wini10801 brastk xpanitvirus2009

8 replies to this topic

#1 komayaka

  • Members
  • 5 posts
  • Gender:Male
  • Location:denver

Posted 26 October 2008 - 02:58 AM

Hello, helpers of the helpless. My predicament: Windows Firewall came up with a block alert for scvhost.exe, which I thought was weird, so I decided to keep it blocked. Unexpected restart. Grr. Upon restart I noticed a new icon on the icon bar saying my computer was infected. "Oh sh*t" went right to mind. Also noticed my Windows Firewall was turned off. Decided to run an AVG scan and determine what was up. During the scan an error happened for avgwdsvc.exe. Details:
szAppName : avgwdsvc.exe
szAppVer : 8.0.0.100
szModName : msvcr80.dll
szModVer : 8.0.50727.762
offset : 0001743b
C:\DOCUME~1\Owner\LOCALS~1\Temp\WERc6a3.dir00\avgwdsvc.exe.mdmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\WERc6a3.dir00\appcompat.txt

I sent the error report. AVG kept scanning. I then started to search the vast wonderland of information on the silly pop-up. Also, I had clicked on the pop-up and noticed a download bar in progress. Thinking I don't want to download that, I closed the bar. Opened up Task Manager and clicked on the pop-up again. Saw that wini10801.exe was starting when the pop-up was clicked. Stopped the download bar. Searched the computer for the supposed file, deleted it. Also came across another forum where someone had the same problem and he had to disable brastk.exe in the startup programs in msconfig. Did that. Did another computer scan for brastk and found two files, one in C:\WINDOWS and one in C:\WINDOWS\system32; deleted the one in C:\WINDOWS and could not delete the one in system32 because it was still in use. Now I am at the step of removing the rest of the slime trail. Probably need to get HJT and scan... please help. Oh, and I don't use IE but Firefox 3.0.3.


#2 iisjman07

  • Members
  • 94 posts

Posted 26 October 2008 - 04:14 AM

I had this a few weeks back. scvhost.exe is a worm that lives in %systemroot%\system32. It tries to look like 'svchost.exe', which is usually a legit process. I remember using SUPERantispyware and MalwareBytes to clean the infection, so we'll do that. Download the programs:
SUPERantispyware:
http://www.superantispyware.com/
MalwareBytes:
http://www.malwarebytes.org/mbam.php

Install the programs and update them both. Then run a Quick Scan with SUPERantispyware (not a very fast scanner) and remove any found threats. Restart your PC. Then run a Full Scan with MalwareBytes and remove any found threats. Please post any log files that appear here. Please report back, then we will continue.

#3 komayaka
  • Topic Starter

  • Members
  • 5 posts
  • Gender:Male
  • Location:denver

Posted 26 October 2008 - 10:06 AM

OK, I downloaded both programs and installed MalwareBytes fine. Then I couldn't get the SUPERantispyware free version to install. I then downloaded the Pro version and it installed fine, but when I try to run the program it won't boot up. I'm going to try a restart and see if that helps.

#4 komayaka
  • Topic Starter

  • Members
  • 5 posts
  • Gender:Male
  • Location:denver

Posted 26 October 2008 - 12:35 PM

Malwarebytes' Anti-Malware 1.30
Database version: 1322
Windows 5.1.2600 Service Pack 3

10/26/2008 11:30:38 AM
mbam-log-2008-10-26 (11-30-38).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 147626
Time elapsed: 44 minute(s), 4 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 27

Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\brastk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Temp\wrdwn2 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\wrdwn3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\wrdwn4 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\wrdwn5 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\wrdwn6 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\wrdwn7 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\wrdwn8 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\wrdwn9 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSbubv.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSShrxx.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSkhyp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSlxcp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSnmxh.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSoiqh.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSoiqt.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSvkql.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSxfmm.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSpqlt.sys (Rootkit.Agent) -> Delete on reboot.
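
Two things in this thread are worth turning into a repeatable check: post #2's point that malware names itself after a core Windows binary (scvhost.exe next to the real svchost.exe), and the MBAM log above, where the items that matter for follow-up are the persistence points (the Run values and the Winlogon\Userinit data) and everything marked "Delete on reboot" or "Failed to unload process". The script below is an added example written for this thread; it is not code from the thread, from Malwarebytes or from any other tool named here. It parses the "<item> (<detection>) -> <action>" line format of the posted log, buckets the findings, and flags any file whose name is a core binary outside its legitimate directory (the real svchost.exe lives in system32, not system32\drivers) or a one-edit misspelling of one. Assumptions: a Windows XP layout on C:, and the sample log is constructed from a subset of the lines posted above.

```python
"""Triage a Malwarebytes' Anti-Malware (MBAM) text log: persistence points,
removals still pending a reboot, and system-binary impersonation.
Added example for this thread, not code from the thread or from Malwarebytes.
Assumption: Windows XP layout on C: and the log format posted in the thread."""
import re
from dataclasses import dataclass

# Where a few core Windows binaries legitimately live (assumption: XP on C:).
LEGIT_LOCATIONS = {
    "svchost.exe": "c:\\windows\\system32",
    "userinit.exe": "c:\\windows\\system32",
    "winlogon.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}

# Registry locations that start an executable at logon.
PERSISTENCE_MARKERS = ("\\currentversion\\run\\", "\\winlogon\\userinit", "\\winlogon\\shell")

LINE_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")


@dataclass
class Finding:
    section: str    # e.g. "Files Infected"
    item: str       # path, or registry key/value
    detection: str  # MBAM detection name
    action: str     # what MBAM did, e.g. "Delete on reboot."


def parse_mbam_log(text):
    """One Finding per detection line, tagged with the section header above it."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):      # detail header such as "Files Infected:"
            section = line[:-1]
            continue
        m = LINE_RE.match(line)
        if m and section:
            findings.append(Finding(section, m["item"], m["detection"], m["action"]))
    return findings


def within_one_edit(a, b):
    """True if a and b differ by one substitution, one insertion/deletion,
    or one adjacent transposition (scvhost.exe vs svchost.exe)."""
    if a == b:
        return False
    if len(a) == len(b):
        d = [i for i in range(len(a)) if a[i] != b[i]]
        if len(d) == 1:
            return True
        return len(d) == 2 and d[1] == d[0] + 1 and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]]
    if abs(len(a) - len(b)) == 1:
        short, long_ = sorted((a, b), key=len)
        return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))
    return False


def check_binary_path(path):
    """Reason string if `path` impersonates a core Windows binary, else None."""
    low = path.lower().rstrip("\\")
    directory, _, name = low.rpartition("\\")
    if name in LEGIT_LOCATIONS:
        if directory != LEGIT_LOCATIONS[name]:
            return f"{name} outside its legitimate directory ({LEGIT_LOCATIONS[name]})"
        return None
    for legit in LEGIT_LOCATIONS:
        if within_one_edit(name, legit):
            return f"{name} is a near-miss spelling of {legit}"
    return None


def triage(text):
    """Bucket the findings into what a responder must act on after the scan."""
    report = {"persistence": [], "pending_reboot": [], "impersonation": []}
    for f in parse_mbam_log(text):
        low_item, low_action = f.item.lower(), f.action.lower()
        if f.section.startswith("Registry") and any(k in low_item for k in PERSISTENCE_MARKERS):
            report["persistence"].append(f.item)
        if "reboot" in low_action or "failed" in low_action:
            report["pending_reboot"].append(f.item)       # not gone until the restart
        if f.section in ("Files Infected", "Memory Processes Infected"):
            reason = check_binary_path(f.item)
            if reason:
                report["impersonation"].append(reason)
    return {k: list(dict.fromkeys(v)) for k, v in report.items()}  # de-duplicate, keep order


# Constructed sample: a subset of the log lines posted in this thread.
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Failed to unload process.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSpqlt.sys (Rootkit.Agent) -> Delete on reboot.
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket)
        for item in items:
            print("   ", item)
    print(check_binary_path(r"C:\WINDOWS\system32\scvhost.exe"))
```

Run against the sample, the "pending_reboot" bucket is the list to re-verify after the restart (the thread's drivers\svchost.exe, brastk.exe and the TDSS driver), "persistence" is what to re-check in the registry, and the impersonation check flags svchost.exe under system32\drivers as well as the scvhost.exe spelling from the first post. The Userinit line is the one to watch most: a Winlogon\Userinit value pointing at a directory rather than userinit.exe is how this family gets itself run at every logon.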

#5 iisjman07

  • Members
  • 94 posts

Posted 26 October 2008 - 02:23 PM

OK, now run a virus scan with ESET. Use Internet Explorer to go here:
http://www.eset.com/onlinescan/
Tick the box that says 'Yes, I accept the terms of use', then click 'Start'. The next page should start to appear, although it may look as if it hasn't worked properly; just give it a few seconds. Then press the Next button to continue and it should start to download the files to scan your PC. You will probably get some alerts/ActiveX prompts/a little yellow toolbar appear asking you to install software. Accept and install anything it asks. Once it starts to scan, you can leave the computer and no interaction should be necessary.

Other instructions:
http://forums.majorgeeks.com/showthread.php?t=149856
http://aumha.net/viewtopic.php?f=43&t=28775

When finished, either navigate to, or click Start, then Run and type in, 'C:\Program Files\EsetOnlineScanner\log.txt' to view your log. Please post it back here when finished.

Edited by iisjman07, 26 October 2008 - 02:26 PM.


#6 komayaka
  • Topic Starter

  • Members
  • 5 posts
  • Gender:Male
  • Location:denver

Posted 26 October 2008 - 06:33 PM

The file only came up with
# vers_standard_module=3557 (20081026)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)

at:
C:\Program Files\EsetOnlineScanner\debuglog.txt

Edited by komayaka, 26 October 2008 - 06:34 PM.


#7 iisjman07

  • Members
  • 94 posts

Posted 27 October 2008 - 01:57 AM

So did it scan properly? Did it detect anything?

#8 komayaka
  • Topic Starter

  • Members
  • 5 posts
  • Gender:Male
  • Location:denver

Posted 28 October 2008 - 04:32 PM

For some reason IE closes whenever the scan comes up, and I didn't notice anything come up during the scan.

#9 xblindx

  • Banned
  • 1,923 posts
  • Gender:Male

Posted 28 October 2008 - 06:09 PM

Unfortunately, one or more of the detected items was a rootkit. A rootkit is

A rootkit is malware which consists of a program (or combination of several programs) designed to take fundamental control (in Unix terms "root" access, in Windows terms, "Administrator" access) of a computer system, without authorization by the system's owners and legitimate managers. Access to the hardware (e.g., the reset switch) is rarely required as a rootkit is intended to seize control of the operating system running on the hardware. Typically, rootkits act to obscure their presence on the system through subversion or evasion of standard operating system security mechanisms. Often, they are Trojans as well, thus fooling users into believing they are safe to run on their systems. Techniques used to accomplish this can include concealing running processes from monitoring programs, or hiding files or system data from the operating system.[1]

Rootkits may have originated as regular applications, intended to take control of a failing or unresponsive system, but in recent years have been largely malware to help intruders gain access to systems while avoiding detection. Rootkits exist for a variety of operating systems, such as Microsoft Windows, Linux, Mac OS, and Solaris. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules, depending on the internal details of an operating system's mechanisms.


Rootkits are terrible infections that may permanently compromise your system.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the infection was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

* "When should I re-format? How should I reinstall?"
* "Help: I Got Hacked. Now What Do I Do?"
* "Where to draw the line? When to recommend a format and reinstall?"


NOTE: I am not an expert in this field yet, so do not quote what I have said here. I have given what I believe to be the proper information regarding some of the discovered infections. If a more knowledgeable member would please correct me if I'm wrong, that would be great. I should be learning from my mistakes (hopefully this was accurate information).

Edited by xblindx, 28 October 2008 - 06:40 PM.
