Hey Chaslang

Well unfortunately it looks like my daughter has picked up some spyware again. Been a long time. I havent done the do me first yet but I will and post logs. Just a few questions. I am pretty sure it is a file called brastk.exe. Tried changing it's name and it renamed itself back. I have also tried to run spybot and AVG 7.5 and neither will open. Also tried to run defrag and it wouldnt start. I am down to 15% open disk, that culd have something to do with defrag. Will try to get this started this weekend. Just wondered if u had any comments b4 I start.

I do use Firefox, spywareblaster, AVG 7.5, Spybot. I even tried to go to safe mode to run spybot and AVG but they wouldnt open there either.

 

After looking at the readme I see that I am supposed to unplug from the internet while doing some of the procedure, this is a laptop. How do u suggest I do that?

 

Thx yes, it is wireless. I should have been more specific.

 

I got thru most of the steps. I at first could not run super anti spyware, spybot, or avg. After running malwarebytes it cleaned up the brastk.exe problems and I was able to run those. I can now also run defrag, all I did was analyze.... did not run it. I did analyze just to see if it would work after getting rid of the problem. I also did Java just before running MGtools. I Have not run combofix, I was confused on the recovery console and was afraid it would always boot up to a choice once it was installed.(I do have a XP disk) This is my daughters laptop and and didnt want to add any steps for her booting up. Hopefully we can just skip the combofix. I found no other problems when running SAS or spybot. I see that SAS boots up at start up now. Is that necessary and is it a good thing. When MGtools was running I saw alot of "could not find this file" or something like that. I have not toggled off system restore yet. Also I just realized I did not scan D: drive with SAS, it is a RECOVERY drive that comes with gateway Laptop and I have never used it. I dont think any of the other programs would let me choose that.

BTW I have windows XP. I thought I would never be back here after having Firefox, spyware blaster, spybot, and avg on my computer. I havent updated in about a month so maybe that was the problem.

I am not sure why I cant find the logs for SAS or malwarebytes. I have there folders open and do not see either of them. I did a search on all files and folders for SASlog.txt and it does not find it. I have extensions open and show all files as originaly instructed. I will look some more and see if I can find them.

Tho there seems to be no problems now I am posting so u can take alook anyway

Thx again for your help.

 

Have checked again and cant find SAS log or malwarebytes. I looked in their respective folders. Am I doing spmething wrong, I know I ran both of them and they showed me their results. Malware I think was a log type file that opened and i just closed it but am not sure. SAS found nothing.

 

Also just ran Avg 7.5 with updated virus defs and it said it found 1 Virus32/Themida. Looks like it deleted it, didnt ask me what to do. Results just said 0 moved to vault, 0 cleaned, and 1 deleted.

 

Also BTW I never disconnected from the internet since u said prolly OK to do it connected.

 

I read thru the instructions again and see that I can look at the MBAM log off a tab, so I copied it and put in a text file. Here it is.

 

I am so sorry to do this in such a piece meal fashion, once again after reading your instructions I have found the log thru their interface. There was 2 of them, dont know why only ran it once, have included both on one text file.

 

OK I ran it. Here is the file. Did not install recovery console. I did everything in normal setup but it is a pain. When it boots up there is something that starts called oemreset. It opens the device manager box and then continues to test different devices such as showing a little video. I believe it is testing sound or video things. Was this way from the time I got it. Must also be testing sound devices. I was afrad if combofix rebooted it would screw it up since you are supposed to close all boxes and not run any programs. The device manager box opened but it didnt run the videos till after combo was done. I noticed combofix deleted D:/autorun.inf. The D drive is strictly a recovery drive on gateway computers. Hope that didnt screw it up.

 

Had a C folder with nothing in it but no D folder

 

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


O20 - AppInit_DLLs: karna.dat


Did everything but the following:
Windows messanger: Do I choose the uninstall option?

There was no karna.dat line


The infection seems to be gone.

 

Thank you once again for all your help Chaslang. You guys are the GREATEST. I will finish with your recommendations. Just a few last questions.

To remove combofix I can just copy and paste into the RUN box the line exactly as you have it, quotes and all? (Just double checking the instructions... sorry)
"%userprofile%\Desktop\combofix" /u

While installing the new spybot it asked me if I wanted to back up the registry and I said yes. Does that create any malware problems for the future if I needed to use it?

I am kind of surprised combo fix doesn't allow me to put that D:/autorun.inf file back. It deleted it instead of quarantining it. As I mentioned there was no C:\QooBox\Quarantine\D. What happens if it deleted a file it shouldn't?

Can I turn off SAS to open when windows starts? Since there is no realtime protection with the free version I see no reason for it to be on the task bar or show its banner everytime windows starts.

Could both of these lines be fixed with HJT and not hurt anything?
O4 - Global Startup: Oemreset.lnk = C:\WINDOWS\OPTIONS\OemReset.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe

 

Chas I just thought of one more thing. My daughter has a flash type drive, one of those little things you put in a USB slot. I know she has put some files on it since she got the infection. She usually just copies photos and her college papers on it. Is there anything I should do about that. Sorry that I forgot to put this in my last post since you have already answered it and youwould have been done with me.

 

Am having a strange problem after fix. When the flash drive(little memory stick) or a cd rom is put in drive no box comes up showing what is on them. For example stick a blank CD into copy onto but the window doesnt come up asking what I want t o do.

 

I wonder if that had anything to do with that autorun.inf file.

 

Ran your patch, it took it, the CDrom drive and the flash drive are now working. How in the hell do you know all this stuff.... it always amazes me. Thanks again and once again I hope it is a long, long time before I have to come back here.