TechSpot

Brutal Malware - help

By skein4
Nov 11, 2008
  1. Hello,

    I'm new to posting and have read through this post which is similar to mine:

    [link removed] listed under "Your computer is infected" but a little different"

    I had the little red x and downloading spyware popup, but was able to run AVG and HJT to remove the obvious stuff, notably karna.dat and brastk.exe.

    But I still can't access many security web pages and can't run most of your recommended programs. I can download spybot, malwarebyte and sas, but it will not run them, and i cannot download combofix from any of your posted links.

    I can run CCleaner and have several times, so that it now comes up clean.

    Also, when I start up, Viewmgr.exe immediately crashes. Dunno if it is related.

    Please help, I've been up all night chasing this thing down and there are still many issues as noted above.

    Thanks,

    I also have about a dozen svchost.exe's running in task manager

    Here is my latest HJT log.

    I also tried the Kaspersky site as mentioned and it is also blocked. You guys are about the only thing I can access right now.
     
  2. mflynn

    mflynn TS Rookie Posts: 2,793

    Hello skein4

    Go here:

    The TechSpot 8 steps: http://www.techspot.com/vb/topic58138.html

    Do all, skip no step (do not install another virus scanner as you already have one).

    Most importantly, update MalwareBytes and SuperAntiSpyware!

    Before you scan with SuperAntiSpyWare do the below:

    SuperAntispyware config

    After it is installed, double-click the icon on your desktop to run it.

    It asks to update the program definitions, click Yes.

    Click the Preferences button.

    Then Scanning Control.

    In Scanner Options make sure the following are checked:
    1. Close browsers before scanning
    2. Scan for tracking cookies
    3. Terminate memory threats before quarantining.
    4. Leave the others as they are.

    In MalwareBytes, after updating but before running,
    click Settings and confirm all are checked.

    I repeat Update these 2 programs.

    Run them and post their logs, then a new HJT log.

    Do this correctly and we will make a short job of this!

    Mike
     
  3. skein4

    skein4 TS Rookie Topic Starter Posts: 39

    The problem I have is that I can't even ACCESS MalwareBytes or SAS, or many web pages that access them. I am blocked by whatever is on my system. I have tried various safe modes and msconfig setups, and have only gotten HJT, CC, and AVG to work. I've tried to follow the 8 steps, and other forums that are similar, but there doesn't seem to be a way to run or download any of these programs.

    Thank you for the quick reply!
     
  4. mflynn

    mflynn TS Rookie Posts: 2,793

    OK you need to give these details.

    Other than Normal Boot only Safe Mode Networking can access the Internet.

    Are you positive you tried the downloads in Safe Mode Networking?

    And do you have alternative browsers, FireFox and/or Opera? If so, try these.

    Do Safe Mode Networking this way.

    Get to the desktop and run taskmgr by hitting Ctrl-Alt-Del.

    Click the Processes tab, right-click and end iexplore (if it is there), then explorer.

    When you end explorer the desktop will go away so then in taskmgr Click File then "New Task run"
    type
    explorer
    Click OK!

    The desktop loads!

    Now try the downloads.

    If this doesn't work, get me a list of all running processes; write them down on paper or whatever you have to do to get me this list.

    All above to be run in Safe Mode Networking.

    Mike
     
  5. skein4

    skein4 TS Rookie Topic Starter Posts: 39

    Many thanks, Mike. I will try that. I had been in safe mode, no networking (though I already downloaded MBW and SAS). SAS is now loaded, but it crashed every time it opens, and MBW's install just freezes. It shows up in task manager, just sitting there doing nothing.

    I'm off to do your steps now...
     
  6. mflynn

    mflynn TS Rookie Posts: 2,793

    I assume this last post was in normal mode?

    If so and all will update and run then no need to get me the process list.

    Mike
     
  7. skein4

    skein4 TS Rookie Topic Starter Posts: 39

    No dice. I followed your instructions, and the programs (MBW and SAS) still crash or stop when loading. Same goes for the Combo... and Smitfraud programs mentioned in another entry. I tried them earlier.

    Attached is the latest HJT log.
     
  8. mflynn

    mflynn TS Rookie Posts: 2,793

    Boot Safe Mode Networking.

    This is a very small download and program; hopefully it will d/l and run.

    Get this: http://www.castlecops.com/zx/sjpritch25/RatsCheddar.zip

    Unzip it, run it, check to enable everything, and Apply, OK!

    IF it works, try both programs again.

    Now get me the process list from Taskmgr, while in Safe Mode Networking (just the Image name column).

    Mike
     
  9. rf6647

    rf6647 TS Maniac Posts: 931

    Try this link to obtain the tools
    http://www.download.com/windows-software/

    LikeVine is a minor distraction. MBAM is needed to go deep on this.
     
  10. mflynn

    mflynn TS Rookie Posts: 2,793

    Hi rf6647:)

    Good idea. But I think he finally got them and installed them, but they start and fail.

    He has a real bad boy in charge, and the sooner we can get through these 2 programs the better!

    Thanks
    Mike
     
  11. skein4

    skein4 TS Rookie Topic Starter Posts: 39

    Again, no dice on the castlecops link. Also bleepingcomputer and the Microsoft downloads pages are blocked.

    download.com works, as does your site. But once I download everything (except for ComboFix, which I cannot even download), the programs will not work.

    Is there some process I can stop to get MBW to load?

    Beginner question: if I am in safe mode with networking, how do I access the internet? It will not come up...
     
     
  12. skein4

    skein4 TS Rookie Topic Starter Posts: 39

    Are there other programs or links that might help? I don't want to download every spyware program for obvious reasons, but this is getting desperate.

    Thanks again, you guys rock.
     
  13. mflynn

    mflynn TS Rookie Posts: 2,793

    I have told you twice to get me the processes from taskmgr (Image Name column). While in Safe Mode Networking!!!!!!!!

    How else am I going to know what is running on your computer?

    Get me this list and I may see the culprit and tell you what to end!!!

    Also, DO YOU HAVE Firefox or Opera to try for downloading?

    Mike

    NO! There are too many Rogues out there.

    Do only what we tell you; we will take other steps and alternate download sites and programs after you do my last post, if that doesn't show us something.

    Stay with us and we will fix this!

    Mike
     
  14. skein4

    skein4 TS Rookie Topic Starter Posts: 39

    From safe mode with networking, Processes:

    explorer.exe
    svchost.exe
    svchost.exe
    svchost.exe
    svchost.exe
    svchost.exe
    lsass.exe
    services.exe
    winlogin.exe
    csrss.exe
    smss.exe
    taskmgr.exe
    system
    system idle process

    I am using Firefox, though I did try Explorer at some point a while back to double check, and it behaved the same way.
     
  15. mflynn

    mflynn TS Rookie Posts: 2,793

    This will show what each svchost is running.

    Start-Run
    type
    cmd
    Hit enter or click OK! CMD prompt opens!

    Drag the mouse with the left button down across the text box below to get it all, then paste into the open CMD prompt and hit Enter twice.

    Code:
    %SystemRoot%\system32\cmd.exe /c %windir%\system32\tasklist.exe /svc >>"%USERPROFILE%"\Desktop\Tasklist.txt
    %SystemRoot%\system32\cmd.exe /c %windir%\system32\sc query type= service >"%USERPROFILE%"\Desktop\ScQuery.txt
    exit
    exit
    Close the cmd prompt if it doesn't close on its own.

    Now there are 2 new icons on the desktop Tasklist.txt and ScQuery.txt
    Post back contents of both!

    Mike
     
  16. skein4

    skein4 TS Rookie Topic Starter Posts: 39

    I should do this in safe networking mode?

    Again, stupid question, but should I be accessing the internet from safe networking mode? I can't figure out how to, and have to restart in normal to access this web page. Apologies if this is incorrect.
     
  17. mflynn

    mflynn TS Rookie Posts: 2,793

    No then.

    You never told me you had no access in Safe mode.

    Go with normal if that works.

    I am about ready to advise you to do a System Restore, but DO NOT do it yet until I advise, or we may have a worse mess.

    Mike
     
  18. skein4

    skein4 TS Rookie Topic Starter Posts: 39

    Mike-

    Ok, figured out the networking problem (it was not configured for automatic search). Am now in safe networking mode.

    Attached are tasklist and scquery.
     

  19. momok

    momok TS Rookie Posts: 2,272

    Clearly, these are problems in HJT. Why aren't these fixed yet??
    Skein: please run HJT and fix these entries immediately and let us know if you still have problems after that:

    O3 - Toolbar: LikeVine - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\LikeVine\tbcore3u.dll
    O4 - Startup: LikeVine.lnk = C:\Program Files\likevine\LikeVine.exe

    Also, navigate to C:\Program Files\LikeVine\ and delete the entire LikeVine folder.
     
  20. skein4

    skein4 TS Rookie Topic Starter Posts: 39

    Done. See attached HJT log.
     


  21. momok

    momok TS Rookie Posts: 2,272

    I need a HJT log from normal mode. Also, how are the redirections?
    And are you able to run MBAM or SAS at all in normal or safe mode?
     
  22. mflynn

    mflynn TS Rookie Posts: 2,793

    LikeVine is harmless and more of a nuisance; it would never cause an issue like this.

    Skein it is time to try a system restore, pick a date before this issue.

    Start-programs-accessories- System tools-System Restore.

    If all works after this, get us the MBAM and SAS logs as requested earlier.

    Mike

    Hi momok glad to meet you!
     
  23. momok

    momok TS Rookie Posts: 2,272

    Please do not use System Restore!

    Mflynn: please let the user complete our instructions. I regularly instruct users here on malware cleaning and I've not seen any malware cleaning advise a system restore. It is just not the right way to do things.

    There are several other tools apart from HijackThis, like Combofix for example, that can be used to diagnose his problems. This is clearly a malware problem as he experiences redirects.

    If there is a problem with any certain entry in HJT, fix it.
     
  24. mflynn

    mflynn TS Rookie Posts: 2,793

    momok, if you will notice, he has tried to execute them and they abort or crash.

    HJT is the only thing that he seems able to run.

    I would surely love for him to be able to run them and post the logs! That is all I have been trying to get done!

    It is time for a System restore!

    Mike
     
  25. momok

    momok TS Rookie Posts: 2,272

    That was with MBAM and SAS. At least wait and let him exhaust the options. He has not even gotten back after my previous instructions on HJT.

    Also, we have not recommended a Combofix link. Other than Combofix there are other tools that we can use. Even the hosts file has not been checked, so a system restore should not be a viable option yet.
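momok's last point, that the hosts file has not been checked, is the usual first place to look when only security vendors' sites are unreachable: a hosts entry that pins a vendor's hostname to loopback blocks the site, and one that pins it to any other address redirects the user. The block below is an added example (not code from the thread or from any poster) that parses a hosts file in the format Windows uses and reports watch-listed hostnames that have been pinned. The sample hosts text and the watch list are constructed for the example; on a real machine the file is `%SystemRoot%\System32\drivers\etc\hosts`.

```python
import ipaddress

# Constructed sample of a Windows hosts file (not taken from the thread).
# The real file lives at %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       superantispyware.com   # inline comment
0.0.0.0         www.bleepingcomputer.com
192.0.2.10      www.kaspersky.com download.microsoft.com
"""

# Constructed watch list: domains a cleaning helper expects to be reachable.
WATCHLIST = (
    "malwarebytes.org", "superantispyware.com", "bleepingcomputer.com",
    "kaspersky.com", "microsoft.com", "castlecops.com", "techspot.com",
)


def parse_hosts(text):
    """Return (ip, hostname) pairs, one per hostname, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing and full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # an address with no hostnames
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # not a valid address; skip the line
        for host in parts[1:]:                # one line may map several names
            entries.append((str(ip), host.lower()))
    return entries


def _on_watchlist(host):
    """True if host is a watch-listed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def classify(ip):
    """'blocked' for loopback/unspecified targets, otherwise 'redirected'."""
    addr = ipaddress.ip_address(ip)
    return "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"


def suspicious_hosts_entries(text):
    """Map each pinned watch-listed hostname to (ip, 'blocked'|'redirected').

    'localhost' is skipped because its loopback entry is legitimate; any other
    pinning of a security vendor's site is worth removing and investigating.
    """
    flagged = {}
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        if _on_watchlist(host):
            flagged[host] = (ip, classify(ip))
    return flagged


if __name__ == "__main__":
    for host, (ip, kind) in suspicious_hosts_entries(SAMPLE_HOSTS).items():
        print(f"{kind:10} {host} -> {ip}")
```

Two caveats for the real file: Windows reads the hosts file from the directory named in the `DataBasePath` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, so a clean default file can coexist with a poisoned one elsewhere if that value was changed; and a clean hosts file does not rule out the redirects, since the same effect can come from a process intercepting DNS or HTTP, which is why the process and service lists requested earlier in the thread are still needed.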
     