
Virus Automatically Kill All System Task Including Av


5 replies to this topic

#1 syunichi

syunichi

  • Members
  • 130 posts
  • OFFLINE
  • Gender:Male
  • Location:Miri
  • Local time:08:53 AM

Posted 13 May 2007 - 12:02 AM

I need help with this huge problem. All I can do until now is to reformat, which is a hassle for me. The computer is infected with Brontok and Ravmone at the same time. I know it blocks and kills msconfig and regedit, but worse yet it kills all AV or even DOS programs. So I don't have to say anything about HJT because it will end up the same way. The virus does a few things with pendrives as well:

a) creates a new exe masked by a folder icon in every subfolder
b) of course infects it with ravmon and brontok
c) prevents it from being unplugged (safely removed) from the USB port

I've tried portable AV, DOS programs, even tried VBS code to undo the disabling of regedit. Nothing seems to be working right now. Can anyone give me an idea on how to get rid of the virus? :thumbsup:

Tech Support: "Do you have any windows open right now?"
Customer: "Are you crazy woman, it's twenty below outside..."
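The pen-drive behaviour described in this post (an executable dropped beside each folder, carrying the folder's name and a folder icon so that it passes for the folder when extensions are hidden) can be checked for offline, from a clean machine, without ever double-clicking anything on the drive. The following is an added example, not code from the thread or from any of the tools mentioned in it; it builds a throwaway directory layout to stand in for a mounted pen drive, and every file and folder name in that layout is made up.

```python
"""Detect "folder-icon" executable masquerades on a directory tree.

The check is purely structural: a file with an executable extension whose
base name matches a directory in the same folder (e.g. Photos.exe next to
Photos\) is reported. Matching is case-insensitive, as on Windows.
Added example; the sample drive layout below is constructed, not real data.
"""
import os
import tempfile
from pathlib import Path

# Extensions Windows will execute on double-click; .exe is what the thread describes.
SUSPECT_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}


def find_folder_masquerades(root):
    """Return sorted, root-relative POSIX paths of executables named after a sibling folder."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        sibling_dirs = {d.lower() for d in dirnames}
        for name in filenames:
            candidate = Path(dirpath) / name
            if (candidate.suffix.lower() in SUSPECT_EXTENSIONS
                    and candidate.stem.lower() in sibling_dirs):
                hits.append(candidate.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_drive(base):
    """Construct a fake pen drive (hypothetical names): two masquerades, two benign files."""
    base = Path(base)
    (base / "Photos" / "Trip").mkdir(parents=True)
    (base / "Documents").mkdir()
    # Masquerade 1: sits next to the real "Photos" folder, same name.
    (base / "Photos.exe").write_bytes(b"MZ constructed placeholder")
    # Masquerade 2: one level down, next to the real "Trip" folder.
    (base / "Photos" / "trip.EXE").write_bytes(b"MZ constructed placeholder")
    # Benign: a document, and an .exe with no folder of the same name beside it.
    (base / "Documents" / "report.doc").write_bytes(b"not executable")
    (base / "setup.exe").write_bytes(b"MZ constructed placeholder")
    return base


def demo():
    """Build the sample drive in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return find_folder_masquerades(tmp)


if __name__ == "__main__":
    for hit in demo():
        print("masquerade:", hit)
```

On a real drive you would call `find_folder_masquerades("E:\\")` (or the mount point on a non-Windows machine) and treat every hit as something to quarantine rather than open; the scan only reads directory listings, so it is safe to run against an infected stick from a clean host.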

#2 fozzie

fozzie

    aut viam inveniam aut faciam


  • Members
  • 3,516 posts
  • OFFLINE
  • Gender:Male
  • Location:Ossendrecht/The Netherlands
  • Local time:02:53 PM

Posted 13 May 2007 - 02:15 AM

You have a nasty infection onboard, but formatting is the very last resort.

step 1
Please follow these instructions: Brontok removal instructions

step 2
Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.

step 3
Download and scan with SUPERAntiSpyware Free for Home Users

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* When done, select "Scan for Harmful Software".
* There are three scanning options. Choose "Perform Complete Scan" and click "Next".
* When done, a Scan Summary will appear with potentially harmful items that were detected. Click "OK".
* Make sure they all have a checkmark next to them and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* Click Preferences and then click the statistics/logs tab.
* Click the dated log and press View log. A text file will appear so you can see the results.
* Select close to exit the program.
* Scan in SAFE MODE

step 4
After that, download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in SAFE MODE using the F8 method.

Scan with DrWeb-CureIt as follows:

* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

If to no avail, please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. About half way down are instructions for downloading HijackThis and creating a log.

When you have done that, post a log in the HijackThis Logs and Analysis Forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log here.

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make may cause confusion for the member assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.


You should consider all your data on this infected PC to be compromised. From a non-infected PC, please change all your passwords for forums, email and internet banking.

Edited by fozzie, 13 May 2007 - 02:18 AM.


#3 syunichi

syunichi
  • Topic Starter

  • Members
  • 130 posts
  • OFFLINE
  • Gender:Male
  • Location:Miri
  • Local time:08:53 AM

Posted 13 May 2007 - 02:31 AM

Thanks for the quick reply. I tried all those listed and still, with a little amount of luck, it doesn't block but KILLS the app before I can click on any buttons on the interface. HijackThis still receives the same beating and it annoys me. I want to run a registry check on what runs during boot, but msconfig was KILLED before I could try to switch to the startup tab. And before I forget, during boot, 2 DOS windows pop up loading some application. I tried to go for F8 (safe mode) but still it boots at startup as if it was in normal mode. Now I think I should find another PC to get my HDD to slave mode and be cleansed. But again, it is so unfortunate I can't figure it out, because the solution maybe can help more out there. Thanks again HJT team :thumbsup:

#4 fozzie

fozzie

    aut viam inveniam aut faciam


  • Members
  • 3,516 posts
  • OFFLINE
  • Gender:Male
  • Location:Ossendrecht/The Netherlands
  • Local time:02:53 PM

Posted 13 May 2007 - 02:58 AM

Rename HiJackThis to Analyse.exe and try again

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,474 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:53 AM

Posted 13 May 2007 - 07:53 AM

Please download the Brontok Worm Removal Tool by sUBs and save it to your Desktop.
  • Disconnect the computer from the Internet and close all other programs.
  • Double-click CleanX-II.exe and follow the prompts.
  • The tool will begin scanning your machine. Because this worm names its files randomly, there are a series of cross-checks/verification processes to ensure that the tool does not remove legitimate files. Depending on the size of your drives, this scan may take several minutes. Please be patient during this period & allow it to complete its task.
  • Once the scan is complete it will provide a text log of the results. If the log shows any files remaining in the bottom portion under "POST RUN ANALYSIS" run the entire scan a second time.
  • The log file will be saved to your Desktop with the name CleanX-II.txt.
Then post the CleanX-II log file along with a hijackthis log as instructed by fozzie.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 syunichi

syunichi
  • Topic Starter

  • Members
  • 130 posts
  • OFFLINE
  • Gender:Male
  • Location:Miri
  • Local time:08:53 AM

Posted 13 May 2007 - 08:53 AM

Thanks, but I've already cleaned up the system via slave mode. I've tried renaming all my AV on portable, HijackThis, even AVG. It still detects them as a threat. But I came across some app it can't kill, and that is "msinfo32". It fails to close it, so I thought I could look inside to see what applications are currently running, because on the startup tab it won't show a thing. I detected the basic 2 apps made by Brontok, qm10563 and m10563. Made a .bat with a command.com line to open cmd. To my amazement it can't KILL command.com but only minimizes it. So using killapp I ended the qm and m apps from the command line. But, after making sure all running apps behind Windows are clean, it still KILLS AV and other fixing tools. Yes, even CleanX-II.exe.
In the end, using the second-to-last resort because I need to do my assignments, I switched another master HDD in and made mine slave. Works, but I'm not happy with using the last resort thingy. Anyway thanks for the attention, still more bugs coming because I'm a part-time tech. So hope to hear more from you guys soon. :thumbsup: