Brastk (Brastk.exe) Remover

Information A malicious backdoor trojan that runs in the background and allows remote access to the compromised system.

File

• <System>\brastk.exe
• <System>\delself.bat
• <System>\dllcache\beep.sys
• <System>\dllcache\figaro.sys

Registry

• Created Registry Values:

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
  • 1208 = 0x00000000
  • 2500 = 0x00000003
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
  • 1208 = 0x00000000
  • 2500 = 0x00000003
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
  • 1208 = 0x00000000
  • 2500 = 0x00000003
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
  • 1208 = 0x00000000
  • 2500 = 0x00000003
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
  • 1208 = 0x00000000
  • 2500 = 0x00000003
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • brastk = "%System%\brastk.exe"
• [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
  • Enable Browser Extensions = "yes"
  • Search Bar = "http://www.google.com/ie"
• [HKEY_CURRENT_USER\Software\Microsoft\Security Center]
  • AntiVirusDisableNotify = 0x00000001
  • FirewallDisableNotify = 0x00000001
  • UpdatesDisableNotify = 0x00000001
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  • brastk = "%System%\brastk.exe"

• Registry Values modified:

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
  • Default_Search_URL = "http://www.google.com/ie"
  • Search Page = "http://www.google.com"
  • Start Page = "http://www.google.com"
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
  • SearchAssistant = "http://www.google.com"
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
  • 1201 = 0x00000000
  • 1804 = 0x00000001
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
  • 1201 = 0x00000000
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
  • 1201 = 0x00000000
  • 1804 = 0x00000001
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
  • 1201 = 0x00000000
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
  • 1200 = 0x00000000
  • 1201 = 0x00000000
  • 1608 = 0x00000000
  • 1804 = 0x00000001
• [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
  • Start Page = "http://www.google.com"
  • Search Page = "http://www.google.com"

ATTENTION Once the virus installed on your computer, it will connect to http://do-scan-progress.com/?wmid=1058&l=33&it=2&s=1 and tries to download a file named wini10581.exe , puts it in the Windows directory and installs an application called XP AntiSpyware 2008 (or 2009) or XP AntiVirus 2008 or 2009.