Brastke.exe infection - 8 Step Complete

Hello,
My system recently became infected with brastke.exe. I found this site while searching for a cure and am hoping someone can assist in finally removing it. I have completed the 8-step Viruses/Spyware/Malware Preliminary Removal Instructions and it did help a lot, although there is still something nagging my system. Running XP SP2. Each time I start up my computer now, Avira picks up laputhk.exe.

Attached are the three log files. Your help is immensely appreciated.

Thank you

Good job.

Now update and run both MBAM and SAS again and if they come up clean you are finished.

Post me clean logs!

Mike

You are running two security suites. That means two antivirus programs and multiple firewalls. Symantec/Norton and Avira. Decide which you want to keep and uninstall the other: You are also running the BlackICE firewall. Any other firewalls should be disabled and both of the security suites may have a firewall included.

Symantec/Norton:

Avira:

BlackICE Firewall:

Please have SAS remove the Tracking Cookies and all other entries. Click on the lower left image here to enlarge, showing you which boxes to check:
http://superantispyware.en.softonic.com/images

Once that is done:
Reset Cookies:

Firefox: Tools> Options> Privacy section> Cookies> CHECK 'accept Cookies'> UNCHECK 'accept third party Cookies'

Please re-open HiJackThis and scan.*Check* the boxes next to all the entries listed below.

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot.

Run HijackThis again and post a new log.

I updated MBAM and SAS. Attached are the logs.

Bobbye: I disabled Norton (at least I believe it got it all), it's been outdated for quite some time. I disabled Black Ice as well. I followed everything below. Everything seems ok now, except for Avira still picks up laputhk.exe. I don't know what that is.

Thanks for all of your help!

Mbam, shows the malware in the System Restore points. They are protected files and the cleaning programs don't remove them. We will drop those restore points at the end. In the meantime, do NOT use System Restore.

It also appears that you did not have HijackThis remove the entries I left. If Norton/Symantec is not being used, you need to uninstall it. Please download and Save the removal tool. Don't run it yet.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

BlackICE:

2. To remove the laputhk.exe process:
Right click on Start> Explore> Programs> Windows> System32> right click on laputhk.exe> delete

3. Disable these services:

4. Stop Startup processes:
Start> Run> msconfig> enter> Selective Startup> Startup menu< UNCHECK any of the following if present:

Run the Norton Removal tool you save to the Desktop: Double click> Run.

When through, reboot into Normal Made. NOTE: you will get a nag message that you can ignore after checking 'don't show this message again.' Stay in Selective Startup.

Rerun HijackThis and post new log. If clean, we'll remove the cleaning tools and restore points.

Hi, Sorry for the delayed response. Busy busy! Anyway, things are running well, I followed the previous directions. Here are the logs. Hopefully everything is good. Thanks for all your help on this, my system is running very smooth, and with Norton gone my memory usage is very low too!

The Cookies have still not been reset and you have another batch of Tracking Cookies. I gave you directions for IE. Here is what to do for Firefox:
Reset Cookies in Firefox:

Get all three of the easy List. These are filters that go with AdBlock Plus.

Delete the Prefetch files:

Then go back in and re-hide the files and folders.

While still on Windows Explorer: Widows> System 32> look on the right screen for ~.EXE exactly like that> if seen, do a right click> delete. There is also a Trojan Dropper generic in this file. Do NOT remove any other .exe files.

There are still no homepages set up. These are referred to as "IE Start & Search pages" and appear as R0, R1, R2 and R3 entries in the HijackThis log, You need to set the homepage so I can make sure it's not getting redirected.

When you have reset the Cookies: reopen SuperAntispyware and delete everything found. Click on the lower left image here to see where to check for this:
http://superantispyware.en.softonic.com/images

When the above has been completed, do one more scan with your antivirus program, updating right before. Please let me know if it's clean and also what the system of the system is. Have the original problems been resolved?

Ok, I did everything listed. Although there are 2 things I am unable to do:
- In Firefox I am only able to "Accept cookies from sites". That box is checked. I don't have the options you listed.
- I was unable to find ~.exe anywhere.

I have attached the latest logs. Everything seems to be running fine. I don't get the original problem anymore. The only things I can think of are every once in a while the AV picks up various strange Trojans. Or what it identifies as Trojans.

Hi Mith

I presume the last MBAM scan was clean?

Get and run
http://majorgeeks.com/Kaspersky_AVP_Tool_d4515.html

Very deep scan will take hours but worth it.

Mike

Mith, you are still getting the Tracking Cookies. I have instructed you in removing the Cookies and in resetting the Cookies twice. You should have three places to set in Firefox> Tools> Options> Privacy> Cookies in Firefox:
1. CHECK 'allow Cookies'
2. UNCHECK 'allow third party Cookies
3. You choice of how long to keep Cookies (choose 'until I remove them')
I have use Firefox for 4 years since v.1. I am now using v3.0.4 and these settings have been available in all. Unless you do that, you will continue to get them.

You also have to rest Cookies in IE.
But we are going to have to deal with the ad.yieldmanager.com Tracking as follows:
Open Internet Explorer> Tools> Internet options> Trusted Zone> Sites> REMOVE ad.yieldmanager.com> then go to the Restricted Sites> Sites> type in *.ad.yieldmanager.com> Add>Apply> OK

While you are in Internet Options> Privacy tab> Cookies> Advanced> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

AVSCAN: you can delete the processes that have been quarantines. I agree that a follow up with an online scan is indicated.

HijackThis scan is clean, although it does show you have many unnecessary processes on Startup and have some Services set to Automatic that could be changed to Manual.