Help! Another Bratsk.exe victim


danielle1234

I know there are a lot of threads on this, but I am very lost and really need help.

The last thing I recall was my Spybot popping up and asking if I wanted to change the registry to add bratsk.exe. I of course said NO! and lo and behold, it didn't matter at that point. Now I can't run any spyware programs, install anything, or even reach any web pages that have to do with the spyware tools you have requested.

The good news is that I was able to download and install Malwarebytes Anti-Malware. It is currently running and has found no objects infected! I deleted the bratsk.exe file from my Windows folder on the C drive, but I am unable to remove it from the system32 folder; it says access denied under all users.

What should my next steps be in solving this problem? I am in desperate need. I don't want to lose any important things from my computer. :(
 
I've been trying hard to follow the 8 steps, but the only one that is working right now is the Malwarebytes program. Nothing else on the list will download or run.

I don't know what to do.
 
Okay! Just got SAS to run! Sweet!

Will post logs in the AM. Will my computer be okay to remain on all night, or should I shut down? I am afraid to lose things.
 
THE SOLUTION

Boot to safe mode.

Delete karna.dat and brastk.exe in C:\Windows (or C:\WinNT) and C:\Windows\system32.

Delete wini10###.exe in C:\Windows\system32.

Replace beep.sys in C:\Windows\system32\drivers from a backup source or simply delete it. Make sure the good file does not exceed 10k.

Delete the entire Antivirus 2009 folder in C:\Program Files.

Remove the brastk string from the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Remove the Antivirus 2009 string from the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Modify the AppInit_DLLs string from the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows by removing karna.dat.

Remove the Antivirus 2009 key (entire subfolder) from the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.

Restart Windows normally.

Reinstall your antivirus software.
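A read-only audit of the indicators listed in the steps above, written for this reply as an added example rather than a script from the thread or from any of the tools it names. It assumes a Windows install whose system root is in $env:SystemRoot, and only reports; it deletes nothing. It also lists system32 files modified in the last 7 days, the same check the "dir /od" instruction later in the thread asks for.

```powershell
# Added example: audit the indicators named in the removal steps (reports only, changes nothing).
# Run from an elevated PowerShell prompt, in normal or safe mode.
$indicators = @('brastk', 'karna.dat', 'Antivirus 2009')
$findings   = @()
$winDir     = $env:SystemRoot

# 1. Leftover files in the Windows and system32 directories
foreach ($dir in @($winDir, "$winDir\system32")) {
    foreach ($name in @('brastk.exe', 'karna.dat')) {
        $p = Join-Path $dir $name
        if (Test-Path $p) { $findings += "file present: $p" }
    }
}
Get-ChildItem "$winDir\system32" -Filter 'wini10*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "file present: $($_.FullName)" }

# 2. beep.sys size check (the thread says a clean copy should not exceed 10k)
$beep = Join-Path $winDir 'system32\drivers\beep.sys'
if ((Test-Path $beep) -and ((Get-Item $beep).Length -gt 10KB)) {
    $findings += "beep.sys is $((Get-Item $beep).Length) bytes, larger than expected"
}

# 3. Antivirus 2009 folder under Program Files
$avDir = Join-Path $env:ProgramFiles 'Antivirus 2009'
if (Test-Path $avDir) { $findings += "folder present: $avDir" }

# 4. Run values whose name or command line mentions an indicator (PS* properties are PowerShell metadata, skipped)
$run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in ($run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        foreach ($ind in $indicators) {
            if ("$($prop.Name) $($prop.Value)" -like "*$ind*") { $findings += "Run value '$($prop.Name)' = $($prop.Value)" }
        }
    }
}

# 5. AppInit_DLLs must not reference karna.dat (the value itself is legitimate and stays)
$appInit = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit -and ($appInit -like '*karna.dat*')) { $findings += "AppInit_DLLs = $appInit" }

# 6. Uninstall key left behind by the rogue program
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus 2009'
if (Test-Path $uninst) { $findings += "Uninstall key present: $uninst" }

if ($findings.Count -eq 0) { 'No indicators from the thread found.' } else { $findings }

# Recently modified files in system32, newest last (PowerShell equivalent of "dir /od" filtered to this week)
Get-ChildItem "$winDir\system32" -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    Sort-Object LastWriteTime | Select-Object LastWriteTime, Length, Name
```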
 
Wow great!

Just ran HJT and here is my log. Please let me know if I need to take any further action. This is after system restart in normal mode.
 

Attachment: hijackthis.log (14.8 KB)
Things are still not right
O20 - AppInit_DLLs: karna.dat

The F-Secure processes that are running make for an extremely long list.

Post the 3 logs: MBAM, SAS, HJT (follow the sequence if possible)
 
What is HJT?

Wow great!

Just ran HJT and here is my log. Please let me know if I need to take any further action. This is after system restart in normal mode.

Hi, I am really new to this world. Could you please tell me what HJT is, and what the log file contains?
 
It is the program Hijack This, and it checks your registry and reports a log of its findings.

SAS is SuperAntiSpyware. MBAM or MBW or MWBAM is Malwarebytes Anti-Malware. These are the three main programs these guys use to clean out your system.

Read the "8 steps to virus removal" at the top of the security forum for the links and better explanations.
 
danielle1234,

Open your registry and locate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows. Make sure the AppInit_DLLs string does not contain karna.dat. Remove it from the string (do not delete the actual string) if otherwise.

Open your command prompt and type:
cd\windows\system32
dir /od

Your screen will scroll quickly, listing all of the files and subdirectories by date and time in ascending order. On the bottom of the list, you will see the most recent files. Post those file names containing dates listed within this week so that we can determine if those files are harmful.
 
Not able to Run Hijack this

It is the program Hijack This, and it checks your registry and reports a log of its findings.

SAS is SuperAntiSpyware. MBAM or MBW or MWBAM is Malwarebytes Anti-Malware. These are the three main programs these guys use to clean out your system.

Read the "8 steps to virus removal" at the top of the security forum for the links and better explanations.

I got the HijackThis program on my laptop (it has infected files), but the program is not running. When I try to run it on my desktop (uninfected) it runs fine and produces the log file. On the laptop, if I go to Task Manager I am able to see Hijackthis.exe running on the Processes tab. Please help me out in getting the log file off my laptop, which was infected by "Antivirus Pro 2009" last week.
 
Gokuldas. Please open your own thread.

In advance, my apology for not being able to fully understand your situation.

Mflynn zipped scripts he created to hobble what appears to be your case.

Attachment: script by mflynn, zipped, to zap the bug that is screwing up update/download.

Safe mode with networking may be necessary to obtain and update tools. If this does not work, this tends to confirm the need to unzip and use the scripts (above).
 
UPDATE:

Logs are attached. Rebooted and so far, no weird things are happening.

Here are the 3 requested logs. Please let me know what further steps I should take to make sure my system is purged of this terrible virus!

Thanks so much for your help, this forum is great!
 
Thanks for the good news. Sharing progress and impressions helps us work to a happy ending.

HJT - tick / Fix; User discretion.
This may be the ISP. Other possibility is a relation to O4 below.
Retain this only if used for a specific purpose to avoid firewall restrictions.
O15 - Trusted Zone: http:// * . trymedia.com (HKLM) whois= RealNetworks, Seattle CA; Does not appear on blacklists

This is handled by removing the application. User discretion.
RunScanner supplied description of program
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf

You expressed a desire to be sure that the computer is rid of the infections. ComboFix can give us another view if you chose to use it.
ComboFix instructions courtesy of Blind Dragon.
 