Bogus beep.sys

bnborg

After trying multiple times to clear an infestation I noticed that beep.sys
in %SystemRoot%\system32\drivers was not signed. I booted my WinPE CD and
copied the right beep.sys that I had expanded from Service Pack 3, from a USB
drive. This cleared the problem.

The problem had several symptoms but the most annoying was a red systray
icon that kept popping up a balloon saying that my computer was infected and
I should register "XP AntiVirus" so that I could clean the virus. This was,
of course, false. I ran MRT three times and also used the Windows Live
online scanner. They said they had fixed the problem but it kept
re-appearing.

Mrt.log had entries such as:
Found virus: TrojanDownloader:Win32/Renos in
file://C:\WINNT\system32\brastk.exe
and
For cleaning TrojanDownloader:Win32/Renos, the system needs to be restarted.
 
Engel

Hello bnborg,

Do a full scan with MalwareBytes and SuperAntiSpyware.

SUPERAntiSpyware
<http://www.superantispyware.com/>
Malwarebytes Antimalware
<http://www.malwarebytes.org/mbam.php>

Your PC is infected with malware - many antivirus programs do not
effectively stop malware.
Have you done any scans within safe mode?
Restart in safe mode and scan with both updated
Windows Defender, your Antivirus,
and Malwarebytes Anti-Malware, and
SUPERAntiSpyware 4.1
SUPERAntiSpyware, together with Malwarebytes Anti-Malware, are free malware
scanning applications
SUPERAntiSpyware (Free)
<http://www.superantispyware.com/>
Malwarebytes Anti-Malware (Free) <http://www.malwarebytes.org/mbam.php>
-=-

Beyond that - if you are paranoid over it all - run
<http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction>
-=-
<http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Overview>
-=-
Good luck

Ǝиçεl
-=-

PS. Report a possible spyware problem to Microsoft
<http://www.microsoft.com/athome/security/spyware/software/support/reportspyware.mspx>
 
bnborg

Thanks, Engel
I fixed it by scanning with mrt.exe in Safe Mode and replacing beep.sys
using a WinPE command prompt. Mrt removed all the infected files except
beep.sys.

Windows Defender refused to install until beep.sys was restored.

I sent in a copy to Microsoft Security Support.
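
The check bnborg describes (spotting an unsigned driver and comparing it with a known-good copy), written out as an added example that is not part of the thread. The reference folder path is a hypothetical placeholder, and the script assumes PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example, not from the thread. Both paths are assumptions: when run
# from WinPE, point -DriverDir at the offline Windows volume, and point
# -ReferenceDir at drivers expanded from trusted service-pack media.
param(
    [string]$DriverDir    = "$env:SystemRoot\system32\drivers",
    [string]$ReferenceDir = 'E:\known-good\drivers'   # hypothetical path
)

$report = foreach ($file in Get-ChildItem -Path $DriverDir -Filter *.sys -File) {
    # Authenticode status: Valid, NotSigned, HashMismatch, NotTrusted, ...
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    # Compare against the reference copy, if one exists for this driver.
    $refPath = Join-Path $ReferenceDir $file.Name
    $matchesReference = $null          # $null means "no reference copy"
    if (Test-Path -LiteralPath $refPath) {
        $live = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $ref  = (Get-FileHash -LiteralPath $refPath -Algorithm SHA256).Hash
        $matchesReference = ($live -eq $ref)
    }

    [pscustomobject]@{
        Name             = $file.Name
        SignatureStatus  = $sig.Status
        Signer           = $sig.SignerCertificate.Subject
        MatchesReference = $matchesReference
    }
}

# Drivers worth a closer look: signature not valid, or content differs from
# the reference copy. On older PowerShell versions catalog-signed system
# files can show as NotSigned, so the hash comparison is the stronger signal.
$report |
    Where-Object { $_.SignatureStatus -ne 'Valid' -or $_.MatchesReference -eq $false } |
    Sort-Object Name |
    Format-Table -AutoSize
```

Running it from a trusted boot environment such as the WinPE disc used above avoids relying on the infected installation to report on its own files.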
 
