Can't get rid of Spyware

Status
Not open for further replies.

jojoness

Posts: 41   +0
Hey there, last time I was here it was April, and I had a PC-Antispyware problem, and it seems I now have a new one.

I am having a really hard time trying to get HijackThis to open at all, so I can't even post a log for you. And I ran Malwarebytes and can't find the log for that either (And I know where I have to look, but I can't seem to get to the right folder?)

As far as what I'm experiencing, my Spybot S&D was giving me a lot of "Allow this?" suddenly when I was trying to find a new episode of a show I watch, and I kept denying, but they kept popping up. Suddenly my computer kept warning me about how my computer is not protected, etc. It just suddenly shut off on me with a blue screen explaining that if it were the first time I saw that warning, to try and reboot and look for the problem, and then it said "beep.sys" as the problem? I'm not too sure.

Needless to say, it took me a long time to get myself rebooted, because it kept freezing or not loading properly. I got into Safe Mode and performed a scan through Malwarebytes. It found 28 problems, and I deleted/quarantined it all. Then I rebooted normally, and now I have this pop up which I know is not a good sign:

ppp.jpg


So, how can I get HJT to work to show you whats going on? :[

EDIT

I think I have this Brastk problem as I've read a few others, and I do remember spybot trying to have me allow that and I kept saying no, and now none of my anti spyware stuff is working. I am going to attempt to get SAS and will update soon.

so I went into safe mode and deleted the karna and brastk files from inside c\windows and c\windows\system32. I couldn't find an antivirus 2009 file anywhere, so I am going to assume that I didn't get that.

but im stuck now, seeing as HJT and antimalware bytes is not opening, and I cant download SAS! what do I do??

ok, was able to locate the MBAM log! I hope this will reveal something.

tricked my computer into letting me download and open SAS! will post log as soon as I can get it. Hope someone reads this soon :[

so I did a quick scan with SAS, because the full scans were not working for me (the computer kept freezing after an hour, both times that I tried), so attached is the log. I rebooted, but the weird notice is still popping up from my tray.

I hope someone will look at this :[

will anyone look and help, please?
 

Attachments

  • mbam-log-11-17-2008 (14-51-24).txt
    3.5 KB · Views: 6
Did you try renaming hijackthis.exe to crusty.exe like before? Combofix will show everything that hijackthis would anyways, so don't worry if you can't get it to run


Download and Install SDFix
  • Download SDFix and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here

===============================================

75415740545070046c3ec0.gif
Run Smitfraudfix
  • Download Smitfraudfix by S!ri from HERE
  • Double-click SmitfraudFix.exe
  • Select 1 and hit Enter
  • The report can be found at the root of the system drive, usually at C:\rapport.txt

===============================================

avatar62338_1.gif
Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt


Attach Here:
1) Report.txt from SDfix
2) Rapport.txt from Smitfraudfix
3) Combofix.txt
 
BlindDragon,

First off, thank you so much for the quick reply. I know you must be busy, and I appreciate you taking the time to help me once again.

Yes, I had HJT renamed as Crusty.exe from the first time I used it back in April. I hadn't renamed it since, which makes me extremely confused as to why it's not working now.

Unfortunately, it seems this virus is smarter than most, and won't let me download SDFix or ComboFix from the links you posted. I tried to find an alternate link on search engines (Google, Yahoo), but whenever I click a link where it's available, I get redirected to a random site.

As for Smitfraudfix, I was able to download it, but in order to run it I had to change it's name (smitty.exe) to have it work. This is the only log out of the three that I can give you.

EDIT!

I got HJT to finally work! Had to move it outside its folder. Attached is that log.
 
75415740545070046c3ec0.gif
Run Smitfraudfix
  • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
  • Double-click SmitfraudFix.exe
  • Select 2 and hit Enter to delete infected files.
  • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
  • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Also empty your recycle bin

Try SDFix and Combofix again.
 
Blind, I will do that next. I just wanted to let you know that I got HJT to work and I posted the log in the previous post.
 
Perfect, let me know once you have done the next step. About half the files are infected in there. Also, did you run a temp file cleaner like CCleaner or ATF cleaner? because there are a number of infected temp files that are also being autostarted from the registry. And it will decrease scan times with less temp files.
 
I ran Smitfraudfix like you said if Safe Mode, but when it came for the program to remove temp files, smit disappeared, leaving the Disk Cleanup window up, but after 3-5 minutes, that disappeared as well, then there was just a black screen. I thought perhaps Smit would start up again, as if it were doing something without showing, but nothing happened about 5-10 minutes. I did this twice, and it happened both times.

I am running Disk Cleaner right now on normal mode. Hopefully the temp files will go this way, and I can run Smit again and hope for it to complete.
 
Did it get to the point where it asked you to clean the registry?

Also check to see if there was a log produced?

If not, then run it again. If there is attach the log here

Sometimes you have to reboot, and it will start up again after - look for logs in the root C:\rapport.txt
 
No, I never reached that point.

I cleaned out temp files while on Safe Mode too, to be sure they were gone, and when I ran Smit again, the same thing happened. I'm not too sure whats going on?

But it seems to have left a log, which i will attach here.
 
Ok, let's do the first part the hard way then.

Remove bad HijackThis entries
  • Run HijackThis
  • Click on the System Scan Only button
  • Put a check beside all of the items listed below (if present):

    O2 - BHO: C:\WINDOWS\system32\siejf93.dll - {c5af42a3-94f3-42bd-f434-3604832c897d} - C:\WINDOWS\system32\siejf93.dll
    O4 - HKLM\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
    O4 - HKLM\..\Run: [jsg8jfgfdfhfhf] C:\DOCUME~1\JOJO'S~1\LOCALS~1\Temp\winlogun.exe
    O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\JOJO'S~1\LOCALS~1\Temp\winlogin.exe
    O4 - HKLM\..\Run: [brastk] brastk.exe
    O4 - HKCU\..\Run: [jsg8jfgfdfhfhf] C:\DOCUME~1\JOJO'S~1\LOCALS~1\Temp\winlogun.exe
    O4 - HKCU\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\JOJO'S~1\LOCALS~1\Temp\winlogin.exe
    O4 - HKCU\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
    O4 - HKCU\..\Run: [12CFG94-z641-2SF-N31P-5M1ER6H6L1] C:\RECYCLER\S-1-5-21-7661557338-4881073579-043968640-8610\winigon.exe
    O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\JOJO'S~1\LOCALS~1\Temp\csrssc.exe
    O4 - HKUS\.DEFAULT\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'Default user')
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
    O20 - AppInit_DLLs: karna.dat
    O20 - Winlogon Notify: opnoolbr - C:\WINDOWS\
    O20 - Winlogon Notify: vtUnlKDW - C:\WINDOWS\
    O20 - Winlogon Notify: zaimmnid - C:\WINDOWS\SYSTEM32\zaimmnid.dll
    O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsne87fidgf.dll
    O22 - SharedTaskScheduler: lke3iemrl490kgfgdsfd - {C5AF42A3-94F3-42BD-F434-3604832C897D} - C:\WINDOWS\system32\siejf93.dll
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

==========================

OTMoveit3 by OldTimer
Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    [kill explorer]
    C:\WINDOWS\system32\siejf93.dll
    C:\WINDOWS\System32\rs32net.exe
    C:\DOCUME~1\JOJO'S~1\LOCALS~1\Temp\winlogun.exe
    C:\DOCUME~1\JOJO'S~1\LOCALS~1\Temp\winlogin.exe
    C:\DOCUME~1\JOJO'S~1\LOCALS~1\Temp\winlogun.exe
    C:\DOCUME~1\JOJO'S~1\LOCALS~1\Temp\winlogin.exe
    C:\WINDOWS\System32\rs32net.exe
    C:\RECYCLER\S-1-5-21-7661557338-4881073579-043968640-8610\winigon.exe
    C:\DOCUME~1\JOJO'S~1\LOCALS~1\Temp\csrssc.exe
    C:\WINDOWS\system32\brastk.exe
    C:\WINDOWS\SYSTEM32\karna.dat
    C:\WINDOWS\SYSTEM32\opnoolbr.exe
    C:\WINDOWS\SYSTEM32\vtUnlKDW.exe
    C:\WINDOWS\opnoolbr.exe
    C:\WINDOWS\vtUnlKDW.exe
    C:\WINDOWS\SYSTEM32\zaimmnid.dll
    C:\WINDOWS\system32\jsne87fidgf.dll
    C:\WINDOWS\system32\siejf93.dll
    purity
    [start explorer]
  • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


*if Otmoveit3 doesn't work let me know and we can try avenger
 
I forgot to mention you can rename combofix.exe but you need to uninstall it first, then rename it when you are downloading it.
 
Alright, did HJT instructions, and as I checked "Fix", I had numerous pop ups telling me the admin was not allowing me to delete the keys, but I'm not sure if it did or not, because it seemed that HJT was able to complete? I'll post up a fresh log if you want me to.

And no, the 2nd program did not work.

I forgot to mention you can rename combofix.exe but you need to uninstall it first, then rename it when you are downloading it.

I don't have Combofix on my computer anymore, I believe we uninstalled that the last time I was here. I'm unable to download most of these because either I will get redirected to a random site, or the site won't load at all. (i.e bleeping computer won't even attempt to load).

I forgot to mention that the pop up in my tray has disappeared, but I still can't click the links you give me.
 
still no go :[ if i click it, i get a blank window open up. if i right click and save link as... then i get this:

cantopen.jpg


Sigh.
 
can you copy and paste this into your browser

[noparse]http://www.forospyware.com/sUBs/ComboFix.exe[/noparse]

If not we will go back to trying scripts

and yes please attach a fresh hijackthis log
 
Address still doesn't work. Since I'm in firefox, I get a blank page. With IE, it says:

Internet Explorer cannot display the webpage

Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address.


There's still something preventing me from getting these :[

Oh, and fresh HJT!
 
registry editor is still disabled, so we will fix that, and if you don't mind I would like to continue experimenting a little bit to make things easier for everyone in the long run.

=======================================

Making a .reg file
Open notepad and copy and paste the text in the quotebox below in it:

Code:
[b]REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
"NoDispCPL"=-
"DisableRegistryTools"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=-
"DisableRegedit"=-
"NoDispCPL"=-
"DisableTaskMgr"=-
[/b]

Name the file as Fix.reg

Change the "Save As" type to "All Files" and save it on the desktop.

It should look like this:
reggif.jpg


Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

========================================

Download the AVZ Antiviral Toolkit. Extract it from the archive to its own folder.
* Start AVZ and update its databases ("File" => "On-line automatic update ").
Choose from the menu "File" => "Standard scripts " and mark the "Healing/Quarantine and Advanced System Investigation" check box. Click on the “Execute selected scripts”.
Automatic scanning, healing and system check will be executed. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
Once scanning is finished, please attach the zipped logfile (virusinfo_syscure.zip) to your post.

===========================================================
 
Made the file, tried to open and I got a pop up saying "Registry editing has been disabled by your admin" and I can't get the link open for the other program.

This is a real bummer.

Hey I have an idea, let me know if this would work or not:

Do you think it would work to get these programs if i downloaded them onto a flash drive from my boyfriend's computer? That way, I can rename and run them here.
 
We have a process for dealing with this, I would just like to make it simpler that is why I am trying a few things first.

*Hold down your windows key + R
*Type cmd
*hit enter

at the prompt type

ipconfig /flushdns
HIT ENTER
ipconfig /registerdns
HIT ENTER
netsh int ip reset resetlog.txt
HIT ENTER
netsh winsock reset
HIT ENTER
 
Hey I have an idea, let me know if this would work or not:

Do you think it would work to get these programs if i downloaded them onto a flash drive from my boyfriend's computer? That way, I can rename and run them here.

Yes I do think that would work, and I was going to ask you if you were on the infected computer or had access to another computer
 
It worked! I have combofix and sdfix logs attached. and fresh hjt!

spybot is still showing these keys trying to change, and i keep denying. and one is brastk. i guess its still not gone, exactly, but at least we're getting somewhere, right? :]
 
Ok, one more then we will go for the script. I am just trying to get as much removed as possible to save myself from more work

http://users.telenet.be/marcvn/tools/haxfix.exe

A red "dos window" (dos box) will open with this options:

Select * 1. Make logfile


After running option 1, you will get a new menu with all options:

Select * 2. Run auto fix
------------------------------------------

Afterwards, please run me a fresh combofix log
 
Status
Not open for further replies.
Back