TechSpot

Virus message popup

By Karterfive
Nov 1, 2008
  1. Hi,

    I'm hoping you can help me although I really don't know where to begin - so many issues are occurring! Ackkkkkk!!!!

    The other day while reading an email, a virus message popped up and my system went wacky and shut down. I turned it back on and found that my Norton's was gone "poof" and that my browser window would not open. I could access my email client and the weather bug so I know I have an internet connection, ...just couldn't get my browser window to load.

    So, thinking I could fix this myself, I reset my settings to restore the Windows browser. I now can access the internet, but I CAN'T follow a link or download ANYTHING. I keep getting an "internet explorer cannot display the webpage" error message. I've been searching through this site and I think I may have "hijacked browser" ...not sure though what that means or how to fix it?

    Okay, also, at this time, I had received a message with instructions on how to update my Norton's. I was able to start that process, ...which means that it said it had to remove the previous version of Norton's before it could install the latest version. It removed the old, but now I can't download the newer version so I have NO virus protection on my computer. I tried to access other sites, such as the AVG 8.0 for a FREE product to try and get my system protected, but once again, I cannot get the page to load, so I'm just unable to download it.

    I tried to do a system restore and it is not working either, ...keeps saying it can't restore, try another date. I did, but apparently that feature just doesn't work anymore. I even tried to create a new date and it won't.

    So, no Norton's, browser won't open new windows, no system restore, ...oh, and other pop up messages as well.

    Sorry this is so long, ...just not sure what to try and fix first.

    I appreciate any help you can provide.

    Thanks!

    BetsC
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You've already gone too far! One interesting thing - weather bug - this is going to be a big part of your problem. It comes bundled with spyware/adware!

    Please go to the following page here and begin the malware cleaning step. If necessary, download the programs to a flash drive, then run on your system:
    http://www.techspot.com/vb/post645589-1.html

    Do Not attempt to use restore until the system is clean and we have removed the old restore points. They can become infected with the malware and since they are protected files, the cleaning programs don't reach the restore points.

    Try to get some online AV program to a flash drive and get it on to the system. Do it in Safe Mode if needed. Chances are if you didn't use the Norton Removal Tool, you will have some protection left.

    Once you attach the logs, we can begin helping you.
     
  3. almcneil

    almcneil TS Guru Posts: 1,277

    You've Been Hit by Spyware!

    You've been hit by spyware. I also recommend you ditch Symantec-Norton in favour of AVG 8.

    I recommend running the following 3 anti-spyware utilities (all available in the Download section at this site):

    • AVG 8
    • Ad-Aware 2008
    • Spybot Search & Destroy

    Repost with results.

    Best,
    -- Andy
     
  4. igglybiggly

    igglybiggly TS Rookie Posts: 19

    I too have this infection it's called Brastk!

    The infection is called Spyware2009 and comes with two things. First - in your bottom right toolbar a red circle with white cross. This gives a popup that includes the word "prevent" misspelled, thus highlighting it as a virus. Second, it comes with a file called Brastke.exe which will be in two places - one in C:\Windows and one in C:\WINDOWS\System32. I have found I can delete one via Explore under one user login and then have to go to another user login to kill the other before it gets started. This malware infection is quite clever in that it totally disables any anti-virus software installed (like Norton or AVG), it also will not allow you to run any newly downloaded software and in most cases will not allow you to open any webpages associated with anti-virus software - so you can open Norton motorcycle webpages, but not Norton antivirus pages! As you will see, I have discovered the program, but not how to kill whatever is replacing the Bratsk.exe files when the PC is re-booted. The instructions I found elsewhere on the net include using Trend Micro's Hijack This to kill the startup program (as MSconfig is not going to work), but the virus won't allow the Hijack This to start up now that I have downloaded it. I suspect it is a registry problem - but then I'm a basic user and I don't even know how to find those and kill the correct registry entries and none of the recommended software will open up - save 1 - Spyhunter 3. Can anyone offer any further help? Preferably something that does not involve downloading and running a program - because the little bugger won't let it happen!
     
  5. almcneil

    almcneil TS Guru Posts: 1,277

    I'd try Task Manager (if it isn't blocked from running by the spyware) and look in the process list for Brastk.exe and kill it. Then see if you can install/run anti-spyware. I gave my recommended 3 anti-spyware utilities in a previous post.

    -- Andy
     
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  7. igglybiggly

    igglybiggly TS Rookie Posts: 19

    One other thing about Bratsk - It killed my Cid malware problem which we have had for over 12 months now and could not get rid of! Frying pan and fire spring to mind.

    Kimsland - I have just run enditall and there are no skulls - perhaps because I have suppressed the program by deleting the two Bratsk.EXE files in Windows and system32. Specifically, what I need to know is how to find out what puts these two EXE files back in the Windows and system32 files when I re-boot? If I can stop it doing this I can kill it. What I detailed above is enough to take back control of the PC - but it doesn't stop this thing preventing anti-virus software being opened and run. Thanks for your help.

    I think the thread "Viruses are destroying my computer and I need help" is the same issue. Perhaps this is affecting quite a lot of people worldwide.
     
  8. tw0rld

    tw0rld TS Maniac Posts: 572   +6

    It is obvious that a program is set to run at startup, therefore editing the registry might be the best option. The problem is where to look for the entry;
    Run regedit:
    1. Win logo key + R, then type regedit
    2. When regedit opens browse to the following:
    Look here for any strange entries.

    Also browse to:

    Look for any strange entries.

    Also observing the string value should reveal the location of the file.
    Note: Before you delete anything, be sure that it is the offending entry. Posting it for confirmation may be best.
     
  9. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Please go to MSCONFIG Diagnostic mode
    Start->Run-> MSCONFIG

    Then restart your computer

    In Diagnostic mode none of your startups will happen.
    This may help to continue repairing your issue

    But once all is done, you will need to go back and run MSCONFIG and return it to Normal mode
     
  10. tw0rld

    tw0rld TS Maniac Posts: 572   +6

    This is a lot simpler. :grinthumb
     
  11. igglybiggly

    igglybiggly TS Rookie Posts: 19

    In reply to tw0rld

    Under: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] nothing appears incorrect.

    Under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] there's (under suspicion):-

    (Default) Reg_SZ (value not set)
    Carpservice Reg_SZ carpserv.exe
    dmtxe.exe Reg_SZ C\Windows\system32\dmtxe.exe
    dmzsy.exe Reg_SZ C\Windows\system32\dmzsy.exe
    Kernalfaultcheck Reg_Expand_SZ %systemroot%\system32\dumprep 0 -k
    Love default global mess Reg_SZ C\Documents and settings\all users\Application Data \ great coal love default \ warn once.exe - wtf???
    Pinnacle Driver Check Reg_SZ C\Windows\System32\PSDrvCheck.exe
    winlogin Reg_SZ

    Everything else looks kosher

    Thanks for your assistance

    Kimsland - re your MSconfig re-boot - I don't feel confident enough to follow your instructions since "In Diagnostic mode none of your startups will happen" - so what will happen and "once all is done, you will need to go back and run MSCONFIG and return it to Normal mode" - will it be obvious how to do this? If I lose the tinternet through following these instructions I lose all the help I am getting from you guys.

    Thanks again
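A way to apply the check tw0rld describes in post 8 (look in the Run keys for strange entries, let the string value tell you where the file lives) to a listing like the one igglybiggly pasted above. This is an added example, not code from the thread or from TechSpot. It parses plain text in the "Name REG_TYPE Data" shape the poster used; the sample listing is built from entries quoted in this thread with the missing drive colons restored. The heuristics it applies (empty value data, a core Windows process name used as a Run entry name, a bare filename instead of a full path, a binary living under a profile or Application Data directory), and the `SYSTEM_PROCESS_NAMES` and `USER_WRITABLE_HINTS` tables, are this example's own assumptions, not anything the posters proposed; a flag means "look closer", not "delete".

```python
"""Triage a pasted Run-key listing for autostart entries that deserve a closer look.

Added example (not from the thread). Input is plain text in the shape the poster
used: one entry per line, "Name REG_TYPE Data", where Data may be absent.
"""
import re
from dataclasses import dataclass, field

# Names of core Windows processes. Windows never starts these from a Run key,
# so a Run entry carrying one of these names is borrowing the name to blend in.
# (Assumed list for this example.)
SYSTEM_PROCESS_NAMES = {"csrss", "winlogon", "winlogin", "lsass", "smss",
                        "services", "svchost"}

# Path fragments that mark user-writable profile locations, where installers
# of legitimate autostart programs normally do not place their binaries.
USER_WRITABLE_HINTS = ("\\documents and settings\\", "\\application data\\",
                       "\\appdata\\", "\\users\\", "\\temp\\")

ENTRY_RE = re.compile(r"^(.*?)\s+(REG_SZ|REG_EXPAND_SZ)(?:\s+(.*))?$", re.IGNORECASE)


@dataclass
class RunEntry:
    name: str
    reg_type: str
    data: str
    flags: list = field(default_factory=list)


def parse_listing(text):
    """Turn the pasted text into RunEntry objects, skipping the (Default) value."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # blank line or commentary, not an entry
        name, reg_type, data = m.group(1), m.group(2).upper(), (m.group(3) or "").strip()
        if name.lower() == "(default)":
            continue
        entries.append(RunEntry(name, reg_type, data))
    return entries


def triage(entry):
    """Return the heuristic flags raised by one entry (empty list = nothing odd)."""
    flags = []
    name = entry.name.lower()
    if name.endswith(".exe"):
        name = name[:-4]
    if name in SYSTEM_PROCESS_NAMES:
        flags.append("system-process-name")
    data = entry.data.lower()
    if not data:
        flags.append("empty-data")  # runs nothing now; may be a placeholder or leftover
        return flags
    # A full path starts with a drive letter (colon optionally missing, as in the
    # poster's transcription) or an environment variable such as %systemroot%.
    if not (re.match(r"^[a-z]:?\\", data) or data.startswith("%")):
        flags.append("relative-path")  # resolved via the search path; origin unclear
    if any(hint in data for hint in USER_WRITABLE_HINTS):
        flags.append("user-writable-dir")
    return flags


def triage_listing(text):
    """Map entry name -> flags for every entry that raised at least one flag."""
    report = {}
    for entry in parse_listing(text):
        entry.flags = triage(entry)
        if entry.flags:
            report[entry.name] = entry.flags
    return report


# Sample listing built from entries quoted in this thread (drive colons restored).
SAMPLE_LISTING = r"""
(Default) REG_SZ (value not set)
Carpservice REG_SZ carpserv.exe
Love default global mess REG_SZ C:\Documents and Settings\All Users\Application Data\great coal love default\warn once.exe
kernelFaultCheck REG_EXPAND_SZ %systemroot%\system32\dumprep 0 -k
SunJavaUpdateSched REG_SZ C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
csrss REG_SZ
winlogin REG_SZ
"""

if __name__ == "__main__":
    for name, flags in triage_listing(SAMPLE_LISTING).items():
        print(f"{name:30} {', '.join(flags)}")
```

Run it as-is to see the sample triaged, or paste a listing exported from Regedit into `SAMPLE_LISTING`. Entries such as the Java updater and kernelFaultCheck pass every heuristic; the empty "csrss" and "winlogin" entries and the "warn once.exe" under Application Data are the ones that come out flagged, which matches what the posters singled out by hand.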
     
  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Once the infection or issue is resolved, you can then return MSCONFIG back to normal

    Or use the Msconfig Cleanup utility (preferred)
     
  13. igglybiggly

    igglybiggly TS Rookie Posts: 19

    Kimsland?

    First things first - does anything look wrong in the list I supplied - anything on the "kill" list? What about the loving coals thing?

    Second - do I run the MSconfig cleanup (which I have just downloaded) instead of doing the MSCONFIG and re-boot your computer?

    Third - you type MSconfig and a window pops up. What then? Do I just go start>turn off computer>restart? or do I change something in the MSconfig window?

    I did say I am a basic user!
     
  14. tw0rld

    tw0rld TS Maniac Posts: 572   +6

    Unable to find any info on the entries below. My guess is that they are no good.
    Do not delete anything yet. I would love to get confirmation from others.

     
  15. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I will leave you in tw0rld's capable support
    His support here is actually helping you more
    I agree the above entries should be removed from startup, and then deleted
     
  16. igglybiggly

    igglybiggly TS Rookie Posts: 19

  17. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Huh! One of my old forums I was member on for a while
    I find TechSpot much better
    But I do refer to links to other sites as well

    Please continue to follow tw0rld support (above ^^)
     
  18. tw0rld

    tw0rld TS Maniac Posts: 572   +6

    Apparently the warn once.exe file went by another name THAT SOFTWARE DEAD ONCE.EXE


    This might explain your inability to run programs. Go ahead and delete those three entries, by browsing to their directories. Also run msconfig and deselect,
    1. dmtxe.exe
    2. dmzsy.exe
    3. warn once.exe
    click apply, then ok.

    After restart use msconfig cleanup to remove those entries mentioned above.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thanks kimsland. I've been meaning to do that. Reminder helped.
     
  20. igglybiggly

    igglybiggly TS Rookie Posts: 19

    Here's where I am up to

    In Regedit I deleted the three entries you highlighted (tw0rld) by selecting each, right clicking and deleting.

    I rebooted the pc - Bratsk.exe returned to the two locations in windows and system32.

    I installed and ran MSconfig cleaner. This did nothing but come up with a box saying "there are no disabled startup items in MSConfig". The choices are select all / deselect all / quit. Not much help. Am I missing something?

    I will have to return to this in the morning (UK time).

    Please continue to offer more advice for the simplest of minds and abilities. I am determined to kill this bug.

    Thanks
     
  21. tw0rld

    tw0rld TS Maniac Posts: 572   +6

    Sorry if I didn't explain it properly. You needed to delete the files, not the registry entries.

    Browse to C:\windows\system32
    search for and delete dmtxe.exe & dmzsy.exe


    Browse to
    C\Documents and settings\all users\Application Data \ great coal love default
    search for and delete warn once.exe

    When finished with the above run msconfig and deselect,

    1. dmtxe.exe
    2. dmzsy.exe
    3. warn once.exe
    Click Apply, then OK to exit, and click Restart.
    Upon restart Windows will display a dialog; click the check box and click OK.

    After restart use msconfig cleanup to remove those entries mentioned above.
     
  22. igglybiggly

    igglybiggly TS Rookie Posts: 19

    Tw0rld

    I navigated via Explore and could not find the dmtxe.exe & dmzsy.exe files. When I deleted them in regedit they must have gone. I found a folder for the "Great Coal Love" and deleted it.

    I ran msconfig, but the files were not there to de-select (presumably this was on the startup tab).

    I re-started and did msconfigcleanup - there was nothing to select

    I re-booted the pc and hey presto ... Bratsk appeared again in Windows and system 32 !! (I also now know that the one in Windows makes the red circle/white cross appear on the taskbar, because if I delete it quick enough it doesn't come up, but I still have to go to another user to delete the system 32 one).

    I have back-tracked on the instructions and had another look in the regedit files from the earlier post 680074. There is still nothing suspicious in these files that can be causing this bug to reappear on re-boot. It would help if I could copy and paste them to a list here.

    In [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] only these look suspicious..

    (Default) Reg_SZ (Value not set)
    CTooLBar Reg_SZ prcmon.exe
    CTSyncU.exe Reg_SZ C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe


    the rest are associated with known applications i.e. Active Sync, Kill&Clean, Nokia, Popstop and Google taskbar.

    In [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

    Apart from a long list of known stuff there is (under suspicion):-

    (Default) REG_SZ (Value not set)
    Carpservice REG_SZ Carpserv.exe
    csrss REG_SZ
    IconixOEAddOn REG_SZ C:\Program Files\EMail ID\OEAddOn\OEdmn_2.exe
    kernelFaultCheck REG_EXPAND_SZ %systemroot%\system32\dumprep 0 -k
    NeroFilterCheck REG_SZ C:\WINDOWS\System32\NeroCheck.exe
    PinnacleDriverCheck REG_SZ C:\WINDOWS\System32\PSDrvCheck.exe
    SunJavaUpdateSched REG_SZ C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    TkBellExe REG_SZ C:\Program Files\Common Files\Real\Update_OB\Realsched.exe - osboot
    winlogin REG_SZ

    I notice in the windows & system32 folder in explore there are a lot of unusual .exe files with strange series of letters (if that helps), i.e. "ejekoku" - many appear to be MSDos applications.

    I'm afraid it's back to trying to pin down what is putting Bratsk back in the Windows/system32 files on reboot.

    Thanks for your help.
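The question igglybiggly keeps coming back to is what reappears in the Windows and system32 folders after a reboot. Before anyone can say what puts the files back, it helps to have a precise record of which files came back or were new, rather than eyeballing a folder full of odd names. The script below is an added example, not code from the thread or from TechSpot: it hashes every executable under a folder into a JSON snapshot so that a snapshot taken before the reboot can be compared with one taken after. The `demo()` function rehearses the thread's scenario in a temporary folder with constructed file contents (the names `brastk.exe` and `ejekoku.exe` are the ones mentioned in this thread; their bytes here are made up).

```python
"""Snapshot the executables in a folder and diff two snapshots across a reboot.

Added example (not from the thread). It answers the narrower question "which files
came back or appeared after the restart", which is the evidence needed before
hunting for whatever re-creates them.
"""
import hashlib
import json
import sys
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com")


def snapshot(directory):
    """Map each executable's path (relative to directory) to its SHA-256 hash."""
    root = Path(directory)
    result = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def save_snapshot(snap, out_file):
    Path(out_file).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_snapshot(in_file):
    return json.loads(Path(in_file).read_text())


def diff_snapshots(before, after):
    """Report files that appeared, disappeared, or changed content between snapshots."""
    before_paths, after_paths = set(before), set(after)
    return {
        "added": sorted(after_paths - before_paths),
        "removed": sorted(before_paths - after_paths),
        "changed": sorted(p for p in before_paths & after_paths if before[p] != after[p]),
    }


def demo():
    """Rehearse the thread's scenario in a temp folder: delete the dropper, take the
    baseline, then simulate the reboot that brings it back with a random-named helper."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notepad.exe").write_bytes(b"legitimate program bytes (constructed)")
        (root / "brastk.exe").write_bytes(b"dropper bytes (constructed)")
        (root / "brastk.exe").unlink()  # the manual deletion the poster did
        save_snapshot(snapshot(root), root / "baseline.json")  # .json is not snapshotted
        # What the still-unknown persistence mechanism does during the restart:
        (root / "brastk.exe").write_bytes(b"dropper bytes (constructed)")
        (root / "ejekoku.exe").write_bytes(b"random-named helper (constructed)")
        return diff_snapshots(load_snapshot(root / "baseline.json"), snapshot(root))


if __name__ == "__main__":
    # Usage: snapshot DIR OUT.json  |  diff BEFORE.json AFTER.json  |  (no args) run demo
    if len(sys.argv) == 4 and sys.argv[1] == "snapshot":
        save_snapshot(snapshot(sys.argv[2]), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "diff":
        before, after = load_snapshot(sys.argv[2]), load_snapshot(sys.argv[3])
        print(json.dumps(diff_snapshots(before, after), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

In practice you would run the `snapshot` command against C:\Windows and C:\Windows\system32 right after deleting the files, reboot, snapshot again, and `diff` the two; the "added" list is then the exact set of files something re-created, with hashes you can compare against a known-good copy. The Run keys the thread has been inspecting are only one of several places Windows launches programs from, so a file that keeps returning while those keys look clean points at a different launch point, which is the next place to look.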
     
  23. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Well "prcmon.exe" is a Trojan
    So that registry entry can be removed
    Then locate prcmon.exe in your Windows folder and remove it
    (note you may need to end the process first through Task Manager, or just restart and then do this)
     
  24. igglybiggly

    igglybiggly TS Rookie Posts: 19

    Hi - yes I've deleted that one. Still got Bratsk though if you have any more ideas?
     
  25. tw0rld

    tw0rld TS Maniac Posts: 572   +6

    Unhide hidden files

    My computer > Tools menu > folder options > Click view tab > select show hidden files and folders > click ok and apply to exit.

    Now browse to C:\windows\system32 and see if the dmtxe.exe & dmzsy.exe files are now there.

    Also delete this file Bratsk

    Deleting the registry entry will not delete the file itself.

    If this doesn't work then something else is causing the problem
     
Topic Status:
Not open for further replies.
