brastk.exe ate my parents' machine.

Discussion in 'Malware Help (A Specialist Will Reply)' started by IdiotZ42, Nov 20, 2008.

  1. IdiotZ42

    IdiotZ42 Private E-2

    First off let me start by saying I ran through all the steps that I was able to complete in the READ & RUN ME FIRST sticky, and will attach all available logs.

    My sob story:

    My dad calls me up and says, "the computer isn't working again." (Not much new here.) So I go over and give it a look. There is this stupid red circle X icon down in the running tasks bar that keeps popping up with some obviously bogus "you're infected; download a better antivirus" message.

    I can't seem to find where this message's task is in Task Manager, but I have Comodo firewall, antivirus, and BOClean actively running in paranoid mode on his machine. (Yes, he must have said it was OK to run the malware.) So I pull up Comodo's firewall and find a few interesting things in the log.

    My friend Google tells me that brastk.exe (the most active program in the log) is a bad guy, and Comodo says that av.dat created a couple of registry keys to run brastk.exe on startup. I can't find av.dat on the hard drive, but I am able to delete the brastk.exe in the Windows dir. There is another in the system32 dir that Windows won't let me delete, so I boot into cmd prompt only and kill it too. However, when I restart, both are back from the dead, and Comodo says av.dat played with the registry again.

    So I kind of half *** my way stepping through brastk.exe and come up with karna.dat, which also happens to be both in the win dir and the system32 dir. (The following websites found in brastk.exe might be victims, but my guess would be more like perpetrators, and I do really want to kick them in the nuts: do-step-scan.com, do-monster-progress.com, domonster-progress.com, do-power-scan.com, dopower-scan.com, do-monsterscan.com, do-stepscan.com, doscan-progress.com, do-fixed-progress.com, domanaged-scan.com, domake-progress.com)

    I kill all brastk and karna and it still grows back. So I kill them again, and replace them with empty files. Yay, they no longer grow back. I use the Windows system info to find beep.sys, which lives in system32\drivers and system32\dllcache. Google is indifferent about this one; it may or may not be a system file, but when I look into the file it does have karna and brastk in it.

    This prompts me to go and update Comodo AV. Yes, I know I should have done that before this point. This doesn't work; Comodo AV cannot connect. This is odd. I go and ping antivirus.comodo.com, and it pings 127.0.0.1 just fine. ARGGGG. arp says there are no entries found. There are no important entries in the system32\drivers\etc\hosts or lmhosts.sam files on the machine. nbtstat -c says there are no names in cache. route print says nada useful. ipconfig /displaydns, ah ha, so this is where it lives, but ipconfig /flushdns doesn't get rid of it. So I browse the Comodo website for a manual update, but was not able to find one in my limited attention span.

    OK, installed AV/firewall fails me and won't update, Google doesn't yet know all about this issue, and I must use another machine to even browse antivirus.comodo.com. It's time to give those Major Geeks guys a buzz. (Kudos to you all for not redirecting the IP addr in the browser bar. For example: http://74.86.201.210/showthread.php?t=35407 works just fine when http://91.199.212.171/ does not, because it redirects to http://antivirus.comodo.com/)

    Major Geeks Steps
    I skimmed all this stuff first to download at work onto a non-infected/working machine, and saved all the files to a thumb drive.

    CCleaner ran great. No issues, no whining, no problems.

    SAS install did absolutely nothing when I double-clicked it. So I renamed it per instructions, and it installed. The update did not work because of the same 127.0.0.1 issue, although I was able to manually download the update, and this ran after I renamed it to sasd.exe. After install the SAS exe will not run, and if you rename it then it crashes before it will run. However, if you open up the SAS directory you find a RUNSAS.EXE; this I believe creates a copy of the SAS executable with a random file name (such a good idea). I ran the random SAS executable and was able to complete the SAS instructions as directed. Its log file is attached.

    SpyBotSD installed after I renamed it, and updated after I found the manual update file. This one however will not run no matter how many times you click it. And it still wouldn't run after it was renamed.

    MB wouldn't install even after I renamed the install. See attached MBerror.jpg.

    After I downloaded the restore thingy from Microsoft in order to drag onto ComboFix, nothing happened when I dragged it on. It also wouldn't run when clicked/renamed.

    MGtools.exe almost didn't run. I had to go into the MGtools dir and start the GetLogs.bat file manually. Its log is also attached.

    Summary:
    So this is where I am: two log files and an error picture attached.
    Most important EXEs won't run, most important DNS names are redirected to 127.0.0.1, Comodo AV is KIA, Comodo firewall with Defense+ is alive and well, and Comodo BOClean appears to be doing the same nothing that it always was doing.

    Thank you for the help,
    IdiotZ42
     

    Attached Files:
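A defender's version of the check walked through in the post above, added here as an example and not part of the original thread: parse `ipconfig /displaydns` output and the hosts file, then flag cached names answered with a loopback address and say whether the hosts file accounts for them (if it does not, the override sits elsewhere on the resolver path, which is the symptom described). The DNS cache output and hosts content below are constructed samples in XP's layout, not captures from the machine in the thread.

```python
import ipaddress
import re

# Constructed `ipconfig /displaydns` output in XP's layout; not captured from the thread's machine
SAMPLE_DISPLAYDNS = """\
Windows IP Configuration

    antivirus.comodo.com
    ----------------------------------------
    Record Name . . . . . : antivirus.comodo.com
    Record Type . . . . . : 1
    A (Host) Record . . . : 127.0.0.1

    www.example.net
    ----------------------------------------
    Record Name . . . . . : www.example.net
    Record Type . . . . . : 1
    A (Host) Record . . . : 198.51.100.7
"""
# Constructed hosts file: clean, as the post reports
SAMPLE_HOSTS = "# default Microsoft hosts file\n127.0.0.1       localhost\n"

def parse_displaydns(text):
    """Map record name -> list of A-record addresses from `ipconfig /displaydns` text."""
    cache, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Record Name[ .]*:\s*(\S+)", line)
        if m:
            current = m.group(1).lower()
            cache.setdefault(current, [])
            continue
        m = re.match(r"\s*A \(Host\) Record[ .]*:\s*(\S+)", line)
        if m and current:
            cache[current].append(m.group(1))
    return cache

def parse_hosts(text):
    """Map hostname -> address from hosts-file text, ignoring comments and blanks."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping

def find_redirects(cache, hosts_map):
    """Return {name: reason} for cached names answered with a loopback/unspecified address."""
    findings = {}
    for name, addrs in cache.items():
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if ip.is_loopback or ip.is_unspecified:
                # a loopback answer the hosts file does not explain points past the hosts file
                via = "hosts file" if hosts_map.get(name) == a else "not from hosts file"
                findings[name] = f"{a} ({via})"
    return findings
```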

  2. IdiotZ42

    IdiotZ42 Private E-2

    Some other things I forgot to mention.

    av.dat is still MIA.

    The little red-X-circle icon down in the taskbar flashed that bogus message constantly while you're trying to do anything, and I found this same message embedded verbatim into brastk.exe.

    I also found extensionless text files with weird filenames growing in the Windows dir. They appeared to be some sort of terse status file; I will attach one the next time I'm over at my parents' house.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Where were you trying to run it from? Did you have the EXE file saved to the problem PC and did you have it somewhere that was not a Temp folder?

    Did you try running ComboFix.exe by just double clicking on it and did you try running it in safe boot mode?


    Uninstall the below old versions of software:
    J2SE Development Kit 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 4
    Java 2 Runtime Environment, SE v1.4.2_03

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
    O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll (file missing)
    O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll (file missing)
    O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
    O4 - HKCU\..\Run: [A00F2C4CA03.exe] C:\DOCUME~1\DALEKA~1\LOCALS~1\Temp\_A00F2C4CA03.exe
    O4 - HKUS\S-1-5-21-177086865-21320931-3691902931-1007\..\Run: [A00F2C4CA03.exe] C:\DOCUME~1\DALEKA~1\LOCALS~1\Temp\_A00F2C4CA03.exe (User '?')
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O20 - AppInit_DLLs: karna.dat
    O23 - Service: Security Center wscsvcWmiApSrv (wscsvcWmiApSrv) - Unknown owner - C:\WINDOWS\system32\ADSMSEXTn.exe (file missing)

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.
    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.



    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Documents and Settings\Dale Kaiser\Local Settings\Temp

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
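Added example, not from the thread or from HijackThis itself: a small triage of HJT-style lines that encodes why the entries listed above were selected for fixing (an extra loader appended to UserInit, Run keys launching from a Temp folder, a DisableRegedit policy, a non-empty AppInit_DLLs, and a service with unknown owner and missing binary). The sample lines are the ones quoted in the post, plus one constructed benign ctfmon entry to show a line that is not flagged.

```python
import re

# Sample HJT lines: those quoted in the post above, plus one constructed benign entry (ctfmon)
SAMPLE_HJT = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKCU\..\Run: [A00F2C4CA03.exe] C:\DOCUME~1\DALEKA~1\LOCALS~1\Temp\_A00F2C4CA03.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: karna.dat
O23 - Service: Security Center wscsvcWmiApSrv (wscsvcWmiApSrv) - Unknown owner - C:\WINDOWS\system32\ADSMSEXTn.exe (file missing)
"""

def triage(log_text):
    """Return [(hjt_line, reason)] for entries that match the heuristics below."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        reason = None
        if kind == "F2" and "UserInit=" in line:
            # UserInit should name exactly one loader, userinit.exe; anything else runs at every logon
            entries = [e.strip() for e in line.split("UserInit=", 1)[1].split(",") if e.strip()]
            extra = [e for e in entries if e.lower().split("\\")[-1] != "userinit.exe"]
            if extra:
                reason = "extra UserInit entry: " + ", ".join(extra)
        elif kind == "O4":
            # an autorun pointing into a Temp folder is a common dropper persistence location
            if re.search(r"\\temp\\", line, re.IGNORECASE):
                reason = "Run key launches from a Temp folder"
        elif kind == "O7" and "DisableRegedit=1" in line:
            reason = "policy disables regedit"
        elif kind == "O20" and line.split("AppInit_DLLs:", 1)[-1].strip():
            reason = "AppInit_DLLs loads a DLL into every user-mode process"
        elif kind == "O23" and "Unknown owner" in line and "(file missing)" in line:
            reason = "service with unknown owner and missing binary"
        if reason:
            findings.append((line, reason))
    return findings
```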
     
  4. IdiotZ42

    IdiotZ42 Private E-2

    I saved the file to the desktop, and tried to run it from there.

    I believe I did try running ComboFix.exe by double clicking it after the drag-n-drop didn't work. I started with the READ & RUN ME FIRST thread, so I did not see the "try it in safe mode" suggestion until I had finished with that thread. It said not to go back and try steps over again, so I didn't.

    I had no problems doing this step. However, I would like to at some future point reinstall the v1.4 and v1.5 JDKs in order to be able to develop for Win95&98. If you have any suggestions on how to keep this separate from the active machine's IE/internet, I'd be glad to hear them.

    When I ran HJT the following was not in the check list:
    O4 - HKUS\S-1-5-21-177086865-21320931-3691902931-1007\..\Run: [A00F2C4CA03.exe] C:\DOCUME~1\DALEKA~1\LOCALS~1\Temp\_A00F2C4CA03.exe (User '?')

    This ran fine, and gave me a success message.

    After the PC shutdown it hung at the restart (black screen with blinking caret) for a few long seconds. Then it came up into the normal XP login screen. When I typed the first character of the password into the prompt the PC immediately rebooted itself. After this it did not hang again when it was booting up. This time when it got to the login screen it allowed me to type in the password and login. When it finished loading the profile it had avenger.txt open in Notepad, and an error message displayed (see attached avengerErr.jpg).

    No other issues in the above steps, all ran as expected, and the requested logs are attached.

    The internet 'filter', for lack of a better term, is still active. E.g. it still redirects antivirus.comodo.com, forums.majorgeeks.com, and I'm sure many others to localhost.

    The Comodo antivirus is still KIA. I will probably have to reinstall this anyway; Comodo has had a major update that combines both the antivirus and firewall, which was released sometime after the machine contracted the brastk influenza.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Install them on another PC that you don't surf with if that is an option. Otherwise you will have to live with the fact that they are security risks.

    Since your logs are clean, this does not appear to be a resident malware issue. I suggest that you uninstall Comodo AntiVirus Beta 2.0 and COMODO Firewall Pro and then reboot and see where things stand. If no change, also run the below.


    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program.
     
  6. IdiotZ42

    IdiotZ42 Private E-2

    This did not help, but after I completed these steps I tried Spybot S&D to see if the programs were still being blocked from loading.

    This ran and found stuff to remove (see attached log). After this I am now able to browse to forums.majorgeeks.com.

    Should I go back at this point and try some of the other steps that were not working before? Or install the latest version of Comodo?
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay looking better! ;) I would first suggest trying to run a couple scans we were not able to run before. Download, install, update and run Malwarebytes and attach a log. Also see if you can get ComboFix to run now and attach a log.

    Then you can reinstall Comodo.
     
  8. IdiotZ42

    IdiotZ42 Private E-2

    Both Malwarebytes and ComboFix install fine, and the update I downloaded for Malwarebytes ran. But neither of the programs will load normally nor in safe mode when I click on them.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try this!

    Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.
    • Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.
    • Then search for TDSSserv.sys
    • Let me know if you find this or not.
    • If you do find it, right click on it, and select “Disable”. Do not try to uninstall it.
    • Also if this is found and you disable it, then reboot and see if you can run the other scans that would not run.
     
  10. IdiotZ42

    IdiotZ42 Private E-2

    TDSSserv.sys did exist, and after I disabled it I was able to run both MalwareBytes and ComboFix (see attached logs).
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Excellent. Now get me a new and hopefully final MGlogs.zip and if it is clean, we will move on to final steps... That is assuming everything is running OK now.
     
  12. IdiotZ42

    IdiotZ42 Private E-2

    Attached is the MGlogs.zip, and as far as I can tell everything seems to be running correctly. I can get to the antivirus websites, and so far all of the programs I've tried running worked.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. Now you need to get this PC properly protected which is included in the below.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between the combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. If we had you run Avenger, you can delete all files related to Avenger now.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  14. IdiotZ42

    IdiotZ42 Private E-2

    Thank you for all the help. I ran through the above, and it looks like I'm good to go.

    Also, I was wondering: in the above info it mentioned creating a restricted user account to surf the internet with. If I create a new account called surf and set the Run As on the Firefox shortcut to the surf account, what restrictions should I put on the surf account?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No special restrictions should be required; since you are logging into a Restricted user account, it should already be restricted. You may have to decide at some point what policies you may need to create to allow things that are not allowed on a restricted account, like installing software and updates, etc. However, you need to boot up and log into the restricted user account to get the full benefits of it. If you are going to boot up in an admin account, you are defeating the whole purpose of having the restricted account.
     
    Last edited: Dec 12, 2008
