Brutal Malware - help

Status
Not open for further replies.
I had same infection. Those programs would crash for me too. I ran them without automatic updates and they worked. After the initial cleaning without updates I was able to run them again with updates. Seems the programs get hung up because they cannot connect to do updates.
 
attached is the HJT log in normal mode.

sorry for the delay, i lost my wireless for a while.

to recap: i have AVG, CC, and HJT all running.
i have SAS and Spybot loaded, but they crash upon starting
i have MBW to install, but it crashes on install
i have not been able to access ComboFix from any links so far. most other websites you recommend to read are also blocked (castlecops). you and download-dot-com seem to be the only ones working.
 
Texaus may hold the simple work-around for this. It seems that RIES knocks the infection's protection scheme just a bit.

Kimsland's instruction for RIES

Follow this with MBAM.

Another possibility is to logon as another user (if it exists) & install MBAM.
 
i re-signed in as administrator in safe-networking, but same problems. i did run the explorer restore, though that didn't seem to help either. if i type in bleepingcomputer-dot-com it takes me to some other site.

i have MBW downloaded, it just won't install. SAS and Spybot came close (since i turned off the check for updates), but they also crash when opening.
 
If i remember correctly, there is an option when installing malwarebytes that asks if it should check for updates. Do not do that the first time, just let it install. Run it once and then you can update and run again - that is what worked for me.
 
unfortunately, i can't even get to that point. it just does nothing. it actually appears on task manager as a process, but it never appears to do anything.
 
I have tried to re-create the conditions that permitted another thread to install MBAM. Wdawg stated that RIES suggested by tw0rld seemed to do the trick. I infer that this was done in normal mode.

I believe that sergeant259 used cmd > msconfig > diagnostic startup to obtain conditions for installing MBAM. Obviously a re-start is needed for that condition.

ComboFix is a smaller program. This may be easier to accomplish.

Here is another rope to grasp
SDFix. Similar to ComboFix.

I am not sure that creating a new user comes without the infection.
 
The SDFix link is blocked also.

I will try the cmd/msconfig/diagnostic...can you put me to that link? Thanks,

I did find a way to get Spy Bot to run: right clicking over My Computer. I'll post what happens with that.
 
start menu > Run > msconfig > diagnostic mode

Click 'start' on the Task Bar

Click 'Run' on the menu

Type 'msconfig'

Select 'diagnostic startup'

I have trouble with clarity. My 'express notation' often confuses.
 
Hi skein

NOTE: RF6647 and I were posting at the same time. Do his completely before mine.

Download Autoruns http://download.sysinternals.com/Files/Autoruns.zip

Hopefully it will download and run. If so, run it and wait for the Floppy Icon to become bold; that makes the log. Get the log and attach it back.

Also try this one:

D/L Xclean_Micro

http://www.xblock.com/download/xclean_micro.exe

No install, just run it. Delete all it finds and decline to reboot on each item found, until the program finishes, then reboot.

Xclean will run minimized and will pop up a window if it finds anything. If it finds nothing it will exit.

Please make a note of what it found as it has no log.

If it does run in normal mode and does removals, then reboot to regular Safe mode and run again.

Back to normal mode. If things are working, get all the logs posted.

Mike
 
mike and RF6647:

Baby steps! I was able to load MBW in msconfig/diagnostic, but it still won't run, just sits there quietly in the processes as mbam.exe.

I WAS able to download both of Mike's programs. Attached are 2 logs, one in safe mode, one done afterwards in normal.

In safe mode, the xclean program found "Kuaiso Toolbar" with 16 HKeys. I didn't write all the numbers down since I would be here all night. They seemed to be split between Local_Machine and Classes_Root, FWIW.

OOPS! the saved autoruns files are bigger than allowed for uploading, about 3.5MB each. Is there another way to post them?

Things are at least moving...that's a first so far....
 
3 megs!!!!!

I like you skein but not enough to read 3 megs.

It likely is a dud or has a virus attached.

Now it is time to run XClean again and again until it comes up clean, or finds something it will not clean.

Go to it.

Try Malwarebytes and SAS after it comes up clean as clean as it will.

And if they still will not update run them like they are. Make sure if the SAS main screen comes up to do the configuration I posted earlier.

Also try the Rats Cheddar again. Look back in the posts for instructions for both.

Mike

EDIT: Missed the part about SpyBot, what is the latest, same thing if it runs wear it out and run it until it comes up clean!
 
Mike, I will take the 2nd seat on this now that you're available.

FYI - ZoneAlarm blocks my access to 'xblock.com' with 'spyware site' reason code.
 
ok. i ran xclean again and it comes up clean.

i also uninstalled AVG since it was getting touchy. i loaded Avira with no problems and ran it. log is attached. only 2 warnings...dunno if they are problems.

After Avira I did CCleaner, and then went to MBW and SAS, but they behaved the same. MBW still sits there quietly. SAS crashes and burns.

autorun logs are still around 3 megs.

Spybot kinda ran...it was really blinky and seemed to get through all the files (after about 30 minutes), then minimized and froze. So, I have no idea if that helped or not. I'll try it again.

Ugh...am I helping at all? You guys have been awesome, I wish I knew more to give you better info.
 
Nothing really bad!

OK now that XClean comes up clean go to add/remove programs and uninstall MWBAM and SAS.

Then delete the Combo fix and SDFix folders.

Reboot and reinstall SAS and MBAM only, again!

Do the config mods I gave for SAS and run them without updating. Run the Quick scans on both.

Only if they don't run again, then do the below in order.

Try MWBAM and SAS after any one of these work.

Perhaps one or all will run maybe none. But try. It will be like a breaking Dam when the right one kills or cleans the right malware.

http://majorgeeks.com/Kaspersky_AVP_Tool_d4515.html
http://majorgeeks.com/Dr.Web_CureIT_d4783.html
http://majorgeeks.com/Prevx_CSI_-_FREE_Malware_Scanner_d5785.html
http://majorgeeks.com/Norman_Malware_Cleaner__d5450.html

Mike
 
Hi rf6647

Your help is welcome rf6647 I am a team player and I can use all the help I can get on this one.

Jump in anytime.

Hmmm! I have used XCleaner_Micro for years. It is from XBlock, producer of the highly rated XCleaner Anti Trojan software. They have an excellent reputation and are highly regarded in the industry.

It seems to mainly go after the worst or most prevalent.

It deserves more recognition than it gets. I used to use it as a pre clean before SpyBot AdAware and MalwareBytes .

But a few months ago on one of my clients really whacked machines I ran it after all 3 of the above and it actually found what all the others had missed.

I was even more impressed then!

Good to talk to you.

Mike
 
Mike-

Thanks again...more progress! I'm at work now, so I can't post the logs, but I will tonight (in about 8 hours or so). I'd appreciate if you could take a look later.

Update: I was able to download, install and run MBW. Downloaded in safe networking mode, installed in diagnostic mode, and re-named "run this". I ran it twice in safe networking mode and it caught viruses both times. I was then able to download and install SAS. It looks like it will work in normal mode, so I will run both again after work in normal. Hopefully, I can then follow the 8 steps from start to finish. I'll post the logs after that. I'm not out of danger yet, but this is real progress.

I can't thank you guys enough, you are doing saints' work. What is the best way to repay? Recommendations, donations, etc?
 
Great news! But post all the logs FIRST!

In MWBAM click logs attach in the order oldest to newest!

In SAS click Preferences-Statistics/logs oldest to newest.

After that run both again until they come up clean or find something they cannot clean. Post logs each run!

When doing the 8 steps do all but these 2 as you have already done these.

Mike

EDIT: we are not out of the water yet, your thanks is all I need!
Did some of the links I sent download and install? Which ones? I may need this info for others.
 
I've been following this thread and have tried almost everything just as Skein did, and my symptoms have been almost identical since I picked up the virus 2 days ago.

I don't want to jack Skein's thread so should I start my own?
 
Yes start your own. Post your issues.

Do follow instructions in his post.

But post all logs in the new thread.

As soon as you create the new post, I have more info on this issue and will post it.

Mike

EDIT: give details of the current state.
 
Mike-

XClean and Autoruns links worked, and seemed to put me ahead enough to finally get MBW to download. Since I'm still at the SAS stage, I haven't yet tried the Majorgeeks links. I'll post the logs in order of running them later tonight. It is definitely still infected, but I can at least run MBW and SAS for the first time.

AsonJ, welcome to the party! It's not really fun and there is no spiked punch, but at least the conversation is good. : )

The Xclean was the first thing that helped me, then MBW downloaded in safe mode, run in diagnostic and renamed. If that works, things get a whole lot better. More to come...
 
Hi Skein

No need to do the other links yet. Just do the MWBAM repeatedly and post each log until it comes up clean or with something it cannot clean.

Same for SAS!

Mike
 
Thanks for the welcome. This thread has been the most comprehensive I've found, and seems to be well on its way to solving both of our problems. I'll be following both this thread and my own to find the solution.
 
Attached are the 2 logs from running MBW. 07-35-02 is the older one, 07-55-48 is the newer one. Both were run in safe mode with networking.

I'm now going to run SAS in normal mode, and will post the log when it is complete.
 