Brastk Antivirus2009


13 replies to this topic

#1 midnight51


Posted 26 November 2008 - 07:05 PM

Hello, I have a computer that has recently been infected with these two trojans. I cannot seem to get rid of them no matter what I do! Whenever I restart into Safe Mode and manually remove the registry entries and delete the said files, they somehow duplicate themselves and reinfect the machine. I found something called SmitFraudFix.exe, but whenever I try to run it, it gives me some illegal operation and quits; it just will not run. Am at a loss, any advice on how to clean it? It seems I am minimally infected with only these two trojans and would like to be able to clean the system without having to reformat. Any help would be great.


#2 DaChew


Posted 26 November 2008 - 08:38 PM

The latest variants of this malware suite are extremely hard to disinfect; the quickest, surest option is a reformat, and even this might leave your router infected with a DNS server that will reinfect.

You should try MBAM first

http://www.bleepingcomputer.com/forums/ind...mp;#entry944365

If it won't run or download, please report back; there are other approaches.

If you can't reload, then the HJT forum is the surest way to remove the infection; however, there may be a long wait.
Chewy

No. Try not. Do... or do not. There is no try.

#3 midnight51


Posted 26 November 2008 - 08:52 PM

I'll try this - any idea how these get spread initially?

#4 DaChew


Posted 26 November 2008 - 09:26 PM

I'll try this - any idea how these get spread initially?


fake video codec

java exploits

activex exploits

P2P file sharing

and now even Acrobat Reader

#5 midnight51


Posted 26 November 2008 - 09:28 PM

This is great, incredible: I run the program and it just sits in memory and doesn't execute - just sits there, no system processor allocation, it's at 0 and it does nothing.

Works fine on the PC I am currently using, so I have no clue. I'm trying to run it from Safe Mode with Networking enabled.

#6 midnight51


Posted 26 November 2008 - 09:32 PM

It seems so simple: there is a list of maybe 4 or 5 files that are in c:\windows & c:\windows\system32, along with some temp files and garbage files it creates to replicate itself or whatever. How can it be so difficult, and how can it control my PC so much, as I see no extra running tasks or anything? It's like it replaced normal system processes and integrated itself into the shell, and it is a pain in my butt.

#7 DaChew


Posted 26 November 2008 - 10:22 PM

You are dealing with a very advanced rootkit that even the experts are challenged to easily defeat.

Let's try SDFix from Safe Mode.


http://www.bleepingcomputer.com/forums/ind...mp;#entry948242

#8 midnight51


Posted 26 November 2008 - 10:50 PM

Yeah, I tried SDFix as well - I redownloaded from your link, but it basically acted in the same way that MBytes did. I don't even think it loaded into memory; it just didn't run. BRB

#9 midnight51


Posted 26 November 2008 - 11:01 PM

Ah well, I got it to work this time - I just renamed the file to SD.exe and it worked, funny... Looks like it is going to take a little bit; will report shortly. Thanks for the help.

#10 midnight51


Posted 26 November 2008 - 11:46 PM

Here is the SDFix logfile it produced - I am still seeing the red X in the systray telling me I'm infected, so my guess is it did not clear everything up. Will follow up tomorrow; thanks for taking the time to help.


SDFix: Version 1.240
Run by TAMI on Wed 11/26/2008 at 11:02 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Resetting AppInit_DLLs value


Rebooting


Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\system32\dllcache\beep.sys" 28160 11/25/2008 12:12 AM
"C:\WINDOWS\system32\drivers\beep.sys" 28160 11/25/2008 12:12 AM

Infected File Listed Below:

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys

File copied to Backups Folder
Attempting to replace beep.sys with original version


Original beep.sys Restored

"C:\WINDOWS\system32\dllcache\beep.sys" 4224 08/07/2008 03:27 PM
"C:\WINDOWS\system32\drivers\beep.sys" 4224 08/07/2008 03:27 PM



Checking Files :

Trojan Files Found:

C:\DOCUME~1\TAMI\LOCALS~1\Temp\wrdwn2 - Deleted
C:\DOCUME~1\TAMI\LOCALS~1\Temp\wrdwn3 - Deleted
C:\DOCUME~1\TAMI\LOCALS~1\Temp\wrdwn4 - Deleted
C:\WINDOWS\system32\wini10331.exe - Deleted
C:\WINDOWS\brastk.exe - Deleted
C:\WINDOWS\karna.dat - Deleted
C:\WINDOWS\system32\brastk.exe - Deleted
C:\WINDOWS\system32\karna.dat - Deleted
C:\WINDOWS\system32\TDSSlxwp.dll - Deleted
C:\WINDOWS\system32\TDSSosvd.dat - Deleted
C:\WINDOWS\system32\TDSStkdv.log - Deleted


Could Not Remove C:\WINDOWS\system32\TDSSoiqh.dll
Could Not Remove C:\WINDOWS\system32\TDSSbrsr.dll
Could Not Remove C:\WINDOWS\system32\TDSSriqp.dll
Could Not Remove C:\WINDOWS\system32\TDSScfum.dll

Folder C:\WINDOWS\system32\dtw5d - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 23:17:37
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\TAMI\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

C:\WINDOWS\system32\TDSSoiqh.dll Found
C:\WINDOWS\system32\TDSSbrsr.dll Found
C:\WINDOWS\system32\TDSSriqp.dll Found
C:\WINDOWS\system32\TDSScfum.dll Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 12 Feb 2007 3,108,864 A..H. --- "C:\Documents and Settings\STEF\Application Data\U3\temp\Launchpad Removal.exe"
Fri 2 May 2008 3,493,888 A..H. --- "C:\Documents and Settings\TAMI\Application Data\U3\temp\Launchpad Removal.exe"

Finished!
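
The SDFix log above is the one piece of hard evidence in this thread, so here is an added example of how a responder would triage such a log programmatically. This is illustration code written for this page; it is not from the original post, from SDFix, or from any of the tools named in the thread. It pulls out the driver SDFix reported as swapped (beep.sys, 28160 bytes infected against 4224 restored), the files it deleted, the files it could not remove, and the common filename prefix shared by the survivors. The input is an excerpt of the log posted above, trimmed to the relevant lines; the section-header strings and field layout the parser keys on are assumed from that log and nothing else.

```python
"""Triage an SDFix log: what was cleaned, what survived, and how far the
replaced driver drifted from the restored original."""
import ntpath
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Input: lines excerpted (and trimmed) from the SDFix log posted in this thread.
SDFIX_LOG = r"""
Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\system32\dllcache\beep.sys" 28160 11/25/2008 12:12 AM
"C:\WINDOWS\system32\drivers\beep.sys" 28160 11/25/2008 12:12 AM

Original beep.sys Restored

"C:\WINDOWS\system32\dllcache\beep.sys" 4224 08/07/2008 03:27 PM
"C:\WINDOWS\system32\drivers\beep.sys" 4224 08/07/2008 03:27 PM

Trojan Files Found:

C:\DOCUME~1\TAMI\LOCALS~1\Temp\wrdwn2 - Deleted
C:\WINDOWS\system32\wini10331.exe - Deleted
C:\WINDOWS\brastk.exe - Deleted
C:\WINDOWS\karna.dat - Deleted
C:\WINDOWS\system32\TDSSlxwp.dll - Deleted

Could Not Remove C:\WINDOWS\system32\TDSSoiqh.dll
Could Not Remove C:\WINDOWS\system32\TDSSbrsr.dll
Could Not Remove C:\WINDOWS\system32\TDSSriqp.dll
Could Not Remove C:\WINDOWS\system32\TDSScfum.dll

Remaining Files :

C:\WINDOWS\system32\TDSSoiqh.dll Found
C:\WINDOWS\system32\TDSSbrsr.dll Found
C:\WINDOWS\system32\TDSSriqp.dll Found
C:\WINDOWS\system32\TDSScfum.dll Found
"""

# Line shapes assumed from the log format above (section headers and entries).
INFECTED = re.compile(r"^Infected (?P<name>\S+) Found!$")
RESTORED = re.compile(r"^Original (?P<name>\S+) Restored$")
FILE_ENTRY = re.compile(r'^"(?P<path>[^"]+)"\s+(?P<size>\d+)\b')
DELETED = re.compile(r"^(?P<path>.+?) - Deleted$")
NOT_REMOVED = re.compile(r"^Could Not Remove (?P<path>.+)$")
REMAINING = re.compile(r"^(?P<path>.+?) Found$")


@dataclass
class Triage:
    driver: Optional[str] = None                    # driver SDFix replaced
    infected_sizes: Dict[str, int] = field(default_factory=dict)
    restored_sizes: Dict[str, int] = field(default_factory=dict)
    deleted: List[str] = field(default_factory=list)
    not_removed: List[str] = field(default_factory=list)
    remaining: List[str] = field(default_factory=list)

    def driver_size_delta(self) -> Dict[str, int]:
        """Bytes by which each infected driver copy exceeded the restored original."""
        return {p: self.infected_sizes[p] - self.restored_sizes[p]
                for p in self.infected_sizes if p in self.restored_sizes}

    def remaining_prefix(self) -> str:
        """Longest common filename prefix among survivors (a family naming tell)."""
        return os.path.commonprefix([ntpath.basename(p) for p in self.remaining])

    def clean(self) -> bool:
        """True only if nothing survived and nothing resisted removal."""
        return not self.remaining and not self.not_removed


def triage(log: str) -> Triage:
    t = Triage()
    section = None  # which part of the log the quoted/plain path lines belong to
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := INFECTED.match(line):
            t.driver, section = m["name"], "infected"
        elif RESTORED.match(line):
            section = "restored"
        elif line == "Trojan Files Found:":
            section = "deleted"
        elif line == "Remaining Files :":
            section = "remaining"
        elif section in ("infected", "restored") and (m := FILE_ENTRY.match(line)):
            bucket = t.infected_sizes if section == "infected" else t.restored_sizes
            bucket[m["path"]] = int(m["size"])
        elif m := NOT_REMOVED.match(line):
            t.not_removed.append(m["path"])
        elif section == "deleted" and (m := DELETED.match(line)):
            t.deleted.append(m["path"])
        elif section == "remaining" and (m := REMAINING.match(line)):
            t.remaining.append(m["path"])
    return t


if __name__ == "__main__":
    result = triage(SDFIX_LOG)
    print("replaced driver:", result.driver, result.driver_size_delta())
    print("deleted:", len(result.deleted), "survivors:", len(result.remaining))
    print("survivor prefix:", result.remaining_prefix() or "(none)", "clean:", result.clean())
```

Run stand-alone it reports the four survivors sharing the TDSS prefix and clean() as False, which matches the red X still showing after the run. One caveat for live use: a size or timestamp match on a restored driver is a weak check, since a patched file can be padded to the original size; compare a hash against a known-good copy from install media instead of trusting sizes.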

#11 DaChew


Posted 27 November 2008 - 12:08 AM

The renaming trick will serve you well with this infection.

MBAM may run now; if not, try loading a new copy and rename it as well.

Don't underestimate this infection.

#12 midnight51


Posted 07 December 2008 - 03:06 AM

Yeah, I ended up reformatting the machine, just wanted to drop a note and say thanks for the tips. That crap is bunk to boot man. What internet protection / antispyware / antiwhatever software do you recommend? I usually have Clean Slate on the aforementioned machine but somehow my family infected it and between formats I never got around to reinstalling it ... I WILL THIS TIME THOUGH!

#13 DaChew


Posted 07 December 2008 - 12:24 PM

Yeah, I ended up reformatting the machine


You chose wisely, quickest and most effective.

I usually recommend Avira AV and Comodo Firewall.

Spybot for immunization of IE.

Safe hex and vigilance are the most important protections.

#14 galaxydefender


Posted 02 January 2009 - 11:42 PM

I had this exact thing happen to me. I have Win XP. I downloaded Spyware Terminator from CNet, which found this pest. But I could not get rid of it, no matter how many times I tried to get rid of it using restore checkpoints, or SS8 scans, or even Spyware Terminator. I had at the time System Suite 8, but even that would not even detect it. I even had that idgit red circle with a white X in the middle appear on my task bar. Meanwhile, whenever I was on the Internet, I had a zillion popup versions of Antivirus 2008, 2009, or 360, besides a slew of disgusting crap sites.

Due to the fact that I was having a vision problem, I ended up getting my brother to install Malwarebytes, and this thing that cleans files (CCleaner). So with Malwarebytes we were able to get this "creature" off my PC, this brastk thing in Windows. All the malicious things are gone. Then had System Suite 9 put on my PC.

I don't think I can ever trust this computer to be trustworthy. It is my understanding that this was the Vundo trojan, which I'm assuming is a rootkit.

TANSTAAFL



