Forum: Security and Privacy (Spyware, Proxies, all security and privacy issues and software)
#1
Super Moderator (joined Jan 2008)
Have spent several hours trying to remove this completely and still some issues remain. You get the "usual" white cross in a red circle in the task manager and the box saying install Antivirus 2009 etc. It hides its processes so nothing is seen in Task Manager; it is using rootkit techniques. System Restore does not work. Stopping it cleans out the copies of the above files stored in the System Volume Information folder where the restore point files are kept. Many antivirus/malware apps won't run, including Malwarebytes Anti-Malware. HJTInstall doesn't run; SmitFraudFix and VundoFix only run when changing the file name. IE and Firefox won't open most antivirus sites (URLs resolve to the localhost address when you try to ping these sites) and for other sites you often end up at unexpected sites.

The cure: well, haven't completely fixed it. The files associated with it found to date and mentioned on the net are:

C:\WINDOWS\brastk.exe
C:\WINDOWS\karna.dat
C:\WINDOWS\DRIVERS\beep.sys
C:\WINDOWS\System32\karna.dat
C:\WINDOWS\SYSTEM32\brastk.exe
C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys
C:\WINDOWS\SYSTEM32\DLLCACHE\figaro.sys
C:\WINDOWS\SYSTEM32\DRIVERS\beep.sys

Also found a copy of svchost.exe in C:\WINDOWS\SYSTEM32\DRIVERS that should not be there.

Safe mode deletions of the files mentioned above and removal of all mentions of the files in the registry eventually got rid of them. Running SmitFraudFix using a different name may have helped. Avira antivirus does install OK and may have helped. http://z-oleg.com/avz4.zip from Kaspersky may have helped too. But eventually found when going back to the normal boot it stuck at the "Windows is starting" point just before the username and password entry point. Booting to an XP disk, running the Repair console and running chkdsk.exe /r fixed something and allowed a normal log in. Have got rid of the self-replicating brastk.exe etc. and no white cross saying I need to install Antivirus 2009.

BUT IE and Firefox still won't go to most antivirus sites and many antivirus apps won't run or install. So it still isn't fixed. Through Process Explorer I can see where svchost.exe with DCOMLauncher is the probable cause of the IE and Firefox problems, but the files themselves are OK; stopping this process causes a restart and stopping the DCOM service prevents a normal boot. I am at my wits' end now and a clean install may be the best answer. BTW beep.sys is a normal system file that has been contaminated and can be copied back from another PC later. It is used because it is also run when in safe mode, making getting rid of this malware all the more difficult.

Last edited by ssrattus : 13-11-08 at 12:39 PM.
#2
Senior Member, Gold Coast (joined Jan 2008)
Did you try installing Malwarebytes again, as that should fix the browser problems? Otherwise try the portable Thinstalled (sandboxed) version of Malwarebytes.
#3
I'm Not a Bloody Joke, Australia (joined Jan 2008)
ssrattus, I got rid of one the other day. I threw every program at it, then did a system restore, then deleted all the system restore files, then threw everything at it again, plus registry cleaners LOL, and it's still clean after 2 weeks. But you are right, it has taken me about 4 hours LOL.
__________________
Please wipe your feet before walking all over me
#4
Super Moderator (joined Jan 2008)
Tried 4 versions of portable Malwarebytes and they either don't run or, if they run, they don't update and don't find anything. Tried updating it on my good PC and then running it on the infected one, and it doesn't run. Tried Rootkit Unhooker; it doesn't run on the infected PC, nor does the Sophos Anti-Rootkit.
#6
Senior Member, Mt Gambier (joined Jan 2008)
Did ya have Malwarebytes running live (systray)?
__________________
Trust thyself only, and another shall not betray thee.
#7
Super Moderator (joined Jan 2008)
Don't think so. BTW, posting with the newly installed Windows XP SP3 Vienna Concept right now, less than an hour from start of format (60 GB) to up and running. Of course there are lots of other things to install yet.
#8
Premium Member, QLD (joined Jan 2008)
A couple of programs I find useful for manually checking and removing unwanted programs: Process Explorer and Autoruns for Windows.
#9
Premium Member, Victoria (joined Apr 2008)
HijackThis is also good for checking for autoruns and processes.
__________________
There is ALWAYS a better way to do things.
#11
Super Moderator (joined Jan 2008)
HJT would not install, even when renamed. Parts of this malware are rootkit-based, meaning that the processes are hidden and the registry entries don't show in the registry. The files mentioned in the first post were not rootkit-based.
#15
Senior Member
When I'm doing clients' computers I quite often remove their hard drive and scan it from my office service computer, which has the side panel off pretty much all the time for this purpose. Does wonders for getting rid of crap out of clients' computers. I usually scan externally with Malwarebytes and AVG, and it usually takes the worst out of the hard drive. I then reinstall and scan again with Spybot S&D as well as AVG and Malwarebytes again.
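The indicators in post #1 (the listed file paths, the stray svchost.exe in SYSTEM32\DRIVERS, antivirus hostnames resolving to localhost, and a contaminated beep.sys that can be compared against a copy from another PC) and the pull-the-drive approach in post #15 fit together as one offline check. The script below is an added example, not code from the thread or from any tool it mentions. It assumes the infected volume is mounted read-only at a path you pass to scan(); the sample volume it builds, the example-av.test hostnames and the "clean" beep.sys hash are all constructed for the demo, and the directories where a legitimate svchost.exe may sit on XP (SYSTEM32, its DLLCACHE, and ServicePackFiles\i386) are my assumption.

```python
"""Offline indicator check for the "Antivirus 2009" / brastk.exe infection: an added
example, not code from the thread.  Run it against a Windows volume pulled from the
infected PC and mounted read-only on a clean machine.  All sample data is constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

# Files named in the first post, relative to the volume root (svchost.exe is
# listed because the post found a copy in SYSTEM32\DRIVERS, where it does not belong).
REPORTED_FILES = [
    "WINDOWS/brastk.exe", "WINDOWS/karna.dat", "WINDOWS/DRIVERS/beep.sys",
    "WINDOWS/System32/karna.dat", "WINDOWS/SYSTEM32/brastk.exe",
    "WINDOWS/SYSTEM32/DLLCACHE/beep.sys", "WINDOWS/SYSTEM32/DLLCACHE/figaro.sys",
    "WINDOWS/SYSTEM32/DRIVERS/beep.sys", "WINDOWS/SYSTEM32/DRIVERS/svchost.exe",
]
HOSTS_FILE = "WINDOWS/SYSTEM32/DRIVERS/ETC/hosts"
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumption: where XP keeps legitimate svchost.exe copies (dllcache/ServicePackFiles are WFP backups).
SVCHOST_DIRS = ("WINDOWS/SYSTEM32", "WINDOWS/SYSTEM32/DLLCACHE", "WINDOWS/SERVICEPACKFILES/I386")

def resolve_ci(root, relative):
    """Resolve a Windows path case-insensitively under root, or return None.
    An NTFS volume mounted on Linux is case-sensitive, so System32 and
    SYSTEM32 must both reach the same directory."""
    current = Path(root)
    for part in relative.split("/"):
        children = current.iterdir() if current.is_dir() else ()
        current = next((c for c in children if c.name.lower() == part.lower()), None)
        if current is None:
            return None
    return current

def find_reported_files(root):
    """Indicator paths from the post that exist on the volume."""
    return [p for p in REPORTED_FILES if resolve_ci(root, p) is not None]

def hijacked_hosts_entries(root):
    """Hostnames the hosts file sends to a loopback address (localhost excepted)."""
    hosts = resolve_ci(root, HOSTS_FILE)
    if hosts is None:
        return []
    names = []
    for line in hosts.read_text(errors="replace").splitlines():
        fields = line.split("#", 1)[0].split()  # strip the comment, tokenise
        if len(fields) >= 2 and fields[0] in LOOPBACK:
            names.extend(n for n in fields[1:] if n.lower() != "localhost")
    return names

def find_misplaced(root, filename, allowed_dirs=SVCHOST_DIRS):
    """Copies of filename anywhere on the volume outside allowed_dirs."""
    allowed = {d.lower() for d in allowed_dirs}
    hits = []
    for dirpath, _dirs, files in os.walk(root):  # unreadable dirs are skipped
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        for f in files:
            if f.lower() == filename.lower() and rel_dir.lower() not in allowed:
                hits.append((Path(rel_dir) / f).as_posix())
    return sorted(hits)

def modified_system_files(root, known_good):
    """known_good maps a relative path to the sha256 of a clean copy taken from
    another PC (the post restores beep.sys that way); returns the mismatches."""
    changed = []
    for rel, good in known_good.items():
        p = resolve_ci(root, rel)
        if p is not None and hashlib.sha256(p.read_bytes()).hexdigest() != good.lower():
            changed.append(rel)
    return changed

def scan(root, known_good=None):
    """Run every check against the mounted volume at root."""
    return {
        "reported_files": find_reported_files(root),
        "hijacked_hosts": hijacked_hosts_entries(root),
        "misplaced_svchost": find_misplaced(root, "svchost.exe"),
        "modified_system_files": modified_system_files(root, known_good or {}),
    }

def build_sample_volume(root):
    """Constructed mock of an infected XP volume; file contents are placeholders."""
    etc = Path(root, "WINDOWS", "system32", "drivers", "etc")
    etc.mkdir(parents=True)
    (etc / "hosts").write_text("127.0.0.1 localhost\n127.0.0.1 updates.example-av.test # hijacked\n"
                               "0.0.0.0 www.example-av.test\n10.0.0.5 intranet\n")
    for rel in ("WINDOWS/brastk.exe", "WINDOWS/system32/svchost.exe",
                "WINDOWS/system32/drivers/svchost.exe"):
        Path(root, rel).write_bytes(b"MZ placeholder")
    Path(root, "WINDOWS/system32/drivers/beep.sys").write_bytes(b"patched beep.sys")

def demo():
    """Scan the constructed sample volume; the 'clean' beep.sys hash is made up too."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_volume(tmp)
        clean = hashlib.sha256(b"clean beep.sys from another PC").hexdigest()
        return scan(tmp, {"WINDOWS/SYSTEM32/DRIVERS/beep.sys": clean})

if __name__ == "__main__":
    print(demo())
```

Against a real drive, call scan("/mnt/infected") (or the drive letter on a Windows workshop machine) and pass a known_good dict built by hashing beep.sys on a PC with the same Windows version and service pack; hashes from a different build will show as mismatches. A clean hosts file does not prove the redirection is gone: the first post's observation that the DcomLaunch svchost.exe is tied to the browser problems suggests the interception may sit in a driver rather than in the hosts file, and an offline file scan cannot see what a hidden driver does at runtime.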
#16
Super Moderator (joined Jan 2008)
Yep, that would probably have been a viable solution, mutanti. But with this particular PC a reformat and clean install wasn't too hard, as the majority of the data is kept on the other partition.
#17
Senior Member
I find MBAM problematic when scanning remotely. If I can install it on a problematic system, update it, then scan, it usually removes everything bad effectively. I have Avast + MBAM on our workshop machine to remotely scan hard drives and I've all but given up on MBAM for this purpose.
LinkBack to this Thread: http://www.austech.info/security-privacy/13375-antivirus-2009-even-harder-remove-now.html