Analyst, Security Team
Join Date: Jul 2008
Posts: 110
OS: XP SP2
Re: Infected with brastk.exe, wini10802.exe?
OK, the latest logs look good. Time for a little tidying up, then I'll make a few recommendations for keeping clean.
The reason one of the instructions I gave didn't work with OTMoveIt is that I'm ham-fisted on the keyboard: ":Commands" shouldn't have 3 m's.
Let's clear out the programmes we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if used inappropriately. Besides, they're updated regularly, so they won't be of any use against future infections.
- Double click OTMoveIt3.exe to launch the programme.
- Click on the CleanUp! button.
- OTMoveIt will download a list from the Internet, if your firewall or other defensive programmes alerts you, allow it access.
- You will be prompted to allow the clean up procedure, click Yes
- When finished exit out of OTMoveIt
- Now delete OTMoveIt3.exe (if still present).
Malwarebytes' Anti-Malware is Freeware, so you can keep or remove it as you wish. Personally I think it's one of the better Anti-Spyware scanners around at the moment. However, if you wish to remove it, use Control Panel > Add/Remove Programs.
Next
Let's reset System Restore.
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator Access to clean the restore points.
- Turn off System Restore.
- On the Desktop, right-click My Computer.
- Click Properties.
- Click the System Restore tab.
- Check Turn off System Restore.
- Click Apply, and then click OK.
- Reboot.
- Turn ON System Restore.
- On the Desktop, right-click My Computer.
- Click Properties.
- Click the System Restore tab.
- UN-Check *Turn off System Restore*.
- Click Apply, and then click OK.
- NOTE: only do this once, NOT on a regular basis.
As far as I can see, your computer looks clear of infection now.
Are you still noticing any problems?
- If you are, let me know about them.
- If not, it's time to make your computer more secure.
Quote:
Before I make any recommendations, I'd like to give a simplified overview of how your defensive systems work and what you can do to protect yourself better in future.
The average home computer has approximately 64,000 ports through which it can communicate. By default these ports are open and can be used by any programme which cares to access them, either from within the computer or from without. If you were to go online with a computer in this condition you would quickly be attacked and your computer would be infected.
To prevent this you install a Firewall. A firewall will close all open ports and you then open the ones you need by setting "rules" for them according to the instructions supplied with the Firewall programme. Usually you will have ports open for your Internet Browser, your e-mail client, and the update functions for various programmes.
These "open" ports will not be fully accessible, in that they will only allow a communication if it was instigated from within your computer. Any unsolicited communications from outside are blocked.
However if you are tricked into starting the communication, then as far as your Firewall is concerned it is a legit transaction and it will open the port. So by clicking on malicious links, replying to unsolicited e-mails and attachments, and downloading from unsafe sources, you are effectively bypassing any protection your Firewall supplies.
At this point your Anti-Spyware and Anti-Virus programmes take over. The real-time protection in these constantly scans the data stream in your open ports, looking for things that match items in the database they have within them. If they find something, they will alert you, or quarantine it, or delete it, according to the rules set within the programme.
However, as you can see, if the database does not contain details of the infection that's attacking you, then your Anti-Virus or Anti-Spyware programmes will not protect you. There are new infections (or new variations of old infections) created every day, which is why it's vital to keep your programmes up to date. Even with a fully updated database, though, you are still playing catch-up, which is why your Firewall, Anti-Virus and Anti-Spyware programmes cannot ever give you 100% protection.
Adding more and more programmes will not give you more and more protection, it's up to you to take some responsibility for your online actions, and modify them to give your programmes the best chance of protecting you.
Be careful what you click on.
- Don't download anything from a site you do not know and trust. Remember, there's no such thing as a free lunch; if something seems too good to be true, it is. Malware purveyors love to offer out freebies as bait, knowing full well that one unguarded click is all it takes.
- Don't reply to unsolicited e-mails.
- Don't open e-mail attachments (even from friends) without checking with the source to ensure they actually sent them.
- Don't use P2P file sharing programmes. Even the ones that don't come bundled (and many do) are not safe. By using them you are effectively downloading from an unknown source, with all the dangers described above.
OK, so how do we set about protecting you?
You should definitely have one of each of the following programmes.
- Firewall
- Anti-Virus
- Anti-Spyware
You do not need more than one of each. More than one will cause conflicts, and will not improve your security.
If you don't already have them, then these are links to lists of free programmes.
You'll increase your chances of not getting infected if you don't land on an infected website in the first place.
There are a couple of ways to do this:
- Block access to sites known to spread Malware.
- Give you clear indication of which they are, so that you can make choices.
To block access to known bad sites we use a Hosts file.
Quote:
Download HostsXpert and unzip it to your computer, somewhere where you can find it.
- Double click on HostsXpert.exe to launch the programme.
- Check to see if the top button on the left hand side says Make Writable ?
- If it does, click on it, then proceed to the next instruction.
- If not, just proceed to the next instruction.
- Click on the Download button (lower left hand side)
- Click on MVPs Hosts... button.
- Click on Replace button.
- Press OK in the box that pops up. (HostsXpert will now download and update your Hosts file)
- When finished.
- Click on File Handling button.
- Click on Make Read Only ? to secure it against infection.
- Exit the programme.
To give you an indication of which sites may contain bad links or suspect downloads, I like to use Site Advisor.
- This is a utility that can be downloaded and installed. It loads an icon to the taskbar of your browser (versions for IE and Firefox), indicating the trustworthiness of the site you are on: Green for safe, Red for suspicious. Click on the icon to access the details that SiteAdvisor has about the site. It also gives the same colour indications in the results page when you do a Google search, making it easier to decide which sites are safe to visit.
Remove known vulnerabilities
- Update your Java
Older versions have vulnerabilities that malware can and does use to infect systems.
Quote:
Please follow these steps to remove older version Java components. This is important as it's still possible to get infected through an old install even if you're using the latest version of Java.
Download JavaRa by Prm753 and unzip it to your desktop.
- Double-click on JavaRa.exe to start the program.
- Click on Remove Older Versions to remove the older versions of Java installed on your computer.
- Click Yes when prompted.
- When JavaRa is done, a notice will appear that a logfile has been produced.
- Click OK.
- The logfile will pop up.
- Please save it to a convenient location.
- Update Windows and Internet Explorer
It is essential you keep your Operating System up to date with all the latest patches. The bad guys watch for the latest exploits; as soon as Microsoft brings out a patch, the bad guys will bring out an infection to exploit that vulnerability. If you don't have all the latest patches, your computer is vulnerable. Please go to the Windows Update site and get the critical updates.
- Use a "secure" browser
Install Internet Explorer 7 or an alternative browser like Firefox or Opera for more secure surfing.
Please remember that there is no such thing as a totally secure browser. Your browsing habits will be the major factor in determining just how safe you are online. If you visit Crack/Warez sites, Porn sites, or other sites of a questionable nature, you still run a severe risk of getting infected.
- Do not use P2P file sharing programmes
I'd like you to read the Guidelines for P2P Programs, where it's explained why it's not a good idea to have them.
My recommendation is that you go to Control Panel > Add/Remove Programs and uninstall any P2P programs you have installed.
- Obviously you have already taken care of some of the issues mentioned, but it is important that you read through them, and address any that you may have missed.
Here are links to a few articles which are worth reading.
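The post above relies on the Hosts file to pin known bad names to the local machine and then marks the file read-only so malware cannot rewrite it. The example below is added here and is not part of the original post or of HostsXpert; it is a small Python audit that parses a hosts file the way the resolver does (first match wins, before DNS), separates legitimate blocklist sinks (0.0.0.0 / 127.0.0.1) from entries that redirect a name to a real remote address, which is the pattern malware uses to hijack update or banking hosts, and checks the read-only bit the post tells you to set. The hosts content, the hostnames and the 198.51.100.23 address are constructed for this example; the Windows path in the comment is the standard location, but the code never touches it.

```python
import ipaddress
import os
import stat
import tempfile

# Windows keeps the real file at %SystemRoot%\System32\drivers\etc\hosts.
# The text below is constructed for this example, not taken from a machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# MVPS-style blocklist entries: the name is pinned to the local machine,
# so the browser never reaches the real server.
0.0.0.0 ad.example.com
0.0.0.0 tracker.example.net   # inline comment
127.0.0.1 malware-dl.example.org
# Suspicious: a vendor update host pointed at a remote address (hijack pattern)
198.51.100.23   update.av-vendor.example
this is not a hosts line
"""

# Addresses a blocklist legitimately uses as a sink.
LOCAL_SINKS = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs in file order, skipping comments, blanks
    and malformed lines. Hostnames are lower-cased for case-insensitive lookup."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not an address: ignore rather than crash on junk
        for name in fields[1:]:
            entries.append((ip, name.lower()))
    return entries


def resolve_via_hosts(entries, hostname):
    """First matching hosts entry wins, as the OS resolver consults hosts
    before DNS. Returns None when DNS would be asked instead."""
    hostname = hostname.lower().rstrip(".")
    for ip, name in entries:
        if name == hostname:
            return ip
    return None


def audit_hosts(entries):
    """Split blocklist sinks from redirects to real addresses. Any non-sink
    mapping for a name other than localhost deserves a look: that is how
    malware silently steers a victim to an attacker-controlled server."""
    blocked, redirected = [], []
    for ip, name in entries:
        if name == "localhost":
            continue
        if ip in LOCAL_SINKS:
            blocked.append(name)
        else:
            redirected.append((name, ip))
    return blocked, redirected


def is_read_only(path):
    """True when the owner write bit is clear; on Windows os.chmod maps the
    file's Read Only attribute onto this same bit."""
    return not (os.stat(path).st_mode & stat.S_IWRITE)


def demo_read_only_check():
    """Write the sample to a temp file, mark it read-only as the post
    recommends, and return (before, after) read-only status."""
    fd, path = tempfile.mkstemp(suffix="-hosts")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(SAMPLE_HOSTS)
        before = is_read_only(path)
        os.chmod(path, stat.S_IREAD)
        after = is_read_only(path)
    finally:
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)  # Windows refuses to unlink read-only files
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print("ad.example.com ->", resolve_via_hosts(entries, "ad.example.com"))
    blocked, redirected = audit_hosts(entries)
    print("blocked by hosts file:", blocked)
    print("redirected to remote addresses (investigate):", redirected)
    print("read-only before/after:", demo_read_only_check())
```

Point `parse_hosts` at the contents of the real file to audit a machine; a long list of sink entries is what a freshly installed MVPS hosts file looks like, while anything in the redirected list that you did not put there yourself is a sign the file was tampered with before it was made read-only.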