Spyware attack messed my desktop "Help"

Ok I ran the tool but that grom something wasn't found in my system, but it said this at the end of the scan;

"Scan finished normally
For a detailed log, please refer to \gromozon_removal.log"

Shall I run the ccleaner instead?
 
Ok, here are the manual removal instructions.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

bravesentry.exe
vxgamet[X2].exe
vxh8jkdq[X2].exe

win32.exe
xpupdate.exe
alg.exe

kerneles8.exe
maxd64.exe
taskdir.exe

voi[X1].exe
vxgame[X2].exe
dxvwabxj.exe


Close task manager.

Click start/run, type regedit into the run box and press the enter key. Maximise the window, then navigate to and delete the following registry keys in the righthand pane.

HKEY_CURRENT_USER\software\bravesentry

HKEY_CURRENT_USER\software\bravesentry\scan

HKEY_CURRENT_USER\software\bravesentry\systemsecurity

HKEY_CURRENT_USER\software\bravesentry\updates

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runbravesentry

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bravesentry
BraveSentry

Close regedit.

Click start/run and type regsvr32 /u bravesentry0.dll and press the enter key. Do this for all the following files.

bravesentry1.dll
bravesentry2.dll
bravesentry3.dll

comdlg64.dll
msupdate32.dll
tio[X1].dll

winbixnkq32.dll
zlbw.dll

Next, locate and delete the following files if found.

bravesentry.exe
vxgamet[X2].exe
vxh8jkdq[X2].exe

win32.exe
xpupdate.exe
bravesentry0.dll

bravesentry1.dll
bravesentry2.dll
bravesentry3.dll

comdlg64.dll
msupdate32.dll
tio[X1].dll

winbixnkq32.dll
zlbw.dll

kerneles8.exe
maxd64.exe


taskdir.exe
voi[X1].exe
vxgame[X2].exe

desktop.html
Explorer 2238
dxvwabxj.exe

BraveSentry
BraveSentry.lnk

Run Ccleaner after you`re finished and post a fresh HJT log.

Regards Howard :)

This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Ok I did all of that, but when I typed "regsvr32 /u bravesentry0.dll" it said "the specified module couldn't be found"

Then I ran ccleaner. I don't quite get it, especially when I click on "issues" and run scan, all I get are unused/deleted extensions and programs. Shall I fix the suspicious stuff?

And When I ran the "Cleaner" and scanned some items , this is what I got (example)

http://www.sendspace.com/file/fa4x1l

(I had to upload it elsewhere cuz of the attach size limit)

Finally my new hijackthis log file.
 
It doesn`t matter that some files cannot be found during the manual removal process. In fact this is to be expected. Did you complete the removal instructions? If not, you should do so and don`t worry if you can`t find some of the items listed.

You need to run Ccleaner as per the instructions, that means let Ccleaner delete everything it finds, both the clean up and the issues.

Your HJT log is clean.

How`s your system running?

Regards Howard :)

 
Yes I did everything you asked me to, I even ran the system on safe mode to make sure nothing's hiding somewhere!

As for the ccleaner, it kinda worries me a bit cuz when I check the "windows tab" "advanced" something like "windows size/location cache", it warns me that I might lose some data if I check it! And now you're telling me to check everything and delete whatever it finds, are you sure I won't damage anything if I take such action?

My system is running well actually, except for when I check the task manager, there are some weird processes running like;

"Alg.exe , winlogon.exe , system"

Are these dangerous? I know alg.exe is but what about the others?

Also my desktop (icons in particular) is still lookin weird (attachment)!that's all that bothers me right now , but I'm guessing it has something to do with that spyware attack disabling the desktop options I mentioned before, the object policy thing! is there any way I get it back and control my desktop options again?
 
Also my desktop (icons in particular) is still lookin weird (attachment)!that's all that bothers me right now , but I'm guessing it has something to do with that spyware attack disabling the desktop options I mentioned before, the object policy thing! is there any way I get it back and control my desktop options again?

i have the same processes running. and by the look of the desktop items, it looks as if they are locked. to unlock right click on a clear space on your desktop, select 'arrange icon by', then untick, 'lock web items on desktop'.
 
Really? so they're not dangerous?

I did that but still nothing, the graphics are a bit weird! (see attachment) See how the name "Shaun Lowe" is too pixelated!

The desktop is fine when I restart, up until the icons start to appear, then everything becomes weird like that! It seems like the desktop can't accept the wallpaper, because before the icons are loaded upon restart the desktop shows the background color then loads the wallpaper, that's when the desktop, well, again becomes weird!

I hope that makes sense.
 
Alg.exe and Winlogon.exe are legit files provided they are running from the correct location.

I`d like you to post fresh AVG Antispyware and HJT logs.

This is so I can confirm or otherwise that Bravesentry is gone. This is a real nasty infection, that`s based on a rootkit.

I`ve only just come across this infection in the last couple of days, so it`s pretty new, hence the difficulty in removing it.

Regards Howard :)

 
Oh god a new infection huh? should I be worried?

Ok I ran a new antivirus scan today and this is the result (attachment) I'm not sure what this is exactly!

Also here are my HJT and Antispyware logs (attachment)

Lastly As I mentioned before I haven't yet ran ccleaner, which means I haven't removed anything issues or anything, cuz I'm worried about the warnings I got (the previous reply)

I guess that's it!
 
I can see no more Bravesentry entries.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html


Have HJT fix this inactive entry.

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

Close HJT.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

kernels8.exe

Close task manager.

Run the Ccleaner programme exactly as per these instructions.

Download the Ccleaner programme from HERE.

Run the programme and make sure all the boxes are ticked under the Windows and Applications tabs. Click the run cleaner button with no browsers open. Do this several times. Click on issues, then the scan for issues button. Click the fix selected issues button, followed by the fix all selected issues button. Do this several times, until no more issues are found.


Locate and delete this bold file/folder(if there).

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\G5U7WXAN\2236[1].htm

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn`t automatically restart, restart it manually.

This is the filepath you need to enter into killbox.

C:\WINDOWS\system32\kernels8.exe

Once your system has rebooted, turn system restore back on and rehide your protected OS files.


Post a fresh HJT log and a fresh AVG Antispyware log. Let me know if you`re still having problems.

Regards Howard :)

 
Ok I did everything according to instructions but still my stupid desktop is the same.

I give up!

But anyways here are my results, however both the antivirus scan and spyware scans didn't show anything, the kernel.exe thing was found but it didn't say that it's a virus!

See (attachments)
 
Your HJT log is clean.

Try this and see if it helps.

Right click your desktop and select properties. Click on the desktop tab and click the customize desktop button. Click the web tab and uncheck any webpages and the lock desktop box. click ok/apply/ok. Now right click your desktop again and select properties. Click the desktop tab and see if you can change your desktop pic.

Let me know the results.

Regards Howard :)

 
Candy_girl said:
Last night I was downloading something off a file hosting site and I accidentally clicked on an ad that popped up and then froze my computer

Use Mozilla Firefox, not M$IE, it doesn't tend to have so many problems with software, installing whatever it likes on your machine.

Candy_girl said:
later I got an error message from my windows security centre (I used windows xp professional edition) said that "my computer is infected with a spyware "and that I have to click on that balloon so as to get rid of it! so it downloaded some program called "Bravesentry" that kept scanning my computer and got a result of like 65 infected objects in my registry! whenever I tried to get rid of it it kept opening again and again.

That wasn't the security center but the program that the ad installed. The icon probably looked similar. It is now a common tactic for spyware to mimic anti spyware programs. Examples being the cursed Winfixer. These types of programs claim to detect several viruses and usually want you to pay to remove them, or a similar scam.

Candy_girl said:
Then I closed the connection and the computer and when I came back I found that my desktop wallpaper is gone and all I have is the background color only! I tried to open windows task manager so as to see what's going on it was gone!

The spyware may have tried to exploit the active desktop, or changed/disabled it in some way. The active desktop is that particular bit of crapware that lets you display a web page on your desktop.

Candy_girl said:
I panicked so I googled "How to fix the task manager" and it got me to this website that directed me to use the "group policy" command via "Run". I got to finally understand what's going on, that the spyware disabled my desktop and my task manager so I enabled them again!

It's common for trojans and spyware programs to disable the task manager to prevent you from terminating their processes. Well done to M$ for even allowing this to happen.
 
howard_hopkinso said:
Your HJT log is clean.

Try this and see if it helps.

Right click your desktop and select properties. Click on the desktop tab and click the customize desktop button. Click the web tab and uncheck any webpages and the lock desktop box. click ok/apply/ok. Now right click your desktop again and select properties. Click the desktop tab and see if you can change your desktop pic.

Let me know the results.

Regards Howard :)


Ok I did that but nothing happened! the icons still look funny!

It seems like there's a transparent layer of infection that covers my active/normal desktop you know! Cuz when I click ctl/alt/delete the background or the color I chose from the option you gave me appears, so now I have like 2 background colors/wallpapers running! Make sense?
 
Ok, try doing a Windows repair as per this thread HERE. It might be that the infections you`ve had may have damaged some of your OS files.

Please let me know the results.

Regards Howard :)

 
I'm afraid I can't do this procedure cuz I no longer have the windows CD, I'm currently using xp professional and the only CD I have is the home edition! so I don't think I can use it, right?

Can I live with that messed up desktop, or it could infect or damage other running processes?

Anyways thank you very much Mr. Howard for everything I don't know how I would've survived this without you! you taught me so much this past week and I greatly appreciate it! so thank you soooo much.

Take care.
 
my view is, you have had problem after problem, and as soon as one is fixed, another reveals itself. it's probably best to save what you can onto disc, and format! until you can upgrade to xp pro, i am sure it's far better and less stressful to work with home edition. don't you?
 
You`re right, you can`t run a Windows repair of XP pro with a Windows Home cd.

I must say, I agree with tomrca, maybe you should bite the bullet and after backing up your important data, reformat and reinstall from scratch.

I`m sorry I wasn`t able to solve your problem.

Regards Howard :(

 
I figured formatting was the only way!

I'll try to though!

What are you talking about? you saved my computer and my life for that matter! I seriously would've died from panic if it wasn't for you. so I thank you sincerely Mr. Howard.

Take care.
 
Thank you very much for your kind words.

I get very disappointed, if I can`t fix a problem and end up having to advise someone to reformat.

Hopefully once you`re done formatting etc, you won`t have anymore virus/spyware problems. However, if you do, please post in this thread.

Good luck.

Regards Howard :)

 
You're very welcome! that's the least I could do!

Don't feel bad, even if we didn't solve the problem you still taught me loads of stuff I never knew before I feel smart because of you, now that's something right?!

I will don't worry!

Thank you very much.

Take care.
 
Hello remember me?

This time, I don't have a serious problem or anything but I was just scanning with hijackthis and I saw some weird object in the logfile.

The one that says bonjour something, I don't believe it's a valid program or something, right?

And as for my weird desktop problem, well it's still there! I'm sorry I couldn't format cause well, it will cost me too much.
 
Have HJT fix the following.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

Other than the above, your HJT log is clean. However, you`re running an outdated version of HJT, see HERE for the latest version and post a fresh HJT log as per the instructions.

Regards Howard :)

This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
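
Added example (not part of the thread and not any poster's tool): a small triage pass over a HijackThis-style log that applies two checks from the replies above, namely that alg.exe and winlogon.exe are only legitimate when running from the correct location, and that O2 BHO entries ending in "(no file)" are orphans to fix. The log excerpt is constructed, the system folder is assumed to be C:\WINDOWS\system32 as in the path quoted in the thread, and the name list holds only the literal process names from the removal instructions (the [X1]/[X2] entries are left out).

```python
import ntpath
import re

# Constructed HijackThis-style excerpt for illustration (not the poster's log).
SAMPLE_LOG = r"""Logfile of HijackThis (constructed excerpt)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\User\Local Settings\Temp\alg.exe
C:\WINDOWS\system32\kernels8.exe

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
"""

SYSTEM_DIR = r"c:\windows\system32"        # assumption: default install path
SYSTEM_ONLY = {"alg.exe", "winlogon.exe"}  # legitimate only when run from SYSTEM_DIR
# Literal process names taken from the removal instructions in this thread.
THREAD_NAMES = {"bravesentry.exe", "win32.exe", "xpupdate.exe", "kerneles8.exe",
                "kernels8.exe", "maxd64.exe", "taskdir.exe", "dxvwabxj.exe"}
O2_RE = re.compile(r"^O2 - BHO: (.*) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")

def triage(log_text):
    """Return (finding_type, detail) tuples for one HijackThis-style log."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                   # a blank line ends the process list
                in_processes = False
                continue
            folder, name = ntpath.split(line.lower())
            # The location check comes first: a system file name alone proves nothing.
            if name in SYSTEM_ONLY and folder != SYSTEM_DIR:
                findings.append(("process-wrong-location", line))
            elif name in THREAD_NAMES:
                findings.append(("process-named-in-thread", line))
            continue
        match = O2_RE.match(line)
        if match and match.group(3) == "(no file)":
            findings.append(("orphan-bho", match.group(2)))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

The copy of alg.exe under Temp is flagged while the one in System32 is not, which is why a bare process name in Task Manager is not enough to decide either way.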
 