
Please, have I fixed these infections? (brastk.exe and others)

4 replies to this topic

#1 Vroomfondel

  • Members
  • 3 posts

Posted 24 October 2008 - 07:09 AM

Here is what happened - I am running WinXPhome SP3, and use AVGfree, Zonealarm and Spybot S&D.

After a few minutes of slow running and stuttering, my PC rebooted itself. When it restarted, I found that my AVGfree would not update, and that TrueVector (Zonealarm) would not run.

There was a pop-up balloon over the taskbar, warning me that my computer was infected and that I should use antispyware tools to prevent data loss. The warning looked like a Windows alert but contained poor grammar and typos ("It is recomended... tool to pervent data loss..."), so I didn't click on it.

I tried to run an AVG scan but got a message saying avgwdsvc has encountered a problem, and that no components were loaded.
I tried to run Spybot S&D but it would not start. I renamed the executable and it still wouldn't run.

I downloaded Malwarebytes' Anti-Malware, installed and updated it, then ran a quick scan. It found an assortment of problems (svchost.exe infected, brastk.exe and svchost.exe set to run on startup, and a list of infected files with TDSS in the filename; I have the log, if it helps).

Anyway, after a restart all looked OK: ZoneAlarm appeared to be working and I was able to update AVG and run a scan. I ran Malwarebytes' full scan and it found nothing. Spybot also found nothing (apart from a few tracking cookies). AVG found a trojan, Sheur.CQAR (av.dat), in the system32 folder and also in the System Restore folders, which it quarantined. It also found and quarantined a PUP (adware.generic3.YWS).

I searched the windows/system32 folder and found a file TDSSosvd.dat with a created timestamp the same as all of the TDSS files that Malwarebytes had removed, so I deleted it manually. It does not seem to have returned.

So, all appears to be OK now, but how can I be sure? I'm concerned about the infection in the restore points (though it seems to be gone now). Since then I have run Ad-Aware, CCleaner and SUPERAntiSpyware Free; my system looks clean, but the reading I have done suggests that these infections are nasty and difficult to remove completely. Do I need to run these programs in Safe Mode? I do my banking on this machine, so I would like to be sure it is clean (if that's possible...).

So, can any expert please advise what to do next? I've had the bank disable my online banking for the time being, until I'm more confident my machine is good.

Thanks for reading,
Vroom



#2 ruby1


    a forum member


  • Members
  • 2,375 posts

Posted 24 October 2008 - 10:12 AM

Suggest: fully update both Malwarebytes and SUPERAntiSpyware; reboot; run a scan with Malwarebytes in Normal mode and save the log.

Reboot in Safe Mode and run a deep computer scan with SUPERAntiSpyware (may take some time to do) and save the report; reboot in Normal mode and post both reports for checking. :thumbsup:

#3 Vroomfondel

  • Topic Starter

  • Members
  • 3 posts

Posted 25 October 2008 - 11:01 AM

Hi ruby1, thanks for your advice. It's taken me a while, but I've run the scans as you suggested. I ran SUPERAntiSpyware in Safe Mode. The logs are pasted at the bottom of this post.

From reading the forums here a bit more, I'm concerned about the TDSS rootkit entries which MBAM originally found. This rootkit is apparently seriously bad news? If I were to reformat and reinstall, is that necessary and/or worthwhile? Your thoughts please... Thanks once again.


*** Here are the scans I ran today:

Malwarebytes' Anti-Malware 1.30
Database version: 1316
Windows 5.1.2600 Service Pack 3

25/10/2008 15:22:18
mbam-log-2008-10-25 (15-22-18).txt

Scan type: Full Scan (C:\|F:\|G:\|)
Objects scanned: 318459
Time elapsed: 1 hour(s), 27 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/25/2008 at 04:32 PM

Application Version : 4.21.1004

Core Rules Database Version : 3609
Trace Rules Database Version: 1595

Scan type : Complete Scan
Total Scan Time : 01:03:33

Memory items scanned : 160
Memory threats detected : 0
Registry items scanned : 5103
Registry threats detected : 0
File items scanned : 30191
File threats detected : 27

Adware.Tracking Cookie
C:\Documents and Settings\M\Cookies\m@go.globaladsales[1].txt
C:\Documents and Settings\M\Cookies\m@tribalfusion[2].txt
C:\Documents and Settings\M\Cookies\m@serving-sys[2].txt
C:\Documents and Settings\M\Cookies\m@eas.apm.emediate[1].txt
C:\Documents and Settings\M\Cookies\m@ads.adbrite[1].txt
C:\Documents and Settings\M\Cookies\m@ad.jemm-traffic.co[1].txt
C:\Documents and Settings\M\Cookies\m@tacoda[1].txt
C:\Documents and Settings\M\Cookies\m@bs.serving-sys[2].txt
C:\Documents and Settings\M\Cookies\m@xiti[1].txt
C:\Documents and Settings\M\Cookies\m@ads.bleepingcomputer[1].txt
C:\Documents and Settings\M\Cookies\m@kontera[1].txt
C:\Documents and Settings\M\Cookies\m@msnportal.112.2o7[1].txt
C:\Documents and Settings\M\Cookies\m@pcstats[2].txt
C:\Documents and Settings\M\Cookies\m@adstats.cdfreaks[2].txt
C:\Documents and Settings\M\Cookies\m@hotlog[1].txt
C:\Documents and Settings\M\Cookies\m@specificclick[1].txt
C:\Documents and Settings\M\Cookies\m@dmtracker[1].txt
C:\Documents and Settings\M\Cookies\m@avgtechnologies.112.2o7[1].txt
C:\Documents and Settings\M\Cookies\m@yadro[1].txt
C:\Documents and Settings\M\Cookies\m@indextools[2].txt
C:\Documents and Settings\M\Cookies\m@chitika[1].txt
C:\Documents and Settings\M\Cookies\m@revsci[2].txt
C:\Documents and Settings\M\Cookies\m@adbrite[1].txt
C:\Documents and Settings\M\Cookies\m@adlegend[2].txt
C:\Documents and Settings\M\Cookies\m@ad.yieldmanager[1].txt
C:\Documents and Settings\M\Cookies\m@2o7[1].txt
C:\Documents and Settings\M\Cookies\m@adserv.legitreviews[2].txt


*** Here is the original MBAM log containing the TDSS entries which have given me the willies:

Malwarebytes' Anti-Malware 1.29
Database version: 1306
Windows 5.1.2600 Service Pack 3

22/10/2008 16:28:27
mbam-log-2008-10-22 (16-28-27).txt

Scan type: Quick Scan
Objects scanned: 49586
Time elapsed: 3 minute(s), 42 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 20

Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\brastk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wini10801.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\TDSSbxbx.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSScfub.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSfpmp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSnmxh.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSnrsr.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSoeqh.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSoiqh.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSproc.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSrhym.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSriqp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSpaxt.sys (Rootkit.Agent) -> Delete on reboot.
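As an added illustration (not code from anyone in this thread), here is a small Python parser for the Malwarebytes' Anti-Malware log format quoted above. It pulls out the two things a responder looks for when deciding whether a follow-up scan is warranted: entries that were only scheduled for "Delete on reboot" (so were still present when the scan finished) and anything classified as a rootkit component. The sample log is a constructed excerpt copied from the poster's own log lines.

```python
import re
from collections import Counter

# Constructed excerpt in the Malwarebytes' Anti-Malware 1.29 log format shown in
# the thread above (a handful of the poster's lines, not the whole file).
SAMPLE_LOG = """\
Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\system32\\drivers\\svchost.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\\WINDOWS\\system32\\TDSScfub.dll (Rootkit.Agent) -> Delete on reboot.
C:\\WINDOWS\\system32\\TDSSproc.log (Trojan.TDSS) -> Delete on reboot.
C:\\WINDOWS\\system32\\drivers\\TDSSpaxt.sys (Rootkit.Agent) -> Delete on reboot.
C:\\WINDOWS\\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# One detection line reads: "<item> (<classification>) -> <action>."
LINE_RE = re.compile(r"^(?P<item>.+?) \((?P<cls>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (section, item, classification, action) tuples for every detection."""
    section, results = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):       # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = LINE_RE.match(line)              # "(No malicious items detected)" never matches
        if m and section:
            results.append((section, m["item"], m["cls"], m["action"]))
    return results


def triage(text):
    """Summarise what still needs attention after the scan."""
    hits = parse_mbam_log(text)
    pending = [h[1] for h in hits if h[3].startswith("Delete on reboot")]
    rootkit = [h[1] for h in hits if h[2].startswith(("Rootkit.", "Trojan.TDSS"))]
    return {"total": len(hits), "by_class": Counter(h[2] for h in hits),
            "pending_on_reboot": pending, "rootkit_components": rootkit}


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(f"{s['total']} detections, {len(s['pending_on_reboot'])} only removable on reboot")
    for path in s["rootkit_components"]:
        print("rootkit component:", path)
```

Run against the full log, the "pending_on_reboot" list is exactly the set of items whose removal depends on the reboot actually succeeding, which is why the later clean full scan matters more than the quick scan's own "deleted successfully" lines.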

#4 Maniac


  • Members
  • 95 posts
  • Gender:Male
  • Location:Bulgaria, EU

Posted 25 October 2008 - 02:02 PM

Vroomfondel, you were seriously infected. Let me see what the situation is now:

Download ESET SysInspector
http://www.eset.com/download/sysinspector.php

- Start the program by running SysInspector.exe
The program will collect information about the situation on your machine.
- When the inspector is ready and the log file has been generated, select File > Save Log
- Confirm your choice

Choose to save the file somewhere and then upload on http://4storing.com/ (when you open the page, click on the Great Britain flag to open the page in English), then give me the link.



#5 Vroomfondel

  • Topic Starter

  • Members
  • 3 posts

Posted 25 October 2008 - 04:18 PM

Thanks nod32fen,

I may be being overcautious, but a quick Google search for ESET SysInspector gave me this:

"ESET SysInspector is prone to a local privilege-escalation vulnerability that occurs in the 'esiadrv.sys' driver. An attacker can exploit this issue to execute arbitrary code with kernel-level privileges on a Microsoft Windows host operating system. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition. ESET SysInspector 1.1.1.0 is vulnerable; other versions may also be affected."

Source: http://www.securityfocus.com/bid/31521/discuss

Are you sure I need to install this? You can understand a little reluctance on my part. Is there another way?

Thanks,
Vroom



