Brastk aftermath

Status
Not open for further replies.
Hi all,

I started having problems a couple of days ago - a "your computer is infected" popup on the bottom right of the screen, which tried to launch a downloader for Antivirus 2009. Windows restore wouldn't work, several antispyware programs wouldn't run, and those that did couldn't solve the problem. At this stage general google searches for "your computer is infected popup" didn't find anything nearly as useful as this site.

I searched the computer for *.exe, and the most recent file was brastk.exe. I then googled for that and ended up here. I followed the instructions in post 4 of Danielle1234's thread, with the exception that I didn't have any Antivirus 2009 problems (think I pulled the plug on the internet in time to avoid these). In summary, I deleted:
c:\windows\karna.dat
c:\windows\brastk.exe
c:\windows\system32\karna.dat
c:\windows\system32\brastk.exe
c:\windows\system32\drivers\beep.sys

I've run through the eight recommended steps, and there is still one thing concerning me. Sophos stopped updating itself, so during the recovery process I switched to Avast. It looks as though the uninstall facility for Sophos has been deleted. Can anyone help me with this?

Avast found:
win32:patched-HH
win32:FakeAV-P
win32:Agent-QNI
as well as stuff in all of my system restore points.


Here are the requested log files for MBAM and HJT. Is there anything dodgy left over?


Thanks for your help,

Rich
 

Attachments

  • mbam-log-2008-11-17 (21-35-58).txt
Welcome to TS. I am the awkward type, so I will just blurt it out.

Oh Wow! You may have prevented some serious problems by your quick action.

However, this quote is troubling:
    still one thing concerning me. Sophos stopped updating itself
My lazy side is showing - I did not find a text match in HJT by that name.
Startup (O4) section has AVG8 items.

MBAM Version > 1400 is available. Opens the possibility that the detected infection has morphed.
Malwarebytes' Anti-Malware 1.30 Database version: 1306 17/11/2008 21:35:58
C:\WINDOWS\system32\TDSSespn.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Program Files\SpywareRemover (Rogue.Spyware.Remover)

Here is where it gets interesting.
D/L file as a precaution. Execution reserved for later use if warranted by conditions.
Provided courtesy of mflynn

Update MBAM & SAS. Re-run the scans & post the 3 logs.

Please share progress & restate symptoms as they may change after the scans.

If tools do not update, the D/L file above has scripts that duplicate the file deletions you cited. It is quite extensive. It puts shortcuts on the desktop with targets to renamed executables: mwb.exe & sas.exe. (I'm not clear if the scripts rename the (target) executables themselves.)

If still no progress, delete the applications: mbam & sas.

Re-acquire the programs.
Download dot com is an alternative site. (phonetical spelling to prevent spider slurpers from recording link).
 
Hi rf, and thanks very much for your help.

I know that I've got Sophos and Avast running at the same time- when Sophos wouldn't update I downloaded Avast, and found that I couldn't uninstall Sophos. Eventually I'll get rid of one or the other of them. I think Sophos not updating is likely to be the cause of the problem, rather than a symptom of it.

I've now connected the infected computer to the internet and updated various programs so that I'm now using versions:
Avast 081118-0 18/11
MBAM 1411
SAS 4.21.004 Core 3643 Trace 1626
HJT 2.02
Zonealarm 7.0.483.000

I'll run the scans this evening. I ran an Avast scan last night (with the non-updated version) and it reported one instance of W32:Tidserv, but fortunately my external hard drive was reported clean.

One worrying thing happened- as soon as the infected computer was connected to the internet, ZoneAlarm started showing warnings of refused incoming connections, attempting to route stuff through my computer. This has never happened before, though I might just have changed the ZA settings to show more alerts. I've attached the logfile.

Let me know if you've any thoughts on this. For now, I've got another evening watching the computer do scans ahead of me...

Rich
 
Proposition: ignorance is bliss.
Proposition: ZA protecting my computer makes me extremely blissful.
Q.E.D. >> I am ignorant of the workings of ZA

I have a rudimentary understanding of ZA protecting my computer. I spend so much time on this board, I seldom venture there.

However, the ZA defaults are a very good beginning. If the popup message puzzles you, deny it. Tick the box to make this decision 'stick'. When things you expect to work stop working, then open up ZA. Most programs do not need to behave as a server (both zones). Until I properly configure new APPs, I routinely deny obtaining updates. If you cannot associate a program with IP, deny it.

Having said this, I do not have an understanding about the behavior of 'svchosts' (the popup name). In the program list, it appears as 'generic hosts process for win32'.

In general, correlate your actions with the alerts.

Now more specific to this problem.

The attached file contains a listing of IPs from the ZA log. Some notations made.

At the beginning of the file is an example usage of "nslookup". It is run in the command prompt window.

This is a link to robtex.

These are what I was using to spot check IPs from the log.

The 'robtex' site will assemble information for whatever you plunk in the input box in the upper section of the page. In the large block just below the input box, the site reports findings if the input appears in blacklists. The rest is too verbose for me to describe.

Input = {ip, url, domain, AS} -- That's worked for me so far.

Use known url so that you can recognize "useful" results. Some url results do not populate the results table. Indicates the url has what I term a "private listing".

Private listings often protect sensitive networks. However, judging what you are observing, it must also protect servers who at best are not secure, at worst they are spewing poison. I just do not know.

Oh yeah, how 'bout those logs?
 
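The spot-checking described in the post above (pull the source IPs out of the ZoneAlarm log, resolve the hosts you care about with nslookup, and see which blocked connections are explained and which are not), as an added example that is not part of the original thread or its attachments. The ZoneAlarm log field layout assumed here (event type, date, time, source ip:port, destination ip:port, transport) is an assumption about the format; the sample log lines, the hostname proxy.example.test and its addresses are all constructed stand-ins, and the nslookup result is embedded as a dictionary instead of being resolved live so the script runs offline.

```python
"""Triage a ZoneAlarm-style firewall log: which sources are being blocked,
which are on the LAN, and which match hosts already resolved with nslookup."""
import ipaddress
from collections import Counter

# Constructed sample lines, not the thread's ZA attachment. Assumed field order:
# event type, date, time, source ip:port, destination ip:port, transport.
SAMPLE_ZA_LOG = """\
FWIN,2008/11/18,19:02:11 +0:00 GMT,192.168.1.23:137,192.168.1.5:137,UDP
FWIN,2008/11/18,19:03:45 +0:00 GMT,198.51.100.17:8080,192.168.1.5:1043,TCP (flags:S)
FWIN,2008/11/18,19:05:02 +0:00 GMT,203.0.113.77:6000,192.168.1.5:135,TCP (flags:S)
FWIN,2008/11/18,19:06:30 +0:00 GMT,192.168.1.23:137,192.168.1.5:137,UDP
FWIN,2008/11/18,19:07:12 +0:00 GMT,198.51.100.18:8080,192.168.1.5:1044,TCP (flags:S)
FWOUT,2008/11/18,19:08:00 +0:00 GMT,192.168.1.5:1050,203.0.113.9:80,TCP (flags:S)
"""

# Constructed stand-in for what `nslookup <host>` returned for the hosts worth
# correlating (e.g. the host named in the HJT R1 ProxyServer entry). Kept
# offline so the example needs no network access.
RESOLVED_HOSTS = {
    "proxy.example.test": {"198.51.100.17", "198.51.100.18"},
}

# "Local" here means the RFC 1918 ranges plus link-local, i.e. the home LAN.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def is_lan(ip):
    """True if the address belongs to one of the LAN ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def parse_za_line(line):
    """Split one log line into its parts; return None for lines that do not fit."""
    fields = line.strip().split(",")
    if len(fields) < 6:
        return None
    event, src, dst, proto = fields[0], fields[3], fields[4], fields[5]
    try:
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        ipaddress.ip_address(src_ip)
        ipaddress.ip_address(dst_ip)
        return {"event": event, "src_ip": src_ip, "src_port": int(src_port),
                "dst_ip": dst_ip, "dst_port": int(dst_port),
                "proto": proto.split()[0]}
    except ValueError:
        return None


def triage_blocked_inbound(log_text, resolved_hosts):
    """Count blocked inbound (FWIN) events per source and sort the sources into
    LAN, explained-by-a-known-host, and unexplained (worth a manual lookup)."""
    ip_to_host = {ip: host for host, ips in resolved_hosts.items() for ip in ips}
    by_source = Counter()
    ports = {}
    for line in log_text.splitlines():
        rec = parse_za_line(line)
        if rec is None or rec["event"] != "FWIN":
            continue
        by_source[rec["src_ip"]] += 1
        ports.setdefault(rec["src_ip"], set()).add(rec["dst_port"])
    lan = {ip for ip in by_source if is_lan(ip)}
    external = set(by_source) - lan
    matched = {ip: ip_to_host[ip] for ip in external if ip in ip_to_host}
    unexplained = external - set(matched)
    return {"by_source": by_source, "lan": lan, "matched": matched,
            "unexplained": unexplained, "ports": ports}


if __name__ == "__main__":
    result = triage_blocked_inbound(SAMPLE_ZA_LOG, RESOLVED_HOSTS)
    for ip, count in result["by_source"].most_common():
        tag = ("LAN" if ip in result["lan"]
               else result["matched"].get(ip, "UNEXPLAINED - check by hand"))
        print(f"{ip:16} {count:3} hits  ports={sorted(result['ports'][ip])}  {tag}")
```

The addresses left in "unexplained" are the ones to paste into nslookup or the robtex input box; a LAN source hammering port 137 is NetBIOS name-service chatter from a neighbour on the home network, while a single external source probing 135 is the kind of entry that deserves a blacklist check.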
Thanks for the zonealarm advice rf. I'll start going through the list of IP addresses shortly.

I ran the three scans last night, and nothing was detected by either MBAM or SAS.

Here are the log files.

Thanks again,

Rich
 
From the logs, I judge that your computer is free of the infection. Re-review of your detailed reports shows where I did not credit your manual efforts to remove parts of the payload. This detail makes the initial MBAM log 'thinness' understandable.

This HJT entry matches 2 IPs in the ZA log file:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwcache.gla.ac.uk:8080

I suggest looking at the Security Events logfile. It may report audit failures (exception to firewall policies).

Here is where it gets dicey. Your list of O23 entries is long. Many of the service names suggest it is a professional application on your computer. Some of these may open holes in the firewall if they represent a data stream.

Inspect "My Network Places" for connections to other networks.
You can use network monitoring tools from Sysinternals.

Aside from this network traffic, are there symptoms remaining?

[extra]
Here is more information courtesy of Blind Dragon. Ignore the personal instructions above (======). It gives a sequence for clean-up and suggests opportunities to enhance security. Another link brings up a networking tutorial. Check out the goodies.
 
Hi rf, and again, thanks for your help. Having guys like you on this forum, giving up your time to help strangers does restore some faith in humanity.

I've got no symptoms at the moment - everything is running fine. The blocked incoming messages have reduced in number, to about one every half hour. They're all coming from local computers, which I presume to be a good sign. I've used TCPView and there are no established connections (apart from Firefox). Nothing is listed under "My Network Places".

You're right about the number of O23 entries arising from National Instruments. Most of these relate to aspects of the program that I don't use, and I've set the firewall to block them. I'll try removing them one by one and see whether anything stops working. I'll also follow the advice given in Blind Dragon's thread.

Rich
 