I successfully tracked down and remove the Brave Sentry file folder, and all of the necessarry files. I am now working on cleaning the registry out and getting rid of the .dll files.

The Dcom Prcess Server has become active, and continues to fail.

Does anyone have a fix for the Dcom besides changing the settings to disabled?

Josh

http://www.spywarewarrior.com/pics/bs-2.jpg

One can imagine the jam a nOOb would feel himself or herself in, confronted by this aggressive pest. This is abject abuse of skills against the uninitiated and helpless, the equivalent of a crude robbery-by-force.

I just had an experience of my own with Brave Sentry. I noticed a “meatball” in my system tray a couple of days ago while working online and assumed it had been generated by an update of my Grisoft AVG. I began scanning with various tools and found real Trojans and worms:

ByteVerify [Java worm] (Spyware Nuker XT)
Proxy.ENI
Downloader2.QUS (AVG)
Spy Sheriff
Counter Spy
Child Safe / WinGuardian [monitor/logger]

The Spy Sheriff detection (and possibly WinGuardian as well) , by a freeware scanner based on an older release of SpySweeper that is distributed by Earthlink through their homepage (the removal tools are available to Earthlink subscribers), was really Brave Sentry. The near-identity of these malware apps is discussed by spywarewarrior.com, whose link I followed here to NetSato.

After chasing the various infected/infecting files around with AVG and Spyware Nuker XT for a couple of days, I thought I had finally stamped out the Trojan infection. A partial listing of files I removed:

BlackBox.class
VerifierBug.class
Beyond.class
Proxy.ENI (see also below)

These were discovered by Spyware Nuker XT and Spy Sweeper (Earthlink’s ELspyaudit.exe) together with Task Man and closely-spaced AVG scans of the WINDOWS/SYSTEM files.

In addition, here is a copy of my AVG log of the malware files found by its scans:

Trojan horse Downloader.Generic2.DQC C:\WINDOWS\SYSTEM\vxgamet3.exe 9/10/06 8:19:47 PM
vxgamet3.exe 11.22 KB

Trojan horse Downloader.Generic.QUS C:\WINDOWS\SYSTEM\vxgamet4.exe 9/10/06 8:19:47 PM vxgamet4.exe 1.59 KB

Trojan horse Downloader.Generic.QUS C:\WINDOWS\TEMP\1.dlb 9/10/06 8:19:47 PM 1.dlb 2.46 KB

Trojan horse Downloader.Generic2.MWW C:\WINDOWS\TEMP\5.dlb 9/10/06 8:19:48 PM 5.dlb 4.17 KB

Trojan horse Proxy.ENI C:\WINDOWS\TEMP\vx6.game 9/10/06 8:19:48 PM vx6.game 14.73 KB

Trojan horse Downloader.Generic2.DQC C:\WINDOWS\TEMP\vxt3.game 9/10/06 8:19:48 PM vxt3.game 11.22 KB

Trojan horse Downloader.Generic.QUS C:\WINDOWS\TEMP\vxt4.game 9/10/06 8:19:48 PM vxt4.game 1.59 KB

Trojan horse Downloader.Generic.QUS C:\WINDOWS\TEMP\1.dlb 9/10/06 3:21:38 PM 1.dlb 2.46 KB

Trojan horse Downloader.Generic2.MWW C:\WINDOWS\TEMP\5.dlb 9/10/06 3:21:38 PM 5.dlb 4.17 KB

Trojan horse Downloader.Generic2.LGI C:\WINDOWS\TEMP\vx3.game 9/10/06 8:19:48 PM vx3.game 2 KB

Trojan horse Generic.YZR C:\WINDOWS\TEMP\vx4.game 9/10/06 8:19:48 PM vx4.game 14 KB

Virus found SpySheriff C:\WINDOWS\DESKTOP.HTML 9/11/06 11:52:49 AM DESKTOP.HTML 1.95 KB

Trojan horse Downloader.Generic.QUS C:\WINDOWS\SYSTEM\DLH9JKDQ1.EXE 9/10/06 7:00:11 PM DLH9JKDQ1.EXE 2.46 KB

Trojan horse Downloader.Generic2.MWW C:\WINDOWS\SYSTEM\DLH9JKDQ5.EXE 9/10/06 7:00:52 PM DLH9JKDQ5.EXE 4.17 KB

Trojan horse Downloader.Generic2.LGI C:\WINDOWS\SYSTEM\VXGAME3.EXE 9/10/06 7:04:28 PM VXGAME3.EXE 2 KB

Trojan horse Generic.YZR C:\WINDOWS\SYSTEM\VXGAME4.EXE 9/10/06 7:05:23 PM VXGAME4.EXE 14 KB

Trojan horse Proxy.ENI C:\WINDOWS\SYSTEM\VXGAME6.EXE 9/10/06 7:06:23 PM VXGAME6.EXE 14.73 KB

After a system secure shutdown with Evidence Eliminator (deletion of all TEMP files, cookies, and recycling-bin contents, followed by overwriting of the deleted material and all free space on the hard drive), I booted up to discover the meatball was back. Curious — and apprehending that I hadn’t gotten the installation .EXE file — I double-clicked on the meatball. Brave Sentry immediately began to unpack from whatever (probably encrypted as well as hidden) zipfile it had been lurking in and began to install. I called Task Manager right away and stopped the installation. I noticed that two suspect processes I’d seen and killed the previous day were back:

xpupdate (nice ute to have, considering I’m running Win98)
dlh9jkdq1.exe

I killed them and then systematically began deleting the Brave Sentry folders and files (avoiding the Uninstal.exe utility) from the Program Files/ and Windows/Start Menu directories.

Since that point, the malware processes associated with Brave Sentry and its companion Trojans have not yet reappeared, so far, but I expect to see them again at the next restart, if I don’t locate a removal tool for the hidden file which is dropping fresh copies of everything on reboot. This task is what led me, chasing links, to the NetSato weblog.

I am in the dark about the source of the infection. There are two possibilities: one is spammers looking for ways to distribute remote-administration Trojans with their spew, which I handle daily with OE 5.5, and the other is a drive-by, stealth download acquired while visiting Epinions.com two days ago with IE 5.5 and reading product-review wiki entries there.

I, too, would like to receive communications with more information about this pest and where I could find a removal tool that will allow me to avoid reformatting or deploying backup copies of configuration files.

Anyway, I sent an email to interpol with their supposed address in the Netherlands.

Argh!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Think about it another way, if Bravesentry was really any good, why would it stoop to such aggressive “hijacking” tactics to get itself installed.

Then Blackmailing or not?