Help! Another Bratsk.exe victim

By danielle1234
Nov 13, 2008
  1. I know there are a lot of threads on this, but I am very lost and really need help.

    The last thing I recall was my Spybot popping up and asking if I wanted to change the registry to add bratsk.exe. I of course said NO! And lo and behold, it didn't matter at that point. Now I can't run any spyware programs, install anything, or even reach any webpages that have to do with the spyware you have requested.

    The good news is that I was able to download and install Malwarebytes Anti-Malware. It is currently running and has found no objects infected! I deleted the bratsk.exe file off of my Windows file in the C drive, but I am unable to remove it from system32; it says access denied under all users.

    What should my next steps be in solving this problem? I am in desperate need... I don't want to lose any important things from my computer. :(
  2. danielle1234

    danielle1234 TS Rookie Topic Starter

    I've been trying hard to follow the 8 steps, but the only one that is working right now is the Malwarebytes program. Nothing else on the list will download or run.

    I don't know what to do.
  3. danielle1234

    danielle1234 TS Rookie Topic Starter

    Okay! Just got SAS to run! Sweet!

    Will post logs in the AM... Will my computer be okay to remain on all night or should I shut down? I am afraid to lose things.
  4. emeraldhue

    emeraldhue TS Rookie


    Boot to safe mode.

    Delete karna.dat and brastk.exe in C:\Windows (or C:\WinNT) and C:\Windows\system32.

    Delete wini10###.exe in C:\Windows\system32.

    Replace beep.sys in C:\Windows\system32\drivers from a backup source or simply delete it. Make sure the good file does not exceed 10k.

    Delete the entire Antivirus 2009 folder in C:\Program Files.

    Remove the brastk string from the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

    Remove the Antivirus 2009 string from the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

    Modify the AppInit_DLLs string from the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows by removing karna.dat.

    Remove the Antivirus 2009 key (entire subfolder) from the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.

    Restart Windows normally.

    Reinstall your antivirus software.
  5. danielle1234

    danielle1234 TS Rookie Topic Starter

    Wow great!

    Just ran HJT and here is my log. Please let me know if I need to take any further action. This is after system restart in normal mode.

    Attached Files:

  6. rf6647

    rf6647 TS Maniac Posts: 829

    Things are still not right
    Post the 3 logs: MBAM, SAS, HJT (follow the sequence if possible)
  7. Gokuldas

    Gokuldas TS Rookie

    What is HJT

    Hi, I am really new to this world... Could you please tell me what HJT is, and what the log file contains?
  8. skein4

    skein4 TS Rookie Posts: 39

    It is the program Hijack This, and it checks your registry and reports a log of its findings.

    SAS is Super Anti Spyware. MBAM or MBW or MWBAM is Malwarebytes Anti-Malware. These are the three main programs these guys use to clean out your system.

    Read the "8 steps to virus removal" at the top of the security forum for the links and better explanations.
  9. Gokuldas

    Gokuldas TS Rookie

    Thanks for your support. I got the 8 steps now.
  10. emeraldhue

    emeraldhue TS Rookie


    Open your registry and locate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows. Make sure the AppInit_DLLs string does not contain karna.dat. Remove it from the string (do not delete the actual string) if otherwise.

    Open your command prompt and type:
    dir /od

    Your screen will scroll quickly, listing all of the files and subdirectories by date and time in ascending order. On the bottom of the list, you will see the most recent files. Post those file names containing dates listed within this week so that we can determine if those files are harmful.
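
An added example (not part of any post in this thread): a read-only PowerShell check for the leftovers emeraldhue lists in posts 4 and 10, so a cleanup can be verified without editing anything. It assumes PowerShell is available on the machine, that each # in wini10###.exe stands for one character, and that the Uninstall key is named exactly "Antivirus 2009".

```powershell
# Added example: read-only audit for the leftovers named in the thread. Changes nothing.
$win   = $env:SystemRoot
$sys32 = Join-Path $win 'System32'
$found = New-Object 'System.Collections.Generic.List[string]'

# Files from post 4. 'wini10???.exe' assumes each # stands for one character.
$patterns = 'karna.dat', 'brastk.exe' | ForEach-Object { Join-Path $win $_; Join-Path $sys32 $_ }
$patterns += Join-Path $sys32 'wini10???.exe'
foreach ($p in $patterns) {
    Get-ChildItem -Path $p -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $found.Add("File present: $($_.FullName)") }
}

# Post 4: a good beep.sys does not exceed 10k.
$beep = Get-Item (Join-Path $sys32 'drivers\beep.sys') -Force -ErrorAction SilentlyContinue
if ($beep -and $beep.Length -gt 10KB) {
    $found.Add("beep.sys is $($beep.Length) bytes, over the 10k limit given in post 4")
}

$avDir = Join-Path $env:ProgramFiles 'Antivirus 2009'
if (Test-Path $avDir) { $found.Add("Folder present: $avDir") }

# Run values whose name or data mentions brastk or Antivirus 2009.
$run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { ($_.Name -notlike 'PS*') -and ("$($_.Name) $($_.Value)" -match 'brastk|Antivirus 2009') } |
        ForEach-Object { $found.Add("Run value: $($_.Name) = $($_.Value)") }
}

# AppInit_DLLs is a space- or comma-separated list; only the karna.dat entry should go.
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
$entries = @("$appInit" -split '[ ,]+' | Where-Object { $_ })
if ($entries -like '*karna.dat') {
    $kept = @($entries -notlike '*karna.dat') -join ' '
    $found.Add("AppInit_DLLs lists karna.dat; value with only that entry removed: '$kept'")
}

$unKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus 2009'
if (Test-Path $unKey) { $found.Add("Uninstall key present: $unKey") }

if ($found.Count) { $found } else { 'None of the listed leftovers were found.' }

# Post 10's "dir /od", narrowed to the last 7 days: current directory, oldest first.
Get-ChildItem -Force | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    Sort-Object LastWriteTime | Select-Object LastWriteTime, Name
```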
  11. Gokuldas

    Gokuldas TS Rookie

    Not able to Run Hijack this

    I got the Hijack This program on my laptop (got infected files); the program is not running. But when I try to run it on my desktop (uninfected) it's running fine and producing the log file. On the laptop, if I go to Task Manager I am able to see Hijackthis.exe running on the Processes tab. Please help me out in getting the log file out from my laptop, which was infected by "Antivirus pro 2009" last week.
  12. rf6647

    rf6647 TS Maniac Posts: 829

    Gokuldas. Please open your own thread.

    In advance, my apology for not being able to fully understand your situation.

    Mflynn zipped scripts he created to hobble what appears to be your case.

    Script by mflynn, zipped, to zap the bug screwing update/download.

    Safe mode with networking may be necessary to obtain and update tools. If this does not work, this tends to confirm the need to unzip & use the scripts (above).
  13. danielle1234

    danielle1234 TS Rookie Topic Starter


    Logs are attached. Rebooted and so far, no weird things are happening.

    Here are the 3 requested logs. Please let me know what further steps I should take to make sure my system is purged of this terrible virus!

    Thanks so much for your help, this forum is great!
  14. rf6647

    rf6647 TS Maniac Posts: 829

    Thanks for the good news. Sharing progress and impressions helps us work to a happy ending.

    HJT - tick / Fix; User discretion.
    This may be the ISP. Other possibility is a relation to O4 below.
    Retain this only if used for a specific purpose to avoid firewall restrictions.
    This is handled by removing the application. User discretion.
    RunScanner supplied description of program
    You expressed a desire to be sure that the computer is rid of the infections. ComboFix can give us another view if you choose to use it.
    ComboFix instructions courtesy of Blind Dragon.
Topic Status:
Not open for further replies.
