
Malware Help Needed...

Status
Not open for further replies.

Loki

Count of Concision
This past Thursday after an IE freeze-up that I had to kill at the process level, I noticed an icon on my desktop that wasn't supposed to be there (delself.bat) and a red "X" alert box in the lower right corner of the taskbar with a text bubble stating that my computer was infected, and to "click here" to download anti-spyware to remove the threat (it also kept resetting my home page to google for some reason). I obviously didn't click on anything; my first instinct was to run spybot, but it wouldn't open (the process didn't even initiate in task manager).

To make a long story short(er), after the usual fiddling in safe mode and uninstalling/reinstalling my anti-spyware and AV programs, I seem to have rid myself of this problem. I had noticed a program named "brastk.exe" in my startup menu in msconfig, and unchecked it. Initial scans using Ad-Aware, MalwareBytes, Spybot, and AVG each returned a few threats, which I removed (one of which was the aforementioned brastk.exe). Subsequent scans performed over the past couple of days have been clean, and my computer's performance has been asymptomatic.

However, I just downloaded and ran a Hijack This registry scan, and have been googling anything that looks unfamiliar. In my AppInit_DLLs, I have a file named karna.dat, which, according to what I've read, frequently comes paired with brastk.exe and is considered malware. My questions are these:


1) Is deleting "karna.dat" from my AppInit_DLLs via regedit safe? I want to make sure it's not tied to any necessary system process (google says otherwise, but I'd like to ask the GA experts :D). Is doing so simply a matter of clicking "modify" and then deleting the "karna.dat" text from the "Value Data" field? (I've never edited anything in the registry before.)

2) There is a "brastk" folder in the startup subfolder of the msconfig folder in the registry. One of the commands therein points to brastk.exe, which should no longer exist on my system. Can I delete the entire brastk subfolder safely? I assume this would remove it from my startup menu completely in msconfig? (As opposed to simply being deselected, as it is currently.)

3) How would you best judge when your computer is "clean"? I've been avoiding doing any online banking etc. since this occurred, and would like to know when I can resume normal activity. Originally I figured one week of problem-free use and clean scans, but now I'm worried about possible lingering malicious files/programs.


Both brastk.exe and karna.dat (or any files containing those strings) do not exist on my system according to searches (I allowed hidden files and protected OS files). In light of this, how do you think I should proceed re: the above questions? Any help would be appreciated. Thanks. :)
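The registry locations the first two questions ask about can be audited read-only before anything is deleted. The PowerShell script below is an added example, not code from the thread; it assumes the standard XP-era locations for AppInit_DLLs, the Run keys and msconfig's startupreg subkey, lists every loader entry whose target file no longer exists on disk, and exports a backup of the AppInit key so a manual edit can be reversed.

```powershell
# Added example: find autostart entries (AppInit_DLLs, Run keys, msconfig's parked
# items) whose target file is gone. Read-only apart from the .reg backup at the end.
$AppInitKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$RunKeys     = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
# msconfig (XP) stores deselected startup items here, one subkey per item.
$MsconfigKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'

function Resolve-LoaderTarget {
    param([string]$Entry)
    # Extract the file from a command like  "C:\x\y.exe" -arg  or  foo.exe /install
    $name = if ($Entry -match '^"([^"]+)"') { $Matches[1] } else { ($Entry -split '\s+')[0] }
    if ([System.IO.Path]::IsPathRooted($name)) { return $name }
    # Bare names resolve through the loader search order; System32 and Windows come first.
    # The extension is irrelevant: an AppInit_DLLs entry named *.dat is still loaded as a DLL.
    foreach ($dir in @("$env:SystemRoot\system32", $env:SystemRoot)) {
        $candidate = Join-Path $dir $name
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $name
}

function Test-LoaderEntry {
    param([string]$Source, [string]$Name, [string]$Entry)
    $target = Resolve-LoaderTarget $Entry
    $exists = [System.IO.Path]::IsPathRooted($target) -and (Test-Path -LiteralPath $target)
    New-Object PSObject -Property @{ Source=$Source; Name=$Name; Command=$Entry; Target=$target; Exists=$exists }
}

$report = @()
# AppInit_DLLs is one REG_SZ value; entries are separated by commas or spaces.
$appInit = (Get-ItemProperty -Path $AppInitKey -ErrorAction SilentlyContinue).AppInit_DLLs
foreach ($dll in ($appInit -split '[,\s]+' | Where-Object { $_ })) {
    $report += Test-LoaderEntry 'AppInit_DLLs' $dll $dll
}
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $report += Test-LoaderEntry $key $p.Name ([string]$p.Value)
        }
    }
}
Get-ChildItem -Path $MsconfigKey -ErrorAction SilentlyContinue | ForEach-Object {
    $cmd = (Get-ItemProperty -Path $_.PSPath).command   # original command line of the parked item
    $report += Test-LoaderEntry 'msconfig\startupreg' $_.PSChildName ([string]$cmd)
}
# Orphaned loaders (Exists = False) are the entries worth reviewing; back up before editing.
$report | Where-Object { -not $_.Exists } | Format-Table Source, Name, Target -AutoSize
& reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' "$env:TEMP\appinit-backup-$(Get-Date -Format yyyyMMddHHmmss).reg" | Out-Null
```

An orphaned entry only means the file is missing, not that the entry is harmless to leave; an AppInit_DLLs name that reappears on disk would be loaded again into every process that maps user32.dll.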
 

Loki

Count of Concision
Bump for the day crowd. I know it's a lot to read, but I'd certainly appreciate it. :)
 

ToxicAdam

Member
Just my opinion, but if an (updated) MalwareBytes or SUPERanti-spyware doesn't detect anything, you are about as safe as you can be.
 

Loki

Count of Concision
ToxicAdam said:
Just my opinion, but if an (updated) MalwareBytes or SUPERanti-spyware doesn't detect anything, you are about as safe as you can be.

Is SAS really good? I mean, is it in wide use? I was reading mixed reviews on it last night. Something to the effect that the program itself has been known to be hijacked as a vector for malware. Maybe I misread, though. I'm mostly concerned with lingering issues because of the registry stuff I mentioned above, which persists after all of my scans (which is why I wanna know if I can safely remove it manually).

Also, thanks for the responses everyone. It seems like you're all trying to help with question #3 (though DeathNote's post can be seen as trying to address #2 as well), but I'd also like it if someone could help out with the first two. :)
 

Loki

Count of Concision
claviertekky said:
Post your hijack log. I'll take a look at it.

If you want to try something new, bust out combofix.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks. Here it is:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat,avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4954 bytes


I've bolded the portion I'm concerned with. I do not have Viewpoint toolbar installed despite its presence above. Also, the BHO (second line of the second section) is legit, right? I just installed AVG8 a few days ago, after all. Thanks again.
 

Loki

Count of Concision
I3rand0 said:
I just fixed this on my neighbor's PC. You need to delete 3 files - beep.sys, karna.dat, and bratsk.exe

Yeah, the files don't come up on manual searches of my PC anymore, and all my scans come back clean. My only issue is with the registry entries for brastk.exe and karna.dat noted above. I'm not knowledgeable enough to know whether they're now innocuous since the programs they call are seemingly no longer on my PC. Just wondering if I should (and can safely) manually delete these entries using regedit.

Scalemail Ted said:
just used it as a great opportunity to wipe and refresh.

Yeah, I'm not too current on backups, which is why this isn't feasible atm. I'm kinda lackadaisical re: backups, unfortunately. :D
 

Loki

Count of Concision
Loki said:
My questions are these:


1) Is deleting "karna.dat" from my AppInit_DLLs via regedit safe? I want to make sure it's not tied to any necessary system process (google says otherwise, but I'd like to ask the GA experts :D). Is doing so simply a matter of clicking "modify" and then deleting the "karna.dat" text from the "Value Data" field? (I've never edited anything in the registry before.)

2) There is a "brastk" folder in the startup subfolder of the msconfig folder in the registry. One of the commands therein points to brastk.exe, which should no longer exist on my system. Can I delete the entire brastk subfolder safely? I assume this would remove it from my startup menu completely in msconfig? (As opposed to simply being deselected, as it is currently.)

3) How would you best judge when your computer is "clean"? I've been avoiding doing any online banking etc. since this occurred, and would like to know when I can resume normal activity. Originally I figured one week of problem-free use and clean scans, but now I'm worried about possible lingering malicious files/programs.

Come on, people -- I know you've edited your registries before. :D I haven't, so I need your input on whether this is safe.
 

Loki

Count of Concision
ToxicAdam said:
Can't you just create a system restore point and then try it? If things go bad, you just restore.

I suppose, though I'd have to look into how to do that. In case you couldn't tell, I'm not the most savvy user out there. :D I guess I'll do that, then.
 