Have spent several hours trying to remove this completely and still some issues remain.
You get the "usual" white cross in a red circle in the task manager and the box saying install Antivirus 2009 etc.
It hides its processes so nothing is seen in taskmanager, it is using rootkit techniques.
System restore does not work. Stopping it cleans out the copies of the above files stored in the System Volume Information folder, where the restore point files are kept.
Many antivirus/malware apps won't run, including Malware Antimalwarebytes.
HJTinstall doesn't run; SmitFraudFix and VundoFix only run when changing the file name.
IE and Firefox won't open most antivirus sites (URLs resolve to the localhost address when you try to ping these sites), and for other sites you often end up at unexpected sites.
The cure:
Well haven't completely fixed it.
The files associated with it found to date and mentioned on the net are:
C:\WINDOWS\brastk.exe
C:\WINDOWS\karna.dat
C:\WINDOWS\DRIVERS\beep.sys
C:\WINDOWS\System32\karna.dat
C:\WINDOWS\SYSTEM32\brastk.exe
C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys
C:\WINDOWS\SYSTEM32\DLLCACHE\figaro.sys
C:\WINDOWS\SYSTEM32\DRIVERS\beep.sys
Also found a copy of svchost.exe in C:\WINDOWS\SYSTEM32\DRIVERS that should not be there.
Safe mode deletions of the files mentioned above and removal of all mentions of the files in the registry eventually got rid of them. Running SmitFraudFix using a different name may have helped. Avira antivirus does install OK and may have helped.
from Kaspersky may have helped too.
But eventually found, when going back to the normal boot, it stuck at the "windows is starting" point just before the username and password entry point. Booting to an XP disk, running the Repair console and running chkdsk.exe /r fixed something and allowed a normal log in.
Have got rid of the self-replicating brastk.exe etc. and no white cross saying I need to install Antivirus 2009.
BUT IE and Firefox still won't go to most antivirus sites and many antivirus apps won't run or install. So it still isn't fixed.
Through Process Explorer I can see that svchost.exe with DCOMLauncher is the probable cause of the IE and Firefox problems, but the files themselves are OK; stopping this process causes a restart, and stopping the DCOM service prevents a normal boot.
I am at my wits end now and a clean install may be the best answer.
BTW beep.sys is a normal system file that has been contaminated and can be copied back from another PC later. It is used because it is also run when in safe mode, making getting rid of this malware all the more difficult.
Last edited by ssrattus; 13-11-08 at 01:39 PM.
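An added defender-side check, not from the thread, that covers two symptoms ssrattus describes: security-vendor hostnames pinned to the loopback address in the hosts file, and the presence of the file paths listed in the post. The vendor hostnames and the sample hosts content are constructed placeholders; the `exists` parameter lets the path check run against a mounted offline drive rather than the live system.

```python
import ipaddress
import os
# Constructed hosts-file sample modelled on the redirect described in the post:
# security-vendor hostnames (placeholder .test names) pointed at loopback.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.av-vendor.test        # constructed hijack entry
127.0.0.1 update.av-vendor.test
::1             localhost
"""
# Placeholder vendor hostnames; replace with the update/download hosts you rely on.
WATCHED_HOSTS = {"www.av-vendor.test", "update.av-vendor.test"}
# Paths named in the post as associated with this infection.
SUSPECT_PATHS = [
    r"C:\WINDOWS\brastk.exe", r"C:\WINDOWS\karna.dat",
    r"C:\WINDOWS\DRIVERS\beep.sys", r"C:\WINDOWS\System32\karna.dat",
    r"C:\WINDOWS\SYSTEM32\brastk.exe", r"C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys",
    r"C:\WINDOWS\SYSTEM32\DLLCACHE\figaro.sys", r"C:\WINDOWS\SYSTEM32\DRIVERS\beep.sys",
    r"C:\WINDOWS\SYSTEM32\DRIVERS\svchost.exe",  # svchost.exe never belongs here
]
def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments/blanks."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        for name in parts[1:]:          # one IP may be followed by several names
            yield parts[0], name.lower()

def hijacked_hosts(text, watched=WATCHED_HOSTS):
    """Return watched hostnames that the hosts file pins to a loopback address."""
    hits = []
    for ip, name in parse_hosts(text):
        try:
            is_loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:              # malformed line, not an IP
            continue
        if is_loopback and name in watched:
            hits.append(name)
    return hits

def present_suspect_files(paths=SUSPECT_PATHS, exists=os.path.exists):
    """Return suspect paths that exist; `exists` is injectable for offline drives/tests."""
    return [p for p in paths if exists(p)]

if __name__ == "__main__":
    hosts_path = r"C:\WINDOWS\system32\drivers\etc\hosts"
    with open(hosts_path, encoding="utf-8", errors="replace") as fh:
        live = fh.read()
    print("hosts hijacks:", hijacked_hosts(live))
    print("suspect files present:", present_suspect_files())
```

A hit from either function is a reason to scan the drive from a clean machine, as later posts in the thread suggest, rather than trusting tools run on the infected system.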
ssrattus, I got rid of one the other day. I threw every program at it, then did a system restore, then deleted all the system restore files, and then threw everything at it again, and registry cleaners, LOL.
And it's still clean after 2 weeks, but you are right, it has taken me about 4 hours, LOL.
When you do things right, people won't be sure that you have done anything at all
Tried 4 versions of portable Malwarebytes and they either don't run, or if they run they don't update and don't find anything. Tried updating it on my good PC and then running it on the infected one, and it doesn't run.
Tried Rootkit Unhooker; it doesn't run on the infected PC, nor does the Sophos anti-rootkit.
Given up, first time a virus/trojan has beaten me. Formatting as I write.
did ya have Malwarebytes running live (systray) ???
Trust thyself only, and another shall not betray thee.
A couple of programs I find useful for manually checking and removing unwanted programs: Process Explorer and AutoRuns.
Process Explorer
AutoRuns for Windows
HijackThis is also good for checking for autoruns and processes.
What happens if I press alt + F4?
I used these tools
Malwarebytes
HiJackThis
SmitFraudFix
Dial-a-Fix
ATF Cleaner
FixPolicies
and finally got rid of it. Also VirusLabs Response 2009 is the same.
HJT would not install, even when renamed.
Parts of this malware are rootkit based, meaning that the processes are hidden and the registry entries don't show in the registry. The files mentioned in the first post were not rootkit based.
We need to find the a$$hats that made this and perform sexual acts upon them using tractors.
I was thinking more along the lines of tiger tape and Vaseline.
What happens if I press alt + F4?
format c: /s is the best cure
Mac OS X and then Linux, no more problems.
When I'm doing clients' computers I quite often remove their hard drive and scan it from my office service computer, which has the side panel off pretty much all the time for this purpose.
Does wonders for getting rid of crap out of clients' computers....
I usually scan externally with Malwarebytes and AVG, and it usually takes the worst out of the hard drive. I then reinstall and scan again with Spybot S&D as well as AVG & Malwarebytes again...
Yep, that would probably have been a viable solution, mutanti. But with this particular PC a reformat and clean install wasn't too hard, as the majority of the data is kept on the other partition.
I find MBAM problematic when scanning remotely. If I can install it on a problematic system, update it, then scan, it usually removes everything bad effectively. I have Avast + MBAM on our workshop machine to remotely scan hard drives and I've all but given up on MBAM for this purpose.
Hi M8,
I had the same problem as you.
Format and re-install was the only solution for me, as none of the spyware or malware programs would run.
But scanning the infected HDD from another computer is a good idea.
If I ever run into this problem again I will try an external scan.
Cheers
Had it on a m8's PC the other week... was a real prick... disabled AVG and Malwarebytes... even typing those 2 words in Firefox using Google, it just closed Firefox... even in safe mode... format and reinstall was the only answer...
Trust thyself only, and another shall not betray thee.
I hate spending time removing viruses. At the first sign of infection I blow my install away with a clean image in 2 minutes. It takes longer than 2 minutes to complete the task but most of my stuff at home is server based (IMAP email server, file server, firewall, even a lot of apps) so I can recover and keep working in about 10 minutes to an hour for almost everything else. I use drive snapshot for imaging.