After trying multiple times to clear an infestation I noticed that beep.sys
in %SystemRoot%\system32\drivers was not signed. I booted my WinPE cd and
copied the right beep.sys that I had expanded from Service Pack 3, from a usb
drive. This cleared the problem.

The problem had several symptoms but the most annoying was a red systray
icon that kept popping up a balloon saying that my computer was infected and
I should register "XP AntiVirus" so that I could clean the virus. This was,
of course, false. I ran MRT three times and also used the Windows Live
online scanner. They said they had fixed the problem but it kept
re-appearing.

Mrt.log had entries such as:
Found virus: TrojanDownloader:Win32/Renos in
file://C:\WINNT\system32\brastk.exe
and
For cleaning TrojanDownloader:Win32/Renos, the system needs to be restarted.

Hello bnborg,

Do a full scan with MalwareBytes and SuperAntiSpyware.

SUPERAntiSpyware
<http://www.superantispyware.com/>
Malwarebytes Antimalware
<http://www.malwarebytes.org/mbam.php>

Your PC is infected with malaware - many antivirus programs do not
effectively stop malaware.
Have you done any scans within safe mode ?
Restart in safe mode and scan with both updated
Windows Defender, your Antivirus,
and Malwarebytes Anti-Malware, and
SUPERAntiSpyware 4.1
SUPERAntiSpyware, together with Malwarebytes Anti-Malware, are free malaware
scanning application's
SUPERAntiSpyware (Free)
<http://www.superantispyware.com/>
Malwarebytes Anti-Malware (Free) <http://www.malwarebytes.org/mbam.php>
-=-

Beyond that - if you are paranoid over it all - run
<http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction>
-=-
<http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Overview>
-=-
Good luck

Ǝиçεl
-=-

PS. Report a possible spyware problem to Microsoft
<http://www.microsoft.com/athome/security/spyware/software/support/reportspyware.mspx>



"bnborg" wrote:

> After trying multiple times to clear an infestation I noticed that beep.sys
> in %SystemRoot%\system32\drivers was not signed. I booted my WinPE cd and
> copied the right beep.sys that I had expanded from Service Pack 3, from a usb
> drive. This cleared the problem.
>
> The problem had several symptoms but the most annoying was a red systray
> icon that kept popping up a balloon saying that my computer was infected and
> I should register "XP AntiVirus" so that I could clean the virus. This was,
> of course, false. I ran MRT three times and also used the Windows Live
> online scanner. They said they had fixed the problem but it kept
> re-appearing.
>
> Mrt.log had entries such as:
> Found virus: TrojanDownloader:Win32/Renos in
> file://C:\WINNT\system32\brastk.exe
> and
> For cleaning TrojanDownloader:Win32/Renos, the system needs to be restarted.
>

Thanks, Engel
I fixed it by scanning with mrt.exe in Safe Mode and replacing beep.sys
using a WinPE command prompt. Mrt removed all the infected files except
beep.sys.

Windows Defender refused to install until beep.sys was restored.

I sent in a copy to Microsoft Security Support.

"Engel" wrote:

> Hello bnborg,
>
> Do a full scan with MalwareBytes and SuperAntiSpyware.
>
> SUPERAntiSpyware
> <http://www.superantispyware.com/>
> Malwarebytes Antimalware
> <http://www.malwarebytes.org/mbam.php>
>
> Your PC is infected with malaware - many antivirus programs do not
> effectively stop malaware.
> Have you done any scans within safe mode ?
> Restart in safe mode and scan with both updated
> Windows Defender, your Antivirus,
> and Malwarebytes Anti-Malware, and
> SUPERAntiSpyware 4.1
> SUPERAntiSpyware, together with Malwarebytes Anti-Malware, are free malaware
> scanning application's
> SUPERAntiSpyware (Free)
> <http://www.superantispyware.com/>
> Malwarebytes Anti-Malware (Free) <http://www.malwarebytes.org/mbam.php>
> -=-
>
> Beyond that - if you are paranoid over it all - run
> <http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction>
> -=-
> <http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Overview>
> -=-
> Good luck
>
> Ǝиçεl
> -=-
>
> PS. Report a possible spyware problem to Microsoft
> <http://www.microsoft.com/athome/security/spyware/software/support/reportspyware.mspx>
>
>
>
> "bnborg" wrote:
>
> > After trying multiple times to clear an infestation I noticed that beep.sys
> > in %SystemRoot%\system32\drivers was not signed. I booted my WinPE cd and
> > copied the right beep.sys that I had expanded from Service Pack 3, from a usb
> > drive. This cleared the problem.
> >
> > The problem had several symptoms but the most annoying was a red systray
> > icon that kept popping up a balloon saying that my computer was infected and
> > I should register "XP AntiVirus" so that I could clean the virus. This was,
> > of course, false. I ran MRT three times and also used the Windows Live
> > online scanner. They said they had fixed the problem but it kept
> > re-appearing.
> >
> > Mrt.log had entries such as:
> > Found virus: TrojanDownloader:Win32/Renos in
> > file://C:\WINNT\system32\brastk.exe
> > and
> > For cleaning TrojanDownloader:Win32/Renos, the system needs to be restarted.
> >

Thanks for sending that sample in.

This critter (rather, the folks behind it) has had a good deal of media
exposure lately.

http://msinfluentials.com/blogs/jesp...-the-news.aspx

anything we can do to help rein these folks in is a Good Thing!

"bnborg" <(E-Mail Removed)> wrote in message
news:4919DCBC-FAE8-42DC-9B33-(E-Mail Removed)...
> Thanks, Engel
> I fixed it by scanning with mrt.exe in Safe Mode and replacing beep.sys
> using a WinPE command prompt. Mrt removed all the infected files except
> beep.sys.
>
> Windows Defender refused to install until beep.sys was restored.
>
> I sent in a copy to Microsoft Security Support.
>
> "Engel" wrote:
>
>> Hello bnborg,
>>
>> Do a full scan with MalwareBytes and SuperAntiSpyware.
>>
>> SUPERAntiSpyware
>> <http://www.superantispyware.com/>
>> Malwarebytes Antimalware
>> <http://www.malwarebytes.org/mbam.php>
>>
>> Your PC is infected with malaware - many antivirus programs do not
>> effectively stop malaware.
>> Have you done any scans within safe mode ?
>> Restart in safe mode and scan with both updated
>> Windows Defender, your Antivirus,
>> and Malwarebytes Anti-Malware, and
>> SUPERAntiSpyware 4.1
>> SUPERAntiSpyware, together with Malwarebytes Anti-Malware, are free
>> malaware
>> scanning application's
>> SUPERAntiSpyware (Free)
>> <http://www.superantispyware.com/>
>> Malwarebytes Anti-Malware (Free) <http://www.malwarebytes.org/mbam.php>
>> -=-
>>
>> Beyond that - if you are paranoid over it all - run
>> <http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction>
>> -=-
>> <http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Overview>
>> -=-
>> Good luck
>>
>> Ǝиçεl
>> -=-
>>
>> PS. Report a possible spyware problem to Microsoft
>> <http://www.microsoft.com/athome/security/spyware/software/support/reportspyware.mspx>
>>
>>
>>
>> "bnborg" wrote:
>>
>> > After trying multiple times to clear an infestation I noticed that
>> > beep.sys
>> > in %SystemRoot%\system32\drivers was not signed. I booted my WinPE cd
>> > and
>> > copied the right beep.sys that I had expanded from Service Pack 3, from
>> > a usb
>> > drive. This cleared the problem.
>> >
>> > The problem had several symptoms but the most annoying was a red
>> > systray
>> > icon that kept popping up a balloon saying that my computer was
>> > infected and
>> > I should register "XP AntiVirus" so that I could clean the virus. This
>> > was,
>> > of course, false. I ran MRT three times and also used the Windows Live
>> > online scanner. They said they had fixed the problem but it kept
>> > re-appearing.
>> >
>> > Mrt.log had entries such as:
>> > Found virus: TrojanDownloader:Win32/Renos in
>> > file://C:\WINNT\system32\brastk.exe
>> > and
>> > For cleaning TrojanDownloader:Win32/Renos, the system needs to be
>> > restarted.
>> >