
Brastk.exe, big problem


24 replies to this topic

#1 needmoney90


Posted 24 October 2008 - 12:48 AM

Today I was on my computer doing homework, when suddenly a red X appeared in my system tray. It said that I had a virus on my computer, and that I should install a program that it was leading me to. This was an obvious attempt to install a virus (it literally had spelling errors and all) so I attempted to close it. In the system tray, a second picture came up. It was a yellow triangle with an exclamation mark in it, and was saying someone was "trying to break into my computer", and to install its software. This, again, was obviously not Microsoft created, so I closed the bubble out. At this point, I attempted to open Task Manager, and everything went to hell. My computer said that Task Manager was disabled by an administrator, and I couldn't open it. This was where everything went wrong. All my programs started shutting down, with the red X bubble in the tray spamming popup bubbles. My desktop background changed into a blue background with words on it, saying this:



Warning: Spyware threat has been detected on your PC.
--------------------------------------------------------------------------------
Your computer has several fatal errors due to spyware activity.
It is strongly recommended to install an antispyware software to close all security vulnerabilities.
Antispyware software helps protect your PC against spyware and other security threats.
UPDATE YOUR ANTISPYWARE PROTECTION


My computer grew more and more laggy, until it shut down on its own and restarted. When it restarted, the normal screen where it shows icons for which user to log in as was gone, replaced by the older "username" "password" boxes, with user filled in. I attempted to log in as administrator, but a dialog box informed me that administrator was restricted to my access level. I have had no problems logging into administrator before, so I am 99% sure this was an effect of this virus. I logged onto my normal account, and tried Task Manager again. Again, restricted. Regedit? Restricted. My computer froze, and I restarted it. This happened twice. Then, I pulled out the internet cable. This seemed to work, but my computer still had the virus and inordinate popups and restrictions. Because Task Manager was disabled, I had no idea what was causing these problems, so I opened cheatengine.exe (a commonly used program for attaching to and editing the values of any process on your process list) and viewed what processes were running. Two stood out that I had never seen before, Brastk.exe and Facegame.exe. Cheat Engine can not end processes, so I used a flash drive and downloaded the program Process Explorer on Google, then brought it over to the infected one. It showed all the processes, and I closed the ones I had never seen before out. The spam has stopped for now, but I don't know for how long. I reconnected to the internet when I was sure the virus was not in my RAM, and I am writing this message now. Is there anyone who has had this issue before and knows how to fix it? Thanks in advance.

Using Windows XP Service Pack 2

Edited by needmoney90, 24 October 2008 - 12:50 AM.




#2 Guest_superbird_*


Posted 24 October 2008 - 06:24 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#3 needmoney90


Posted 24 October 2008 - 06:18 PM

Thanks so much!

Malwarebytes' Anti-Malware 1.30
Database version: 1316
Windows 5.1.2600 Service Pack 2

10/24/2008 4:17:21 PM
mbam-log-2008-10-24 (16-17-21).txt

Scan type: Quick Scan
Objects scanned: 70362
Time elapsed: 19 minute(s), 20 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 53
Registry Values Infected: 11
Registry Data Items Infected: 4
Folders Infected: 8
Files Infected: 66

Memory Processes Infected:
C:\Documents and Settings\User\Local Settings\Temp\csrssc.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\ksaf83hfd.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Mjcore\Mjcore.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\pnphon.bho (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{10026069-7a5f-4531-811e-c8df20643bee} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5e58dfe1-d27c-4cf0-bfef-539a63c0bece} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{db3db4d7-b8f4-4097-80a6-a2e93d08c92d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a2f253ad-1f23-4d87-a64b-d6987f38d981} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a2f253ad-1f23-4d87-a64b-d6987f38d981} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\poals (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{031cbf6a-c70e-4177-a0d4-c5268ee311fb} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{85e06077-c824-43d0-a8dc-5efb17bc348a} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{5937cd7f-1c0b-41e1-9075-60ebdf3c7d34} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Installer\Features\e39225eafc4cee640bbf4b91db1d78ab (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Installer\Products\e39225eafc4cee640bbf4b91db1d78ab (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\0bb69e0c8f7404d4b92477b0f0bd1845 (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{99410cde-6f16-42ce-9d49-3807f78f0287} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\0bb69e0c8f7404d4b92477b0f0bd1845 (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ae52293e-c4cf-46ee-b0fb-b419bdd187ba} (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{a0442dfa-1f7e-4dce-b75c-a90993d6e7fc} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{268706f0-841c-446a-b757-8c1ef84527dc} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{32fd16dc-537c-4186-9bd6-c718a308342b} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ErrorKiller (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ErrorKiller (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{27861bda-a645-491d-8599-dcab5969dc34} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4cf05127-d66d-4125-b2d9-15909b83842a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{475a8380-dc57-448b-8d9f-5600df0a8476} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\getsn32.msiesn (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smwin32.mdr (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jnskdfmf9eldfd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\facegame (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\errorkiller\ (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\documents and settings\all users\start menu\programs\errorkiller\ (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\windows\installer\{ae52293e-c4cf-46ee-b0fb-b419bdd187ba}\ (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Desktop) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ksjf93orkekfniw73nfdd (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: msansspc.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\Installer\{AE52293E-C4CF-46EE-B0FB-B419BDD187BA} (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\Mjcore (Trojan.BHO) -> Delete on reboot.
C:\Documents and Settings\User\Application Data\Facegame (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\ErrorKiller (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\ErrorKiller (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\ErrorKiller\Log (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\ErrorKiller\Registry Backups (Rogue.ErrorKiller) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ksaf83hfd.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\User\Local Settings\Temp\csrssc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Mjcore\Mjcore.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\ifsndu.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msansspc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\21c1974e.sys (Rootkit.Agent) -> Delete on reboot.
C:\d3.exe (Virus.Virut) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\nst5.tmp\Dialer.dll (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\06W7AZ1N\dnkyllmznn[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\06W7AZ1N\asuper[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\06W7AZ1N\152[1].net (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\06W7AZ1N\zwguhhivma[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\7DSW08TT\hjtqqerebc[1].htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\7DSW08TT\asuper1[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\BNKH2OLF\slivwwxx[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\BNKH2OLF\asuper3[1].htm (Virus.Virut) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\E7I4P5IX\dmjxkkylmz[1].htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\E7I4P5IX\nxurrfsgt[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\E7I4P5IX\asuper2[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{AE52293E-C4CF-46EE-B0FB-B419BDD187BA}\Icon.exe (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\cim.nfo (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\DataBase.ref (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\ErrorKiller-v2.6-patch_CiM.exe (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\ErrorKiller.exe (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\ErrorKiller.url (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\file_id.diz (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\NFOReader.exe (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\RegCleaner.dll (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\REVENGE.nfo (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\TCL.dll (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\zlib.dll (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\Facegame\Facegame.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\ErrorKiller\ErrorKiller on the Web.lnk (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\ErrorKiller\ErrorKiller.lnk (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\ErrorKiller\Log\2008 Oct 23 - 03_38_45 PM_859.log (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\ErrorKiller\Log\2008 Oct 23 - 07_04_39 PM_140.log (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\ErrorKiller\Log\2008 Oct 23 - 07_07_50 PM_937.log (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\ErrorKiller\Log\2008 Oct 23 - 07_11_17 PM_671.log (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\ErrorKiller\Registry Backups\2008-05-08_19-56-25.reg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\c.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\m.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\s.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\default.htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\getsn32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\d1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\d2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\d.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\k.txt (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smwin32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wini10821.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Desktop\VIP Casino.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Favorites\Search Online.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\Search Online.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Desktop\Search Online.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Favorites\VIP Casino.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\VIP Casino.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Favorites\Cheap Pharmacy Online.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\Cheap Pharmacy Online.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Desktop\Cheap Pharmacy Online.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\mmmatt.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\smdat32a.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysaudio.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

#4 needmoney90


Posted 24 October 2008 - 06:31 PM

So, after restarting my computer, my desktop background is a blank black square with a weird icon in the top left corner, and regedit is still broken. Task Manager is available, so that is a plus. It says "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."
Also, everything else seems to be in working order. Thanks so much for your help!

#5 Noypi_to_its


Posted 25 October 2008 - 12:09 AM

This should let you use regedit again. Type this in your cmd prompt (registry paths use backslashes, not forward slashes):

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

As for resetting permissions, you could probably try using Dial-a-fix.
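The MBAM log in post #3 records each tampered registry data item with the value the malware wrote ("Bad") and the value MBAM restored ("Good"): DisableTaskMgr and NoFolderOptions flipped to 1, and a second executable appended to the Winlogon Userinit string. Post #5 shows the REG add form that puts such a policy DWORD back. The following is an added example, not code from this thread, from Malwarebytes or from any of the posters: a small Python script that parses log lines in that format (a constructed excerpt of the posted log is embedded as sample input) and turns them into a restore plan. Numeric policy values become REG add commands; string values such as Userinit are deliberately returned as a review note rather than a command, because a wrong Userinit value prevents every logon. It also pulls out the Run-key value names (the autostarts behind brastk.exe and facegame.exe) and the path the malware appended to Userinit, which are the artifacts worth hunting for afterwards. The function names, the regular expression and the assumption that every entry follows the "path (family) -> ... -> action" layout are mine.

```python
import re

# Constructed sample: a few lines in the format of the MBAM log posted in this thread
# (post #3). It is an excerpt built for the example, not the full log.
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\facegame (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: msansspc.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# One data-item entry is either  "<key>\<value> (<family>) -> Bad: (...) Good: (...) -> <action>"
# or, for data MBAM only reports, "<key>\<value> (<family>) -> Data: <data> -> <action>".
DATA_ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<family>[\w.]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)|Data: (?P<data>.+?))"
    r" -> (?P<action>.+)$"
)

# Long hive names as MBAM prints them -> the short names reg.exe accepts.
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU"}


def parse_sections(log_text):
    """Split an MBAM log into its '... Infected:' sections: name -> list of entry lines."""
    sections, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):
            current = line[:-1]
            sections[current] = []
        elif line and current is not None and not line.startswith("("):
            sections[current].append(line)
    return sections


def parse_data_item(line):
    """Parse one data-item entry into key, value name, family and the recorded Bad/Good/Data."""
    m = DATA_ITEM_RE.match(line)
    if m is None:
        return None
    key, _, value = m.group("path").rpartition("\\")
    return {"key": key, "value": value, **m.groupdict()}


def short_key(key):
    """Rewrite the hive prefix to the short form reg.exe expects (HKEY_CURRENT_USER to HKCU)."""
    hive, _, subkey = key.partition("\\")
    return f"{HIVES.get(hive, hive)}\\{subkey}"


def restore_command(item):
    """The reg.exe command that puts a DWORD policy value back to the Good data MBAM recorded.
    String values (Userinit is the important one) are NOT rewritten automatically: a wrong
    Userinit value stops every logon, so those come back as a REVIEW note for a human."""
    where = f'{short_key(item["key"])}\\{item["value"]}'
    good = item["good"]
    if good is None:
        return f'REVIEW {where}: data {item["data"]} ({item["family"]})'
    if good.isdigit():
        # Export the key first (reg export) as advised later in the thread, then apply.
        return f'REG add {short_key(item["key"])} /v {item["value"]} /t REG_DWORD /d {good} /f'
    return f'REVIEW {where}: bad ({item["bad"]}) expected ({good})'


def extra_entries(item):
    """Entries present in a comma-separated Bad value but absent from Good: what the malware
    appended, and therefore the file to look for on disk and in other logs."""
    good = item["good"]
    if good is None or good.isdigit():
        return []
    good_names = {g.rsplit("\\", 1)[-1].lower() for g in good.split(",") if g}
    return [e for e in item["bad"].split(",")
            if e and e.rsplit("\\", 1)[-1].lower() not in good_names]


def restore_plan(log_text):
    """One command or review note per registry data item, in log order."""
    entries = parse_sections(log_text).get("Registry Data Items Infected", [])
    items = [i for i in map(parse_data_item, entries) if i is not None]
    return [restore_command(i) for i in items]


def added_entries(log_text):
    """Every path the malware added to a list-style value, across the whole log."""
    entries = parse_sections(log_text).get("Registry Data Items Infected", [])
    return [e for i in map(parse_data_item, entries) if i for e in extra_entries(i)]


def run_entries(log_text):
    """Value names MBAM removed from Run keys: the autostarts behind the unfamiliar processes."""
    names = []
    for line in parse_sections(log_text).get("Registry Values Infected", []):
        key, _, name = line.split(" (", 1)[0].rpartition("\\")
        if key.upper().endswith("\\RUN"):
            names.append(name)
    return names


if __name__ == "__main__":
    for step in restore_plan(SAMPLE_LOG):
        print(step)
    print("added to list values:", added_entries(SAMPLE_LOG))
    print("Run-key autostarts:", run_entries(SAMPLE_LOG))
```

Run against a real MBAM log the commands land in the same place as the REG add lines above; the two REVIEW lines are the ones to check by hand, and the path reported by added_entries is the file a follow-up scan should be asked about.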

#6 Guest_superbird_*


Posted 25 October 2008 - 04:05 AM

Hi needmoney90,

Scan with MBAM again (full scan!), and post the new logfile in your next reply. :flowers:

After doing that, do this please:

Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database: Extended
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

------------------------------------
@Noypi_to_its: We aren't so far yet :thumbsup:

#7 needmoney90


Posted 26 October 2008 - 04:38 PM

Okay, I attempted to do the fix for regedit, but it says that my access is denied. When I attempted to download Dial-a-fix, it wouldn't run (access denied... again...). It seems that I cannot open any executable file at all. IETab and Internet Explorer both display the same picture and glitch when opening any image or file: a blank box with a square in the corner, displaying a square, circle and triangle. Is there a reason for this? I cannot do the Kaspersky scanner until that is fixed. I am currently running the Malwarebytes full scan, and I will post the log when finished.

#8 garmanma


Posted 26 October 2008 - 05:46 PM

WARNING:
(The information provided above requires a registry edit.) (The recommended program will make changes to the registry.)
Improper changes to the registry could render your computer inoperable.
Remember to back up the registry before making any changes.
Instructions on how to do that can be found here:
How to back up, edit, and restore the registry
(I highly recommend you make a copy of this article before proceeding.)
Mark

#9 needmoney90


Posted 26 October 2008 - 07:04 PM

Scan type: Full Scan (C:\|)
Objects scanned: 270652
Time elapsed: 2 hour(s), 30 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Disk Checker\IDEINFO.VXD (Adware.Winad) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{219E75BD-22E0-466F-844C-1F3077C3F8CE}\RP500\A0444398.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{219E75BD-22E0-466F-844C-1F3077C3F8CE}\RP500\A0446442.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{219E75BD-22E0-466F-844C-1F3077C3F8CE}\RP501\A0447312.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\PandoraFox\Pandora's Jar.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

#10 xblindx


Posted 26 October 2008 - 07:17 PM

MBAM seems to have cleared up some of the leftovers. I would also download and run SuperAntiSpyware: http://www.superantispyware.com You are almost certainly severely infected. I would recommend posting a HijackThis log in the appropriate forum, NOT this topic.

#11 Guest_superbird_*


Posted 27 October 2008 - 01:30 AM

Why a HijackThis log? The topic starter seems to be clean again. I do not see any infections left. :thumbsup:

Needmoney90, do you still have problems?

#12 xblindx


Posted 27 October 2008 - 02:07 PM

Why a HijackThis log? The topic starter seems to be clean again. I do not see any infections left. :thumbsup:

Needmoney90, do you still have problems?

Better safe than sorry. MBAM doesn't pick up everything.

#13 Guest_superbird_*


Posted 27 October 2008 - 02:10 PM

Why a HijackThis log? The topic starter seems to be clean again. I do not see any infections left. :flowers:

Needmoney90, do you still have problems?

Better safe than sorry. MBAM doesn't pick up everything.


This infection is easily removable by MBAM; it's not the first time I've handled this infection. I know what I'm doing here, otherwise I wouldn't do it. :thumbsup:
The Kaspersky logfile shows that there aren't any infections left; that's why I let the user scan with Kaspersky.

Still my question: Needmoney90, do you still have problems?

Edited by superbird, 27 October 2008 - 02:10 PM.


#14 xblindx


Posted 27 October 2008 - 02:22 PM

Sorry, didn't see the Kaspersky. Still though, it would be smart to scan with one last scanner. I realize that you are the expert so I won't interfere.

#15 boopme (Global Moderator)

Posted 27 October 2008 - 02:25 PM

xblindx, when the need to run HJT arrives, superbird is quite capable of relaying that info. As it is, HJT is backed up several days and it looks to me as though they are working this problem very well. Please refrain from requesting they post the HJT log. Thanks.

Edited by boopme, 27 October 2008 - 02:25 PM.




