Lots of malware all at once

Discussion in 'Malware Help (A Specialist Will Reply)' started by ldfrostbite, Oct 20, 2008.

  1. ldfrostbite

    ldfrostbite Private E-2

    I had been using Norton Internet Security for my laptop, but it expired a few weeks ago, so I decided to try out AVG Free instead. Yesterday afternoon I opened Firefox and immediately got a pop-up of a warning from Windows Firewall that it was blocking "svchost.exe" and asked if I wanted to continue blocking it. I clicked yes and the computer immediately shut down. When I turned it back on, I had a red X in a circle on my task menu telling me I had been infected. When I closed the warning bubble, it opened XP Antispyware 2009, which I rightfully figured was some sort of malware. I tried scanning it with AVG, but the malware somehow corrupted the scan, giving me an error message in AVG and indefinitely showing that it's scanning 0 files. The same with Ad-Aware.

    I have tried downloading the other tools as described in the Read and Run Me First thread, but I also appear to have a go.google.com malware, so all of my internet activity is rerouted to these fake sites (even running Firefox in Safe Mode).

    I have attempted to download them to a different computer and transfer them via flash drive, but I cannot update any definitions because the malware is redirecting everything from their update servers, and I still cannot run any scans without having them hang or run indefinitely without actually scanning any files, even in safe mode. I was able to run CCleaner, but that did not solve any of the problems.

    I was able to manually remove traces of XP Antispyware 2009 as far as I know, and the red X and Microsoft-looking shield in the taskbar are now gone. However, I still have traces of brastk, karna, and beep, and during an unsuccessful scan using SuperAntiSpyware (it froze about 6 minutes in) it showed an "SVCHOST-FAKE" which I'm assuming is the problem Windows Firewall alerted me with to begin with.

    I will gladly go through the Read and Run Me First, if someone could direct me how to do so without being able to access the internet or run scans on the infected computer.


    Thanks in advance for any assistance.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We gave you links for downloading manual updates for SAS and MBAM, and Spybot has always had manual updates available on the main download pages from MajorGeeks in the Anti-Spyware folder.

    CCleaner is not a malware scanner so it will not remove any malware. You need to try all steps in the READ & RUN ME. Did you actually try every step? Did you try running MBAM even without updating? Did you try to run MGtools so you can get us the log from it?

    Physically unplug your cable to the internet while trying to run scans.
     
  3. ldfrostbite

    ldfrostbite Private E-2

    Thanks for the reply. I tried every step as far as ComboFix before the computer froze and refused to start up at all after that. I did have the laptop disconnected from the internet, and the wireless connection disabled. I was finally able to start up the computer after repeated attempts (in normal mode), and actually run the scans. Malwarebytes however did not work, I kept getting a runtime error even after uninstalling and reinstalling it on the other computer and transferring it on the flash drive to the infected one. The three remaining logs are attached.

    I noticed after running the scans that AVG seems to be gone from the laptop, so should I attempt to reinstall it now or wait until the problems are fixed?
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First you have to remove some left overs from Symantec. We will reinstall AVG later in this procedure. Please run the below then reboot. After reboot run it one more time.

    Norton Removal Tool (SymNRT)

    Now run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - Startup: PowerReg Scheduler V3.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now you should reinstall AVG.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
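
    As an added example (this is not part of the thread and not chaslang's procedure), the PowerShell script below reports the same kinds of things the HijackThis O4 lines and the "SVCHOST-FAKE" detection above are pointing at: Run/RunOnce and Startup-folder autoruns, svchost.exe instances not running from System32, non-default hosts-file entries, and the DNS servers each adapter is using. It assumes an elevated PowerShell prompt on a Windows machine with default paths; the hosts and DNS checks are assumptions about where a browser redirect like the go.google.com one could be planted, since the thread does not say how it was done. The script only reports and changes nothing, so it is a check to run before a fix, not a fix.

```powershell
# Added audit script: not from the MajorGeeks thread or from chaslang's fix.
# Assumes an elevated PowerShell prompt on Windows with default paths.
# Read-only: it reports, it does not delete or change anything.

$system32 = Join-Path $env:SystemRoot 'System32'

# --- 1. Registry autoruns: what HijackThis lists as "O4 - HKLM\..\Run" etc. ---
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
Write-Output '== Registry Run / RunOnce entries =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($v in $values.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSDrive/... bookkeeping properties; skip them
        if ($v.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
        Write-Output ("{0}  [{1}] = {2}" -f $key, $v.Name, $v.Value)
    }
}

# --- Startup folders: the "O4 - Startup:" / "O4 - Global Startup:" lines ---
# Resolved from the Shell Folders keys so the paths are right on XP and Vista alike.
Write-Output '== Startup folder contents =='
$shellUser = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$shellAll  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$startupFolders = @(
    (Get-ItemProperty -Path $shellUser).'Startup',
    (Get-ItemProperty -Path $shellAll).'Common Startup'
)
foreach ($folder in $startupFolders) {
    if ($folder -and (Test-Path $folder)) {
        Get-ChildItem -Path $folder -Force |
            Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object { Write-Output $_.FullName }
    }
}

# --- 2. svchost.exe processes: the genuine one runs only from System32 ---
# (SysWOW64 is allowed too so 64-bit Windows does not produce a false alarm.)
$allowedDirs = @($system32, (Join-Path $env:SystemRoot 'SysWOW64'))
Write-Output '== svchost.exe instances =='
Get-WmiObject -Class Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $exe = $_.ExecutablePath
    $tag = 'no-path'            # empty when the process could not be queried (not elevated)
    if ($exe) {
        $dir = Split-Path -Path $exe -Parent
        if ($allowedDirs -contains $dir) { $tag = 'ok     ' } else { $tag = 'SUSPECT' }
    }
    Write-Output ("{0} PID {1,-6} {2}" -f $tag, $_.ProcessId, $exe)
}

# --- 3. hosts file: one common place a browser redirect is planted (assumption) ---
Write-Output '== Non-default hosts entries =='
$hostsFile = Join-Path $system32 'drivers\etc\hosts'
Get-Content -Path $hostsFile |
    Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' } |
    Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
    ForEach-Object { Write-Output $_ }

# --- 4. DNS servers per enabled adapter: the other usual redirect spot (assumption) ---
Write-Output '== DNS servers per enabled adapter =='
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
    ForEach-Object {
        Write-Output ("{0}: {1}" -f $_.Description, ($_.DNSServerSearchOrder -join ', '))
    }
```

    Run it with the network cable unplugged, as the thread advises, and save the output alongside the HijackThis log. A Run value that points into a user profile or temp directory, a svchost.exe tagged SUSPECT, a hosts line mapping a real domain to some other address, or a DNS server you do not recognise is exactly the kind of line a helper would ask you to paste, and the script gives it to you without relying on a scanner that the malware may have crippled.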
     
  5. ldfrostbite

    ldfrostbite Private E-2

    Thanks for all your help, it's running much better now and there is no evidence that the problems are still there. One thing though, ComboFix stalled while preparing the log, so I don't know whether to run it again or not.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Attach the new MGlogs.zip file and we will go from there. I may have to ask you to run ComboFix from Safe Boot mode......we shall see.
     
  7. ldfrostbite

    ldfrostbite Private E-2

    The MGlogs.zip file is attached.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START, then RUN, enter the below into the run box and then click OK. Note that the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below
     
  9. ldfrostbite

    ldfrostbite Private E-2

    Thanks a lot, everything is running smoothly now.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf Safely!
     
