Tech Support Forum - View Single Post

Danceswithwolve · 10-29-2008, 06:51 AM

Yay! This comes to you from the infected computer, as IExplore is back on air again. Things were looking bad for a while, as just before I started the procedure you gave, the computer rebooted by itself and the traybar icon appeared again and then the computer hung. Fortunately after a couple of false starts I was able to copy SDFix and MBAM from the USB drive and follow your instructions.

So far so good. Have had a small number of error reports such as 'IEEE 1284.4 - 1999 Network Driver encountered a problem and needs to close' and 'Real Networks Installer encountered a problem and needs to close', but otherwise things seem to be working OK.

SDFix Report.txt follows:

SDFix: Version 1.238
Run by Owner on Wed 29/10/2008 at 11:03 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Rootkit Found :
C:\WINDOWS\system32\drivers\TDSScjjh.sys - Rootkit.Win32.Agent.cku

Name :
TDSSserv.sys)

Path :
\systemroot\system32\drivers\TDSScjjh.sys

TDSSserv.sys) - Deleted

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\TDSSpgar.dll - Deleted
C:\WINDOWS\system32\TDSSsrvk.dll - Deleted
C:\WINDOWS\system32\TDSSsqda.dll - Deleted
C:\WINDOWS\system32\TDSSybpq.dll - Deleted
C:\WINDOWS\system32\TDSSurrv.dll - Deleted
C:\WINDOWS\system32\TDSSphgf.dll - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\TDSS6542.tmp - Deleted
C:\WINDOWS\system32\wini10802.exe - Deleted
C:\WINDOWS\brastk.exe - Deleted
C:\WINDOWS\msacm32.drv - Deleted
C:\WINDOWS\rasqervy.dll - Deleted
C:\WINDOWS\sdfinacs.dll - Deleted
C:\WINDOWS\sdfixwcs.dll - Deleted
C:\WINDOWS\system32\brastk.exe - Deleted
C:\WINDOWS\system32\delself.bat - Deleted
C:\WINDOWS\wuasirvy.dll - Deleted
C:\WINDOWS\system32\dllcache\figaro.sys - Deleted
C:\WINDOWS\system32\drivers\TDSScjjh.sys - Deleted
C:\WINDOWS\SYSTEM32\TDSSSVUX.DAT - Deleted
C:\WINDOWS\SYSTEM32\TDSSXUBY.LOG - Deleted
C:\WINDOWS\SYSTEM32\TDSSNMXH.LOG - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-29 23:16:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,fe,53,9d,23,52,ba,30,8a,1a,21,77,ad,8a,73,f8,54,5e,..
"hj34z0"=hex:16,34,13,15,a5,7d,61,d9,c5,2f,ef,20,ca,23,d5,be,ea,ab,9c,13,4b,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqxt.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpqxt.sys"
"TDSSl"="\systemroot\system32\TDSSnrse.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqxt.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpqxt.sys"
"TDSSl"="\systemroot\system32\TDSSnrse.dll"

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\c_253299.nls 133120 bytes executable
C:\WINDOWS\system32\c_253319.nls 410 bytes
C:\WINDOWS\system32\c_253349.nls 11877 bytes
C:\Documents and Settings\Owner\$SSP&\$7.$$p\$2.$$p\$1.$$p\c_253299.nls:EXE 124416 bytes executable
C:\Documents and Settings\Owner\$SSP&\$8.$$p\$4.$$p\$3.$$p\c_253299.nls:EXE 124416 bytes executable
C:\Documents and Settings\Owner\$SSP&\$9.$$p\$6.$$p\$5.$$p\c_253299.nls:EXE 124416 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 6

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server"
"E:\\setup\\HPZnet01.exe"="E:\\setup\\HPZnet01.exe:*:Enabled:hpznet01.exe"
"E:\\setup\\HPONICIFS01.EXE"="E:\\setup\\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\Aircraft\\LVLD_B763\\ConfigurationManager_767.exe"="C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\Aircraft\\LVLD_B763\\ConfigurationManager_767.exe:*:Enabled:767-300 Configuration Manager"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:enable"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 30 Oct 2004 196 A.SHR --- "C:\BOOT.BAK"
Sat 30 Oct 2004 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Sat 7 May 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 7 May 2005 4,348 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"
Sun 7 Aug 2005 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Sat 7 May 2005 400 A.SH. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"
Wed 3 Oct 2007 24,663 ..SHR --- "C:\Documents and Settings\Owner\Local Settings\Temp\Juniper Networks\setup\NeoterisSetupApp.exe"

Finished!

MBAM and RSIT logs to follow shortly in separate posts when run.

10-29-2008, 06:51 AM	#5 (permalink)
Danceswithwolve Registered User Join Date: Oct 2008 Posts: 14 OS: Windows XP SP2	Re: Infected with brastk.exe, wini10802.exe? Yay! This comes to you from the infected computer, as IExplore is back on air again. Things were looking bad for a while, as just before I started the procedure you gave, the computer rebooted by itself and the traybar icon appeared again and then the computer hung. Fortunately after a couple of false starts I was able to copy SDFix and MBAM from the USB drive and follow your instructions. So far so good. Have had a small number of error reports such as 'IEEE 1284.4 - 1999 Network Driver encountered a problem and needs to close' and 'Real Networks Installer encountered a problem and needs to close', but otherwise things seem to be working OK. SDFix Report.txt follows: SDFix: Version 1.238 Run by Owner on Wed 29/10/2008 at 11:03 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Rootkit Found : C:\WINDOWS\system32\drivers\TDSScjjh.sys - Rootkit.Win32.Agent.cku Name : TDSSserv.sys) Path : \systemroot\system32\drivers\TDSScjjh.sys TDSSserv.sys) - Deleted Restoring Default Security Values Restoring Default Hosts File Rebooting Checking Files : Trojan Files Found: C:\WINDOWS\system32\TDSSpgar.dll - Deleted C:\WINDOWS\system32\TDSSsrvk.dll - Deleted C:\WINDOWS\system32\TDSSsqda.dll - Deleted C:\WINDOWS\system32\TDSSybpq.dll - Deleted C:\WINDOWS\system32\TDSSurrv.dll - Deleted C:\WINDOWS\system32\TDSSphgf.dll - Deleted C:\DOCUME~1\Owner\LOCALS~1\Temp\TDSS6542.tmp - Deleted C:\WINDOWS\system32\wini10802.exe - Deleted C:\WINDOWS\brastk.exe - Deleted C:\WINDOWS\msacm32.drv - Deleted C:\WINDOWS\rasqervy.dll - Deleted C:\WINDOWS\sdfinacs.dll - Deleted C:\WINDOWS\sdfixwcs.dll - Deleted C:\WINDOWS\system32\brastk.exe - Deleted C:\WINDOWS\system32\delself.bat - Deleted C:\WINDOWS\wuasirvy.dll - Deleted C:\WINDOWS\system32\dllcache\figaro.sys - Deleted C:\WINDOWS\system32\drivers\TDSScjjh.sys - Deleted C:\WINDOWS\SYSTEM32\TDSSSVUX.DAT - Deleted C:\WINDOWS\SYSTEM32\TDSSXUBY.LOG - Deleted C:\WINDOWS\SYSTEM32\TDSSNMXH.LOG - Deleted Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-29 23:16:16 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40] "khjeh"=hex:20,02,00,00,fe,53,9d,23,52,ba,30,8a,1a,21,77,ad,8a,73,f8,54,5e,.. "hj34z0"=hex:16,34,13,15,a5,7d,61,d9,c5,2f,ef,20,ca,23,d5,be,ea,ab,9c,13,4b,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys] "start"=dword:00000001 "type"=dword:00000001 "group"="file system" "imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqxt.sys" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules] "TDSSserv"="\systemroot\system32\drivers\TDSSpqxt.sys" "TDSSl"="\systemroot\system32\TDSSnrse.dll" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys] "start"=dword:00000001 "type"=dword:00000001 "group"="file system" "imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqxt.sys" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules] "TDSSserv"="\systemroot\system32\drivers\TDSSpqxt.sys" "TDSSl"="\systemroot\system32\TDSSnrse.dll" scanning hidden registry entries ... scanning hidden files ... C:\WINDOWS\system32\c_253299.nls 133120 bytes executable C:\WINDOWS\system32\c_253319.nls 410 bytes C:\WINDOWS\system32\c_253349.nls 11877 bytes C:\Documents and Settings\Owner\$SSP&\$7.$$p\$2.$$p\$1.$$p\c_253299.nls:EXE 124416 bytes executable C:\Documents and Settings\Owner\$SSP&\$8.$$p\$4.$$p\$3.$$p\c_253299.nls:EXE 124416 bytes executable C:\Documents and Settings\Owner\$SSP&\$9.$$p\$6.$$p\$5.$$p\c_253299.nls:EXE 124416 bytes executable scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 6 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe::Enabled:MSN Messenger 7.5" "C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe::Disabled:Microsoft DirectPlay8 Server" "E:\\setup\\HPZnet01.exe"="E:\\setup\\HPZnet01.exe::Enabled:hpznet01.exe" "E:\\setup\\HPONICIFS01.EXE"="E:\\setup\\HPONICIFS01.EXE::Enabled:hponicifs01.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe::Enabled:hpqtra08.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe::Enabled:hpqste08.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe::Enabled:hpofxm08.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe::Enabled:hposfx08.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe::Enabled:hposid01.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe::Enabled:hpqscnvw.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe::Enabled:hpqkygrp.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe::Enabled:hpqcopy.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe::Enabled:hpfccopy.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe::Enabled:hpzwiz01.exe" "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe::Enabled:hpqphunl.exe" "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe::Enabled:hpqdia.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe::Enabled:hpoews01.exe" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\Aircraft\\LVLD_B763\\ConfigurationManager_767.exe"="C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\Aircraft\\LVLD_B763\\ConfigurationManager_767.exe::Enabled:767-300 Configuration Manager" "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe::Enabled:Logitech Desktop Messenger" "C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe::Enabled:enable" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe::Enabled:MSN Messenger 7.5" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe::Enabled:Logitech Desktop Messenger" Remaining Files : File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes : Sat 30 Oct 2004 196 A.SHR --- "C:\BOOT.BAK" Sat 30 Oct 2004 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys" Sat 7 May 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak" Sat 7 May 2005 4,348 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak" Sun 7 Aug 2005 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak" Sat 7 May 2005 400 A.SH. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak" Wed 3 Oct 2007 24,663 ..SHR --- "C:\Documents and Settings\Owner\Local Settings\Temp\Juniper Networks\setup\NeoterisSetupApp.exe" Finished! MBAM and RSIT logs to follow shortly in separate posts when run.