
Thread: Help - trying to remove BraveSentry etc

  1. #261
    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to AFSEGTGF Windows Service ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    AFSEGTGF Windows Service

    Click on the "Back" Button. Click the 'Scan' button. Place a checkmark in the box next to the following lines:
    O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsezu.exe (file missing)
    O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)

    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
      C:\WINDOWS\system32\flash.exe
      C:\WINDOWS\system32\Help.ico
      C:\WINDOWS\system32\keylog.dll
      C:\WINDOWS\system32\kr_done1
      C:\WINDOWS\system32\LexFiles.ulf
      C:\WINDOWS\system32\pavas.ico
      C:\WINDOWS\system32\Thumbs.db
      C:\WINDOWS\system32\tmp.reg
      C:\WINDOWS\system32\tmp.txt
      C:\WINDOWS\system32\Uninstall.ico
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Your Sophos AntiRootkit log is incomplete, which leads me to believe that a RootKit is active on the system. What Anti-RootKit scanners have you run?

    Post fresh logs for HijackThis and ISeeYouXP.
    a-squared Team - www.emsisoft.com

    "Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
    Microsoft Most Valuable Professional - Consumer Security (2007-2008)
    Member - Alliance of Security Analysis Professionals - Since 2006
    Linux Registered User # 363218

  2. #262
    Join Date
    May 2007
    Posts
    194
    I just want to check before I do anything... I was trying to burn some data onto a DVD to make a backup, and I came across an error that Google led me to determine something happened to my ASPI layers and now the system can't communicate with the burner. Is it okay if I download new ASPI layers from http://aspi.radified.com/ (the site Google led me to eventually), or should I not do that now/ever?

  3. #263
    Results from the newest run of things:

    - AFSEGTGF Service was already listed as status: Stopped. I disabled the startup as required, though. Likewise, it (dsezu.exe) was not found in the HJT log, though the other one was and was checked and fixed.

    - Killbox again found all ten files. On the reboot, my computer ran Checkdisk. I don't know why, but I mention it in case it's indicative of something.

    - Besides Sophos, I've run the AVG Anti-rootkit a while back... perhaps somewhere in the first hundred posts... there may have been some others in there... Judy would probably remember/know better than I would.. I've run tons of things with only a slight idea for what some of them actually do!

    How close do you think we are?

    Coming soon: All new HJT and ISeeYouXP logs.

  4. #264
    And here they are. I notice that the one thing I did (try to) fix in HJT is still there... that is, the O23 line that wasn't the ASF.. service. ISeeYouXP took a little longer this time around, too, as did boot-up, I think, though that could just be reflective of my own gauge of time.

    This is my 150th post!
    Attached Files

  5. #265
    Originally Posted by StckFigure:
    I just want to check before I do anything... I was trying to burn some data onto a DVD to make a backup, and I came across an error that Google led me to determine something happened to my ASPI layers and now the system can't communicate with the burner. Is it okay if I download new ASPI layers from http://aspi.radified.com/ (the site Google led me to eventually), or should I not do that now/ever?
    Actually, in this case it would be best if you uninstalled your CD/DVD burning software and reinstalled.

  6. #266
    You've got some files that are being regenerated at system start.

    Copy & Paste the contents of the following registry file to your reply: C:\WINDOWS\system32\tmp.reg

  7. #267
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    What Anti-RootKit scanners have you run?
    Post #17 download...AVG AntiRootkit...Results...no log generated, no rootkits to remove
    Post #58 download...F-Secure Blacklight...Results no log generated, no hidden items found

  8. #268
    Reinstalling the CD/DVD software (DiscJuggler) will also install the ASPI layers, you mean?

    I see an scvhost at least!

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SoundMan"="SOUNDMAN.EXE"
    "MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
    "MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
    "CTSysVol"="C:\\Creative\\SB Live! 24-bit\\Surround Mixer\\CTSysVol.exe /r"
    "UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
    "P17Helper"="Rundll32 P17.dll,P17Helper"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "WinFast Schedule"="C:\\WinFast\\WFTVFM\\WFWIZ.exe"
    "Windows Update"="C:\\WINDOWS\\scvhost.exe"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    @=""
    "ATIMACE"="MACE.exe"
    "runner1"="C:\\WINDOWS\\retadpu27.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A"
    "qwertybot.exe"="C:\\WINDOWS\\system32\\qwertybot.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

  9. #269
    "Windows Update"="C:\\WINDOWS\\scvhost.exe"
    These three all showed in 1st HJT scan post #1
    O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [Windows Update] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [Windows Update] C:\WINDOWS\scvhost.exe

    "qwertybot.exe"="C:\\WINDOWS\\system32\\qwertybot.exe"
    Backdoor.Win32.Agent.alf TROJAN.
    This one showed up in second HJT scan back in post #11
    O4 - HKLM\..\Run: [qwertybot.exe] C:\WINDOWS\system32\qwertybot.exe
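The two posts above do by eye what can be scripted: read the exported Run key and pick out the entries that do not belong. The block below is an added example, not code from the thread or from any of the tools it names. It parses a .reg export, collects the entries under the Run, RunOnce and RunServices keys, and flags two patterns visible in the posted data: an image whose file name is one edit (including an adjacent-letter swap) away from a core Windows process name, which catches scvhost.exe against svchost.exe, and a long hexadecimal token passed as a program argument, which catches the retadpu27.exe entry. The list of system process names, the 32-hex-digit threshold and the sample export (a trimmed copy of the #268 post with the forum's line-wrap spaces removed) are my own choices, not anything the thread states. qwertybot.exe is not caught by either heuristic, which is exactly why the helpers here leaned on recognising known file names as well.

```python
import re

# Constructed sample: a trimmed copy of the Run key export posted in #268,
# with the forum's inserted line-wrap spaces removed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Windows Update"="C:\\WINDOWS\\scvhost.exe"
@=""
"runner1"="C:\\WINDOWS\\retadpu27.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A"
"qwertybot.exe"="C:\\WINDOWS\\system32\\qwertybot.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
'''

# Core Windows process names that malware often imitates (illustrative list, an assumption).
SYSTEM_NAMES = ('svchost', 'lsass', 'csrss', 'winlogon', 'explorer', 'services', 'smss', 'spoolsv')
EXE_EXT = ('.exe', '.com', '.scr', '.bat', '.cmd', '.pif')
HEX_BLOB = re.compile(r'\b[0-9A-Fa-f]{32,}\b')   # heuristic: embedded campaign/affiliate id


def _unescape(s):
    # A .reg string escapes backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: string_value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m is None or current is None:
            continue            # skip hex(...)/dword values and stray lines
        name = '' if m.group(1) == '@' else _unescape(m.group(2))
        value = m.group(3)
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = _unescape(value[1:-1])
        keys[current][name] = value
    return keys


def run_entries(keys):
    """Return (key, value_name, command_line) for every autostart Run-type key."""
    out = []
    for key, values in keys.items():
        if key.rsplit('\\', 1)[-1].lower() in ('run', 'runonce', 'runservices'):
            out.extend((key, n, c) for n, c in values.items() if c)
    return out


def executable_of(cmdline):
    """Image path from a command line: honour quotes, else stop at the first .exe-like token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    tokens = cmdline.split(' ')
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXE_EXT):
            return ' '.join(tokens[:i + 1])
    return tokens[0]


def osa_distance(a, b):
    """Restricted Damerau-Levenshtein distance: single edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(exe_path):
    """Name of the system binary this image is one edit away from, or None."""
    stem = exe_path.replace('/', '\\').rsplit('\\', 1)[-1].lower().rsplit('.', 1)[0]
    for sysname in SYSTEM_NAMES:
        if stem != sysname and osa_distance(stem, sysname) == 1:
            return sysname
    return None


def triage(text):
    """Flag Run entries whose image mimics a system process or carries a long hex argument."""
    findings = []
    for _key, name, cmd in run_entries(parse_reg(text)):
        exe, reasons = executable_of(cmd), []
        sysname = lookalike(exe)
        if sysname:
            reasons.append(f'image name is one edit away from {sysname}.exe')
        if HEX_BLOB.search(cmd):
            reasons.append('long hexadecimal token passed as an argument')
        if reasons:
            findings.append({'value': name, 'exe': exe, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_REG):
        print(f"[{f['value']}] {f['exe']}: {'; '.join(f['reasons'])}")
```

Run on the sample it reports the "Windows Update" and "runner1" entries and nothing else. The same parser can be pointed at the full tmp.reg export or at any `reg export` output; the heuristics are a starting point for a reviewer, not a verdict, and a clean pass says only that these two patterns are absent.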

  10. #270
    Amazing that we've made SO much progress over something like ten days now, and some of the original baddies are still sticking strong.

    stupid malware.
