
Thread: Help - trying to remove BraveSentry etc

  1. #111 (Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079)
    Download regsrch.zip to your Desktop.
    1. Unzip the contents of RegSrch.zip to a convenient location.
    2. Double-click on RegSrch.vbs.
    3. If you have an anti-virus installed it might prompt you about a running script.
    4. Please ignore this warning and allow the script to run.
    5. In the "Enter search string (case insensitive) and click OK..." box, paste each string:
    ASPI113210
    CMDSERVICE
    CORE
    DRIVER
    NETWORK_MONITOR
    NEW_DRV
    WINCOM32
    Network Monitor
    new_drv
    RpcApi
    windbg48


    6. Click "OK" to search the registry for that string.
    7. Wait for a few minutes while it completes the search.
    8. Click "OK" to open the results in WordPad.
    9. Copy and paste the entire results into your next post.

    Do the above. I will get back with you shortly on those msconfig items. What PP means is that those items were disabled using msconfig, but they are still on the machine.
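    The RegSrch.vbs step above, done in PowerShell. This is an added example, not the RegSrch tool itself and not code from anyone in the thread: it walks the chosen hive, matches each search string case-insensitively against key names, value names and string data, prints a per-string tally in the same "No instances of X found" shape, and writes a report. Non-printable characters in hits are rendered as \uXXXX so a name padded with control bytes shows up instead of hiding. Assumptions: Windows PowerShell 5.1 or later, run as Administrator; the default root is HKLM:\SYSTEM (RegSrch searches the whole registry, so set $Roots to 'HKLM:\','HKCU:\' for a full sweep); the report path on the Desktop and the function names are mine.

```powershell
# Added example: RegSrch-style registry string search in PowerShell.
# Not the RegSrch.vbs tool. Run elevated; save as Search-Registry.ps1.
param(
    [string[]]$Patterns = @('ASPI113210','CMDSERVICE','NETWORK_MONITOR','NEW_DRV',
                            'WINCOM32','Network Monitor','RpcApi','windbg48'),
    [string[]]$Roots    = @('HKLM:\SYSTEM'),     # assumption: narrow default; widen for a full sweep
    [string]  $OutFile  = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'RegSearch-results.txt')
)

# Render control and non-ASCII characters as \uXXXX so hidden names are visible in the report.
function ConvertTo-VisibleText([string]$s) {
    [regex]::Replace($s, '[^\x20-\x7E]', { param($m) '\u{0:X4}' -f [int][char]$m.Value })
}

function Search-RegistryString {
    param([string[]]$Patterns, [string[]]$Roots)
    # One alternation of the literal (escaped) strings, case-insensitive like RegSrch.
    $escaped = $Patterns | ForEach-Object { [regex]::Escape($_) }
    $rx = [regex]::new(($escaped -join '|'), 'IgnoreCase')
    foreach ($root in $Roots) {
        $keys = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            # $key.Name is the HKEY_LOCAL_MACHINE\... form, $key.PSChildName the leaf name.
            if ($rx.IsMatch($key.PSChildName)) {
                [pscustomobject]@{ Key = $key.Name; ValueName = $null; Data = $null; MatchedOn = 'key name' }
            }
            foreach ($vn in $key.GetValueNames()) {
                $data = $key.GetValue($vn, $null, 'DoNotExpandEnvironmentNames')
                $text = if ($data -is [string[]]) { $data -join ' ' } elseif ($data -is [string]) { $data } else { $null }
                if ($rx.IsMatch($vn)) {
                    [pscustomobject]@{ Key = $key.Name; ValueName = $vn; Data = $text; MatchedOn = 'value name' }
                } elseif ($text -and $rx.IsMatch($text)) {
                    [pscustomobject]@{ Key = $key.Name; ValueName = $vn; Data = $text; MatchedOn = 'value data' }
                }
            }
        }
    }
}

function Write-RegSearchReport {
    param([object[]]$Hits, [string[]]$Patterns, [string]$Path)
    # Report only: paths are made printable, so this is not a .reg file to merge back.
    $lines = @("; Registry search results for: $($Patterns -join ', ')  $(Get-Date)", '')
    foreach ($h in $Hits) {
        $lines += "[$(ConvertTo-VisibleText $h.Key)]"
        if ($null -ne $h.ValueName) {
            $name = if ($h.ValueName -eq '') { '@' } else { '"' + (ConvertTo-VisibleText $h.ValueName) + '"' }
            $lines += "$name=`"$(ConvertTo-VisibleText ([string]$h.Data))`"   ; matched on $($h.MatchedOn)"
        }
        $lines += ''
    }
    Set-Content -LiteralPath $Path -Value $lines -Encoding UTF8
    $Path
}

$hits = @(Search-RegistryString -Patterns $Patterns -Roots $Roots)
foreach ($p in $Patterns) {
    $e = [regex]::Escape($p)    # -match is case-insensitive by default
    $n = @($hits | Where-Object { $_.Key -match $e -or $_.ValueName -match $e -or $_.Data -match $e }).Count
    if ($n -eq 0) { "- No instances of $p found" } else { "- $n instance(s) of $p found" }
}
"Report written to $(Write-RegSearchReport -Hits $hits -Patterns $Patterns -Path $OutFile)"
```

    Generic words such as CORE and DRIVER will match thousands of legitimate entries, as the next post shows; the tally line tells you which strings are worth opening the report for.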

  2. #112 (Join Date: May 2007, Posts: 194)
    - No instances of ASPI113210 found
    - No instances of CMDService found
    - 2086 instances of Core found (see next post)
    - 6930 instances of Driver found (see next post)
    - No instances of NETWORK_MONITOR found
    - No instances of NEW_DRV found
    - No instances of WINCOM32 found
    - No instances of Network Monitor found
    - No instances of new_drv found
    - No instances of RpcApi found
    - 18 instances of windbg48 found

    I'm assuming this is a good sign, since Core and Driver are so common, unless you expected it to find one of these and it's hidden. As before, if we can later do something to hide the posts with the results if there's any identifying info in them, since I'm not sure what's available from registry keys, that'd be fantastic.

  3. #113 (Join Date: May 2007, Posts: 194)
    Because CORE and DRIVER are so big, it'd be great if I could email them to you (the latter is nearly a megabyte - and it's a text file!) So I can't paste them here very easily, and they're too big to attach. I'll do it, of course, if you would rather, but I'm hoping it'll be a LOT easier to parse if I don't.

    Here's the windbg48 one though.

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "windbg48" 5/15/2007 12:20:32 AM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000]
    "Service"="ÿÿÿÿÀÿwindbg48"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000]
    "DeviceDesc"="ÿÿÿÿÀÿwindbg48"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000\LogConf]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\****+*windbg48]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000]
    "Service"="ÿÿÿÿÀÿwindbg48"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000]
    "DeviceDesc"="ÿÿÿÿÀÿwindbg48"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000\LogConf]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\****+*windbg48]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000]
    "Service"="ÿÿÿÿÀÿwindbg48"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000]
    "DeviceDesc"="ÿÿÿÿÀÿwindbg48"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000\LogConf]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\****+*windbg48]

  4. #114 (Join Date: Aug 2006, Posts: 578)

    Quote Originally Posted by StckFigure:
    I'm assuming this is a good sign, since Core and Driver are so common, unless you expected it to find one of these and it's hidden. As before, if we can later do something to hide the posts with the results if there's any identifying info in them, since I'm not sure what's available from registry keys, that'd be fantastic.
    I'm leaning with you in this instance - Not finding all those others is good. I have seen instances where they have been a real b!tch to remove. ('course this was a few months ago - looks like Combofix has been updated to nail a lot of those... )
    sUBs and OldTimer and all the rest in the anti-malware community who put their time and effort into the creation of these free tools are to be commended!
    I wrote a similar one to remove a few of the threats you had on your compy, but combofix puts my efforts to shame!

    But I digress....

    I figured Core and Driver would produce a lot of entries to be sifted through, but based on the results for the others, I'd wager that combofix removed them all. So probably no worries there.

    -- As you may have surmised, I am not up to date on the latest baddies. With the weather improving plus other responsibilities, I have had to put fighting malware on the back burner for a bit.
    -- WINDBG48 looks like some sort of rootkit driver.... Definitely reeks of malware to me.

    If you know how to backup those keys with regedit, I suggest you do that and then Delete them (or try to).
    Otherwise, I can put together a "one click" registry merge to do it for you when I get home later tonight.

    Judy can probably help as well.

    After this batch, I suggest running Combofix again and post a new log and then we'll attack whatever remains.

    Cheers
    PP
    Last edited by PhilliePhan; 05-15-2007 at 04:03 PM.

  5. #115 (Join Date: May 2007, Posts: 194)
    Update, I just went back to the computer for the first time today and realized it was hung on the same thing as the other day.. that is, the windows update thing. This time it's on "4 of 6", presumably after I tried shutting down last night it went into this. Again, it looks completely like actual Windows, and may well be, but I am completely disconnected from the Internet, so it's only actual Windows if it was held in reservoir or something.

  6. #116 (Join Date: May 2007, Posts: 194)
    I sort of know how to backup things with regedit, but because it's only "sort of", it would probably be best if you could walk me through it so that I don't wreak havoc with my registry. What I would do is something to the extent of opening regedit, saving it all as "regbackup" or something, deleting those keys, and then seeing what happened. That's probably not the best approach, though. I'll run Combofix afterwards. Thanks!

    Weather getting nicer? We're on tornado alert here today!

  7. #117 (Join Date: Aug 2006, Posts: 578)

    Quote Originally Posted by StckFigure:
    Weather getting nicer? We're on tornado alert here today!
    Well . . . That's a side effect of warming up. Fortunately I live on rather high and rolling land - not really ideal for tornadoes, but we still get our share of warnings.

    -- Actually, you can just save the scan of those keys you made with Bill James' RegSearch and that would be fine for a backup. Heck, even your post would suffice....

    Using regedit, you just select "export" to export anywhere from a single key to the entire registry to notepad.

    -- Or, you could copy the below in the quotebox to NOTEPAD and save it to your desktop as Fixme.reg
    Then DoubleClick on it and allow it to merge into the registry.

    There are some blank spaces in the keys that may be troublesome - you might indeed have to remove them manually...


    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\****+*windbg48]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\****+*windbg48]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\****+*windbg48]

    I've gotta run - Will try to check back tonight.

    Definitely do the combofix again and post the fresh log.

    Cheers
    PP
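    What the windbg48 entries above and PP's Fixme.reg are about, as an added example that is not part of the thread: the service name is "windbg48" prefixed with six non-printable bytes (the ÿÿÿÿÀÿ shown in the Service and DeviceDesc values), which is why it looks odd in RegSrch output and is easy to miss in regedit. This script, mine rather than anything posted by PP or StckFigure, checks every control set for Services and Enum\Root\LEGACY_ keys whose names contain such characters, backs each one up with reg.exe export (the regedit "export" PP describes), and writes a .reg file that deletes them with the same [-KEY] syntax as Fixme.reg. Nothing is removed until you review and merge the generated file. Assumptions: Windows PowerShell 5.1 or later run elevated; output paths on the Desktop are mine; the LEGACY_ names are matched both as raw non-ASCII characters and in the *00FF escaped form RegSrch printed, because the page does not say which form is actually on disk.

```powershell
# Added example, not from the thread: find service keys hidden behind
# non-printable characters, back them up, and generate a [-KEY] removal file.
$Desktop   = [Environment]::GetFolderPath('Desktop')
$BackupDir = Join-Path $Desktop 'hidden-service-backup'   # assumption: my choice of location
$FixFile   = Join-Path $Desktop 'Fixme-hidden.reg'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

function ConvertTo-VisibleText([string]$s) {
    # Show control and non-ASCII characters as \uXXXX so the hidden name can be read.
    [regex]::Replace($s, '[^\x20-\x7E]', { param($m) '\u{0:X4}' -f [int][char]$m.Value })
}

function Get-HiddenServiceKey {
    # Check every ControlSet00N as well as CurrentControlSet, as Fixme.reg does,
    # so a spare control set does not hand the entry back to a Last Known Good boot.
    $controlSets = Get-ChildItem -LiteralPath 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
                   Where-Object { $_.PSChildName -match '^(ControlSet\d{3}|CurrentControlSet)$' }
    foreach ($cs in $controlSets) {
        foreach ($sub in 'Services', 'Enum\Root') {
            Get-ChildItem -LiteralPath (Join-Path $cs.PSPath $sub) -ErrorAction SilentlyContinue |
                # raw control/non-ASCII bytes, or the *00FF style escape seen in the RegSrch output
                Where-Object { $_.PSChildName -match '[^\x20-\x7E]|\*[0-9A-Fa-f]{4}' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Path      = $_.Name                               # HKEY_LOCAL_MACHINE\SYSTEM\...
                        Visible   = ConvertTo-VisibleText $_.PSChildName  # e.g. \u00FF\u00FF...windbg48
                        ImagePath = $_.GetValue('ImagePath')              # the driver/service binary, if set
                    }
                }
        }
    }
}

function Export-AndWriteFix {
    param([object[]]$Keys, [string]$BackupDir, [string]$FixFile)
    # Version 5.00 .reg files are UTF-16, so the raw characters in the key names
    # survive; REGEDIT4 is ANSI and can mangle them.
    $fix = @('Windows Registry Editor Version 5.00', '')
    $i = 0
    foreach ($k in $Keys) {
        $i++
        $bak = Join-Path $BackupDir ("hidden-key-$i.reg")
        if (Test-Path -LiteralPath $bak) { Remove-Item -LiteralPath $bak }
        # reg.exe wants the HKLM\ form of the path. If it chokes on the odd characters,
        # fall back to regedit: select the parent key, File > Export.
        & reg.exe export ($k.Path -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM\') $bak | Out-Null
        $fix += "[-$($k.Path)]", ''
    }
    Set-Content -LiteralPath $FixFile -Value $fix -Encoding Unicode
}

$found = @(Get-HiddenServiceKey)
$found | Format-Table Visible, ImagePath, Path -AutoSize
if ($found) {
    Export-AndWriteFix -Keys $found -BackupDir $BackupDir -FixFile $FixFile
    "Backups in $BackupDir; review $FixFile, then double-click it to merge."
}
```

    Two things to expect when merging: the driver named in ImagePath stays loaded until the next reboot even after its Services key is gone, and regedit may refuse to delete the Enum\Root\LEGACY_ keys because their permissions do not give Administrators delete rights. In that case take ownership and grant Full Control on the key (right-click > Permissions in regedit) and merge again.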

  8. #118 (Join Date: Aug 2006, Posts: 578)

    Quote Originally Posted by StckFigure:
    Update, I just went back to the computer for the first time today and realized it was hung on the same thing as the other day.. that is, the windows update thing. This time it's on "4 of 6", presumably after I tried shutting down last night it went into this. Again, it looks completely like actual Windows, and may well be, but I am completely disconnected from the Internet, so it's only actual Windows if it was held in reservoir or something.
    I'm not sure about this - Will have to read back more of the thread

    As long as you stay disconnected from the internet and do not allow machine to download anything else, then we'll deal with that later.

    Are you running a good firewall?


    Gotta run - try to be back in the PM.

    PP

  9. #119 (Join Date: May 2007, Posts: 194)
    update to the update update: Whatever Windows was downloading became un-hung, and it finished the 6 "updates" and finished shutting down.

  10. #120 (Join Date: May 2007, Posts: 194)
    For a firewall, I'm just running Windows', which I know stinks. Should I get a software or a hardware firewall?
