Virus message popup

Status
Not open for further replies.
Hi,

I'm hoping you can help me although I really don't know where to begin - so many issues are occurring! Ackkkkkk!!!!

The other day while reading an email, a virus message popped up and my system went wacky and shut down. I turned it back on and found that my Norton's was gone "poof" and that my browser window would not open. I could access my email client and the weather bug so I know I have an internet connection, ...just couldn't get my browser window to load.

So, thinking I could fix this myself, I reset my settings to restore the Windows browser. I now can access the internet, but I CAN'T follow a link or download ANYTHING. I keep getting an "Internet Explorer cannot display the webpage" error message. I've been searching through this site and I think I may have a "hijacked browser" ...not sure though what that means or how to fix it?

Okay, also, at this time, I had received a message with instructions on how to update my Norton's. I was able to start that process, ...which means that it said it had to remove the previous version of Norton's before it could install the latest version. It removed the old, but now I can't download the newer version so I have NO virus protection on my computer. I tried to access other sites, such as the AVG 8.0 for a FREE product to try and get my system protected, but once again, I cannot get the page to load, so I'm just unable to download it.

I tried to do a system restore and it is not working either, ...keeps saying it can't restore, try another date. I did, but apparently that feature just doesn't work anymore. I even tried to create a new date and it won't.

So, no Norton's, browser won't open new windows, no system restore, ...oh, and other pop up messages as well.

Sorry this is so long, ...just not sure what to try and fix first.

I appreciate any help you can provide.

Thanks!

BetsC
 
You've already gone too far! One interesting thing - weather bug - this is going to be a big part of your problem. It comes bundled with spyware/adware!

Please go to the following page and begin the malware cleaning steps. If necessary, download the programs to a flash drive, then run them on your system:
https://www.techspot.com/vb/post645589-1.html

Do NOT attempt to use System Restore until the system is clean and we have removed the old restore points. They can become infected with the malware, and since they are protected files, the cleaning programs don't reach the restore points.

Try to get some online AV program to a flash drive and get it on to the system. Do it in Safe Mode if needed. Chances are if you didn't use the Norton Removal Tool, you will have some protection left.

Once you attach the logs, we can begin helping you.
 
You've Been Hit by Spyware!

You've been hit by spyware. I also recommend you ditch Symantec-Norton in favour of AVG 8.

I recommend running the following 3 anti-spyware utilities (all available in the Download section at this site):

  • AVG 8
  • Ad-Aware 2008
  • Spybot Search & Destroy

Repost with results.

Best,
-- Andy
 
I too have this infection it's called Brastk!

The infection is called Spyware2009 and comes with two things. First - in your bottom right toolbar a red circle with white cross. This gives a popup that includes the word "prevent" misspelled, thus highlighting it as a virus. Second, it comes with a file called Brastke.exe which will be in two places - one in C:\Windows and one in C:\WINDOWS\System32. I have found I can delete one via Explore under one user login and then have to go to another user login to kill the other before it gets started.

This malware infection is quite clever in that it totally disables any anti-virus software installed (like Norton or AVG); it also will not allow you to run any newly downloaded software and in most cases will not allow you to open any webpages associated with anti-virus software - so you can open Norton motorcycle webpages, but not Norton antivirus pages!

As you will see, I have discovered the program, but not how to kill whatever is replacing the Bratsk.exe files when the PC is re-booted. The instructions I found elsewhere on the net include using Trend Micro's HijackThis to kill the startup program (as MSconfig is not going to work), but the virus won't allow HijackThis to start up now I have downloaded it. I suspect it is a registry problem - but then I'm a basic user and I don't even know how to find those and kill the correct registry entries, and none of the recommended software will open up - save one - Spyhunter 3. Can anyone offer any further help? Preferably something that does not involve downloading and running a program - because the little bugger won't let it happen!
 
I'd try Task Manager (if it isn't blocked from running by the spyware) and look in the process list for Brastk.exe and kill it. Then see if you can install/run anti-spyware. I gave my recommended 3 anti-spyware utilities in a previous post.

-- Andy
 
Download EndItAll
Extract, then run Setup
Then run the EndItAll application
Then click on the skull heads

Then close EndItAll

Then continue over to Viruses/Spyware/Malware Preliminary Removal Instructions

@Bobbye please update your link to the direct link provided here
 
One other thing about Bratsk - it killed my Cid malware problem which we have had for over 12 months now and could not get rid of! Frying pan and fire spring to mind.

Kimsland - I have just run EndItAll and there are no skulls - perhaps because I have suppressed the program by deleting the two Bratsk.EXE files in Windows and system32. Specifically, what I need to know is how to find out what puts these two EXE files back in the Windows and system32 folders when I re-boot? If I can stop it doing this I can kill it. What I detailed above is enough to take back control of the PC - but it doesn't stop this thing preventing anti-virus software being opened and run. Thanks for your help.

I think the thread "Viruses are destroying my computer and I need help" is the same issue. Perhaps this is affecting quite a lot of people worldwide.
 
It is obvious that a program is set to run at startup, therefore editing the registry might be the best option. The problem is where to look for the entry:
HKCU or HKLM

Run regedit:
  1. Win logo key + R, then type regedit
  2. When regedit opens browse to the following:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
Look here for any strange entries.

Also browse to:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Look for any strange entries.

Also, observing the string value should reveal the location of the file.
Note: Before you delete anything, be sure that it is the offending entry. Posting it for confirmation may be best.
 
Please go to MSCONFIG Diagnostic mode
Start->Run-> MSCONFIG

Then restart your computer

In Diagnostic mode none of your startups will happen.
This may help to continue repairing your issue

But once all is done, you will need to go back and run MSCONFIG and return it to Normal mode

This is a lot simpler. :grinthumb
 
In reply to tw0rld

Under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] nothing appears incorrect.

Under [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] there's (under suspicion):-

(Default) Reg_SZ (value not set)
Carpservice Reg_SZ carpserv.exe
dmtxe.exe Reg_SZ C\Windows\system32\dmtxe.exe
dmzsy.exe Reg_SZ C\Windows\system32\dmzsy.exe
Kernalfaultcheck Reg_Expand_SZ %systemroot%\system32\dumprep 0 -k
Love default global mess Reg_SZ C\Documents and settings\all users\Application Data \ great coal love default \ warn once.exe - wtf???
Pinnacle Driver Check Reg_SZ C\Windows\System32\PSDrvCheck.exe
winlogin Reg_SZ

Everything else looks kosher

Thanks for your assistance

Kimsland - re your MSconfig re-boot - I don't feel confident enough to follow your instructions since "In Diagnostic mode none of your startups will happen" - so what will happen and "once all is done, you will need to go back and run MSCONFIG and return it to Normal mode" - will it be obvious how to do this? If I lose the tinternet through following these instructions I lose all the help I am getting from you guys.

Thanks again
 
Kimsland?

First things first - does anything look wrong in the list I supplied - anything on the "kill" list? What about the loving coals thing?

Second - do I run the MSconfig cleanup (which I have just downloaded) instead of doing the MSCONFIG and re-boot your computer?

Third - you type MSconfig and a window pops up. What then? Do I just go start>turn off computer>restart? or do I change something in the MSconfig window?

I did say I am a basic user!
 
Unable to find any info on the entries below. My guess is that they are no good.
Do not delete anything yet. I would love to get confirmation from others.

dmtxe.exe Reg_SZ C\Windows\system32\dmtxe.exe
dmzsy.exe Reg_SZ C\Windows\system32\dmzsy.exe
Love default global mess Reg_SZ C\Documents and settings\all users\Application Data \ great coal love default \ warn once.exe - wtf???
 
I will leave you in tw0rld's capable support.
His support here is actually helping you more.
I agree the above entries should be removed from startup, and then deleted
 
Huh! One of my old forums I was member on for a while
I find TechSpot much better
But I do refer to links to other sites as well

Please continue to follow tw0rld support (above ^^)
 
Apparently the warn once.exe file went by another name: THAT SOFTWARE DEAD ONCE.EXE


This might explain your inability to run programs. Go ahead and delete those three entries, by browsing to their directories. Also run msconfig and deselect,
  1. dmtxe.exe
  2. dmzsy.exe
  3. warn once.exe
click apply, then ok.

After restart use msconfig cleanup to remove those entries mentioned above.
 
Here's where I am up to

In Regedit I deleted the three entries you highlighted (tw0rld) by selecting each, right clicking and deleting.

I rebooted the pc - Bratsk.exe returned to the two locations in windows and system32.

I installed and ran MSconfig cleaner. This did nothing but come up with a box saying "there are no disabled startup items in MSConfig". The choices are select all / deselect all / quit. Not much help. Am I missing something?

I will have to return to this in the morning (UK time).

Please continue to offer more advice for the simplest of minds and abilities. I am determined to kill this bug.

Thanks
 
Sorry if I didn't explain it properly. You needed to delete the files, not the registry entries.

Browse to C:\windows\system32
search for and delete dmtxe.exe & dmzsy.exe


Browse to
C\Documents and settings\all users\Application Data \ great coal love default
search for and delete warn once.exe

When finished with the above run msconfig and deselect,

1. dmtxe.exe
2. dmzsy.exe
3. warn once.exe
Click Apply, then OK to exit, and click Restart when prompted.
Upon restart Windows will display a dialog; click the check box and click OK.

After restart use msconfig cleanup to remove those entries mentioned above.
 
Tw0rld

I navigated via Explore and could not find the dmtxe.exe & dmzsy.exe files. When I deleted them in regedit they must have gone. I found a folder for the "Great Coal Love" and deleted it.

I ran msconfig, but the files were not there to de-select (presumably this was on the startup tab).

I re-started and did msconfigcleanup - there was nothing to select

I re-booted the pc and hey presto ... Bratsk appeared again in Windows and system 32 !! (I also now know that the one in Windows makes the red circle/white cross appear on the taskbar, because if I delete it quick enough it doesn't come up, but I still have to go to another user to delete the system 32 one).

I have back-tracked on the instructions and had another look in the regedit keys from the earlier post 680074. There is still nothing suspicious in these keys that can be causing this bug to reappear on re-boot. It would help if I could copy and paste them to a list here.

In [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] only these look suspicious..

(Default) Reg_SZ (Value not set)
CTooLBar Reg_SZ prcmon.exe
CTSyncU.exe Reg_SZ C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe


the rest are associated with known applications i.e. Active Sync, Kill&Clean, Nokia, Popstop and Google taskbar.

In [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

Apart from a long list of known stuff there is (under suspicion):-

(Default) REG_SZ (Value not set)
Carpservice REG_SZ Carpserv.exe
csrss REG_SZ
IconixOEAddOn REG_SZ C:\Program Files\EMail ID\OEAddOn\OEdmn_2.exe
kernelFaultCheck REG_EXPAND_SZ %systemroot%\system32\dumprep 0 -k
NeroFilterCheck REG_SZ C:\WINDOWS\System32\NeroCheck.exe
PinnacleDriverCheck REG_SZ C:\WINDOWS\System32\PSDrvCheck.exe
SunJavaUpdateSched REG_SZ C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
TkBellExe REG_SZ C:\Program Files\Common Files\Real\Update_OB\Realsched.exe - osboot
winlogin REG_SZ

I notice in the Windows & system32 folders in Explore there are a lot of unusual .exe files with strange series of letters (if that helps), i.e. "ejekoku" - many appear to be MS-DOS applications.

I'm afraid it's back to trying to pin down what is putting Bratsk back in the Windows/system32 files on reboot.

Thanks for your help.
 
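To go with tw0rld's regedit instructions above and the two Run-key listings posted after them, here is an added triage script. It is not part of the thread and not a TechSpot tool; it is my own example. It takes the value names and data exactly as pasted in the thread (drive colons missing and all) and scores each entry with a few heuristics that are my assumptions about what a hand-planted Run value tends to look like: a name that mimics a Windows system process, an empty command, a bare file name with no directory, and a path under a user-writable profile directory. On a Windows host it reads the keys itself through the standard `winreg` module; anywhere else it runs over the pasted sample. The `AUTOSTART_KEYS` list and the heuristics are assumptions, not anything the posters stated.

```python
"""Triage of Windows Run-key autostart entries (added example, not the
thread's or TechSpot's tool).  SAMPLE_ENTRIES are Run values pasted in the
thread, transcribed as posted.  Heuristics are my own assumptions: they pick
entries for a person to examine, they do not prove infection."""
import os
import re
import sys

# Autostart keys to read on a live host.  Assumption: a practical subset.
# Winlogon Shell/Userinit, services and the Startup folders can also put a
# file back at boot and would need checking separately.
AUTOSTART_KEYS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
]
# Windows does not register its core processes under Run; a value named like
# one (or misspelled, "winlogin") is there to look harmless.
SYSTEM_LOOKALIKES = {"csrss", "winlogon", "winlogin", "lsass", "smss",
                     "svchost", "services", "spoolsv", "explorer"}
# XP directories any user, and so any malware running as that user, can write.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\")

SAMPLE_ENTRIES = [  # (key, value name, value data) as pasted in the thread
    (AUTOSTART_KEYS[0], "Carpservice", "carpserv.exe"),
    (AUTOSTART_KEYS[0], "dmtxe.exe", r"C\Windows\system32\dmtxe.exe"),
    (AUTOSTART_KEYS[0], "Kernalfaultcheck", r"%systemroot%\system32\dumprep 0 -k"),
    (AUTOSTART_KEYS[0], "Love default global mess",
     r"C\Documents and settings\all users\Application Data \ great coal love default \ warn once.exe"),
    (AUTOSTART_KEYS[0], "csrss", ""),
    (AUTOSTART_KEYS[0], "winlogin", ""),
    (AUTOSTART_KEYS[0], "SunJavaUpdateSched", r"C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"),
    (AUTOSTART_KEYS[2], "CTooLBar", "prcmon.exe"),
    (AUTOSTART_KEYS[2], "CTSyncU.exe", r"C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"),
]


def image_path(value):
    """Executable a value launches: text up to the first '.exe', else the first
    token.  Whitespace around backslashes (as in the pasted path) is removed."""
    value = re.sub(r"\s*\\\s*", r"\\", value.strip().strip('"'))
    m = re.match(r"(.*?\.exe)\b", value, re.IGNORECASE)
    return m.group(1) if m else value.split(" ")[0]


def triage(name, value):
    """Reasons an entry deserves a look; '(weak)' reasons are hints only."""
    reasons = []
    n = name.strip().lower()
    if n in SYSTEM_LOOKALIKES:
        reasons.append("value name imitates a Windows system process")
    path = image_path(value)
    if not path:
        reasons.append("empty command: dead entry, or a loader hiding its path")
        return reasons
    if "\\" not in path:
        # Resolved through the search path at logon, so the file that really
        # runs must be located by hand (Windows, System32, then PATH).
        reasons.append("bare file name, location unknown until searched for")
    low = path.lower()
    if any(d in low for d in USER_WRITABLE):
        reasons.append("runs from a user-writable data directory")
    if os.path.basename(low.replace("\\", "/")) == n:
        reasons.append("(weak) value name is just the file name")
    return reasons


def suspicious(name, value):
    """True when at least one non-weak reason applies."""
    return any(not r.startswith("(weak)") for r in triage(name, value))


def report(entries):
    """Entries with any reason at all, as (key, name, path, reasons)."""
    return [(k, n, image_path(v), triage(n, v)) for k, n, v in entries if triage(n, v)]


def scan_live():
    """Read AUTOSTART_KEYS on a Windows host (assumes read access); [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = []
    for key in AUTOSTART_KEYS:
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as h:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(h, i)  # OSError when exhausted
                    except OSError:
                        break
                    found.append((key, name, str(data)))
                    i += 1
        except OSError:  # key absent or not readable
            continue
    return found


if __name__ == "__main__":
    for key, name, path, reasons in report(scan_live() or SAMPLE_ENTRIES):
        print(f"{key}\n  {name!r} -> {path!r}\n    " + "\n    ".join(reasons))
```

Run against the pasted sample it flags Carpservice, CTooLBar (both bare file names, so the file has to be found before it can be deleted), the "great coal love default" entry (under All Users\Application Data) and the empty csrss and winlogin values, while dumprep, jusched.exe and Creative's CTSyncU.exe pass. The "value name is just the file name" signal is deliberately weak: it fires on dmtxe.exe, which the thread could find no information on, but also on CTSyncU.exe, which is ordinary Creative software, so it is a prompt to look, not a verdict. A clean result from these Run keys, as the poster found, does not explain a file re-created at every boot; that is why the other autostart locations named in the comment have to be checked as well.
 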
In [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] only these look suspicious..

(Default) Reg_SZ (Value not set)
CTooLBar Reg_SZ prcmon.exe

Well "prcmon.exe" is a Trojan
So that registry entry can be removed
Then locate prcmon.exe in your Windows folder and remove it
(note you may need to end the process first through Task Manager, or just restart and then do this)
 
Unhide hidden files

My computer > Tools menu > folder options > Click view tab > select show hidden files and folders > click ok and apply to exit.

Now browse to C:\windows\system32 and see if the dmtxe.exe & dmzsy.exe files are now there.

Also delete this file Bratsk

Deleting the registry entry will not delete the file itself.

If this doesn't work then something else is causing the problem.
 