
Yesterday my ‘sandbox’ Windows XP computer got hijacked by a seemingly rare rogue anti-spyware program called Bravesentry. (A sandbox PC is one that I use to ‘play’ with: I use it to test configurations and software, but it contains nothing important.) I say rare because a quick Google search on “Bravesentry” remarkably found only two entries regarding this malicious software, which enters your PC without consent and attempts to scare people into buying the product.

Malware report Bravesentry

I am certainly no PC security expert, but I thought that before restoring my sandbox computer to a backup image, I would try my best to document how Bravesentry has gained control over the computer. I don’t know exactly how Bravesentry got into my PC (but I have some theories), and I don’t know exactly how or if it may harm you - I’ll leave that up to the security experts to solve. But it is my hope that my notes here might help someone investigate Bravesentry in greater detail.

Executive Summary: Bravesentry is a malicious anti-spyware program that entered my computer via Trojan horse applications manifested in the files “t.inx” and/or “kernels8.exe”. My theory is that t.inx was passed to my computer by visiting a rogue website designed to exploit a pre-Service Pack 2 Windows XP computer. Once inside, my software firewall detected that t.inx was requesting access to the Internet, which I promptly attempted to block. Apparently to no avail: “kernels8.exe” somehow slipped into the computer, which I also tried to block via my software firewall. After running a full virus scan (which found nothing), I rebooted the computer to be greeted on startup by Bravesentry, notifying me that my computer was infected with spyware and that it would proceed to scan it. Needless to say, Bravesentry was uninvited, and also not easy to uninstall. Rather than trying to “fix” this computer, I decided to document the problem as best I could, and to simply wipe the hard drive and rebuild the computer.


33 Responses to “Malware Report - Rogue Anti-Spyware Software called ‘Bravesentry’”

    BraveSentry is new and that’s why you didn’t find much info about it on search results. It’s very similar to other rogue anti-spyware programs that are installed by exploits. Some of the others are SpySheriff, SpyAxe and SpyFalcon. I expect in a week or so there will be a lot more search engine hits for it as more people are hijacked.

    I blogged about BraveSentry here:

    http://blogs.zdnet.com/Spyware/?p=789

    [...] More info from Suzi: NetSato blog posted about an infection by BraveSentry: Yesterday my ’sandbox’ Windows XP computer got hijacked by a seemingly rare anti-spyware software called Bravesentry. (A sandbox PC is one that I use to ‘play’ with. I use it to test configurations and software, but it contains nothing important). I say rare because a quick Google search on “Bravesentry” remarkably found only 2 entries regarding this malicous software that enters your PC without consent and attempts to scare people into buying their product. [...]

    Bravesentry installed itself on an old laptop that was running service pack 1. I have just updated to service pack 4. Spyware Doctor keeps finding a trojan.fakealert. Hopefully someone will come up with a way to remove this garbage.

    I am happy to say that I have never been infected with this program. I really appreciate your report on Brave Sentry, enough so that I have linked to it from my blog for my readers to see. I hope everyone will avoid this one. Thank you again.

    [...] The first program is named Brave Sentry. Brave Sentry is identified as a “rogue antispyware program.” It pushes all the right buttons when suggesting you install it but manages to take over portions of your computer. Rogue Anti-Spyware Software called Bravesentry [...]

    Arrrgh! Sad to report we had an incident of this in our corporate environment. We were able to determine the chain of custody as follows: benign website > banner ad with xpl.wmf > Brave Sentry > jupillites. Ultimately, six sessions of the jupillites trojan were initiated and pinging an external IP.

    We did not experience a problem on the LAN; however, the ping packet exceeded our i’net MTU, so our load-balancing routers were devastated. The massive fragmentation and retries disrupted our service in spite of the fact that the i’net pipe was only at 53%.

    Fortunately, we were able to detect and remove the affected machine in short order, but short of the LAN traffic monitor, all appearances were of an internet outage at the carrier level. We run two layers of antivirus and both were unable to detect, let alone remove, this trojan. In fact, the nightly LAN sweep actually triggered the trojans and was then unable to detect them. My hat’s off to the folks that wrote this malware.

    Yeah, I just got owned by this malware and its associated viruses last night when I wasn’t even home! I’m not even sure how I was infected, though I hadn’t updated Windows for a few months, so it could have been a variety of exploits, I’m sure.

    The only way I noticed I was infected is because my computer has become a zombie spam machine and my anti-virus email checker was going insane trying to check all of the emails being sent from my system.

    It disabled the XPSP2 firewall and shared networking. It blocked access to the taskmanager. It modified my hosts file to block all anti-virus websites. It even redirected certain bank websites to a different ip!

    The only way I was able to regain control of my machine was to run Sysinternals’ Process Explorer and kill the malicious programs, delete them, remove their entries in the registry and system.ini, and reboot. Then delete more programs, since some of them weren’t able to be deleted at first. Finally I ran a virus check and there was still at least one trojan that it had to clean. I don’t know what I would have done if I didn’t have Process Explorer already downloaded, because I was unable to get on the net: my connection would become saturated due to outgoing emails as soon as I would connect.

    Moral of the story: update often and keep a set of Windows tools handy, preferably on a CD-ROM or something.

    My work PC was recently infected with this after visiting a bulletin board site which apparently has been hacked to cause trojans to be automatically downloaded to the user’s PC.

    This is the only time that those entries can be found, on visiting a website which causes a banner advert to be launched making the exploit files be downloaded.

    Well here it is, it has made its way all the way to the Willamette Valley in Oregon. We picked up at least elements of this virus; it has downed one of our computers in the office, no idea how it got in. I am picking up a file called t.inx which is trying to load itself, I think as a fake Internet Explorer. It has pretty thoroughly hacked our Internet Explorer to make it useless, and we can’t reformat these computers, too much stuff on them. I will try to install the new IE7 and hope that busts it; I have found that most spyware isn’t adapted for the changes in 7 yet (did I say that out loud :

    Perfect pages… tnx

    I unfortunately got nailed by Brave Sentry the other day, by mis-typing a web site I wanted to visit. Instead, Brave Sentry installed itself in my Windows XP laptop, while I was staying at a hotel and using their free DSL. When I tried to uninstall the program, I got a message saying that Brave Sentry was only a trial version, and could only be used to run a spyware scan, or to upgrade to the full version (cost money to do). I didn’t want to do either, but those were my choices. I went to control panel and tried to uninstall, and got a message saying that the “Administrat0r” had disabled my ability to uninstall Brave Sentry. Pretty devious program.

    As soon as I realized my computer was infected, I disconnected the LAN cable to get off the internet. I never did run the Brave Sentry scan, which I am sure would have only made things worse. I had a 50 day old version of Ad-Aware (freeware version) loaded on the computer. It worked like a charm, and totally removed Brave Sentry and whatever other programs that seemed to come with it.

    Windows did alert me immediately to the infection, but it took Ad-aware to get rid of it.

    Please help! We bought into this and purchased this garbage…does anyone have advice as to how to contact this ‘BraveSentry’ company? We tried the 800 number that they gave us upon completion of the purchase, but when you call it, you get a “This message inbox is full” message. AGGH! Thanks.

    This is a killer for the home user. Colorado location here, and unsure how this came in as well. Last Friday we were greeted to this new icon in the systray and it was running the scan. Later found also that it had accessed our mail accounts and was spamming porn-content mail messages through our local mail server. Maybe unrelated (probably not) but I also came down with System32 fatal errors at the same time and could only boot to safe mode. I maxed out my tech savvy by copying all desired files to my portable drive and formatted C drive back to factory install CD that came with the machine. Now have 2 nights of re-installing drivers and service packs to go, but this was our first true “virus” and it was fatal. Beware!


    My PC has been taken over by BraveSentry. I could not kill the process, and upon restart it takes over again. Anyone successful in getting rid of this through system setup at boot? I have no utilities on CD-ROM.
    Thanks in advance for any help!!!!

    I found several long and tedious procedures for eliminating Brave Sentry and spent about six hours Friday to no avail. Some of the symptoms, in addition to a pesky pop-up that tries to entice the user into visiting their website:
    Task manager was disabled.
    McAfee antivirus was gone.
    Windows Defender and Spybot would crash when they tried to analyze files in the Brave Sentry folder.
    Brave Sentry folder files were locked

    I finally succeeded (I think) by:
    Booting to safe mode
    Doing System Restore to a checkpoint prior to the infection
    Updating to XP SP2 and applying all critical updates
    Installing and running antivirus
    Running Windows Defender with latest signature file

    Well, it looks like we have been fooled into installing this software. The good news is that Avast antivirus (available from software downloads) does remove it. I hope this helps everyone else.

    Oh well, live and learn.

    Thank you for all of the details about Brave Sentry. I was able to successfully remove the 2.0 variant of this infection from one of our customers’ computers thanks to your information. There were a lot of sites that claimed to want to help, but yours didn’t make me download any additional software. Thanks again!

    I’m from Australia, and just got this horrible BraveSentry thing an hour or two ago. I thought at first it was some random anti-virus thing my friend might have installed (I don’t know what half the stuff on my computer is), so I clicked scan and allowed it to do whatever it does when it “scans” your computer. So now I’ve got that irritating wallpaper thing stuck on my computer, and I’m almost stumped on how to get rid of it. I’ve tried Symantec AntiVirus, and it did absolutely nothing. I’m currently trying a full system scan with Ad-Aware SE and hoping that it’ll get rid of it.

    Well I have just got this on my main computer. Not being overly computer literate, I really have no idea where it came from or how to get rid of it. I am in New Zealand. My computer is completely locked up except for bravesentry. Cannot access anything at all. Cannot even get into safe mode. It has sure done a job on my computer. Any help would be great…

    There is NO NEED to format your hard drive and reinstall Windows if you get SYSTEM32 and similar error messages when the computer starts (preventing Windows from starting).
    Take your WinXP installation CD, boot from it, select the “R” (restore) option after it loads the initial driver components, then in the DOS-lookalike interface that appears type in the command “FIXBOOT” (or type in HELP to see the list of commands to be sure). After this the boot record is restored and Windows starts normally. THEN IMMEDIATELY REMOVE BraveSentry.

    Hi all, I just wondered if anyone had come across a virus called Win32#kiLla; it’s a really nasty little piece of work.
    It restarts your PC every time you boot up and forces MS-DOS, but then crashes and eats your bootleg.txt, and does this every time you restart: it just goes to MS-DOS and crashes.
    The only way I could restore my PC was to go into safe mode, search for it (it hides in startup programs) and disable its MS-DOS tail (it won’t let you delete the bloody thing), and then reboot and do a step-by-step confirmation to create a new bootleg.txt. And even now, every time I start up it comes on with a window thing called DAGIECFG and says invalid parameters in the title bar. And another thing: every virus scan I’ve done finds nothing, and I wondered if it’s because it’s not an actual file, it’s a shortcut and looks like it links loads of stuff together. Anyway, now my ramblings are over, all I want to say is BE CAREFUL, this little piece of crap is nasty, and if anyone can figure out a way to get rid of it please email me at crash2k@hotmail.com. Thanks

    I was infected with brave sentry/spy sheriff, both of them, early this morning. Sept. 30, it wiped out my desktop and disabled my restore dates. It also had this annoying little red circle with a white x on my system tray that kept popping up every 40 seconds telling me that I was infected and to ‘click here’ to fix the problem. I had to run the latest version of AdAware twice, the second time before actual boot up, and that helped a lot. But that annoying little popup kept returning. AARRRGGHH!! I found online, that if I used ctrl+alt+del, then click on process and found an item named xupdate.exe, I should end this process and reboot. I did, and my normal desktop returned and all is fine now, but it took 4 hours of research. I sure hope this helps others, because this trojan is a demon.

    Just got infected by t.inx. It hasn’t become Brave Sentry yet, but it won’t allow deletion, has locked me out of Task Manager, and seems to have taken over administration rights to my PC. Any idea how to get rid of it before it does too much damage?

    I had it with a customer of mine around October last year; yesterday it was installed by visiting a page on the internet. Symptoms are like this:

    1. Gives a pop-up that a file couldn’t be executed (xxxxx.exe)

    2. HDD begins to rattle like crazy (install of the Bravesentry), Task Manager is disabled by Administrator and Ctrl+Alt+Delete doesn’t work either. It also writes something in NTUSER.DAT.

    3. All A/V pages blocked through the “hosts” file on your PC.

    4. You probably get a system crash when trying to go to the internet to look for A/V or anti-spyware tools (blue screen).

    5. PC restarts; the Windows logon service is infected during boot and you get a blue screen.

    6. The program is reliant on an internet connection, I noticed; it receives its commands externally, I think.

    Booting up in Safe Mode + Network support will give you a blue screen.
    Booting up in Safe Mode without network will give a mouse cursor that keeps loading.

    I partially fixed the problem with a bootable non-install Windows XP CD. From here I could remove some things but not all so it seems.

    I could log-on again in the end by creating a new user account, but the internet connection was lost, couldn’t make it connect again.

    So reinstalled it. Installed A/V and A/S software and i’m happy again.

    This is the worst case I have ever seen from spyware infection on my own PC.

    This is also a call for help to bring this company, or whatever this thing is, down from interrupting us friendly Windows users.
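    The hosts-file tampering described by the commenters above (symptom 3 in this list, and the earlier report of anti-virus sites blocked and bank sites redirected to a different IP) can be checked offline. The script below is an added example, not code from the post or from any commenter: it parses a hosts file and flags entries for security-vendor and update domains named on this page, plus any hostname pinned to an address outside the usual LAN ranges. The sample hosts content, `examplebank.test` and the 203.0.113.x addresses are constructed placeholders.

```python
import ipaddress

# Domains of security vendors and update services named on this page; a clean
# hosts file has no reason to carry entries for any of them.
WATCHED_SUFFIXES = (
    "symantec.com", "mcafee.com", "avast.com", "lavasoft.com",
    "safer-networking.org", "microsoft.com", "windowsupdate.com",
    "onecare.live.com",
    "examplebank.test",  # constructed placeholder for a bank the user visits
)

# Ranges where a hand-written LAN entry is normal (RFC 1918, link-local,
# IPv6 ULA). Anything else that is not a sinkhole address deserves a look.
LAN_NETS = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10",
))


def _watched(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments and malformed lines are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; not a hosts entry
        for name in fields[1:]:
            yield ip, name


def audit_hosts(text):
    """Return (severity, hostname, ip, reason) tuples for suspicious entries."""
    findings = []
    for ip, name in parse_hosts(text):
        sinkholed = ip.is_loopback or ip.is_unspecified  # 127.x / ::1 / 0.0.0.0
        on_lan = any(ip in net for net in LAN_NETS)
        if _watched(name):
            reason = "blocked (sinkholed)" if sinkholed else "redirected off-site"
            findings.append(("high", name, str(ip), reason))
        elif not sinkholed and not on_lan:
            findings.append(("review", name, str(ip),
                             "hostname pinned to a non-LAN address"))
    return findings


# Constructed sample resembling what the commenters describe: AV and update
# sites sinkholed, a bank name pointed at an outside address.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
192.168.1.20    fileserver              # ordinary LAN entry, ignored
127.0.0.1       www.symantec.com        # AV site sinkholed
127.0.0.1       liveupdate.symantec.com
0.0.0.0         www.mcafee.com
203.0.113.9     update.microsoft.com    # updates redirected elsewhere
203.0.113.5     www.examplebank.test    # bank redirected (pharming)
203.0.113.77    intranet.corp.test      # not watched, but not a LAN address
"""

if __name__ == "__main__":
    for sev, host, ip, why in audit_hosts(SAMPLE_HOSTS):
        print(f"[{sev}] {host} -> {ip}: {why}")
```

On a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` into `audit_hosts` instead of the sample; a "high" finding for a vendor domain is the blocking behaviour the comments describe.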

    Hi,
    Got infected with BraveSentry. My case seems to be a little different from the others. I cut off BS (Bravesentry) access to my computer before BS could download completely. Maybe that’s why I don’t have some of the symptoms listed above. I DO have the red circle with a white x. I’m unable to try the antidotes mentioned above because I get the message: Windows must now restart because the DCOM Server Process Launcher service terminated unexpectedly. My computer then shuts down, leaving me no time to do anything. HELP.

    I also got hit with it yesterday……. what a pain! Had to give it to service and reinstall everything :) A pain to get rid of!!!!!!!!!!!!

    My computer contracted the virus 5/8/07, 11pm ish. I think I caught it right away or fairly soon as I went to turn the computer off. AVG was pissed and trying to “heal” files, and BS (brave sentry) was up. The computer had been on and connected to the internet for a period of 24-48 hours. No file sharing, email, or webpages open, just never turned it off. In the last 24 hours the only visit to any website was microsoft to download 3 critical updates 6 hours previously. I have all of the free versions of AVG antivirus, Ad-aware, and Spybot and all are run and updated regularly. Never any problems in the 8 years prior. My year old laptop and a home computer were both connected via ethernet through the same router. The home computer was completely unaffected.

    Immediately I disconnected from the internet and tried to run all of my anti-crap-ware etc, trying just to ignore BS. While I waited I noticed that my security system was telling me I was unprotected, and found my firewall had been turned off, certainly not by me; I turned it back on. My computer seemed overloaded and I got the blue screen of death. So, after restart, to delete the BS I clicked the “continue evaluating” or something to that extent, to get it out of the way, then went to add/remove programs and uninstalled it, then I deleted the little icon it had on the start menu. (This is just what seemed to work for me, I know nothing.) Also, for the 2nd time, I had to turn my firewall back on. I kept trying to run all 3 anti-crap-ware at the same time and got the blue screen of death a few times, never really able to finish anything. I then did them one at a time, some took a few times, especially the Ad-aware. AVG got rid of a lot of trojans, all but like 5. It said it could get the other 5 if I restarted and let it run at start up. That finally got rid of the stupid flashing red circle white X on the toolbar. Ad-aware requested the same. Spybot also found things to get rid of. There seemed plenty for everybody.

    While I was waiting for my crap-ware to rid me of this nuisance, I re-connected to the internet and let my computer send the error reports to microsoft. It recognized the viruses. I was unable to collect the information in time to identify them, and the tools they have you download to check and rid you of them would only get to step like 8 of 11 and then freeze. The error messages sent me to onecare.live.com, diagnosing and fixing were free, or so it said, I didn’t get anywhere with it. Anyway, after all 3 ran their course my computer seemed fairly normal. I defragmented and re-deleted all of my temporary internet files, not sure if that does anything. I still can’t change the desktop background (it’s not in safe mode) no matter how I try, but that seemed it.

    I went 2 or 3 days without connecting to the internet. In that time I turned my computer on an hour or so each day and ran all of my crap-ware. I got nothing, everything worked fine.

    Then I turned my computer on, connected to the internet, 30 seconds max, hotel wireless, and had a runtime error, explorer closed, and then I couldn’t reconnect. I don’t know for sure if it was me, the hotel internet wasn’t all that reliable. My friends also had difficulty connecting. However afterwards, I received a few threats from AVG that it took upon itself to “heal”. Nothing else from the other crap-ware. I reset all of my internet settings.

    I finally connected back to the internet at home and downloaded a new AVG update with no other visits to the internet. It came up with a crapload of trojans, like 9, this time they were in different files, but no BS. I also downloaded a bunch of updates and bulletins from microsoft. I ran my crapware and microsoft’s malicious software removal tool and got nothing. I’m just happy everything seems to be working right now, but I doubt I have it licked.

    I’m not the most computer savvy person but I HATE the fact that I seldom visit the hard core german porn sites, rarely have time to sign up for all of those limitless credit cards, and can no longer find pants to fit my bigger penis, and I update like mad and some little punk has to bore and infest me with their little kiddy games. I do not have the time or money for this. I have things to do.

    Since I don’t really know how this happened and I don’t know how to prevent it, I am going to fight reinstalling XP and system restoring to the bitter end. I don’t want to have to redo my entire hard drive however often this is going to happen.

    I hate you you evil computer nerd sitting there unloved, fat, ugly, a sorry good for nothing acne ridden social misfit loser probably still living with the folks with not enough real life experience or intelligence to even try to make it in the real world. I despise you.

    This is long because I’m a girl, it’s my nature. Since all of this was fairly recent I just wanted to throw in my 200 cents. Do with it what you will… maybe go to sleep.

    Great post. I’ll be on the look out for that. At least it wasn’t popping up pictures of Hawaiian porn stars while you were at work or something. Though, that wouldn’t be too bad would it?

    Hey, I had something similar to this. I had an alert that looked like Microsoft saying I was infected, and I went to the page and it wanted me to buy virus software. I didn’t click on anything at that page, but it had already taken over administration of my computer before the virus warning came up. It was a win32-jyo trojan. I removed the trojan, but with no control panel I have no idea how I will ever be able to remove or add programs or do any of the tasks an administrator usually can do. I can’t find a way to restore my control panel! It seems like I now only have a limited account. Has anyone had this and can anyone help? I would appreciate it!

    Thanks for this post. I’ll be more careful after hearing your experience.

    Thank you for the info!

    I got infected a couple of days ago by Brave Sentry. It does not allow you to install any new update or unload or do a system restore…
    I was only able to get into my computer in Safe mode, until a technician from Microsoft told me to start my computer in regular mode.
    But don’t make that same mistake, because after that the system and hard drive got completely damaged.
    Now that my computer is out of use, I wonder how I could get infected with that “BraveSentry” spyware when the only thing I was doing was browsing the web?
