Brastk.exe, karna.dat and Antivirus 2009


#1 Trentzip

Posted 18 November 2008 - 08:47 AM

Hi, this is my first post to the forum. I hope someone is able to help me with my problem.

Well, I was browsing the web looking for GameShark codes when suddenly my computer restarted all by itself. When I logged back in, a popup appeared in the system tray (red circle with a white 'X') saying the following:


Your computer is infected!
Windows has detected spyware infection!
It is recomended to use special antispyware tools to pervent data loss. Windows will now download and install the most up-to-date antispyware for you.
Click here to protect your computer from spyware!


I realised right away this was suspicious when I realised both "Recommended" and "Prevent" were spelt wrong.
So I clicked the [x] in the top right corner and suddenly my Nvidia firewall produced a message saying "Brastk.exe" was (I think) trying to access the network.
I immediately opened Firefox to Google this file and I realised that my homepage had been changed from the Firefox Google page to just normal Google. But I looked it up anyway and discovered every result had "virus" or "spyware" in the blurbs.
I clicked on the first result (an answers.yahoo post) which basically said someone was suffering the same symptoms as I was. I went back and then, whilst attempting to do some more research, discovered bleepingcomputer, techsupportforum, majorgeeks, geekstogo, and a number of other websites were inaccessible (a new tab would open and lead to one of many random crap sites). So I tried to copy and paste the URLs under each Google result and found that got me nowhere (Web page cannot be found/inaccessible).

I have been using my housemate's computer for the last few hours to browse around and do some research, constantly coming across the suggestion of Malwarebytes to resolve my issue, but I could not download from my PC. So I downloaded it to a USB stick via my mate's PC and, as some websites suggested, renamed the file to testing.exe. I copied it to my PC and began installation. Everything runs fine until the very end when the bar is full and it says "Finishing Installation". At this point it stops and does not complete. I left it alone for a good half hour at one stage to no avail. Trying to cancel or close the installation process, or even click anywhere on the installation window at this point, only gets me an error sound. I ended the task via the Task Manager, but I noticed that the shortcut was on the desktop and that there were an abundant number of files actually installed to the directory it was assigned. So I tried the renaming trick again on both the desktop shortcut and the .exe file in the directory, and tried to fire it up, but was not successful. I then uninstalled it.
Next I found a suggestion to stop the brastk.exe files from running on startup, so I stopped them via START > RUN > msconfig. However, it did not work, and whenever the computer was restarted it came up with a message box saying "You have used the System Configuration Utility to make changes to the way Windows starts etc etc". I clicked it back to Normal Startup Processes (or whatever that box is called), and now I don't see the message anymore.
Next I found a suggestion on a Microsoft forum to delete Brastk.exe and Karna.dat from both c:/WINDOWS/ and c:/WINDOWS/system32, but to download and use an application called KillBot to delete the system32 copy of brastk.exe. KillBot I downloaded to a USB stick via my mate's PC and renamed and installed to my PC's desktop, renaming the file to diediedie.exe. The application ran but was unable to delete the file. All the others were deletable. After deleting these files it said to delete temp internet files and cookies etc, so I went ahead and did this anyway despite previously failing to delete that last brastk.exe file.

I've decided to go no further without professional help. I've wasted hours upon hours and got nowhere. If need be I will eventually reformat the computer, but I really do not wish to lose so much data.

Please help me.


It should be noted that I may not reply for anywhere up to 72 hours due to having to disappear for a couple of days for work, but please still post your professional assistance, as when I return home I will immediately begin posting updates on the situation.


Regards,
Trent

#2 rigel

Posted 18 November 2008 - 01:14 PM

Hi Trent, and welcome to BleepingComputer!

The infections you describe are associated with the TDSS rootkit. Since you have this rootkit, here is a word of warning...

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and stealing sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

Since you said you wanted to try and clean this system, I recommend posting a log in the HJT forum. Please follow this guide: Start here. I am guessing that some of the programs it will ask you to run won't, so if you have trouble, skip to the next step. Let me know if you have any problems posting your log.

Thanks,
rigel

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 Trentzip (Topic Starter)

Posted 21 November 2008 - 12:47 AM

Well, I am back from my work trip. I thought about it, went over my PC's files and came to the conclusion that nothing there is absolutely necessary, so I think I will go with your advice and reformat the PC.

Thing is, I have never reformatted a PC before and wouldn't know where to start. Could someone please post a step-by-step guide to reformatting my computer entirely?

Thanks,

Trent

#4 rigel

Posted 21 November 2008 - 08:10 PM

Hi Trent,

I would create a new topic in the forum of the operating system you have. They will walk you through the reinstallation. If you have a branded computer (Dell / HP / Acer), there may be recovery disks available.

Edited by rigel, 21 November 2008 - 08:36 PM.
fixed edit
