Brastke.exe infection - 8 Step Complete

Hello,
My system recently became infected with brastke.exe. I found this site while searching for a cure and am hoping someone can assist in finally removing it. I have completed the 8-step Viruses/Spyware/Malware Preliminary Removal Instructions and it did help a lot, although there is still something nagging my system. Running XP SP2. Each time I start up my computer now, Avira picks up laputhk.exe.

Attached are the three log files. Your help is immensely appreciated.

Thank you
 
Good job.

Now update and run both MBAM and SAS again and if they come up clean you are finished.

Post me clean logs!

Mike
 
You are running two security suites. That means two antivirus programs and multiple firewalls: Symantec/Norton and Avira. Decide which you want to keep and uninstall the other. You are also running the BlackICE firewall. Any other firewalls should be disabled, and both of the security suites may have a firewall included.

Symantec/Norton:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
Avira:
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

BlackICE Firewall:
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe

Please have SAS remove the Tracking Cookies and all other entries. Click on the lower left image here to enlarge, showing you which boxes to check:
http://superantispyware.en.softonic.com/images

Once that is done:
Reset Cookies:
Internet Explorer> Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

Firefox: Tools> Options> Privacy section> Cookies> CHECK 'accept Cookies'> UNCHECK 'accept third party Cookies'

Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
Valid LSP, but you don't need 4 running. Remove 3:
O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - AppInit_DLLs: karna.dat
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot.

Run HijackThis again and post a new log.
 
I updated MBAM and SAS. Attached are the logs.

Bobbye: I disabled Norton (at least I believe it got it all); it's been outdated for quite some time. I disabled Black Ice as well. I followed everything below. Everything seems ok now, except that Avira still picks up laputhk.exe. I don't know what that is.

Thanks for all of your help!
 

Attachments

  • SUPERAntiSpyware Scan Log - 12-05-2008 - 19-37-37.log (8.2 KB)
  • mbam-log-2008-12-05 (07-37-37).txt (3.1 KB)
MBAM shows the malware in the System Restore points. They are protected files and the cleaning programs don't remove them. We will drop those restore points at the end. In the meantime, do NOT use System Restore.

SAS shows Tracking Cookies either remain or are back again. It appears you haven't done this yet:
Please have SAS remove the Tracking Cookies and all other entries. Click on the lower left image here to enlarge, showing you which boxes to check:
http://superantispyware.en.softonic.com/images

Once that is done:
Reset Cookies:
Quote:
Internet Explorer> Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.
Firefox: Tools> Options> Privacy section> Cookies> CHECK 'accept Cookies'> UNCHECK 'accept third party Cookies'
It also appears that you did not have HijackThis remove the entries I left. If Norton/Symantec is not being used, you need to uninstall it. Please download and Save the removal tool. Don't run it yet.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

BlackICE:
If you are not going to use BlackICE, it needs to be removed also. The Proventia Desktop included the firewall and also has AV capabilities; we will remove it later.

Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Brett\actsf.exe \s,
O4 - HKLM\..\Run: [laputhk] C:\WINDOWS\system32\laputhk.exe \u
O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
1. To remove BlackICE:
Right click on Start> Explore> Programs> ISS> Proventia Desktop> double-click on agentremove.exe
Proventia Desktop can be uninstalled by double clicking on the agentremove.exe file that is usually located in the C:\Program Files\ISS\Proventia Desktop subdirectory.
2. To remove the laputhk.exe process:
Right click on Start> Explore> Programs> Windows> System32> right click on laputhk.exe> delete

3. Disable these services:
Start> Run> services.msc. find each Service below and right click> Properties on the Service> Change the Startup type to Disabled> Stop the Service
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe
4. Stop Startup processes:
Start> Run> msconfig> Enter> Selective Startup> Startup menu> UNCHECK any of the following if present:
All symantec/Norton processes
All Proventia/ISS/BlackIce processes
Run the Norton Removal tool you saved to the Desktop: Double click> Run.

When through, reboot into Normal Mode. NOTE: you will get a nag message that you can ignore after checking 'don't show this message again.' Stay in Selective Startup.

Rerun HijackThis and post new log. If clean, we'll remove the cleaning tools and restore points.
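The HijackThis entries Bobbye asks the poster to fix (the F2 UserInit value carrying a second executable, the O4 Run key for laputhk.exe, the repeated O10 LSP entries, and the O20 AppInit_DLLs value in the earlier post) are all autostart or injection points that can be checked mechanically. The following Python is an added example, not from the thread or from HijackThis itself: it parses HijackThis-style lines and flags those patterns for a reviewer. The sample lines are constructed from the entries quoted in the thread, and the heuristics (any UserInit value beyond the stock userinit.exe, a Run entry launching directly from system32, a populated AppInit_DLLs, the same LSP DLL registered more than once) are this example's own and deliberately narrow; an unflagged line is not a clean line.

```python
"""Triage helper for HijackThis-style autostart entries (added example)."""
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample, modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Brett\actsf.exe \s,
O4 - HKLM\..\Run: [laputhk] C:\WINDOWS\system32\laputhk.exe \u
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
O20 - AppInit_DLLs: karna.dat
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Every HijackThis line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
USERINIT_RE = re.compile(r"UserInit=(?P<value>.*)$", re.IGNORECASE)
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
LSP_RE = re.compile(r"Winsock LSP: (?P<path>.*)$", re.IGNORECASE)
APPINIT_RE = re.compile(r"AppInit_DLLs: (?P<value>.*)$", re.IGNORECASE)

# On a stock XP install UserInit holds only userinit.exe (trailing comma included).
# Anything appended to it runs at every logon, which is how actsf.exe was being started.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"


def parse_entries(text: str) -> List[Tuple[str, str]]:
    """Split a log into (section code, body) pairs, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text: str) -> List[str]:
    """Return human-readable findings for the autostart patterns discussed in the thread."""
    findings: List[str] = []
    lsp_paths: Counter = Counter()
    for code, body in parse_entries(text):
        if code == "F2":
            m = USERINIT_RE.search(body)
            if m and m.group("value").strip().lower() != EXPECTED_USERINIT:
                findings.append(f"F2: UserInit carries extra executable(s): {m.group('value').strip()}")
        elif code == "O4":
            m = O4_RE.match(body)
            # Legitimate software rarely drops its own autostart binary straight into system32.
            if m and "\\system32\\" in m.group("cmd").lower():
                findings.append(f"O4: Run entry [{m.group('name')}] launches from system32: {m.group('cmd')}")
        elif code == "O10":
            m = LSP_RE.search(body)
            if m:
                lsp_paths[m.group("path").strip().lower()] += 1
        elif code == "O20":
            m = APPINIT_RE.search(body)
            # AppInit_DLLs is loaded into every process that links user32.dll; it should be empty.
            if m and m.group("value").strip():
                findings.append(f"O20: AppInit_DLLs is populated: {m.group('value').strip()}")
    # The thread's LSP entries were valid but duplicated; a repeated chain entry is worth a look.
    for path, count in lsp_paths.items():
        if count > 1:
            findings.append(f"O10: LSP DLL registered {count} times: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Running the block prints four findings for the constructed sample (the UserInit addition, the laputhk Run entry, the AppInit_DLLs value and the duplicated LSP DLL); the R1 ProxyOverride, the Uniblue Run entry and the Symantec service pass through unflagged, which is the intended behaviour of these narrow rules, not a verdict on those entries.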
 
Hi, sorry for the delayed response. Busy busy! Anyway, things are running well; I followed the previous directions. Here are the logs. Hopefully everything is good. Thanks for all your help on this; my system is running very smoothly, and with Norton gone my memory usage is very low too!
 
The Cookies have still not been reset and you have another batch of Tracking Cookies. I gave you directions for IE. Here is what to do for Firefox:
Reset Cookies in Firefox:
Tools> Options> Privacy tab> Cookies section> CHECK 'accept Cookies'> UNCHECK 'accept third party Cookies'.
Download the following add-ons:
AdBlock Plus: https://addons.mozilla.org/en-US/firefox/addon/1865
Easy List: http://easylist.adblockplus.org/
Get all three of the Easy List filters. These are filters that go with AdBlock Plus.

Delete the Prefetch files:
Right click on Start> Explore> Windows> Prefetch. Before you start the search, go to Tools> Folder options> View tab> CHECK 'show hidden files and folders'> then search. You have a Trojan Dropper Generic in the Prefetch files. I can't tell which one, so you need to delete all of these files: Edit> Select All> Delete.

Then go back in and re-hide the files and folders.

While still in Windows Explorer: Windows> System32> look on the right screen for ~.EXE exactly like that> if seen, do a right click> delete. There is also a Trojan Dropper Generic in this file. Do NOT remove any other .exe files.

There are still no homepages set up. These are referred to as "IE Start & Search pages" and appear as R0, R1, R2 and R3 entries in the HijackThis log. You need to set the homepage so I can make sure it's not getting redirected.

When you have reset the Cookies: reopen SuperAntispyware and delete everything found. Click on the lower left image here to see where to check for this:
http://superantispyware.en.softonic.com/images

When the above has been completed, do one more scan with your antivirus program, updating right before. Please let me know if it's clean and also what the status of the system is. Have the original problems been resolved?
 
Ok, I did everything listed. Although there are 2 things I am unable to do:
- In Firefox I am only able to "Accept cookies from sites". That box is checked. I don't have the options you listed.
- I was unable to find ~.exe anywhere.

I have attached the latest logs. Everything seems to be running fine. I don't get the original problem anymore. The only things I can think of are every once in a while the AV picks up various strange Trojans. Or what it identifies as Trojans.
 
Mith, you are still getting the Tracking Cookies. I have instructed you in removing the Cookies and in resetting the Cookies twice. You should have three places to set in Firefox> Tools> Options> Privacy> Cookies:
1. CHECK 'allow Cookies'
2. UNCHECK 'allow third party Cookies'
3. Your choice of how long to keep Cookies (choose 'until I remove them')
I have used Firefox for 4 years, since v.1. I am now using v3.0.4 and these settings have been available in all. Unless you do that, you will continue to get them.

You also have to reset Cookies in IE.
But we are going to have to deal with the ad.yieldmanager.com Tracking as follows:
Open Internet Explorer> Tools> Internet options> Trusted Zone> Sites> REMOVE ad.yieldmanager.com> then go to the Restricted Sites> Sites> type in *.ad.yieldmanager.com> Add>Apply> OK

While you are in Internet Options> Privacy tab> Cookies> Advanced> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

AVSCAN: you can delete the processes that have been quarantined. I agree that a follow-up with an online scan is indicated.

HijackThis scan is clean, although it does show you have many unnecessary processes on Startup and have some Services set to Automatic that could be changed to Manual.
 