder.com/ComboFix-exe-download-156163.htm
Is this a safe site from which to download this file?
Also, I just searched and I found another site from which I can download SDFix.exe...it is this:
http://files.aoaforums.com/I3709-SDFix.exe.html
Is this a safe site from which to download SDFix?
Which one of these would you prefer that I download at this time?
Thanks again
http://www.mediafire.com/download.php?hryninowzyn
SDFix: Version 1.240
Run by xp on Mon 11/10/2008 at 05:57 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Resetting AppInit_DLLs value
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\brastk.exe - Deleted
C:\WINDOWS\karna.dat - Deleted
C:\WINDOWS\system32\av.dat - Deleted
C:\WINDOWS\system32\brastk.exe - Deleted
C:\WINDOWS\system32\delself.bat - Deleted
C:\WINDOWS\system32\karna.dat - Deleted
C:\WINDOWS\system32\TDSSdxcp.dll - Deleted
C:\WINDOWS\system32\TDSSshyf.dll - Deleted
C:\WINDOWS\system32\TDSSwppe.dat - Deleted
C:\WINDOWS\system32\TDSSnmxh.log - Deleted
C:\WINDOWS\system32\TDSSkkao.log - Deleted
C:\WINDOWS\system32\TDSSwubs.log - Deleted
Could Not Remove C:\WINDOWS\system32\TDSSottu.dll
Could Not Remove C:\WINDOWS\system32\TDSScrrn.dll
Could Not Remove C:\WINDOWS\system32\TDSSbvqh.dll
Could Not Remove C:\WINDOWS\system32\TDSSjpmr.dll
Folder C:\Program Files\Microsoft Security Adviser - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 18:14:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...
disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\xp\ntuser.dat, 0
scanning hidden files ...
disk error: C:\WINDOWS\
please note that you need administrator rights to perform deep scan
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
C:\WINDOWS\system32\TDSSottu.dll Found
C:\WINDOWS\system32\TDSScrrn.dll Found
C:\WINDOWS\system32\TDSSbvqh.dll Found
C:\WINDOWS\system32\TDSSjpmr.dll Found
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Mon 7 Jul 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 12 Sep 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Fri 12 Sep 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Mon 7 Jul 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 2 Oct 2006 50,280 A..H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Finished!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:25:16 PM, on 11/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169784257281
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 6522 bytes
Thank you so much..
And here is the ComboFix report....thanks once again:
ComboFix 08-11-10.01 - xp 2008-11-11 1:07:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.243 [GMT -5:00]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\drivers\TDSSmxwe.sys
c:\windows\system32\TDSSbvqh.dll
c:\windows\system32\TDSScrrn.dll
c:\windows\system32\TDSSdxcp.dll
c:\windows\system32\TDSSjpmr.dll
c:\windows\system32\TDSSkkao.log
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSottu.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSshyf.dll
c:\windows\system32\TDSSwppe.dat
c:\windows\system32\TDSSwubs.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Service_TDSSSERV.SYS
\Legacy_TDSSSERV.SYS
((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.
2008-11-10 17:49 . 2008-11-10 17:49 <DIR> d-------- c:\windows\ERUNT
2008-11-10 17:35 . 2008-11-10 18:14 <DIR> d-------- C:\SDFix
2008-10-29 12:23 . 2008-10-29 12:23 <DIR> d-------- C:\Binaries
2008-10-29 12:22 . 2008-10-12 12:18 1,553,272 --a------ c:\windows\WRSetup.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-08 16:17 d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-11-01 17:37 29,808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2008-11-01 17:37 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2008-11-01 17:37 170,608 ----a-w c:\windows\system32\drivers\ssidrv.sys
2008-11-01 17:33 164 ----a-w C:\install.dat
2008-10-31 03:10 d-----w c:\program files\Windows Live Safety Center
2008-10-29 17:24 d-----w c:\documents and settings\All Users\Application Data\Webroot
2008-10-29 17:22 d-----w c:\program files\Webroot
2008-10-29 17:22 d-----w c:\documents and settings\xp\Application Data\Webroot
2008-10-18 21:59 d-----w c:\program files\EsetOnlineScanner
2008-10-15 16:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-10-09 21:43 d-----w c:\program files\Google
2008-10-07 17:59 d--h--w c:\program files\InstallShield Installation Information
2008-10-07 17:59 d-----w c:\program files\Trend Micro
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 07:57 d-----w c:\program files\McAfee
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\dllcache\win32k.sys
2008-09-05 21:47 140 ----a-w c:\documents and settings\xp\Application Data\wklnhst.dat
2008-08-28 10:04 333,056 ----a-w c:\windows\system32\dllcache\srv.sys
2008-08-27 08:24 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-08-14 10:00 2,180,352 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 10:00 2,180,352 ----a-w c:\windows\system32\dllcache\ntoskrnl.exe
2008-08-14 09:58 2,136,064 ----a-w c:\windows\system32\dllcache\ntkrnlmp.exe
2008-08-14 09:51 138,368 ----a-w c:\windows\system32\dllcache\afd.sys
2008-08-14 09:22 2,057,728 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-08-14 09:22 2,057,728 ----a-w c:\windows\system32\dllcache\ntkrnlpa.exe
2008-08-14 09:22 2,015,744 ----a-w c:\windows\system32\dllcache\ntkrpamp.exe
2007-02-10 18:55 108,330 -c--a-w c:\documents and settings\All Users\Application Data\firstlsp.reg.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-03-29 233534]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 159744]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MySecurer.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SECUREMAKER.lnk]
backup=c:\windows\pss\SECUREMAKER.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-10 08:47 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2004-12-03 15:24 290816 c:\program files\HPQ\Quick Launch Buttons\eabservr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
--a------ 2005-05-04 12:59 794624 c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-10 09:51 289064 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a--c--- 2004-10-14 15:54 253952 c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a--c--- 2004-08-06 10:27 860160 c:\program files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a--c--- 2004-10-14 11:11 1388544 c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-06-03 05:52 36975 c:\program files\Java\jre1.5.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra--c--- 2006-03-30 15:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
--a------ 2007-11-26 13:47 1206600 c:\program files\Webroot\Washer\wwDisp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a--c--- 2005-04-13 05:12 88209 c:\windows\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-11-01 29808]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-09-08 198944]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2008-10-12 1066360]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [2007-11-26 598856]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys [ ]
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-11-07 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe []
2008-07-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
2008-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
2008-06-24 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -
HKU-Default-Run-brastk - c:\windows\system32\brastk.exe
.
Supplementary Scan
.
FireFox -: Profile - c:\documents and settings\xp\Application Data\Mozilla\Firefox\Profiles\a2qcmsr0.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF -: plugin - c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 01:10:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????5?1?5?0??????? ???B?????????????hLC? ??????
scanning hidden files ...
c:\docume~1\xp\LOCALS~1\Temp\RGI6.tmp
scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmxwe.sys"
.
Completion time: 2008-11-11 1:11:54
ComboFix-quarantined-files.txt 2008-11-11 06:11:51
Pre-Run: 84,460,855,296 bytes free
Post-Run: 84,458,733,568 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
197 --- E O F --- 2008-10-24 18:01:25
How is your computer running?
Let's update your old Java:
Please download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer before continuing!***
- Double-click on JavaRa.exe to start the program.
- From the drop-down menu, choose English and click on Select.
- JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
- Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
- A logfile will pop up. Please save it to a convenient location.
Then download and install Java SE Runtime Environment (JRE) 6 Update 10.
1. While using SDFix, I got a message from it saying "Protective Host files such as MVPS/HP hosts or Spybots Immunizer feature should be reapplied after using SDFix." I don't have Spybot, but do I need to do anything regarding MVPS/HP hosts (or any other "protective host files")?
2. Do you recommend that I reset System Restore?
3. Do you recommend that I keep SDFix, Combofix, and the Microsoft Windows Recovery Console (including any items placed into quarantine by SDFix/Combofix)?
4. Are there any other scanners you recommend that I should use to be CERTAIN that ALL infections are gone from my machine?
Also, I am currently searching my computer for malicious files or registry entries...I will of course inform you about anything that I find.
Thanks again
We will clean System Restore and remove all used tools later.
Please download Malwarebytes' Anti-Malware to your desktop.
Malwarebytes' Anti-Malware 1.30
Database version: 1395
Windows 5.1.2600 Service Pack 2
11/13/2008 5:08:08 PM
mbam-log-2008-11-13 (17-08-08).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 103915
Time elapsed: 32 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 37
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSbvqh.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScrrn.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSjpmr.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSottu.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSmxwe.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0132775.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0133775.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0138775.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0138776.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0139775.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0142775.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0142776.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0143775.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0144775.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0144776.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0147775.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0147776.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0148775.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0148776.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0148777.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0148778.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0149777.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0151779.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0151780.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0152781.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0152782.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0152783.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0152784.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0153783.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0153784.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0154783.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0155783.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0155784.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0155785.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0155786.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0155787.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0149778.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Congrats! Your computer is clean!
Let's clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.
- Click Start then Run
- Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
- When shown the disclaimer, Select "2"
Note: Do not use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended to be used under the guidance and supervision of an expert, not for private use.
Please download OTMoveIt3 by OldTimer and save it to your desktop.
===========================================
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Clean up System Restore
You can find instructions on how to disable and enable System Restore from these guides:
Disable And Enable System Restore
Windows XP System Restore Guide
Make Your Internet Explorer More Secure
This can be done by following these simple instructions:
- From within Internet Explorer click on the tools menu and then click on Options
- Click once on the "Security" tab
- Click once on the "Internet" icon so it becomes highlighted
- Click once on the Custom Level button.
- Change the "Download signed ActiveX" controls to Prompt
- Change the "Download unsigned ActiveX" controls to Disable
- Change the "Initialize and script ActiveX controls" not marked as safe to Disable
- Change the "Launching programs and files in an IFRAME" to Prompt
- Change the "Navigate sub-frames across different domains" to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
Note that Internet Explorer is not the most secure browser. There are safer alternatives available like Opera and Firefox.
Keep Your System Up to date
It is imperative that you keep your Windows, Antivirus, and other software up to date. Otherwise you are not protected against new threats and your system is vulnerable and unsafe. Update your Antivirus software at least once a week, and visit the Microsoft Windows Update site regularly.
Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware
Additional Utilities and Tips to Enhance Your Safety
- MVPS Hosts file --- The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
- Comodo BOCLEAN --- Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
- Winpatrol --- Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer from malicious software
Get more knowledge about how to protect your computer and prevent malware issues by reading these short articles:
Have a nice computing day and stay clean.
1. I searched for and found the files "brastk.exe", "karna.dat", and "delself.bat" in the "backups" folder. Are these problematic or indicative of more infections on my system? Can I safely delete these?
2. I found some registry entries pertaining to brastk.exe in my registry (using RegEdit). For example, I found the following:
My Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
C:\Windows\system32\brastk.exe REG_SZ brastk
I also found a couple entries pertaining to delself.bat. Should I delete these manually, or are they basically harmless (since the scanners didn't catch them)? If they are harmful, should I go ahead and search for/delete any other particular "keywords" in RegEdit that may point to an infection?
3. Somebody sent me the following information regarding registry changes which occur with the brastk.exe virus:
"Information
A malicious backdoor trojan that runs in the background and allows remote access to the compromised system.
File
<System>\brastk.exe
<System>\delself.bat
<System>\dllcache\beep.sys
<System>\dllcache\figaro.sys
Registry
Created Registry Values: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
1208 = 0x00000000
2500 = 0x00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
1208 = 0x00000000
2500 = 0x00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
1208 = 0x00000000
2500 = 0x00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
1208 = 0x00000000
2500 = 0x00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
1208 = 0x00000000
2500 = 0x00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
brastk = "%System%\brastk.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Enable Browser Extensions = "yes"
Search Bar = "http://www.google.com/ie"
[HKEY_CURRENT_USER\Software\Microsoft\Security Center]
AntiVirusDisableNotify = 0x00000001
FirewallDisableNotify = 0x00000001
UpdatesDisableNotify = 0x00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
brastk = "%System%\brastk.exe"
Registry Values were modified:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Search_URL = "http://www.google.com/ie"
Search Page = "http://www.google.com"
Start Page = "http://www.google.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
SearchAssistant = "http://www.google.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
1201 = 0x00000000
1804 = 0x00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
1201 = 0x00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
1201 = 0x00000000
1804 = 0x00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
1201 = 0x00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
1200 = 0x00000000
1201 = 0x00000000
1608 = 0x00000000
1804 = 0x00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Start Page = "http://www.google.com"
Search Page = "http://www.google.com"
ATTENTION
Once the virus is installed on your computer, it will connect to http://do-scan-progress.com/?wmid=1058&l=33&it=2&s=1 and try to download a file named wini10581.exe, put it in the Windows directory and install an application called XP AntiSpyware 2008 (or 2009) or XP AntiVirus 2008 or 2009."
I noticed that at least some of the registry entries under "created registry values" and "registry values were modified" were present in my registry. Should I delete them, or leave them alone? And what if there are any other "created" or "modified" values in my registry (maybe as a result of viruses OTHER than brastk.exe)? Is there any other action I should take based on all of this information?
Thanks again
A. I have run the RegSearch and provided the logfile below. Out of curiosity, I searched my registry for ALL malicious items from the logfiles of SDFix, ComboFix, and MBAM. I found only one other item in my registry that perhaps matches something that ComboFix found during its scan (setup.inf)...here is the logfile:
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0
; Results at 11/15/2008 11:14:05 PM for strings:
; 'brastk.exe'
; 'setup.inf'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{166B1BCA-3F9C-11CF-8075-444553540000}\DownloadInformation]
"INF"="C:\\WINDOWS\\Downloaded Program Files\\setup.inf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{233C1507-6A77-46A4-9443-F871F945D258}\DownloadInformation]
"INF"="C:\\WINDOWS\\Downloaded Program Files\\setup.inf"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\brastk.exe"="brastk"
; End Of The Log...
B. Also, I searched my registry with Regedit and found 2 entries relating to "delself.bat" (a malicious file which has already been deleted from my system). Can I safely delete these?
1. My Computer\HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache
name: C:\Windows\system32\delself.bat
type: REG_SZ
data: delself
2. My Computer\HKEY_USERS\s-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache
name: C:\Windows\system32\delself.bat
type: REG_SZ
data: delself
C. And lastly, should I delete/modify any of the registry entries from the list that I provided in my previous post? For example, according to that list, 2 registry entries that are "created" by the brastk.exe virus are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
1208 = 0x00000000
2500 = 0x00000003
I found both of these on my system...should I delete them?
I also found some of the entries that are apparently "modified" by the brastk.exe virus...do I need to "re-modify" them back to their normal forms?
Thanks once again very much...
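A read-only registry audit, added here as an example (it is not code from this thread or from any of the tools it mentions): it checks the brastk.exe registry locations from the quoted write-up above and from point C, and compares the Internet zone settings the helper listed in the "Make Your Internet Explorer More Secure" steps against the recommended values. The numeric setting codes used in step 4 (1001, 1004, 1201, 1607, 1804) are an assumption, not something the thread states.

```powershell
# Added example, not code from this thread or its tools. Read-only audit of
# the registry locations the quoted brastk.exe write-up names and of the
# Internet zone settings the helper asked to change. Nothing is modified.
# Assumes Windows PowerShell with the HKLM: and HKCU: registry drives.

function Get-RegValue([string]$Path, [string]$Name) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()
$zones = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# 1. Zone values the write-up lists as created or modified, per zone as quoted
$brastkZone = @{
    0 = @{ '1208' = 0; '2500' = 3; '1201' = 0; '1804' = 1 }
    1 = @{ '1208' = 0; '2500' = 3; '1201' = 0 }
    2 = @{ '1208' = 0; '2500' = 3; '1201' = 0; '1804' = 1 }
    3 = @{ '1208' = 0; '2500' = 3; '1201' = 0 }
    4 = @{ '1208' = 0; '2500' = 3; '1200' = 0; '1201' = 0; '1608' = 0; '1804' = 1 }
}
foreach ($z in $brastkZone.Keys) {
    foreach ($name in $brastkZone[$z].Keys) {
        $v = Get-RegValue "$zones\$z" $name
        if ($null -ne $v -and $v -eq $brastkZone[$z][$name]) {
            $findings += "HKLM Zones\$z $name = $v (value the write-up attributes to brastk)"
        }
    }
}

# 2. Autostart entries named 'brastk' in both Run keys
foreach ($hive in 'HKLM:', 'HKCU:') {
    $v = Get-RegValue "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" 'brastk'
    if ($null -ne $v) { $findings += "$hive Run\brastk = $v (autostart entry)" }
}

# 3. Security Center notification switches set to 1 (warnings silenced)
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    $v = Get-RegValue 'HKCU:\Software\Microsoft\Security Center' $name
    if ($v -eq 1) { $findings += "Security Center $name = 1 (notifications disabled)" }
}

# 4. Internet zone (3) settings from the helper's IE instructions. The dialog
#    stores 1 = Prompt, 3 = Disable. The setting codes are an assumption:
#    1001 download signed ActiveX, 1004 download unsigned ActiveX, 1201 script
#    ActiveX not marked safe, 1607 navigate sub-frames across domains,
#    1804 launch programs/files in an IFRAME.
$wanted = @{ '1001' = 1; '1004' = 3; '1201' = 3; '1607' = 1; '1804' = 1 }
foreach ($name in $wanted.Keys) {
    $v = Get-RegValue "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" $name
    if ($v -ne $wanted[$name]) {
        $shown = if ($null -eq $v) { 'not set' } else { $v }
        $findings += "HKCU Internet zone $name = $shown, helper recommends $($wanted[$name])"
    }
}

if ($findings.Count -eq 0) { 'No brastk indicators found; Internet zone matches the recommended settings.' }
else { $findings | ForEach-Object { "REVIEW: $_" } }
```

The script only reports matches for review; a hit on a zone value or start page is not by itself a verdict, since some of those settings can also be changed legitimately.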
To reset Internet Explorer 7 security settings, please follow the instructions here
http://pcsupport.about.com/od/fixtheproblem/ht/ie7securitydef.htm
1. Are you quite sure my computer is completely disinfected now? (so it would be safe to enter personal info/credit card info online?)
2. My free McAfee/AOL suite clearly failed me badly this time. Can you recommend a good FREE antivirus/antispyware/firewall (whether it be a suite or separate apps)?
Thanks again
Go ahead!
Yes, your computer seems to be clean. No malware lurking there anymore.
With pleasure.
There are two AntiVirus (free, of course) I'd recommend: avast! Home Edition and Avira AntiVir Personal.
Both of these do an excellent job. Note: use only one AntiVirus at a time!
As a FireWall, I recommend Comodo Firewall Pro. Can't find better.
Comodo also has a free Security Suite that consists of an AntiVirus and a FireWall; more information here.
I'm using Malwarebytes' Anti-Malware and a-squared Free as my AntiSpyware tools.
There are also other ways to protect the computer.
For example, I'm not using any AntiVirus program at the moment; instead I have DriveSentry proactive defence. Comodo Firewall includes similar protection (Defense+).
Other interesting tools are Sandboxie and Returnil Virtual System.
Last, don't forget backups!
Have a good night.
avast! home ed.
avira antivir personal
comodo firewall pro
comodo free suite
Also, for the comodo free suite, does that actively guard against spyware, too?
Thanks so much...
In this case, choose either avast or AntiVir and one Firewall (Comodo).
Or you can use the Comodo Suite that consists of both (AntiVirus and Firewall).
If you're asking my recommendation, I would choose Comodo and Avast/AntiVir.
Thanks again
Please download OTMoveIt3 by OldTimer and save it to your desktop.
- Double-click OTMoveIt3.exe to run it.
- Click the CleanUp! button.
- Select Yes when the "Begin cleanup Process?" prompt appears.
- If you are prompted to Reboot during the cleanup, select Yes.
- The tool will delete itself once it finishes, if not, delete it by yourself.
You can remove RegSearch manually. Just delete the files.
Thanks again
A. Files Infected:
1. C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP593\A0156133.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
2. C:\WINDOWS\system32\drivers\ttul.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
B. Registry Keys Infected:
1. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mukyojz (Trojan.Downloader) -> Quarantined and deleted successfully.
2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mukyojz (Trojan.Downloader) -> Quarantined and deleted successfully.
Please do a final scan with Kaspersky Online Scanner
Note: Internet Explorer should be used
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, November 20, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, November 20, 2008 20:06:26
Records in database: 1397677
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
Scan statistics:
Files scanned: 50596
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:37:45
File name / Threat name / Threats count
C:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
The selected area was scanned.
I have not deleted anything yet..
Thanks