
antivirus help

dr_dan Registered User regular
edited November 2008 in Help / Advice Forum
Please help, as apparently in the last few minutes I've become computer retarded.

So, I was browsing some innocuous websites like Digg and Fark and suddenly got a message appear in the bottom right-hand side of the screen saying something like "your computer might be infected, click here to download antispyware software". Not a message box, but one of those speech bubble things coming from an icon next to the clock of a white cross on a red circle.

So I clicked on it and it downloaded something called Antivirus Pro 2009, which told me I had 29 infections or something. Now AVG, which I was using before, has disappeared and won't load back up. Also it won't let me uninstall Antivirus Pro 2009. What do I do?


Posts

  • E.Coyote Registered User regular
    edited November 2008
    Antivirus Pro is spyware. Someone else will have to provide the advice for removing it; I just re-installed Windows. O.o

  • Seattle Thread Registered User regular
    edited November 2008
    Malwarebytes is known for being able to remove older versions of MS Antivirus. Barring that, there's a removal guide here.

  • dr_dan Registered User regular
    edited November 2008
    Makershot wrote: »
    Malwarebytes is known for being able to remove older versions of MS Antivirus. Barring that, there's a removal guide here.

    Yeah, I tried those. I downloaded Malwarebytes, tried running it but nothing happened at all, even after I left it running for 10 minutes. It shows in the process bar but never does anything. So after I tried the manual removal, Antivirus Pro seems to have gone but the trojan that prompted me to download it is still there. I tried installing AVG again but it just crashes halfway through installing, so uh, more help please?

  • deke55555 regular
    edited November 2008
    If you don't have anything vital on the computer, it may be easier just to reformat. In my experience, fake antivirus crap can bring with it other fun prizes like botnet clients.

    Which reminds me of the time one of our employees got our email blacklisted with everyone on the entire internet. But that's another story...

  • dr_dan Registered User regular
    edited November 2008
    deke55555 wrote: »
    If you don't have anything vital on the computer, it may be easier just to reformat. In my experience, fake antivirus crap can bring with it other fun prizes like botnet clients.

    Which reminds me of the time one of our employees got our email blacklisted with everyone on the entire internet. But that's another story...

    At the moment I do have quite a few things on there I need to keep, some work-related stuff too. Is there any way to get around this without reformatting?

  • rfalias Registered User regular
    edited November 2008
    dr_dan wrote: »
    deke55555 wrote: »
    If you don't have anything vital on the computer, it may be easier just to reformat. In my experience, fake antivirus crap can bring with it other fun prizes like botnet clients.

    Which reminds me of the time one of our employees got our email blacklisted with everyone on the entire internet. But that's another story...

    At the moment I do have quite a few things on there I need to keep, some work-related stuff too. Is there any way to get around this without reformatting?

    Yes. Your best bet is to get a slew of spyware removal tools (it is spyware). Boot into safe mode and start scanning. Get HijackThis and post the log. My friend had that fake AV stuff. Usually you can remove it manually in safe mode. It does not constantly restart itself, so it can even be terminated in normal Windows and deleted from the drive and registry. I can't recall the exact exe name, but it may differ depending on the fake AV.

    But the most common one should be easy to track and remove.

  • Xagarath Registered User regular
    edited November 2008
    Have you tried restarting into safe mode and doing things from there? Using the System Restore function? (Although some viruses do infect that; nonetheless, you can find it under Start/Accessories/System Tools.)

    For future reference, never ever click on a popup or box like that.

  • dr_dan Registered User regular
    edited November 2008
    rfalias wrote: »
    dr_dan wrote: »
    deke55555 wrote: »
    If you don't have anything vital on the computer, it may be easier just to reformat. In my experience, fake antivirus crap can bring with it other fun prizes like botnet clients.

    Which reminds me of the time one of our employees got our email blacklisted with everyone on the entire internet. But that's another story...

    At the moment I do have quite a few things on there I need to keep, some work-related stuff too. Is there any way to get around this without reformatting?

    Yes. Your best bet is to get a slew of spyware removal tools (it is spyware). Boot into safe mode and start scanning. Get HijackThis and post the log. My friend had that fake AV stuff. Usually you can remove it manually in safe mode. It does not constantly restart itself, so it can even be terminated in normal Windows and deleted from the drive and registry. I can't recall the exact exe name, but it may differ depending on the fake AV.

    But the most common one should be easy to track and remove.

    I've downloaded a couple of anti-spyware things but the trouble is, I can't install them before I restart in safe mode because they just won't open. As in, I double-click on them, the process starts but nothing happens after that. Am I OK to just restart in safe mode, install them and then start the removal process? And is there anything special I need to know when running them in safe mode?

  • rfalias Registered User regular
    edited November 2008
    Yes, it is fine to install them in safe mode. Nothing special; it will just be a low-resolution Windows, is all. No internet, though.

  • Crashtard Registered User regular
    edited November 2008
    This might sound like a stupid question, but with Malwarebytes did you actually tell it to start scanning? When you run the program it won't scan automatically. If you did and it still wasn't doing anything then you have something somewhat serious. Definitely try booting in safe mode like the others said and running a number of programs. I'm also sure that you're now aware that any time you're browsing a website and it says you have a virus and that you should download something to fix it, it's a virus :)

    I pinky swear that we will not screw you.

  • embrik Registered User regular
    edited November 2008
    Okay, I've just finished removing this one from a computer. It took me about 2.5 hours, including AV scan times. I did almost all the work under Safe mode w/ command prompt, but this is a bitch to remove. I used all of the following tools:
    Unlocker
    HijackThis (which I had to rename before I could run - the virus will prevent certain fix apps from running)
    Symantec AV Corp 10(w/ latest definitions from today)
    SDFix (Fix tool for fixing browser hijacks, etc that HijackThis can't remove)

    I also manually deleted several files/folders in C:\Windows, C:\Windows\System32, C:\Program Files
    Several folders had ? in the file name, which requires you to use a move command to rename them before they can be deleted. You can't see this ? in Explorer, only in the command prompt.

    I fix these problems regularly, so I'm used to looking for what should and shouldn't be on a PC. This is the third time I've had to deal with this virus, and each time, the machine had a slightly different infection of the same virus. The second computer was one I couldn't fully clean, so I re-imaged it. If you don't know what you're doing and/or don't have access to someone who does, you might be best off backing up your stuff and reformatting.

    "Damn you and your Daily Doubles, you brigand!"

    I don't believe it - I'm on my THIRD PS3, and my FIRST XBOX360. What the heck?
  • dr_dan Registered User regular
    edited November 2008
    Crashtard wrote: »
    This might sound like a stupid question, but with Malwarebytes did you actually tell it to start scanning? When you run the program it won't scan automatically. If you did and it still wasn't doing anything then you have something somewhat serious. Definitely try booting in safe mode like the others said and running a number of programs. I'm also sure that you're now aware that any time you're browsing a website and it says you have a virus and that you should download something to fix it, it's a virus :)

    Like I said, I tried to open Malwarebytes and nothing happened. It didn't open anything apart from a process that appeared in the process bar but didn't do anything, so I couldn't tell it to start scanning.

    I tried booting in safe mode and it still wouldn't open Malwarebytes, wouldn't open HijackThis either, so I'm at a loss. Also like I said, I know at least a bit about computers so I did have AVG antivirus running already, but the spyware somehow managed to shut it down.

    edit: ah, embrik has some good ideas, I'll try them tomorrow as I'm not near the affected computer anymore.

  • Crashtard Registered User regular
    edited November 2008
    Yikes. From what Embrik says, unless you're super attached to your computer, boot into safemode and get whatever documents you have to have and reboot.

    This sort of thing is why I have a 500GB backup drive that I backup to every few days.

  • embrik Registered User regular
    edited November 2008
    Crashtard wrote: »
    Yikes. From what Embrik says, unless you're super attached to your computer, boot into safemode and get whatever documents you have to have and reboot.

    This sort of thing is why I have a 500GB backup drive that I backup to every few days.

    You can back up whatever booted normally if you like. The virus isn't particularly destructive or liable to spread, it's just painful to remove, and it nags the user every 5-10 seconds with messages, so it's painful to try and live with.

  • dr_dan Registered User regular
    edited November 2008
    So I just managed to get HijackThis running by changing the name (it wouldn't run at all otherwise, the damn virus must block it) and I managed to get the log. Anyone care to take a stab at looking at it?
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:27:13, on 12/11/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\WINDOWS\brastk.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=1080130
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [brastk] brastk.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - AppInit_DLLs: karna.dat
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

    --
    End of file - 5180 bytes

  • rfalias Registered User regular
    edited November 2008
    C:\WINDOWS\brastk.exe
    O4 - HKLM\..\Run: [brastk] brastk.exe

    Those are the culprits behind that stupid fake AV thing.

    Go to safe mode and delete them both; you may have to use Ctrl-Alt-Del to terminate that process, then delete it, and the registry key.

    Also, do this.
    Click Start -> Run -> Type 'msconfig'
    Click the 'Startup' tab
    Make sure that brastk.exe is not in there; if it is, uncheck it.

  • embrik Registered User regular
    edited November 2008
    You also NEED to remove
    O20 - AppInit_DLLs: karna.dat

    or it will come back. There's a copy of both brastk.exe and karna.dat in both c:\windows and c:\windows\system32. Delete the files from both locations while in safe mode. You're lucky, I don't see any irritating BHOs or anything in the log. However, make sure that after you remove everything and reboot normally, you run HijackThis again and make sure it's still gone. Also, make sure you can run HijackThis without renaming it. If you can't, there's still a virus on the system.

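The triage that rfalias and embrik did by eye on the log above, as an added example that is not code from the thread: it parses a HijackThis v2 log and flags the two things that mattered here, an O4 Run entry whose command is a bare file name (loaded from the Windows directory instead of a full path) and a non-empty O20 AppInit_DLLs value, then builds the kill/delete/clean-registry/verify plan the posts describe. A bare name is a prompt to check the file, not a verdict; the same log loads RTHDCPL.EXE (a Realtek audio control panel) that way, so the caller passes names already verified by hand as `known_good`. The log excerpt is constructed from the posted log, abridged to the line types the parser reads; `WINDIR` is an assumption.

```python
"""Triage a HijackThis v2.x log for fake-AV persistence and build a removal plan.

Added example, not code from the thread. AppInit_DLLs is flagged whenever it is
non-empty because anything listed there is injected into every process that
loads user32.dll; a Run entry is flagged when its command is a bare file name.
"""
import re

WINDIR = r"C:\WINDOWS"  # assumed; the XP default

# Constructed excerpt of the log posted in the thread (abridged).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\brastk.exe
C:\Program Files\Trend Micro\HThis\HijackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [brastk] brastk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: karna.dat
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)


def parse_log(text):
    """Pull running processes, O4 Run entries and O20 AppInit_DLLs out of a log."""
    entries = {"processes": [], "run": [], "appinit": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            entries["run"].append(m.groupdict())
        elif m := APPINIT_RE.match(line):
            entries["appinit"].append(m.group("value"))
        elif PROC_RE.match(line):
            entries["processes"].append(line)
    return entries


def executable_of(cmd):
    """First token of a Run command: the quoted path, or the text before the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def _finding(kind, name, exe, entries, registry):
    exe_l = exe.lower()
    return {
        "kind": kind,
        "name": name,
        "exe": exe,
        # Cross-reference the process list so the plan knows what to kill first.
        "running_as": [p for p in entries["processes"] if p.lower().endswith("\\" + exe_l)],
        # The thread found copies in both directories; list both so neither is missed.
        "files": [WINDIR + "\\" + exe, WINDIR + "\\system32\\" + exe],
        "registry": registry,
    }


def triage(entries, known_good=()):
    """Return findings. known_good: bare names the caller has verified as legitimate."""
    known = {k.lower() for k in known_good}
    findings = []
    for run in entries["run"]:
        exe = executable_of(run["cmd"])
        if "\\" in exe or exe.lower() in known:
            continue  # full path, or a bare name already checked by hand
        reg = run["hive"] + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + run["name"]
        findings.append(_finding("run-bare-name", run["name"], exe, entries, reg))
    for value in entries["appinit"]:
        for dll in re.split(r"[,\s]+", value.strip()):
            if dll:
                reg = "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs"
                findings.append(_finding("appinit-dll", "AppInit_DLLs", dll, entries, reg))
    return findings


def removal_plan(findings):
    """Ordered steps: kill, delete files, clear persistence, verify. Meant for safe mode."""
    steps = []
    for f in findings:
        for proc in f["running_as"]:
            steps.append("kill process " + proc)
    for f in findings:
        for path in f["files"]:
            steps.append("delete file " + path + " (if present; use Unlocker if it is in use)")
    for f in findings:
        if f["kind"] == "run-bare-name":
            steps.append("delete registry value " + f["registry"])
        else:
            steps.append("remove " + f["exe"] + " from " + f["registry"] + " (leave the value empty)")
    steps.append("reboot normally, run HijackThis under its real name and confirm the entries are gone")
    return steps


if __name__ == "__main__":
    for step in removal_plan(triage(parse_log(SAMPLE_LOG), known_good={"rthdcpl.exe"})):
        print(step)
```

The order of the plan matters: the running copy in C:\WINDOWS is what keeps the file locked and re-arms the tray nags, so it is terminated before any file is deleted, and the registry entries go last so a half-finished cleanup still shows up on the next HijackThis run rather than silently hiding.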
  • dr_dan Registered User regular
    edited November 2008
    embrik wrote: »
    You also NEED to remove
    O20 - AppInit_DLLs: karna.dat

    or it will come back. There's a copy of both brastk.exe and karna.dat in both c:\windows and c:\windows\system32. Delete the files from both locations while in safe mode. You're lucky, I don't see any irritating BHOs or anything in the log. However, make sure that after you remove everything and reboot normally, you run HijackThis again and make sure it's still gone. Also, make sure you can run HijackThis without renaming it. If you can't, there's still a virus on the system.

    Alright, going good so far. I'm in safe mode and have deleted everything mentioned apart from karna.dat in the system32 folder, which I can't because it says the file is currently in use. Is there anything I can do about this?

    edit - also, do I have to delete all mention of brastk and karna from the registry? Sorry for all the questions, it's the first time I've done most of this!

  • embrik Registered User regular
    edited November 2008
    dr_dan wrote: »
    embrik wrote: »
    You also NEED to remove
    O20 - AppInit_DLLs: karna.dat

    or it will come back. There's a copy of both brastk.exe and karna.dat in both c:\windows and c:\windows\system32. Delete the files from both locations while in safe mode. You're lucky, I don't see any irritating BHOs or anything in the log. However, make sure that after you remove everything and reboot normally, you run HijackThis again and make sure it's still gone. Also, make sure you can run HijackThis without renaming it. If you can't, there's still a virus on the system.

    Alright, going good so far. I'm in safe mode and have deleted everything mentioned apart from karna.dat in the system32 folder, which I can't because it says the file is currently in use. Is there anything I can do about this?

    edit - also, do I have to delete all mention of brastk and karna from the registry? Sorry for all the questions, it's the first time I've done most of this!

    Yes, you need to remove all references, or it might come back. For the file you can't remove, grab Unlocker. Install it, then you can use it to delete the file.

  • dr_dan Registered User regular
    edited November 2008
    Argh! It's still not gone. Managed to delete all the files that were mentioned so the antivirus notification thing doesn't show up anymore, but I must still have a few browser hijacks as I can't visit avg.com or any other antivirus site. I also can't load any pages searched from Google. I've tried loading SDFix but the virus must be blocking that too as it just won't load SDFix up, even after I rename it. Any ideas?

  • Seattle Thread Registered User regular
    edited November 2008
    Try using System Restore to bring your compy back to the state it was in before it was infected. Ideally, this'll be a day or two before you started seeing the balloon popup. Unless MS Antivirus nests itself inside your System Restore files, as some viruses are wont to do, it'll get rid of it.

    The downside is that anything you have downloaded/saved/created since then will be gone, too. But it's worth trying before using the final solution: backup what you can of your documents and reformat.

  • Aurin Registered User regular
    edited November 2008
    If System restore is on, try it. Whether it works or not, shut it off afterwards. Viruses and spyware like to back themselves up in system restore, so that on each boot they are reloaded on the computer.

    Also, if you still can't get to the internet properly, download the fixing tools on a removable hard drive or burn them to a CD. This spyware set loves to screw up your internet settings. The easiest thing is just to format, unfortunately.

  • dr_dan Registered User regular
    edited November 2008
    Aurin wrote: »
    If System restore is on, try it. Whether it works or not, shut it off afterwards. Viruses and spyware like to back themselves up in system restore, so that on each boot they are reloaded on the computer.

    Also, if you still can't get to the internet properly, download the fixing tools on a removable hard drive or burn them to a CD. This spyware set loves to screw up your internet settings. The easiest thing is just to format, unfortunately.

    System Restore is on but doesn't seem to work either. I loaded into safe mode, started the System Restore wizard, but after I got to the step saying click Next to restore the system, I clicked Next and... nothing. I tried clicking it a few times then left it for a while but it just doesn't seem to work either.

    I've tried running quite a few anti-spyware, anti-malware etc. programs; the problem usually is that they won't run at all (AVG), won't install properly (Malwarebytes) or are not able to fix the problem (SDFix). Do you know of any that I could use?

  • embrik Registered User regular
    edited November 2008
    Can you not run SDfix in safe mode? That's where you need to start it. It will run, do a bunch of stuff, then ask to reboot. Then you let it reboot into normal mode, and it will finish up.

  • Aurin Registered User regular
    edited November 2008
    I'd try shutting off system restore and seeing if any of the programs you have now can remove the spyware in safe mode. Manually deleting things works as well, if you can find the files. Open up task manager, end all the processes that you don't recognize, then try running your programs again. That's about the only way you can get around something that is screwing with your antivirus/spyware removal tools while they install.

    Unless you make a disk to run the program from, or use a Reatogo disk to boot the computer.
