I wrote this up a few months ago when my machine was infected with BraveSentry. Since then I’ve been able to get my machine back to normal without having to reinstall Windows, but it did require me to reinstall SP2 to get my network settings completely back to normal and restore NAT. I intended to document everything needed to restore my machine, but unfortunately I didn’t write everything down, so I present this incomplete post as-is in case it is useful to someone.
Last night while I was out of the house, my server machine was infected with BraveSentry and a host of trojans. I returned home and noticed my internet was down, so I checked the server. It was sending out 100s of spam emails, saturating the connection to the point nothing else could be used.
Since the machine was practically unusable, I rebooted. On loading, my background had gone black and a malware warning appeared in the lower right. A program I had never heard of, let alone installed, BraveSentry, was scanning my computer, telling me I had tons of viruses and I needed to buy the product to get rid of them. Yeah right.
Immediately I open the taskbar to kill BraveSentry and check to see if any other programs are running. The Task Manager has been disabled by your administrator. WTF. I go online to try to look up help on how to clean my computer, and as soon as I log on my computer becomes a zombie spammer again. Reboot.
I was eventually able to clean out my system by checking all of the various places used to start programs on loading, such as HKCU\System\Software\Microsoft\Windows\CurrentVersion\Run and all similar paths. There was also malware in my system.ini file.
One piece of malware actually seemed to add itself back the instant I removed it. For that one I ended up removing it and then quickly turning off the computer. Probably not the best idea in the world, but it worked.
Once I deleted all the malware, somehow my internet connection was also removed. I set up a new connection and went online. My first stop was one of those online virus scan sites. But every time I tried to go to one, I was redirected to my local server’s 404 page, meaning the sites had been redirected through my hosts file. Checking the hosts file, it had been completely replaced with a new file. All anti-virus sites were blocked, and certain bank sites were redirected.
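Added example, not from the original post: a small Python check for the kind of hosts-file hijack described above, where anti-virus and bank hostnames are pinned to an address the administrator never configured. The sample hosts content, the watch-listed domains and the 192.168.1.10 address are constructed placeholders, not values from the author's machine.

```python
import ipaddress

# Constructed sample of a hijacked hosts file (placeholder values, not the author's file).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    www.symantec.com
192.168.1.10    securityresponse.symantec.com
192.168.1.10    www.mcafee.com
192.168.1.10    onlinebanking.example-bank.com  # bank site pinned to local server
not-an-ip       garbage.example
"""

# Constructed watch list: domains a defender never expects to see pinned in a hosts file.
WATCHLIST_SUFFIXES = ("symantec.com", "mcafee.com", "example-bank.com")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blank lines.

    Lines whose first field is not a valid IP address are ignored rather than trusted.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; a real scanner would log it
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Flag entries that pin a watch-listed domain, or map any name other than
    localhost to a non-loopback address (the hosts-file redirect pattern)."""
    flagged = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        on_watchlist = any(name == s or name.endswith("." + s) for s in WATCHLIST_SUFFIXES)
        redirected = not addr.is_loopback and name != "localhost"
        if on_watchlist or redirected:
            flagged.append((ip, name))
    return flagged
```

Run against a real hosts file, the watch list would be a defender's own list of security-vendor and banking domains, and any hit is worth comparing with a known-good copy of the file.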
Editing the hosts file, I was finally able to run a virus scan, where a number of trojans and other malware were found. I also ran an extensive scan from ewido in safe mode, finding even more problems.