Started off with brave sentry

Status
Not open for further replies.

lalesperance

Posts: 7   +0
All of a sudden BraveSentry popped up on my computer. I closed out of it and deleted it from Program Files... A couple minutes later, the blue screen of death popped up for one second and my comp restarted. After that Task Manager was unable to be opened and I could not do anything. Even in Safe Mode nothing could be run. Explorer would not even open, so it would just show the background when started up no matter what I do. I have files on this comp that I don't want to lose. Is there anything anyone can do to help? I cannot even run HijackThis or anything. Now my CD-ROM drive has been shut off. The only thing I can do is start up in command safe mode and look around in the command window...
Any suggestions?
=/


Lucas
 
This is a pain as it runs even in safe mode, but I have removed it plenty of times a while back.

From the command prompt, type explorer.exe

or

When sitting at the blank background, try hitting the Windows key on your keyboard + R at the same time. In the box that pops up, type explorer.exe and hit Enter.

If we can get Windows up we need to run a few tools, and get you a different browser as IE is the reason you have this now. You should have been using Firefox or Opera.
 
OK. Once I do that, what are the tools I need? I actually monkeyed around and got Lavasoft Ad-Aware to scan. It found:
Win32.trojan.downloader.t.bs
Win32.worm.zhelatin
win32.trojanspy.peed
win32.backdoor.agent
virtumonde
bravesentry.

The reason I was using IE (which is sad) is because my Firefox went to update and it messed up in the middle, and won't uninstall or install, or I can't even delete the Mozilla folder. So that is a problem within itself, which is not a concern just yet as you can see.
If you have any ideas, I would much appreciate it.
Thanks,
Lucas
 
The BraveSentry infection is typically installed with quite a few other pieces of malware. I advise that you follow the instructions in the preliminary removal guide in order to have your computer fully cleaned after we run this tool.

Go to https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

Go to step 10

Download tool 1 - SmitFraudFix by S!Ri

Boot into Safe Mode and run the tool, selecting option 2.

After it runs Disk Cleanup, then...

It asks "Do you want to clean the registry ? (y/n)": answer Y

It says "Computer will reboot now. Close all applications." Press the spacebar.

Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer.

Attach this log here, and we can go from there.
 
This is what SmitFraudFix says (the text file):

SmitFraudFix v2.323
Scan done at 20:10:46.85, Sun 06/01/2008
Run from C:\SmitFraudFix
OS: Microsoft Windows XP [Version 5.1.2600] Windows_NT
The filesystem type is NTFS
Fix Run in safemode

>>>>>>>>>SharedTaskScheduler Before SmitFraudFix
!!! ATTENTION, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search CharedTaskSchedulers.dll

>>>>>> Killing Process
>>>>>>HOSTS
>>>>>>VACFIX

VacFix
Credits:Maleware Analysis & Diagnostic
Code S!Ri
>>>>>> Winshock2Fix
S!Ri S Ws2Fix; LSP not found.

>>>>>> GenericRenosFix by S!Ri
>>>>>> Deleting infected files



C:\windows\xpupdate.exe deleted
C:\windows\system32\svhost.dll deleted
C:\windows\system32\wininet.exe deleted
C:\Documents and Settings\hi\Application Data\install.dat deleted


>>>>>> IEDFix
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


>>>>>> 404FIX
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

>>>>>> DNS
>>>>>> Deleting temp files
>>>>>> winlogon.system
!!! Attention, Following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskSchedulers.dll

>>>>>> Reboot

C:\windows\system32\kdns.exe Deleted

[HKEY_Local_Machine\software\microsoft\windows NT\Currentversion\winlogon] "system"=""

>>>>>> END






That is what that program found.

Lucas
 
Can you download HijackThis for me as well and attach a log?

HijackThis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.0.2); it can be downloaded from HERE
  • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
  • After installing, the program launches automatically; select Scan now and save a log.
  • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
 
Here is my HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows xp sp2 (winnt 5.01.2600)
Boot Mode: Safe mode

Running processes:
C:\windows\system32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\program files\lavasoft\ad-aware\aawservice.exe
C:\windows\system32\svchost.exe
C:\windows\system32\cmd.exe
C:\program files\trend micro\hijackthis\hijackthis.exe
c:\windows\system32\wbem\wmiprvse.exe

R1 = HKCU\software\microsoft\windows\currentversion\internet settings, ProxyOverride = *. local
F2 -Reg:system.ini: userinit=c:\windows\system32\drivers\ctfmon.exe
03 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 8.0\acrobat\acroIEFavClient.dll
04 - HKLM\..\run: [TkBellexe] "c:\program files\common files\real\update_OB\realsched.exe" - osboot
04 - HKLM\..\run: [ntuser] C:\windows\system32\drivers\ctfmon.exe
04 - HKLM\..\run: [autoload] c:\documents and settings\localservice\local settings\application data\spool.exe
04 - HKLM\..\run: [DriveSystem] c:\windows\system32\maxpaynowtil.exe
04 - HKLM\..\run: [SystemDrive] c:\windows\system32\maxpaynow1.exe
04 - HKLM\..\run: [taskmon] c:\windows\taskmon.exe
04 - HKLM\..\run: [advap32] "c:\docume~1\derrick\locals~1\temp\6.tmp"/r
04 - HKLM\..\run: [c:\windows\system32\kdns.exe] c:\windows\system32\kdns.exe
04 - HKLM\..\run: [avg8_tray] c:\progra~1\avg\avg8\avgtray.exe
04 - HKLM\..\run: [kernelfaultcheck] 5systemroot%\system32\dumprep 0 -k
04 - HKLM\..\run: [nvcpldaemon] RUNDLL32.exe c:\windows\system32\nvcpl.dll,nvstartup
04 - HKLM\..\run: [nwiz] nwiz.exe /install
04 - HKLM\..\run: [ehtray] c:\windows\ehome\ehtray.exe
04 - HKLM\..\run: [srfirstrun] rundll32 srclient.dll,CreateFirstRunRp
04 - HKLM\..\run: [ntuser] c:\windows\system32\drivers\ctfmon.exe
04 - HKLM\..\run: [autoload] C:\documents and settings\derrick\local settings\application data\spool.exe
04 - HKLM\..\run: [herjek] c:\windows\herkek.exe
04 - HKLM\..\run: [windows update loader] c:\windows\xpupdate.exe
04 - HKLM\..\run: [bravesentry] c:\program files\bravesentry\bravesentry.exe
04 - HKLM\..\run: [service pack 1] c:\windows\system32\vedxg6ame4.exe
04 - HKUS\s-1-5-18\.. Run: [ntuser] C:\windowssystem32\drivers\ctfmon.exe (user 'system')
04 - HKUS\s-1-5-18\.. Run: [autoload] c:\documents and settings\local service\local settings\application data\spool.exe (user 'system')
04 - HKUS\s-1-5-18\.. Run: [firewall auto setup] c:\windows\temp\winlogon.exe (user 'system')
04 - HKUS\.default\..Run: [ntuser] c:\windows\system32\drivers\ctfmon.exe (user 'default user')
04 - Startup: shortcut to yzdock.lnk = c:\y.z_dock_61995\yzdock.exe
04 - Global startup: Post-it software notes.lnk = c:\program files\3m\psnlite\psnlite.exe
08 - extra context menu item: append to existing pdf - res://c:\program files\adobe\acrobat 8.0\acrobat\acroiefavclient.dll/acroappend.html
08 - extra context menu: convert link target to adobe pdf - res://c:\program files\adobe\acrobat 8.0\acrobat\acrofavclient.dll/acroiecapture.html
08 - extra context menu: convert link target to existing pdf - res://c:\program files\adobe\acrobat 8.0\acrobat\acrofavclient.dll/acroiecapture.html
08 - extra context menu: convert selected links to adobe pdf - res://c:\program files\adobe\acrobat 8.0\acrobat\acrofavclient.dll/acroiecapture.html
08 - extra context menu: convert selected links to existing pdf - res://c:\program files\adobe\acrobat 8.0\acrobat\acrofavclient.dll/acroiecapture.html
08 - extra context menu: convert selection to adobe pdf - res://c:\program files\adobe\acrobat 8.0\acrobat\acrofavclient.dll/acroiecapture.html
08 - extra context menu: convert selection to existing pdf - res://c:\program files\adobe\acrobat 8.0\acrobat\acrofavclient.dll/acroiecapture.html
08 - extra context menu: convert to adobe pdf - res://c:\program files\adobe\acrobat 8.0\acrobat\acrofavclient.dll/acroiecapture.html
08 - extra context menu item: E&export to microsoft excel - res//c:\progra~1micros~2\office12\ONBttnIE.dll
09 - extra button: (no name) - {08b0E5c0-4FCB-11CF-AAA5-00401C608501} - C:\program files\java\jre1.6.0_03\bin\ssv.dll
09 - extra 'Tools' menuitem: sun java console - {08b0E5c0-4FCB-11CF-AAA5-00401C608501} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
09 - extra button: send to onenote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - c:\program~1\microsoft~2\office12\ONBttnIE.dll
09 - extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - c:\progra~1\micros~2\office12\onbttnie.dll
09 - extra button: research - {92780B25-18cc-41c8-B9BE-3c9c571A8263} - c:\progra~1\micros~2\office12\refiebar.dll
09 - extra button: aim - {ac9e2541-2814-11d5-bc6d-00B0D0A1DE45} - c:\program files\aim\aim.exe
09 - extra button: messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
09 - extra 'Tools' menuitem: windows messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
016 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 control) - http://65.116.9.103/kxhcm10.ocx
016 - DPF: {DF780F87-ff2B-4DF8-92D0-73DB16A1543A} (PopCaploader object) - http://myspace.oberon-media.com/gam...8a4f52bf9/online/astropop/popcaploader_v6.cab
018 - Protocol: groovelocalGWS - {88FED34C-F0CA-4636-A375-3cB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
020 - Appinit_Dlls: avgrsstx.dll
023 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - c:\program files\lavasoft\ad-aware\aawservice.exe
023 - Service: AVG8 watchdog ( avg8wd) - AVG Technologies CZ, s.r.o. - c:\progra~1\avg\avg8\avgwdsvc.exe
023 - Service: FLEXnet Licensing Service - macrovision europe ltd. - c:\program tiles\common files\macrovision shared\FLEXnet Publisher\FNPLicensingservice.exe
023 - Service: HCEG - unknown owner - c:\Docume~1\derrick\locals~1\temp\HCEG.exe (file missing)
023 - Service: MNS Framework (MSNFramework) unknown owner - c:\windows\system32\mnsframework.exe
023 - Service: Network DDE NetDDEUPS (NetDDEUPS) - Unknown owner - c:\windows\system32\advapi32h.exe
023 - Service: NVIDIA Driver Helper Service (NVSVC) - Nvidia Corporation - C:\windows\system32\nvsvc32.exe

--
End of file-- 6632 bytes
 