
brastk? no internet searches open or malware/virus protection works or opens


9 replies to this topic

#1 mcjakes
Posted 23 November 2008 - 12:02 PM

Hello,

I'm having a pretty bad time with my computer.
I'm on a different computer as BC won't open in any internet program and I need some help.
I think I have the brastk.exe trojan or worm or whatever it is.
I got it after opening a website, not even sure what it was, I think just a fake computer spare parts site. Anyway.
I noticed that whatever I searched for on Google or Yahoo or whatever, if I tried to open the search results, a new tab would open and I would be redirected to a random site, or one offering virus protection. I scanned with AVG and I think this is where it found brastk and deleted it.

However, a day later when I went to rescan as a similar problem occurred, AVG was encountering some pretty weird problems. It wouldn't update and I couldn't get onto the AVG website or anything. Something funky definitely going on.

As it wasn't working I uninstalled it to reinstall and see if it was working.

Of course I now can't install it... hourglass and the program is running in Task Manager but nothing.

I tried to install Malwarebytes as well, following some advice I read off of your forums, but that also didn't work.
I read somewhere to try and change the name of the setup. I changed it to wow.exe and it ran, but not successfully I don't think. Had to crash out of it, and now it does a similar thing: runs in Task Manager as if running but doesn't actually open up.

Basically... any idea how to get these programs working, or what programs will work around whatever is blocking it so that I can get a log up...

I need help. At the end of my tether.

Thanks for any response. Cheers.

Jack


#2 boopme

Posted 23 November 2008 - 03:33 PM

Hello, welcome. Is this an XP machine?
Please try running MBAM. If needed, rename the desktop folder to mcjakes if it won't open due to the malware.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 mcjakes

Posted 24 November 2008 - 04:59 PM

Hi boopme... yes, it is running XP... I'm all updated to Service Pack 3 I think.

I tried running MBAM before and had problems not only installing but then opening it.


So I tried again after you said to. It got to the 'finalizing installation' part of the installation and did a similar thing and froze up my computer.
Not that it is totally frozen; this is a symptom I have found since getting this virus. It disables my mouse and keyboard input until I open my Task Manager and close down a program or application that is running.
However, this time I just left it with 'finalizing installation' on the screen. When I came back half an hour later it had unfrozen and I clicked Finish with Update and Run Malwarebytes checked... i.e. all the default settings (except I changed the name of the folder to 'mcjakes' as requested so it wasn't blocked).

NOW it still won't work. It simply showed the hourglass for a second... then nothing. Opened Task Manager and mbam is supposedly running.
Are there any other programs like this I can run to get rid of... or at least search for what I have?
I ran Ad-Aware, thinking it would not work, and it did, but only found cookies and 'WhenUSave' adware which I duly deleted.

Another issue I have found is that when I come to restart or turn off my computer, I click on Start and Turn Off... then it crashes for a couple of minutes before the Standby / Turn Off / Restart option box pops up, not being able to click on anything... effectively disabling mouse and keyboard. Then when I click on Turn Off, it says that sysvxd.exe has encountered a problem and must close... then it finally turns off... slowly.

Any help? Would a HijackThis log be helpful? I don't know if I could get one, but I presume the brastk or whatever I have wouldn't block this program from getting a log file, would it?

Thanks for your help. Sorry for a slow reply.

Jack

#4 boopme

Posted 24 November 2008 - 10:42 PM

Uninstall MBAM again and reboot the PC.
Do you have Spybot installed? If so, please disable it for the scans. You can turn it on later.

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

NEXT:
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#5 mcjakes

Posted 27 November 2008 - 05:55 PM

Ran both ATF and SUPERAntispyware...

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/27/2008 at 00:42 AM

Application Version : 4.22.1014

Core Rules Database Version : 3653
Trace Rules Database Version: 1635

Scan type : Complete Scan
Total Scan Time : 01:33:18

Memory items scanned : 385
Memory threats detected : 1
Registry items scanned : 6649
Registry threats detected : 68
File items scanned : 91926
File threats detected : 1

Trojan.Dropper/SVCHost-Fake
C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
[SVCHOST.EXE] C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE

Adware.WhenU
HKU\S-1-5-21-1832278465-2979613754-3259273657-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}

Registry Cleaner Trial
HKCR\Install.Install
HKCR\Install.Install\CLSID
HKCR\Install.Install\CurVer
HKCR\Install.Install.1
HKCR\Install.Install.1\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs#C:\WINDOWS\Downloaded Program Files\Install.dll [  ]

Adware.ColoradoSheep
HKU\S-1-5-21-1832278465-2979613754-3259273657-1007\Software\Microsoft\Windows\CurrentVersion\Run#mschkdsk.exe [ C:\WINDOWS\system32\mschkdsk.exe ]

Rootkit.TDSServ
HKLM\SOFTWARE\TDSS
HKLM\SOFTWARE\TDSS#build
HKLM\SOFTWARE\TDSS#type
HKLM\SOFTWARE\TDSS#affid
HKLM\SOFTWARE\TDSS#subid
HKLM\SOFTWARE\TDSS#cmddelay
HKLM\SOFTWARE\TDSS#serversdown
HKLM\SOFTWARE\TDSS\connections
HKLM\SOFTWARE\TDSS\connections#2a4fe91c
HKLM\SOFTWARE\TDSS\connections#87214514
HKLM\SOFTWARE\TDSS\disallowed
HKLM\SOFTWARE\TDSS\disallowed#trsetup.exe
HKLM\SOFTWARE\TDSS\disallowed#ViewpointService.exe
HKLM\SOFTWARE\TDSS\disallowed#ViewMgr.exe
HKLM\SOFTWARE\TDSS\disallowed#SpySweeper.exe
HKLM\SOFTWARE\TDSS\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\TDSS\disallowed#SpySub.exe
HKLM\SOFTWARE\TDSS\disallowed#SpywareTerminatorShield.exe
HKLM\SOFTWARE\TDSS\disallowed#SpyHunter3.exe
HKLM\SOFTWARE\TDSS\disallowed#XoftSpy.exe
HKLM\SOFTWARE\TDSS\disallowed#SpyEraser.exe
HKLM\SOFTWARE\TDSS\disallowed#combofix.exe
HKLM\SOFTWARE\TDSS\disallowed#otscanit.exe
HKLM\SOFTWARE\TDSS\disallowed#mbam.exe
HKLM\SOFTWARE\TDSS\disallowed#mbam-setup.exe
HKLM\SOFTWARE\TDSS\disallowed#flash_disinfector.exe
HKLM\SOFTWARE\TDSS\disallowed#otmoveit2.exe
HKLM\SOFTWARE\TDSS\disallowed#smitfraudfix.exe
HKLM\SOFTWARE\TDSS\disallowed#prevxcsifree.exe
HKLM\SOFTWARE\TDSS\disallowed#download_mbam-setup.exe
HKLM\SOFTWARE\TDSS\disallowed#cbo_setup.exe
HKLM\SOFTWARE\TDSS\disallowed#spywareblastersetup.exe
HKLM\SOFTWARE\TDSS\disallowed#rminstall.exe
HKLM\SOFTWARE\TDSS\disallowed#sdsetup.exe
HKLM\SOFTWARE\TDSS\disallowed#vundofixsvc.exe
HKLM\SOFTWARE\TDSS\disallowed#daft.exe
HKLM\SOFTWARE\TDSS\disallowed#gmer.exe
HKLM\SOFTWARE\TDSS\disallowed#catchme.exe
HKLM\SOFTWARE\TDSS\disallowed#mcpr.exe
HKLM\SOFTWARE\TDSS\disallowed#sdfix.exe
HKLM\SOFTWARE\TDSS\disallowed#hjtinstall.exe
HKLM\SOFTWARE\TDSS\disallowed#fixpolicies.exe
HKLM\SOFTWARE\TDSS\disallowed#emergencyutil.exe
HKLM\SOFTWARE\TDSS\disallowed#techweb.exe
HKLM\SOFTWARE\TDSS\disallowed#GoogleUpdate.exe
HKLM\SOFTWARE\TDSS\disallowed#windowsdefender.exe
HKLM\SOFTWARE\TDSS\disallowed#spybotsd.exe
HKLM\SOFTWARE\TDSS\injector
HKLM\SOFTWARE\TDSS\injector#*
HKLM\SOFTWARE\TDSS\versions
HKLM\SOFTWARE\TDSS\versions#/tdss2/crcmds/init
HKLM\SOFTWARE\TDSS\versions#/tdss/crcmds/init
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#affid
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#subid
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#control
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#prov
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#googleadserver
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#flagged

It took me a while to work out I had to change the file name of the installed .exe to get SUPERAntiSpyware to run.

I just tried to run Malwarebytes thinking it would work if I changed the file name, but it is still being difficult...

Any further suggestions as to what to do next?
What's happening with my computer? Does this help you at all...

Thanks so much for your help.

Jack.
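
The scan log above is worth reading for more than the family names: the Rootkit.TDSServ block records a "disallowed" list of security-tool process names, which is why mbam-setup.exe and SUPERAntiSpyware.exe would only run after being renamed, and the Trojan.Dropper hit is an svchost.exe sitting in the DRIVERS folder rather than the real system32 location. The following Python triage script is an added example (not from the thread or from SUPERAntiSpyware): it parses an abridged, constructed excerpt of that log into detection families and pulls out exactly those three indicators (blocked tools, masquerading system binaries, Run-key persistence). It assumes an XP layout with Windows on C:, so the only legitimate svchost.exe is C:\WINDOWS\SYSTEM32\SVCHOST.EXE.

```python
import re

# Constructed, abridged excerpt of the SUPERAntiSpyware scan log quoted in the thread.
SAMPLE_LOG = r"""
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/27/2008 at 00:42 AM

Registry threats detected : 68

Trojan.Dropper/SVCHost-Fake
C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
[SVCHOST.EXE] C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE

Adware.ColoradoSheep
HKU\S-1-5-21-1832278465-2979613754-3259273657-1007\Software\Microsoft\Windows\CurrentVersion\Run#mschkdsk.exe [ C:\WINDOWS\system32\mschkdsk.exe ]

Rootkit.TDSServ
HKLM\SOFTWARE\TDSS
HKLM\SOFTWARE\TDSS\disallowed
HKLM\SOFTWARE\TDSS\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\TDSS\disallowed#mbam.exe
HKLM\SOFTWARE\TDSS\disallowed#mbam-setup.exe
HKLM\SOFTWARE\TDSS\disallowed#gmer.exe
HKLM\SOFTWARE\TDSS\injector#*
"""

# A detection line is a registry path, a file path, or "[process] file path".
ITEM_RE = re.compile(r"^(?:HK(?:LM|CU|CR|U|CC)\\|[A-Za-z]:\\|\[[^\]]+\] [A-Za-z]:\\)")
AUTORUN_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?#(\S+) \[ (.+?) \]$")
# Assumption: XP with Windows on C:, so this is the only legitimate svchost.exe path.
REAL_SYSTEM_BINARIES = {"SVCHOST.EXE": r"C:\WINDOWS\SYSTEM32\SVCHOST.EXE"}


def parse_scan_log(text):
    """Map each detection family (e.g. 'Rootkit.TDSServ') to its listed items."""
    families = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        # Header blocks are one line or contain non-path lines; skip them.
        if len(lines) < 2 or not all(ITEM_RE.match(ln) for ln in lines[1:]):
            continue
        families[lines[0]] = lines[1:]
    return families


def disallowed_tools(families):
    """Process names under TDSS\\disallowed: tools the rootkit stops from running."""
    tools = []
    for family, items in families.items():
        if family.startswith("Rootkit.TDSS"):
            for item in items:
                key, sep, value = item.partition("#")
                if sep and key.upper().endswith(r"\TDSS\DISALLOWED"):
                    tools.append(value)
    return tools


def masquerading_system_files(families):
    """File hits named like a core Windows binary but outside its real path."""
    hits = set()
    for items in families.values():
        for item in items:
            path = re.sub(r"^\[[^\]]+\] ", "", item)   # drop "[PROCESS] " prefix
            name = path.rsplit("\\", 1)[-1].upper()
            if name in REAL_SYSTEM_BINARIES and path.upper() != REAL_SYSTEM_BINARIES[name]:
                hits.add(path)
    return sorted(hits)


def autorun_entries(families):
    """(value name, launched file) pairs for persistence via a Run/RunOnce key."""
    found = []
    for items in families.values():
        for item in items:
            m = AUTORUN_RE.search(item)
            if m:
                found.append((m.group(1), m.group(2)))
    return found
```

Run against the full log from the post, the disallowed list is the explanation for every "installs but never opens" symptom described earlier in the thread.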

#6 boopme

Posted 27 November 2008 - 09:20 PM

The problem here is a serious rootkit infection. I must post this warning first...
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

#7 mcjakes

Posted 28 November 2008 - 02:19 PM

Hi there boopme,

Thanks for your help. I think given the situation, I'd be happier in the knowledge I had just reinstalled Windows. Will this remove all possibility of having a trojan or vulnerability on my computer? I.e. I'm not going to finish reinstalling it all and then realise I've still got trojan issues. Also, when you say a reformat and reinstall, does this just mean starting from scratch, i.e. putting my Windows XP disc in and reinstalling (wiping my computer), or reformat what?

I have reinstalled Windows before so this will not be too much hassle; however, I do have a new, additional hard drive that was installed on my machine about a year ago. I did not do this myself and so have limited knowledge of whether I need to do anything different when installing Windows. Any help?

I also have an external hard drive that holds all my music, video and personal documents, so this is not so much of an issue for me. How can I be sure that this external hard drive is not infected, or will it just be the drive with the OS on that will be infected? Can I just try scanning it while plugged into another machine?

Since becoming infected I haven't used my computer for online banking; the only thing I have done is use my Gmail account, however I have since changed my password on your advice.

One last thing... apart from buying commercial anti-virus software, what in your opinion is the best and most unobtrusive anti-spy/mal/virus software to run on a machine? My previous experience with Norton and McAfee products has always been bad (Norton especially), with obtrusiveness and high CPU usage high on their agenda. AVG I found to be good, although obviously not that good. I think this all possibly occurred due to my lack of a good firewall... any opinion on the best firewalls to have? I read that the best ones to have work both ways, whatever that means. What would you use as a good barrier to trojans and worms etc...

Thanks for all your help. Much appreciated.


Jack.

#8 boopme

Posted 28 November 2008 - 08:14 PM

Hello Jack, well, I am at least happy to say it is the decision I would have made also.
I would scan that external drive also.
I am saying a full format (wipe the drive) and reinstall the OS.
READ these and, if needed, ask any questions before you proceed in the XP forum up top. They will gladly answer, especially for adding the external.

Some Re-installation Notes: from the link above, When Should I Format, How Should I Reinstall

How do I format my hard drive with XP installed so I can start over?

I would say that as protection goes... here's what I use on my XP machine:
AV = Avira; Spyware = Malwarebytes, SUPERAntiSpyware and SpywareBlaster. My firewall is Comodo Personal. All these are free versions and available from the BC list:
Freeware Replacements For Common Commercial Apps

If I missed something let me know.

Edited by boopme, 28 November 2008 - 08:38 PM.


#9 mcjakes

Posted 30 November 2008 - 01:34 PM

Hi there again, almost all back to normal now.

Windows installed fine and all infections seem to be gone.

Just a little thing about future protection...

I have Comodo Firewall and Avira installed and they seem to be doing the trick.

However, do you have all three of those spyware programs running at the same time? Or just scan with them every now and then? How often is good to schedule them? Weekly?

Thanks for your help.

Jack.

Edited by mcjakes, 30 November 2008 - 01:37 PM.


#10 boopme

Posted 30 November 2008 - 02:09 PM

Hi. Sorry, it's Avira AntiVir...
I run them on demand and update them prior to a scan every other day or so. I leave SpywareBlaster on full time and update that every week.
Did you have Norton installed and no longer use it?