Infected, Figaro.sys, Brastk.exe and other details and questions.

Hello boys and girls, hope I come close to doing this right.
I have a lot to say and ask.
Windows XP Home SP2.
Scenario.
Clicked on an image while doing a search; I thought I recognized the site and would
be safe. NOT.
Avast! popped up saying the alert was "HIGH" and it was a "Figaro.sys" file
(I read one post here on this), saying:
Sign of "Win32:Agent-QNI[trj]" has been found in "C:\WINDOWS\system\dllcache\figaro.sys" file.
I accidentally told avast to delete it (I was going to move it to the Chest,
but the click time lagged on my computer or something).
Right after I did that, my system rebooted.
As it booted and got to the desktop (I have MSCONFIG set to show every time)
I noticed in MSCONFIG 2 new entries, both named the same:
"brastk", "C:\WINDOWS\system32\brastk.exe".
I unchecked them both, hit OK etc., and then Windows Defender popped up:
"TrojanDownloader:Win32/Renos", alert level HIGH. I told it to remove it.
Then I think it started a scan automatically and found
the same Trojan as above, but this time, since Defender was scanning, I was
able to see the file and directory it was referring to, which was the above,
"C:\WINDOWS\system32\brastk.exe".
I told it to remove it.
Then I had to do some manual scanning. I did 2 or 3 quick scans, each time
finding something a little different.
Then it found a
"TrojanDownloader:Win32/FakeRean.gen!C", alert level HIGH,
referring to the file and directory
"C:\WINDOWS\system32\wini101982.exe".
I told it to remove it.
Then it found my home page had been changed,
from google to google, BUT I never ever had google as my home page,
so I told it not to allow it. I opened up Internet Options and deleted the info
for the home page, closed, and did another quick scan and it found it again.
So I did it again; then it was okay, and I set it back to the page I use.
I have not used this computer or shut it down yet.
I did a FULL scan with the heuristics, search archives and all that with Defender;
it appears okay.
Then I did a FULL thorough scan (scan archives, heuristics etc.) with Avast,
which took about 12 hours for 30 GB of files on a 60 GB hard drive.

AND I think I want this to be another post, because it found some files
I downloaded, and I think they are FPs, plus I have a question about
avast's scanning of downloads, and manually scanning local drives.
So anyway, AVAST! only found these 4 files that I had in my Documents,
that I think are FPs, other than the original FIGARO.SYS it found.
I did quarantine the 4 files I think are FPs for the moment, until I do other
scans and research etc.
So I searched using the basic Start menu search function,
which I have set to search all files and folders, hidden and system etc. etc.,
for the 3 files I have noted:
Figaro.sys (not found in system)
brastk.exe (not found in system)
wini101982.exe (not found in system)

I opened back up MSCONFIG and I still see 1 entry of
"brastk", "C:\WINDOWS\system32\brastk.exe".
There were 2. I want to remove this from MSCONFIG. HOW?

I also did a search of the registry for "brastk",
and the first one it found is located in
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache,
and it is the C:\WINDOWS\system32\brastk.exe,
and I think I want to delete this entry, yes?
SO FAR this is where I am.
Any help would be GREATLY appreciated.

I was thinking about doing a System Restore (I have never done this),
but I want to know if it will delete any files I have downloaded or made since the last
creation of a restore point,
or only programs installed since then?
I don't have any programs I have installed since then, so...
I don't even know if this is a necessary step.

Oh, as a side note (maybe):
When I was searching for the files I also went to the system32 folder manually
and looked; didn't find anything, BUT I noticed something I have not noticed
before, which is a bunch of 64.5 KB .NLS files, apparently all created at the same time about a year ago, that start with the letters
"c_" and some number. So I say these are nothing, just funny I didn't notice
those before; I try to pay attention :) But I am broke quite often :)
7 children :D
Okay, sorry, back to: so what do I do next?
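The MSCONFIG and MUICache questions in the post above come down to a handful of registry locations, and the following is an added example (not code from the thread or from any of the participants) that reports every one of them still referencing a given name. What it encodes: msconfig's Startup tab is built from the Run/RunOnce keys under HKCU and HKLM, and when an item is unchecked on XP it is moved to HKLM\Software\Microsoft\Shared Tools\MSConfig\startupreg, which is why the entry stays listed until that subkey is removed; MUICache is only a record of programs that have been run (a trace, not an autostart, so deleting it stops nothing); and because a .sys file like figaro.sys would be loaded as a driver through a service entry, the script also checks ImagePath under CurrentControlSet\Services, which is an added check not mentioned in the thread. Assumptions: Windows PowerShell is installed (a stock XP SP2 does not ship it), the script runs as an administrator so HKLM is readable, and the default pattern "brastk" is taken from the post.

```powershell
# Added example (not from the thread): list every autostart or cache location
# that still references a file name such as "brastk" after the file itself
# has been removed, so the leftover entries can be cleaned up deliberately.
# Assumptions: Windows PowerShell is installed (it is not on a stock XP SP2),
# and the script runs as an administrator so HKLM is readable.
param(
    [string]$Pattern = 'brastk'   # name from the thread; any regex works
)

# Keys msconfig's Startup tab reads, plus the key where msconfig parks items
# you UNCHECK (they stay listed in msconfig until this subkey is deleted).
$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Shared Tools\MSConfig\startupreg',
    'HKLM:\Software\Microsoft\Shared Tools\MSConfig\startupfolder'
)
# MUICache only records programs that have run; it is a trace, not an autostart.
$muiCache = 'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache'
# Drivers such as a .sys file load through a service entry, so check ImagePath too
# (an added check; the thread itself does not mention it).
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function New-Hit($Kind, $Location, $Name, $Value) {
    New-Object PSObject -Property @{ Kind = $Kind; Location = $Location; Name = $Name; Value = $Value }
}

function Get-RegistryValues($Key) {
    # Name/value pairs of a key, skipping PowerShell's own PS* note properties
    # (PSPath, PSChildName, ...). Value names that start with "PS" are skipped too.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }
    }
}

function Find-Leftovers([string]$Regex) {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        # Values directly under Run/RunOnce: name = item, value = command line.
        foreach ($v in Get-RegistryValues $key) {
            if ("$($v.Name) $($v.Value)" -match $Regex) { New-Hit 'autostart' $key $v.Name $v.Value }
        }
        # msconfig\startupreg keeps one subkey per disabled item with a 'command' value.
        foreach ($sub in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
            $cmd = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).command
            if ("$($sub.PSChildName) $cmd" -match $Regex) { New-Hit 'msconfig-disabled' $sub.PSPath $sub.PSChildName $cmd }
        }
    }
    # MUICache: value name is the full path of a program that has been run.
    foreach ($v in Get-RegistryValues $muiCache) {
        if ($v.Name -match $Regex) { New-Hit 'muicache' $muiCache $v.Name $v.Value }
    }
    # Services/drivers: the binary is named in ImagePath.
    foreach ($svc in Get-ChildItem -Path $services -ErrorAction SilentlyContinue) {
        $img = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ("$($svc.PSChildName) $img" -match $Regex) { New-Hit 'service' $svc.PSPath $svc.PSChildName $img }
    }
}

$hits = @(Find-Leftovers $Pattern)
if ($hits.Count -eq 0) { "No registry references to '$Pattern' found." }
else { $hits | Format-Table Kind, Name, Value, Location -AutoSize -Wrap }

# Removal is deliberate and manual, after reviewing the table above, e.g.:
#   Remove-ItemProperty -Path <Location> -Name <Name>   # a Run or MUICache value
#   Remove-Item -Path <Location>                        # an msconfig\startupreg subkey
```

Run it as `.\Find-Leftovers.ps1 -Pattern brastk` (or `figaro`) and read the Kind column: an "autostart" or "service" hit means something still tries to load the binary at boot and should be removed first; an "msconfig-disabled" hit is the stale Startup-tab line the post asks about; a "muicache" hit is housekeeping only. The script only reports; the removal commands are left as comments so nothing is deleted before the entries have been looked at.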

Try the usual free adware/spyware scanners.

Ad-Aware Free
Spybot Search & Destroy
SUPERAntiSpyware Free
a-Squared Free
Malwarebytes’ Anti-Malware

Download, install and update the programs. Disconnect from the internet (pull the plug) before running scans.

Always select the option to quarantine any malware found rather than delete it, then you will be able to restore files or registry entries wrongly identified as malware- a rare but not unknown event for any malware scanner.

You can upload any suspected FP’s to VirusTotal for analysis. You’ll need to export them from the Chest and temporarily disable avast! while you upload them.

When you have finished, scan for out-of-date and insecure software using Secunia Online Software Inspector (OSI) and update any vulnerable software: this will help to prevent future infections.

I would use VirusTotal and Jotti, but the files are too big.
One I think is a definite FP is my PortableApp The GIMP, but
it sees versions 2.4.4 and 2.4.5 as Win32:Fabot[trj],
but does not care about 2.4.7, 2.6.1, 2.6.2, or 2.2.17.
They are about 17 MB or more.

You could upload the file to avast! via FTP for analysis. See here:

http://forum.avast.com/index.php?topic=39100.msg327873#msg327873

I googled both these filenames and found out what they are.

Figaro.sys is a rootkit according to Prevx.

brastk.exe is AntivirusXP2009.

Hey my friend, so what about those? What are your thoughts?
Do WE think that by Avast catching the rootkit, and by me telling it to delete,
I caught it before it did anything?
Install AVG Rootkit?
Other? I don't really know what it is, but I DO know a rootkit isn't anything to mess around with.

And with an older, slow computer, which of the SPYWARE
programs mentioned above are the most recommended?
Besides Spybot S&D, I use that.
Ad-Aware I used to use, but we know where that has gone, and its issues.
I use CNET a lot and do A LOT of reading before I use ANY program,
and I don't use many.

Well, to start with, did you try the programs suggested by FreewheelinFrank?

SuperAntiSpyware seems to be doing a good job at the moment on Antivirus2009; you should run the program from safe mode to be more effective.

Well, hi there DavidR.
Well, I am trying to stay away from installing several different programs;
I know I should at least have 2.
I read a lot about SuperAntiSpyware and a-squared over at CNET downloads,
but it doesn't seem like I want those.
I normally scan with online scanners like
Trend Micro HouseCall,
Windows Safety Scanner,
BitDefender,
maybe Panda or Kaspersky once in a while,
plus Windows Defender and Spybot S&D 1.6.

Well, I too believe in not installing tons of programs; you can get too much of a good thing and you spend your life keeping them up to date. So I tend to stick with the current best of breed, so to speak, and IMHO that is SAS and MBAM.

I have the paid version of SAS, which provides resident anti-spyware protection, though there are free anti-spyware programs that provide resident protection (as far as detection and removal go, they aren't as good as either of the above): they are a-squared (you mentioned) and Spyware Terminator (don't install any toolbar or AV element). Of those two I would suggest that Spyware Terminator is the better.

Let's not lose sight of the fact that we are suggesting programs to rid you of your problem, not permanent ones; once you have cleaned up, then make your selection as to what to keep.

What is the right way to send a 3 MB file in for evaluation as being an FP?

Here’s a question.
You have heard of AV-Comparatives?

http://www.av-comparatives.org/seiten/ergebnisse_2008_08.php

http://www.av-comparatives.org/

http://www.av-comparatives.org/index.html?http://www.av-comparatives.org/seiten/comparatives.html

Is there a Spyware or Adware Comparatives anyone is aware of?

Other than reading reviews at CNET, or whatever.

The same way as a normal file upload to VirusTotal for confirmation (upload limit is 10 MB); if confirmed an FP, send it to avast. You may need to increase the following: (right click the avast icon) Program Settings, Chest, Maximum file size to send, etc. Ensure that the size is large enough to cater for the file.

You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here, i.e. the URL in the address bar of the VT results page. You can't do this with the file securely in the Chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the Chest to this folder and upload it to VirusTotal without avast alerting.
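The C:\Suspect workflow above, continued as an added example that is not part of the thread or of avast!'s own tooling: once the files have been exported from the Chest into that folder, this script hashes each of them so a file can be looked up on VirusTotal by hash before deciding whether it needs uploading at all (a known sample returns results without any upload, which sidesteps the size limit discussed earlier), and so the hash of a flagged build such as GIMP 2.4.4 can be compared against a freshly downloaded copy from the vendor. Assumptions: Windows PowerShell is installed; the folder name C:\Suspect comes from the post; the .NET hash classes are used instead of Get-FileHash so the script also runs on older PowerShell versions.

```powershell
# Added example (not from the thread): hash every file exported from the
# avast! Chest into C:\Suspect so it can be searched on VirusTotal by hash
# before uploading, and compared against a clean vendor copy.
# Assumptions: Windows PowerShell is installed; folder name taken from the post.
param([string]$Folder = 'C:\Suspect')

function Get-SuspectHashes([string]$Path) {
    # .NET hash objects are used rather than Get-FileHash (PowerShell 4+) so
    # this runs on older installations; both objects are reusable per file.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $md5    = [System.Security.Cryptography.MD5]::Create()

    # -Force includes hidden files; skip subfolders.
    foreach ($file in Get-ChildItem -Path $Path -Force | Where-Object { -not $_.PSIsContainer }) {
        # Stream the file so a 17 MB+ installer is not read into memory twice.
        $stream = [System.IO.File]::OpenRead($file.FullName)
        try {
            $s = [BitConverter]::ToString($sha256.ComputeHash($stream)).Replace('-', '').ToLower()
            $stream.Position = 0            # rewind for the second digest
            $m = [BitConverter]::ToString($md5.ComputeHash($stream)).Replace('-', '').ToLower()
        } finally {
            $stream.Close()
        }
        New-Object PSObject -Property @{
            File   = $file.Name
            SizeMB = [math]::Round($file.Length / 1MB, 1)
            SHA256 = $s
            MD5    = $m
        }
    }
}

if (-not (Test-Path $Folder)) {
    "Folder '$Folder' does not exist; export the files from the Chest first."
} else {
    Get-SuspectHashes $Folder | Format-List File, SizeMB, SHA256, MD5
}
```

Paste the SHA256 (or MD5) into VirusTotal's search box: if the file has been seen before you get the existing verdicts with no upload, and only a file nobody has submitted yet needs the upload or the FTP route. For the GIMP false-positive claim, download the same version again from the vendor, hash it the same way and compare: identical hashes mean the flagged copy is byte-for-byte the vendor's release, which is the strongest evidence to send along with an FP report; a differing hash means the local copy has been altered and should be treated as suspect rather than as an FP.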