
Antivirus Pro 2009, Brastk.exe, Karna.dat


  • This topic is locked
11 replies to this topic

#1 Wolfe Von


Posted 21 November 2008 - 04:22 PM

The other day I found I had an infection. Antivirus Pro 2009, to be exact. I cleaned up AVP2009, only to find Brastk.exe, and stumble upon some sort of rootkit. Computer seems to work fine, except some websites are blocked (including this one, which I'm using a proxy to come to) and Google searches get redirected to bogus webpages. Also some anti-malware programs are blocked, like Spybot, MBAM, etc. I've tried deleting brastk.exe and all of its components installed on the day of the infection, since I knew exactly when I got it. Most of them stayed away, some came back, like brastk.exe. I also deleted a modified version of Beep.SYS. RootkitRevealer shows some suspicious activity, such as things being blocked from the API.

I was going to run Combofix, but then I read the disclaimer and figured I might as well come here and see what's up. I am well versed in computers, and could handle most of this myself, if it wasn't for this apparent rootkit.
It is very important that I get rid of this infection without messing up this computer. My real computer died (power supply melted D=) and this is a computer from my dad's work. I am not sure how the infection occurred, I didn't go to any high risk sites for this reason. Granted, my father told me not to install anything, so I've been running Internet Explorer (guh). Right now that doesn't matter. Think of this as a government cover-up type operation. Any help appreciated.

Edited by Wolfe Von, 21 November 2008 - 04:26 PM.



#2 DaChew


Posted 21 November 2008 - 04:38 PM

There has been a rash of the TDSS malware that might be the culprit of not being able to install or run MBAM. If it is then this solution below might help. If it does then start in Normal Windows mode and try to update MBAM and do a scan. Then follow the directions above and post the requested information.



Click on Start, click Run, and then type devmgmt.msc and click OK
On the View menu click on Show hidden devices
Browse to Non-Plug and Play Drivers and you should see something like TDSSserv.sys
Highlight that driver and right click on it and select DISABLE
Now RESTART your computer.
Download a copy of Malwarebytes but DO NOT run it yet.
Rename the downloaded installer file to any generic name such as your own name but keep the .EXE extension on the file and run it.
Once the program is installed go to the UPDATE tab and try to update the program if you can.
Then go to the SCANNER tab and run a Quick Scan and allow MBAM to fix anything found.


I would also run SDFix

http://www.bleepingcomputer.com/forums/ind...mp;#entry948242

As you have found out, these newer infections are really hard to get rid of.
Chewy

No. Try not. Do... or do not. There is no try.

#3 Wolfe Von


Posted 21 November 2008 - 05:00 PM

Thanks DaChew, TDSS was actually mentioned in RootkitRevealer. Disabling it seemed to fix the blocking problems. I'm running Spybot S&D, then MBAM and SDFix; I'll let you know what happens.

#4 Wolfe Von


Posted 21 November 2008 - 05:46 PM

Spybot yielded these results:

CoolWWWSearch.Svchost32: [SBI $7C91BE16] Autorun settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-3861880492-3179042328-3776152219-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVCHOST.EXE

Virantix: [SBI $CBCD2969] System file (File, fixed)
C:\WINDOWS\system32\dllcache\beep.sys

Win32.TDSS.rtk: [SBI $6DF4AEAD] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS

MBAM found:

C:\Documents and Settings\Administrator\Local Settings\Temp\TDSSbcdd.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSbrsr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSoiqh.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSxfum.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSpqlt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro2009.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\wrdwn3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\wrdwn4 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\wrdwn5 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\wrdwn6 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\wrdwn7 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\wrdwn8 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\wrdwn9 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\TDSSbcce.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSStkdu.log (Trojan.TDSS) -> Quarantined and deleted successfully.
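
Added example, not code from the thread or from Malwarebytes: a small Python triage helper that parses MBAM result lines in the shape posted above (path, detection name, action), counts hits per family, flags kernel drivers (.sys) and the Trojan.TDSS family as evidence of a rootkit component, and lists anything not reported as removed. The sample lines are copied from the log above except the final "Delete on reboot" line, which is constructed (TDSSserv.sys is the driver named in post #2); the regex and the ROOTKIT_FAMILIES set are assumptions of this example, not MBAM's own format specification.

```python
import re
from collections import defaultdict

# One MBAM result line, as posted above: "<path> (<family>) -> <action>."
MBAM_LINE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Family names MBAM used for the kernel-mode component in this thread (assumed list).
ROOTKIT_FAMILIES = {"Trojan.TDSS"}

# Sample lines taken from the MBAM log posted above, plus one constructed
# "Delete on reboot" line to show how an unfinished removal is reported.
SAMPLE_LOG = r"""
C:\Documents and Settings\Administrator\Local Settings\Temp\TDSSbcdd.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSbrsr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSpqlt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro2009.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\wrdwn3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSStkdu.log (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSserv.sys (Trojan.TDSS) -> Delete on reboot.
"""


def parse_mbam_line(line):
    """Return (path, family, action) for one result line, else None."""
    m = MBAM_LINE.match(line.strip())
    if m is None:
        return None
    return m.group("path"), m.group("family"), m.group("action")


def triage(log_text):
    """Summarise a log: hits per family, kernel drivers seen, whether a
    rootkit component was present, and which items were not yet removed."""
    by_family = defaultdict(list)
    not_removed = []
    for line in log_text.splitlines():
        parsed = parse_mbam_line(line)
        if parsed is None:
            continue  # blank lines, section headers, anything not a result
        path, family, action = parsed
        by_family[family].append(path)
        if "successfully" not in action:
            not_removed.append(path)
    drivers = [p for paths in by_family.values() for p in paths
               if p.lower().endswith(".sys")]
    # A known rootkit family or any kernel driver means user-mode cleanup alone is not enough.
    rootkit = bool(ROOTKIT_FAMILIES.intersection(by_family)) or bool(drivers)
    return {"families": {f: len(p) for f, p in by_family.items()}, "drivers": drivers,
            "rootkit_component": rootkit, "not_removed": not_removed}
```

A non-empty `not_removed` list or a `.sys` hit is the cue to reboot, rescan and keep the full log, as the thread goes on to advise.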

#5 Wolfe Von


Posted 21 November 2008 - 05:55 PM

I can't quite get my computer to run in Safe Mode (I'm using the Tablet PC edition of Windows XP); when I tell it to load in Safe Mode, it just loads like normal. Do I run SDFix anyway?

#6 DaChew


Posted 21 November 2008 - 06:12 PM

Reboot into normal mode, rescan with MBAM and post the whole log.
Chewy

#7 Wolfe Von


Posted 21 November 2008 - 08:41 PM

Ran Super Anti-Spyware, found a bunch of stuff.
Rebooted.
MBAM found nothing. RootkitRevealer idled out after enumerating C: files, but found nothing.

#8 rigel


Posted 22 November 2008 - 09:25 AM

Since you have a Trojan.TDSS infection, a warning is warranted:

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

• "When should I re-format? How should I reinstall?"
• "Help: I Got Hacked. Now What Do I Do?"
• "Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

So, consider the uses of your PC and make a judgement on what you wish to try. If you want to clean your computer, I would move to the HJT forum and post a log. You can follow this guide starting at step (9) for instructions. The HJT team has access to more powerful removal tools that must be run under their supervision.


Let us know how you wish to proceed.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#9 Wolfe Von


Posted 22 November 2008 - 01:05 PM

I'd really like to not wipe this hard drive. As I mentioned above, I DID catch the majority of this infection the day it happened. Today is the third day, and on the second day I apparently removed the rootkit. This computer had been used for some online banking and whatnot BEFORE the infection, but not afterwards. All information was logged out of.

#10 rigel


Posted 22 November 2008 - 01:20 PM

Then I would post a HJT log in that forum. They have the best tools for removal.



#11 Wolfe Von


Posted 22 November 2008 - 01:25 PM

Thanks to both of you, DaChew and Rigel! I really appreciate guys like you who volunteer your time.
Already posted over there. =)

#12 rigel


Posted 22 November 2008 - 01:33 PM

You are welcome from both of us. Since you now have an open log, please follow only the advice of the HJT team member that takes your log. To avoid confusion, this topic is now closed.


