Another braskt victim

By jeffstan · 24 replies
Nov 18, 2008
  1. Hey guys,
    I was hoping someone could help me. I recently received an awesome surprise in the form of the braskt.exe virus, and I can't seem to get rid of it. That seems to be all that was downloaded onto my computer before I was able to shut it off, since I don't see karna.dat or any Antivirus 2009 or whatever. I deleted the braskt.exe file from the system32 folder, since that's the only place I can find it. I turned it off in the startup section of msconfig, but it's still on there.
    I was only able to get to step 3 of the 8 steps.
    I can't run or install Malwarebytes, SuperAntiSpyware or HijackThis.
    So I don't have any logs to show or anything, so I'm really at a loss for what to do next.
    I'm running Windows XP with Service Pack 3.
    Anyway, I really hope someone can help me. Thank you in advance.

  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
  3. jeffstan

    jeffstan TS Rookie Topic Starter

    Hey man,
    thanks so much for getting back so soon.
    I was actually able to install HijackThis by renaming it, but it's not letting me attach or paste anything. It keeps saying I need 5 posts, so I guess I'll try that first.
  4. jeffstan

    jeffstan TS Rookie Topic Starter

    Adding third post
  5. jeffstan

    jeffstan TS Rookie Topic Starter

    Adding fourth post
  6. jeffstan

    jeffstan TS Rookie Topic Starter

    Adding fifth post
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    When you click post reply to this message, scroll down to the additional options section

    Click on the button that says manage attachments

    Click browse

    Navigate to the file and select open

    Then upload the file
  8. jeffstan

    jeffstan TS Rookie Topic Starter

    OK, now I can hopefully paste this thing. It still won't let me add attachments; it just freezes my computer and crashes Firefox. Sorry.
    So this is what it gave me.

    (Also, I didn't fix anything or do anything else after getting the log.)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:11:22 PM, on 11/18/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18241)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Alias\Maya6.5\docs\wrapper.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Alias\mentalraysatellite3.4\bin\raysatserver.exe
    C:\Program Files\Alias\Maya6.5\docs\jre\bin\java.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =;*.local
    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
    O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\downloads\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
    O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe
    O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - C:\Program Files\Alias\Maya6.5\docs\wrapper.exe
    O23 - Service: mental ray 3.5 Satellite (32-bit)
    O23 - Service: RaySat Server (RaySatServer) - Unknown owner - C:\Program Files\Alias\mentalraysatellite3.4\bin\raysatserver.exe
    O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\spm\spmdib.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    End of file - 5746 bytes
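A way to triage a log like the one above mechanically, as an added example written for this page (Python; it is not part of the thread and not HijackThis code): it parses the O4, O15, R1 and O23 lines, flags a Run key that launches a core Windows binary (which Windows never starts that way, and never from a system32 subfolder), flags a Trusted Zone wildcard, and lists lower-confidence items for hand review. The sample input is an excerpt of the log posted above; the rule set and the severity labels are this example's own, not HijackThis output.

```python
"""Triage a HijackThis log for a few high-signal persistence tricks.

Added example; not part of the thread and not HijackThis code. The rules
encode facts about Windows XP: svchost.exe and the other binaries listed
in CORE_SYSTEM32 live directly in the system32 folder (never in a
subfolder such as drivers) and are started by the service control
manager, never from a Run key; an O15 Trusted Zone entry for "*" puts
every site in Internet Explorer's Trusted zone.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpt of the HijackThis log posted in the thread. The ctfmon, rundll32
# and RCSCHED lines are ordinary and serve as negative controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O15 - Trusted Zone: http://*
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Core binaries that 32-bit Windows XP keeps only in %SystemRoot%\system32.
CORE_SYSTEM32 = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "smss.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<pattern>.+)$")
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<value>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First drive-letter path ending in an executable extension; spaces are allowed,
# so "C:\Program Files\...\RCSCHED.EXE -CHECK" yields the .EXE without "-CHECK".
PATH_RE = re.compile(r'([A-Za-z]:\\.+?\.(?:exe|dll|com|scr|bat|cmd))(?=[\s,"]|$)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high": act on it; "info": verify by hand
    code: str      # HijackThis section (O4, O15, R1, O23)
    reason: str
    line: str


def split_path(path: str) -> tuple[str, str]:
    """Return (directory, basename) of a Windows path, both lower-cased."""
    directory, _, basename = path.rpartition("\\")
    return directory.lower(), basename.lower()


def check_o4(line: str, m: re.Match) -> list[Finding]:
    """Run/RunOnce entry: a core system binary name is wrong wherever it points."""
    pm = PATH_RE.search(m["cmd"])
    if not pm:
        return []
    directory, basename = split_path(pm.group(1))
    if basename not in CORE_SYSTEM32:
        return []
    reason = f"{basename} is never started from a {m['hive']} {m['key']} key"
    if not directory.endswith("\\system32"):
        reason += f"; the real copy lives in system32, this one is in {directory}"
    return [Finding("high", "O4", reason, line)]


def check_o15(line: str, m: re.Match) -> list[Finding]:
    """Trusted Zone entry: a bare '*' host means every site."""
    host = m["pattern"].split("://", 1)[-1].rstrip("/")
    if host == "*":
        return [Finding("high", "O15", "every site is in the Trusted zone (relaxed IE security for all content)", line)]
    return [Finding("info", "O15", f"Trusted Zone entry {m['pattern']}: confirm it was added on purpose", line)]


def check_proxy(line: str, m: re.Match) -> list[Finding]:
    """IE proxy setting: any non-empty value deserves a look (traffic interception)."""
    value = m["value"].strip()
    if not value:
        return []
    return [Finding("info", "R1", f"IE proxy set to {value!r}: confirm it is yours", line)]


def check_o23(line: str, m: re.Match) -> list[Finding]:
    """Service with no recorded publisher: verify the binary by hand."""
    if m["owner"] != "Unknown owner":
        return []
    return [Finding("info", "O23", f"service {m['display']!r} has no publisher: verify {m['path']}", line)]


CHECKS = [(O4_RE, check_o4), (O15_RE, check_o15), (PROXY_RE, check_proxy), (O23_RE, check_o23)]


def triage(log: str) -> list[Finding]:
    """Run every check over the log and return the findings in log order."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        for pattern, check in CHECKS:
            m = pattern.match(line)
            if m:
                findings.extend(check(line, m))
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.code}: {f.reason}\n    {f.line}")
```

On the excerpt, the HKCU Run entry named SVCHOST.EXE that points at system32\drivers\svchost.exe and the O15 entry http://* come out as high; the Unknown-owner ATI service and the ProxyServer value come out as info for manual checking. It is a reading aid for logs, not a remover: it changes nothing on the machine.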
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    What I find interesting is how it looks just like the Mydoom worm from back in the day.

    Please move hijackthis from your downloads folder and make sure it is installed directly on the desktop.

    I know SDFix will remove this but it's a matter of whether you can run it.

    Download and Install SDFix
    • Download SDFix and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here
  10. jeffstan

    jeffstan TS Rookie Topic Starter

    Hey man,
    I tried every which way, but I can't download SDFix. I tried typing in the link, clicking on it, and "save link as", and nothing worked.
    Clicking on it opens a new window that gives me the "failed to connect" message in Firefox.
    Then "save link as" gives me an error that says the source file cannot be found.
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Do you have access to a non infected computer? If so, we can download all of the tools we need to there, then transfer them by burning the installers to CD, or using a thumb drive/ pen drive / usb stick

    We should get smitfraudfix, combofix, + sdfix if you do, if not let me know and we can try another route
  12. jeffstan

    jeffstan TS Rookie Topic Starter

    OK. I went ahead and removed some of the things I didn't recognize from HijackThis.
    That allowed me to install and run Malwarebytes finally, so I did that and removed 32 infected files.
    After that I tried the SDFix download again, and it worked this time. So I ran that, and now I have 3 logs I'll try and attach.
    The HijackThis log is from after I ran Malwarebytes and SDFix.
    OK, the SDFix report is too large a file size, so I can't attach that one.
  13. jeffstan

    jeffstan TS Rookie Topic Starter

    OK. I ran ComboFix also, then did a search with the SmitFraudFix program. These are the logs from those two.
    OK, so it keeps freezing again when I try to attach the SmitFraudFix log, so I'll just paste it.

    SmitFraudFix v2.375

    Scan done at 21:31:22.23, Tue 11/18/2008
    Run from C:\Documents and Settings\macine_theater\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Alias\Maya6.5\docs\wrapper.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Alias\Maya6.5\docs\jre\bin\java.exe
    C:\Program Files\Alias\mentalraysatellite3.4\bin\raysatserver.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    »»»»»»»»»»»»»»»»»»»»»»»» C:\

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\macine_theater

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MACINE~1\LOCALS~1\Temp

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\macine_theater\Application Data

    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MACINE~1\FAVORI~1

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "FriendlyName"="My Current Home Page"

    »»»»»»»»»»»»»»»»»»»»»»»» o4Patch
    !!!Attention, following keys are not inevitably infected!!!

    Credits: Malware Analysis & Diagnostic
    Code: S!Ri

    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    Credits: Malware Analysis & Diagnostic
    Code: S!Ri

    »»»»»»»»»»»»»»»»»»»»»»»» VACFix
    !!!Attention, following keys are not inevitably infected!!!

    Credits: Malware Analysis & Diagnostic
    Code: S!Ri

    »»»»»»»»»»»»»»»»»»»»»»»» 404Fix
    !!!Attention, following keys are not inevitably infected!!!

    Credits: Malware Analysis & Diagnostic
    Code: S!Ri

    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

    »»»»»»»»»»»»»»»»»»»»»»»» RK

    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: VIA Compatable Fast Ethernet Adapter - Packet Scheduler Miniport
    DNS Server Search Order:
    DNS Server Search Order:

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{222FDD1B-9A0C-4089-952F-46A367E59D30}: DhcpNameServer=
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{36928805-F5B5-4474-9741-ADC98052F68C}: DhcpNameServer=
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{947FB6EB-75DE-473A-BF4F-965369B2017F}: DhcpNameServer=
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{222FDD1B-9A0C-4089-952F-46A367E59D30}: DhcpNameServer=
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{36928805-F5B5-4474-9741-ADC98052F68C}: DhcpNameServer=
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{947FB6EB-75DE-473A-BF4F-965369B2017F}: DhcpNameServer=
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{222FDD1B-9A0C-4089-952F-46A367E59D30}: DhcpNameServer=
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{36928805-F5B5-4474-9741-ADC98052F68C}: DhcpNameServer=
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{947FB6EB-75DE-473A-BF4F-965369B2017F}: DhcpNameServer=
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

    »»»»»»»»»»»»»»»»»»»»»»»» End
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Run CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply


    After this run through the 8 step process, and make sure to follow the part about Java Runtime, then delete all old versions.

    I am going to bed, will check logs when I wake up
  15. jeffstan

    jeffstan TS Rookie Topic Starter

    OK, thanks man.
    I did that, and this is the log it gave back.
    Also, I'm not sure if it's related, but after the computer rebooted while running ComboFix, the internet stopped working (I'm on my work computer right now).
    It was working fine before; then after the restart, nothing.
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    That is strange; there was nothing removed that should have affected your internet.

    Go to start -> run -> type combofix /u

    Let it uninstall itself, and see if your internet comes back.
  17. jeffstan

    jeffstan TS Rookie Topic Starter

    OK, I'll try that. Thanks man.
    I did have another question you might know. Whenever I restart Windows now, it keeps asking me if I want to start in normal mode or Windows setup mode. It gives me like 4 seconds to choose, and if I don't choose normal mode the computer just restarts itself. Do you happen to know how to get it to stop doing that and just start in normal mode every time?
  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    This might be part of the problem,

    # Click Start and Run.
    # In the Run dialog box, type msconfig and then click OK.
    # In the System Configuration Utility, on the BOOT.INI tab, uncheck /SAFEBOOT.
    # Click OK.
    # When you are asked to restart the computer, click Restart.
  19. jeffstan

    jeffstan TS Rookie Topic Starter

    OK. I was able to walk my wife through some of this over the phone since I'm still at work. I think I figured out the internet problem: the drivers were uninstalled somehow on my Ethernet card, so I updated those.
    As for the System Configuration Utility, all the boxes under BOOT.INI are unchecked, but they are also all greyed out, like I don't have admin privileges or something, even though I do. And it's still asking which mode I want to use every time the computer starts up.
    Though I was slightly mistaken before.
    The options it gives are for:
    "windows recovery control" (I think)
    "windows home edition"
    "windows set up"

    I just choose home edition every time.
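The msconfig BOOT.INI tab in the instructions above is a front end for the boot.ini file in the root of the system drive, and the three-entry menu the poster describes is what such a file produces when a Recovery Console entry and a Setup entry sit beside the real installation. As an added example, not from the thread: a Python script that parses a boot.ini, reports a /SAFEBOOT switch and any boot-sector entry that is not the Recovery Console, and strips the switch the way the msconfig checkbox would. The boot.ini text below is constructed for the example, not taken from the poster's machine, and the heuristics are the example's own.

```python
"""Inspect and repair a Windows XP boot.ini.

Added example; not from the thread. The msconfig BOOT.INI tab is a front
end for this file, so the script does the same job on the text: report a
/SAFEBOOT switch, report boot-sector entries (Recovery Console, leftover
Setup) beside the real installation, and strip the switch. The boot.ini
below is constructed for the example; its heuristics are the example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=4
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /safeboot:minimal
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
C:\$WIN_NT$.~BT\BOOTSECT.DAT="Microsoft Windows XP Setup"
"""

# <ARC path or boot-sector file>="<menu label>" [switches...]
ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<label>[^"]*)"(?P<switches>.*)$')


@dataclass
class BootEntry:
    path: str
    label: str
    switches: list[str]


@dataclass
class BootConfig:
    timeout: int | None = None
    default: str | None = None
    entries: list[BootEntry] = field(default_factory=list)


def parse_boot_ini(text: str) -> BootConfig:
    """Parse the [boot loader] and [operating systems] sections."""
    cfg = BootConfig()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key == "timeout":
                cfg.timeout = int(value)
            elif key == "default":
                cfg.default = value
        elif section == "operating systems":
            m = ENTRY_RE.match(line)
            if m:
                cfg.entries.append(BootEntry(m["path"].strip(), m["label"], m["switches"].split()))
    return cfg


def issues(cfg: BootConfig) -> list[str]:
    """Human-readable problems, in entry order."""
    out: list[str] = []
    for e in cfg.entries:
        switches = [s.lower() for s in e.switches]
        safeboot = [s for s in switches if s.startswith("/safeboot")]
        if safeboot:
            out.append(f"{e.label!r} boots into Safe Mode every time ({' '.join(safeboot)})")
        # Heuristic: a BOOTSECT.DAT entry without /cmdcons is not an installation.
        if e.path.upper().endswith("BOOTSECT.DAT") and "/cmdcons" not in switches:
            out.append(f"{e.label!r} is a boot-sector entry, not a Windows installation; "
                       "typically left behind by an interrupted Setup")
    if cfg.default and all(e.path != cfg.default for e in cfg.entries):
        out.append("default= names no listed entry")
    if len(cfg.entries) > 1:
        out.append(f"{len(cfg.entries)} entries: the boot menu is shown for {cfg.timeout}s "
                   f"at every start, then default= ({cfg.default}) runs")
    return out


def strip_safeboot(text: str) -> str:
    """Return the boot.ini text with every /safeboot[:mode] switch removed."""
    return re.sub(r"\s+/safeboot(?::\S+)?", "", text, flags=re.IGNORECASE)


if __name__ == "__main__":
    for problem in issues(parse_boot_ini(SAMPLE_BOOT_INI)):
        print("-", problem)
    print(strip_safeboot(SAMPLE_BOOT_INI))
```

boot.ini carries the read-only, hidden and system attributes, so clear them first (attrib -r -s -h C:\boot.ini), keep a copy of the original, and write the stripped text back; a leftover Setup entry is removed by deleting its line, with default= still naming the real installation.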
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Sounds like some system files may have been corrupted. You could try the Windows Recovery Console; it may or may not replace the corrupted system files. If you have a Windows CD, I can walk you through replacing the corrupted files from the CD.

    The Recovery Console will attempt to replace the corrupted files from a separate folder on the drive, where copies are saved. As long as those copies have also not been corrupted, it should work. We still may need the Windows disk though.
  21. jeffstan

    jeffstan TS Rookie Topic Starter

    Hey man,
    sorry it took me so long to get back.
    But I think I may have totally destroyed my hard drive. Last night I got the internet working again and was working on the startup problem. Each time I tried to start up the Recovery Console or load the actual recovery CD, the computer would crash and say there was a problem with the file ntfs.sys.
    So, stupid me, thinking I could outsmart the computer, I just copied the ntfs.sys file from my Windows recovery CD and replaced the 'damaged' one on my hard drive. Then I restarted, and now my computer won't boot up at all. I can't get into Safe Mode or Last Known Good Configuration, and the recovery CD only takes me as far as the ntfs.sys error page.
    So I'm at a loss now. I figure I'm just going to get a new hard drive now, try and save my files from the other one, then wipe that one clean.
    Anyway, I just wanted to say thank you very much for your help. I really appreciate it. What you guys do on here is fantastic.
  22. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    No, print this out and follow it exactly

    1. Use the Windows XP startup disks or the Windows XP CD to restart your computer.

    2. When the "Welcome to Setup" screen appears, press R to select the To repair a Windows XP installation using Recovery Console, press R option.

    3. Type the number of the Windows installation that you want to access from the Recovery Console, and then press ENTER.

    4. Type the administrator password when you are prompted, and then press ENTER. If no administrator password exists, just press ENTER.

    5. At the command prompt, type the following commands (press ENTER after each command):
    cd \windows\system32\drivers

    ren ntfs.sys ntfs.old

    Note This step renames the corrupted Ntfs.sys file to Ntfs.old. If the Ntfs.sys file is not found, the file is missing.

    6. At the command prompt, type the following command, and then press ENTER:
    copy cd:\i386\ntfs.sys drive:\windows\system32\drivers

    Where cd is the drive letter for the CD-ROM drive that contains the Windows XP CD, and drive is the drive where you installed Windows XP.

    7. Remove the Windows XP CD from your CD-ROM drive, type quit at a command prompt, and then press ENTER to quit the Recovery Console.

    8. Restart the computer.
  23. jeffstan

    jeffstan TS Rookie Topic Starter

    I can't get to the "Welcome to Setup" screen (I don't think; it says "Welcome to Windows" at the beginning, but there's no options or anything).
    When I try to boot using the Windows CD, it loads up at first and downloads a bunch of files at the bottom. Then it says "Starting up Windows", then it just goes to the error page.
    The only option I get before that is to press F6 for RAID drivers or some such.
  24. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    2. When the "Welcome to Setup" screen appears, press R to select the To repair a Windows XP installation using Recovery Console, press R option.

    when it says welcome to windows try to press 'R'

    When you reboot your computer - try tapping the button to enter setup - usually del, f1, or f2

    then use the arrows to go to boot section, and make sure the primary boot device is set to your cd-rom, then press f10 to save and exit
  25. jeffstan

    jeffstan TS Rookie Topic Starter

    Yeah, I have it set up to boot from the CD-ROM first.
    OK. I'll try again when I get home tonight. Thanks man.
Topic Status:
Not open for further replies.
