TechSpot

Started off with brave sentry

By lalesperance
May 29, 2008
  1. All of a sudden BraveSentry popped up on my computer. I closed out of it and deleted it from Program Files... A couple of minutes later, the blue screen of death popped up for one second and my comp restarted. After that Task Manager could not be opened and I could not do anything. Even in Safe Mode nothing could be run. Explorer would not even open, so it would just show the background when started up no matter what I do. I have files on this comp that I don't want to lose. Is there anything anyone can do to help? I cannot even run HijackThis or anything. Now my CD-ROM drive has been shut off. The only thing I can do is start up in command-prompt Safe Mode and look around in the command window...
    Any suggestions?
    =/


    Lucas
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    This is a pain as it runs even in Safe Mode, but I removed it plenty of times a while back.

    From the command prompt, type explorer.exe

    or

    When sitting at the blank background, try hitting the Windows key on your keyboard + R at the same time. In the box that pops up type explorer.exe and hit Enter.

    If we can get Windows up we need to run a few tools, and get you a different browser, as IE is the reason you have this now. You should have been using Firefox or Opera.
     
  3. lalesperance

    lalesperance TS Rookie Topic Starter

    OK. Once I do that, what are the tools I need? I actually monkeyed around and got Lavasoft Ad-Aware to scan. It found:
    Win32.trojan.downloader.t.bs
    Win32.worm.zhelatin
    win32.trojanspy.peed
    win32.backdoor.agent
    virtumonde
    bravesentry.

    The reason I was using IE (which is sad) is because my Firefox went to update and it messed up in the middle, and won't uninstall or install. I can't even delete the Mozilla folder. So that is a problem in itself, which is not a concern just yet, as you can see.
    If you have any ideas, I would much appreciate it.
    Thanks,
    Lucas
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    The BraveSentry infection is typically installed with quite a few other pieces of malware. I advise that you follow the instructions in the preliminary removal guide in order to have your computer fully cleaned after we run this tool.

    Go to http://www.techspot.com/vb/topic58138.html

    Go to step 10

    Download tool 1, SmitFraudFix by S!Ri.

    Boot into Safe Mode and run the tool, selecting option 2.

    After it runs Disk Cleanup, then...

    It asks "Do you want to clean the registry ? (y/n)": answer Y.

    It says "Computer will reboot now. Close all applications.": press the spacebar.

    Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer

    Attach this log here. And we can go from there
     
  5. lalesperance

    lalesperance TS Rookie Topic Starter

    This is what SmitFraudFix says (the text file):

    SmitFraudFix v2.323
    Scan done at 20:10:46.85, Sun 06/01/2008
    Run from C:\SmitFraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] Windows_NT
    The filesystem type is NTFS
    Fix Run in safemode

    >>>>>>>>>SharedTaskScheduler Before SmitFraudFix
    !!! ATTENTION, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskSchedulers.dll

    >>>>>> Killing Process
    >>>>>> HOSTS
    >>>>>> VACFIX

    VacFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri
    >>>>>> Winsock2Fix
    S!Ri's WS2Fix: LSP not found.

    >>>>>> GenericRenosFix by S!Ri
    >>>>>> Deleting infected files



    C:\windows\xpupdate.exe deleted
    C:\windows\system32\svhost.dll deleted
    C:\windows\system32\wininet.exe deleted
    C:\Documents and Settings\hi\Application Data\install.dat deleted


    >>>>>> IEDFix
    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    >>>>>> 404FIX
    404Fix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri

    >>>>>> DNS
    >>>>>> Deleting temp files
    >>>>>> winlogon.system
    !!! Attention, Following keys are not inevitably infected!!!
    SrchSTS.exe by S!Ri
    Search SharedTaskSchedulers.dll

    >>>>>> Reboot

    C:\windows\system32\kdns.exe Deleted

    [HKEY_Local_Machine\software\microsoft\windows NT\Currentversion\winlogon] "system"=""

    >>>>>> END






    That is what that program found.

    Lucas
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Can you download HijackThis for me as well and attach a log.

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
     
  7. lalesperance

    lalesperance TS Rookie Topic Starter

    Here is my HJT log.

    Logfile of Trend Micro HijackThis v2.0.2
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Safe mode

    Running processes:
    C:\windows\system32\smss.exe
    C:\windows\system32\csrss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\system32\svchost.exe
    C:\program files\lavasoft\ad-aware\aawservice.exe
    C:\windows\system32\svchost.exe
    C:\windows\system32\cmd.exe
    C:\program files\trend micro\hijackthis\hijackthis.exe
    c:\windows\system32\wbem\wmiprvse.exe

    R1 - HKCU\software\microsoft\windows\currentversion\internet settings,ProxyOverride = *.local
    F2 - REG:system.ini: UserInit=c:\windows\system32\drivers\ctfmon.exe
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 8.0\acrobat\acroIEFavClient.dll
    O4 - HKLM\..\Run: [TkBellExe] "c:\program files\common files\real\update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ntuser] C:\windows\system32\drivers\ctfmon.exe
    O4 - HKLM\..\Run: [autoload] c:\documents and settings\localservice\local settings\application data\spool.exe
    O4 - HKLM\..\Run: [DriveSystem] c:\windows\system32\maxpaynowtil.exe
    O4 - HKLM\..\Run: [SystemDrive] c:\windows\system32\maxpaynow1.exe
    O4 - HKLM\..\Run: [taskmon] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [advap32] "c:\docume~1\derrick\locals~1\temp\6.tmp" /r
    O4 - HKLM\..\Run: [c:\windows\system32\kdns.exe] c:\windows\system32\kdns.exe
    O4 - HKLM\..\Run: [avg8_tray] c:\progra~1\avg\avg8\avgtray.exe
    O4 - HKLM\..\Run: [kernelfaultcheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [nvcpldaemon] RUNDLL32.exe c:\windows\system32\nvcpl.dll,nvstartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ehtray] c:\windows\ehome\ehtray.exe
    O4 - HKLM\..\Run: [srfirstrun] rundll32 srclient.dll,CreateFirstRunRp
    O4 - HKLM\..\Run: [ntuser] c:\windows\system32\drivers\ctfmon.exe
    O4 - HKLM\..\Run: [autoload] C:\documents and settings\derrick\local settings\application data\spool.exe
    O4 - HKLM\..\Run: [herjek] c:\windows\herkek.exe
    O4 - HKLM\..\Run: [windows update loader] c:\windows\xpupdate.exe
    O4 - HKLM\..\Run: [bravesentry] c:\program files\bravesentry\bravesentry.exe
    O4 - HKLM\..\Run: [service pack 1] c:\windows\system32\vedxg6ame4.exe
    O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\windows\system32\drivers\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [autoload] c:\documents and settings\local service\local settings\application data\spool.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [firewall auto setup] c:\windows\temp\winlogon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ntuser] c:\windows\system32\drivers\ctfmon.exe (User 'Default user')
    O4 - Startup: shortcut to yzdock.lnk = c:\y.z_dock_61995\yzdock.exe
    O4 - Global Startup: Post-it software notes.lnk = c:\program files\3m\psnlite\psnlite.exe
    O8 - Extra context menu item: Append to existing PDF - res://c:\program files\adobe\acrobat 8.0\acrobat\acroiefavclient.dll/acroappend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://c:\program files\adobe\acrobat 8.0\acrobat\acroiefavclient.dll/acroiecapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://c:\program files\adobe\acrobat 8.0\acrobat\acroiefavclient.dll/acroiecapture.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://c:\program files\adobe\acrobat 8.0\acrobat\acroiefavclient.dll/acroiecapture.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://c:\program files\adobe\acrobat 8.0\acrobat\acroiefavclient.dll/acroiecapture.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://c:\program files\adobe\acrobat 8.0\acrobat\acroiefavclient.dll/acroiecapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://c:\program files\adobe\acrobat 8.0\acrobat\acroiefavclient.dll/acroiecapture.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://c:\program files\adobe\acrobat 8.0\acrobat\acroiefavclient.dll/acroiecapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\progra~1\micros~2\office12\ONBttnIE.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\program files\java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - c:\progra~1\micros~2\office12\onbttnie.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - c:\progra~1\micros~2\office12\refiebar.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 control) - http://65.116.9.103/kxhcm10.ocx
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader object) - http://myspace.oberon-media.com/gam...8a4f52bf9/online/astropop/popcaploader_v6.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - c:\program files\lavasoft\ad-aware\aawservice.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - c:\progra~1\avg\avg8\avgwdsvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - c:\program files\common files\macrovision shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: HCEG - Unknown owner - c:\docume~1\derrick\locals~1\temp\HCEG.exe (file missing)
    O23 - Service: MNS Framework (MSNFramework) - Unknown owner - c:\windows\system32\mnsframework.exe
    O23 - Service: Network DDE NetDDEUPS (NetDDEUPS) - Unknown owner - c:\windows\system32\advapi32h.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSVC) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe

    --
    End of file - 6632 bytes
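A HijackThis log like the one above is read by eye: O4 (Run key) entries pointing into temp or profile directories, Windows binary names sitting in the wrong directory (ctfmon.exe under system32\drivers, winlogon.exe under windows\temp), value names dressed up as "service pack 1" or "firewall auto setup", and O23 services with no vendor whose file is already gone. The Python script below is an added example, not code from this thread, from HijackThis or from SmitFraudFix; it applies those same eyeballing heuristics mechanically to a constructed subset of the posted log (respelled to the real "O4"/"O23" prefixes). The SYSTEM32_ONLY and LURE_NAMES lists are the example's own assumptions, and it deliberately does not flag bravesentry.exe or kdns.exe, which look wrong only by name or by a scanner's verdict rather than by where or how they run.

```python
import re

# Binaries that, on Windows XP, legitimately live only in %SystemRoot%\system32.
# The posted log shows these names running from other directories. (Example's own list.)
SYSTEM32_ONLY = {"winlogon.exe", "ctfmon.exe", "svchost.exe", "lsass.exe", "csrss.exe"}

# Run-value names malware picks to pass as an OS component. (Example's own heuristic list.)
LURE_NAMES = ("service pack", "windows update", "firewall", "security update")

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", re.I)
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<rest>.*)$", re.I)
# First drive-letter path ending in an executable-ish extension, quoted or not.
PATH_RE = re.compile(r"[a-z]:\\[^\"]*?\.(?:exe|dll|tmp|scr|com|bat)\b", re.I)

# Constructed sample: a subset of the O4/O23 lines from the log posted above,
# respelled to the real HijackThis prefixes ("O4", not "04").
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ntuser] C:\windows\system32\drivers\ctfmon.exe
O4 - HKLM\..\Run: [autoload] c:\documents and settings\derrick\local settings\application data\spool.exe
O4 - HKLM\..\Run: [advap32] "c:\docume~1\derrick\locals~1\temp\6.tmp" /r
O4 - HKLM\..\Run: [bravesentry] c:\program files\bravesentry\bravesentry.exe
O4 - HKLM\..\Run: [service pack 1] c:\windows\system32\vedxg6ame4.exe
O4 - HKLM\..\Run: [nvcpldaemon] RUNDLL32.exe c:\windows\system32\nvcpl.dll,nvstartup
O4 - HKUS\S-1-5-18\..\Run: [firewall auto setup] c:\windows\temp\winlogon.exe (User 'SYSTEM')
O23 - Service: HCEG - Unknown owner - c:\docume~1\derrick\locals~1\temp\HCEG.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSVC) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
"""


def first_path(text):
    """Return the first executable path in a Run command or service line, or None."""
    m = PATH_RE.search(text)
    return m.group(0) if m else None


def suspicious_reasons(name, path, owner=None, missing=False):
    """Apply the eyeballing heuristics a helper uses on an HJT log; return the reasons that fire."""
    reasons = []
    norm = path.lower()
    directory, _, base = norm.rpartition("\\")
    if "\\temp\\" in norm or norm.endswith(".tmp"):
        reasons.append("runs from a temp directory")
    if "\\application data\\" in norm or "\\applic~1\\" in norm:
        reasons.append("runs from a user profile data directory")
    if base in SYSTEM32_ONLY and not directory.endswith("\\windows\\system32"):
        reasons.append(f"{base} outside system32 (masquerading)")
    if any(lure in name.lower() for lure in LURE_NAMES):
        reasons.append("entry name mimics a Windows component")
    if owner is not None and owner.lower() == "unknown owner":
        reasons.append("service has no vendor information")
    if missing:
        reasons.append("registered but file missing")
    return reasons


def triage(log_text):
    """Parse O4 (Run keys) and O23 (services) lines; return entries with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            path = first_path(m.group("cmd"))
            if path is None:
                continue
            reasons = suspicious_reasons(m.group("name"), path)
            kind, name = "run", m.group("name")
        else:
            m = O23_RE.match(line)
            if not m:
                continue
            path = first_path(m.group("rest"))
            if path is None:
                continue
            missing = "(file missing)" in m.group("rest").lower()
            reasons = suspicious_reasons(m.group("display"), path, m.group("owner"), missing)
            kind, name = "service", m.group("display")
        if reasons:
            findings.append({"kind": kind, "name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:7} [{f['name']}] {f['path']}")
        for r in f["reasons"]:
            print(f"         - {r}")
```

On the sample this flags six of the nine entries (ntuser, autoload, advap32, service pack 1, firewall auto setup, HCEG) and correctly leaves the NVIDIA entries alone. The two misses, bravesentry.exe in its own Program Files folder and kdns.exe in system32, are the point of the caveat: location heuristics narrow the list, but the rogue itself and a dropper that lands in system32 still need the scanner verdict or a name lookup that the thread's helper supplies by hand.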
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908
