TechSpot

Another Brastk victim

By AsonJ27
Nov 12, 2008
Topic Status:
Not open for further replies.
  1. I came down with the dreaded "Your computer has been infected!" virus on the 10th of this month (2 days ago). My symptoms have been almost identical to Skein's as described in another thread including:

    - Browser "locked out" of multiple security related sites and discussion forums
    - Cannot install/use Malwarebytes, Spybot S&D, SuperSpyware, etc
    - COULD install and use HijackThis, CCleaner, SmitFraudFix, and End It All
    - Completed all of the 8 steps I was able to

    After multiple steps, scans, and registry edits I have seemingly rid myself of Brastk, Karna, and the annoying warning window; however, it seems that they have somehow damaged or at least altered my registry, as I am still not able to load and run any sort of virus protection software (I'm running Norton), nor can I access any of the security related sites.

    I have run scans with AdAware SE but have turned up nothing more than some cookies. Also, ran all scans and available fixes in normal, safe, and safe with networking modes.

    HJT Scans look clean except for a multitude of ccSvcHst.exe (5) & svchost.exe (6) processes. Also, I have not been able to fix the following with HJT:

    - R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    - R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =


    I'm currently running in normal mode with Windows XP Pro SP3

    Logs are attached.

    View attachment 37617
    View attachment 37624
     
  2. skein4

    skein4 TS Rookie Posts: 39

    AsonJ-

    Welcome to the party. It's not a very fun party, but at least the conversation is nice. I saw your posting on my thread. Also, caveat: I am a newbie, just following directions. But I hope my lessons can help you.

    The thing that started helping me was using Xclean and Autoruns. You can find the links in my thread from Mike. That got me to the point where I could download MBW (from download.com) in Safe Networking Mode. It helped for some reason to download it twice so the second one was called MBAB(2). Maybe that tricked it?

    At any rate, take everything I say with a grain of salt and listen precisely to the experts. They will guide you home.
     
  3. skein4

    skein4 TS Rookie Posts: 39

    Also, when you run the MBAB install, do it in Diagnostic Mode, and follow the instructions from Mike for configuration. Re-name it something like "Run It". I also took the shortcut off, and loaded it directly from the program file folder (which I also renamed just to be safe). That worked for me, anyway. It got me to the point where I can load SAS, which will be the next step for me tonight. Best of luck.
     
  4. mflynn

    mflynn TS Rookie Posts: 2,793

    Hello AsonJ27

    OK as I said before if you have been following Skein's thread then you know what we need.

    Run SAS with the config mods I gave him, repeat until clean or it finds something it can not clean.

    Then the same for MWBAM.

    But before running the above get me all logs
    In MWBAM click logs attach in the order oldest to newest!

    In SAS click Preferences-Statistics/logs oldest to newest.

    Mike
     
  5. AsonJ27

    AsonJ27 TS Rookie Topic Starter Posts: 19

    Running through the steps now. I'll reply back with the results.

    Thanks!

    - Jason

    _________________________________________________________________________________________________________________________________

    Edit:

    I'm running Spybot now. Figured out i could open up explorer and right-click on the c:\ drive and select the "scan with spybot" option. I'll run this in normal mode and then safe mode and then normal mode again. Hopefully then I'll be able to run MBW in both modes. X-Clean turned up nothing in normal mode but I'll run it again too in safe mode when I switch over.
     
  6. mflynn

    mflynn TS Rookie Posts: 2,793

    OK Great Jason

    Our goal: get MWBAM and SAS running, and run them again until they come up clean or one finds something it cannot clean. Attach the log for each run.

    Mike
     
  7. mflynn

    mflynn TS Rookie Posts: 2,793

  8. AsonJ27

    AsonJ27 TS Rookie Topic Starter Posts: 19

    Well SpyBot scan turned up nothing in normal and safe modes. Same goes for X-Clean.

    I still can't run MWBAM, SAS, or any other virus software.

    Also, my desktop is becoming somewhat unresponsive. I have to click the "show desktop" icon in my quick launch toolbar to make it current in order to access my shortcuts.


    Here is my current HJT log:

    View attachment 37627



    _______________________________________________________________________________________________________________________________


    Edit: I can't access either of your links. I'm still being blocked.
     
  9. mflynn

    mflynn TS Rookie Posts: 2,793

    OK

    I copied this from Microsoft since you may not be able to get to the page.


    Manually starting XP with a clean boot (advanced user only)

    To manually start Windows XP with a clean boot, follow these steps:

    Step 1: Start the System Configuration Utility

    1. Click Start, click Run, type msconfig, and then click OK.

    2. The System Configuration Utility dialog box is displayed.

    Step 2: Configure selective startup options

    1. In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.

    2. Click to clear the Process SYSTEM.INI File check box.

    3. Click to clear the Process WIN.INI File check box.

    4. Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.

    5. Click the Services tab.

    6. Click to select the Hide All Microsoft Services check box.

    7. Click Disable All, and then click OK.

    8. When you are prompted, click Restart to restart the computer.

    Step 3: Log on to Windows

    1. If you are prompted, log on to Windows.

    2. When you receive the following message, click to select the Don't show this message or launch the System Configuration Utility when Windows start check box, and then click OK.

    Notes: You have used the System Configuration Utility to make changes to the way Windows starts.
    • The System Configuration Utility is currently in Diagnostic or Selective Startup mode, causing this message to be displayed and the utility to run every time Windows starts.
    • Choose the Normal Startup mode on the General tab to start Windows normally and undo the changes you made using the System Configuration Utility.
    ----------------------------------------------------------------------------------------------------------------------------------

    STOP HERE I will tell you if we need this step!(Mike)!

    Step 4: Optional step to disable features

    If the clean boot fixed the error, you do not have to perform this step.

    Important If your problem is not fixed and you do have to follow this step, it permanently removes all restore points from your computer. The System Restore feature uses restore points to restore your computer to an earlier state. If you remove the restore points, you can no longer restore Windows to an earlier state.

    This step temporarily disables Microsoft features such as Plug and Play, networking, event logging, and error reporting.

    1. Click Start, click Run, type msconfig, and then click OK.
    The System Configuration Utility dialog box is displayed.
    2. Click the General tab, click to clear the Load System Services check box, and then click OK.
    3. When you are prompted, click Restart to restart the computer.

    If these steps helped you start your computer in a clean-boot state, you are finished. If these steps did not help, go to the “Next Steps” section. If you have to return your computer to a normal startup state, go to “Steps to configure Windows to use a Normal startup state”.

    Steps to configure Windows to use a Normal startup state
    After you have used the clean boot to resolve your problem, you can follow these steps to configure Windows XP to start normally.

    1. Click Start, and then click Run.
    2. Type msconfig, and then click OK.
    The System Configuration Utility dialog box is displayed.
    3. Click the General tab, click Normal Startup - load all device drivers and services, and then click OK.
    4. When you are prompted, click Restart to restart the computer.

    Mike
     
  10. AsonJ27

    AsonJ27 TS Rookie Topic Starter Posts: 19

    Tried all the scans I was able to run in "Clean Boot"

    Spybot turned up nothing, X-Clean turned up nothing, re-ran SmitFraud, and HJT.

    I was able to download and install SAS and re-install MWBAM but neither will run, even from the right click menu in explorer.

    Here are the logs:

    View attachment 37630
    View attachment 37631



    I'm ready to try the next boot option.
     
  11. mflynn

    mflynn TS Rookie Posts: 2,793

    Jason browse to the Program Files\MalwareBytes' Anti-Malware folder, rename mbam.exe to mwbam.exe and execute it from there.

    Same for SuperAntiSpy rename sas.exe

    Let me know.

    Mike

    EDIT: Jason, if this doesn't work do a System Restore back to before this. You may find no restore points, and if you do find some they may not restore.

    If it restores and allows you to run, then immediately begin the MWBAM and SAS. Don't assume a System Restore fixed it all.

    Start-Programs-Accessories-System Tools-System Restore
     
     
  12. rf6647

    rf6647 TS Maniac Posts: 931

    Sometime down the road (assuming lack of progress), I would like to put some context behind the rapport findings:
    Rapport: DhcpNameServer=192.168.1.254

    start > run > cmd > ipconfig /all

    The results may clarify whether this points at the router (gateway), or whether it is pointing to itself or something else. I realize that the findings in the rapport log may be telling us that the results of the command are being hijacked.

    To date, I have only come across 1 brand of router using '254' as the gateway. The user may already be familiar with this IP for the router.
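    The check rf6647 is asking for, written out as an added example (not code from this thread or from SmitFraudFix): read the DhcpNameServer / NameServer values out of a rapport-style report, compare each one against the gateway you get from `ipconfig /all`, and flag anything that is not the router. The report text below is constructed for this example (the interface GUIDs are placeholders, and 203.0.113.x is a documentation range standing in for an unknown external resolver); only the 192.168.1.254 value comes from the thread.

```python
import ipaddress
import re

# RFC 1918 ranges listed explicitly, so the classification does not depend on
# what a given Python version counts as "private".
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the "DhcpNameServer=..." / "NameServer=..." lines SmitFraudFix prints in its DNS section.
DNS_RE = re.compile(r"(?P<key>DhcpNameServer|NameServer)=(?P<servers>[0-9.,\s]*)")

# Constructed sample report (placeholder GUIDs, invented addresses except the gateway).
SAMPLE_REPORT = r"""
Description: Local Area Connection
DNS Server Search Order: 192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000002}: DhcpNameServer=203.0.113.7 203.0.113.8
HKLM\SYSTEM\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000003}: NameServer=127.0.0.1
"""


def classify_nameserver(server, gateway, host_ip=None):
    """Say what a configured DNS server address points at: the router, this PC, loopback, the LAN, or outside."""
    ip = ipaddress.ip_address(server)
    if ip == ipaddress.ip_address(gateway):
        return "gateway"
    if host_ip is not None and ip == ipaddress.ip_address(host_ip):
        return "self"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in PRIVATE_NETS):
        return "lan"
    return "external"


def triage_dns_report(report, gateway, host_ip=None):
    """Return (value_name, server, classification) for every DNS server named in the report."""
    findings = []
    for line in report.splitlines():
        m = DNS_RE.search(line)
        if not m:
            continue
        # A value may hold several servers separated by spaces or commas.
        for server in re.split(r"[,\s]+", m.group("servers").strip()):
            if server:
                findings.append((m.group("key"), server, classify_nameserver(server, gateway, host_ip)))
    return findings


def needs_review(findings):
    """Entries a reviewer should look at: resolvers outside the LAN, or the PC answering its own DNS."""
    return [f for f in findings if f[2] in ("external", "loopback", "self")]


if __name__ == "__main__":
    # Gateway and host address as they would be read from "ipconfig /all" (constructed here).
    for key, server, kind in triage_dns_report(SAMPLE_REPORT, "192.168.1.254", host_ip="192.168.1.10"):
        print(f"{key:15} {server:16} {kind}")
```

    Anything classified as "external" or "loopback" deserves a second look: a DHCP client on a home or small-office network normally receives the router's address as its DNS server, so a value that points elsewhere is the kind of thing rf6647 is trying to rule in or out.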
     
  13. AsonJ27

    AsonJ27 TS Rookie Topic Starter Posts: 19

    Mike,

    Holy cow, you're a lifesaver. The renaming worked on MWBAM and the program is scanning. I'll try the same with SAS once the other is done then repost all of the logs I can.


    rf6647,

    I believe the IP you're seeing is the local address for my Cayman router. My infected computer is a company PC running on a peer-to-peer network.

    I would post the ipconfig info but I'm not sure if I feel safe posting IP addresses on a public forum though...
     
  14. mflynn

    mflynn TS Rookie Posts: 2,793

    Well Jason you do good work.

    Send the log on each run; we need to see what MWBAM found, and this should point us to even more understanding of this issue.

    Therefore make it easier on future infections on others. Do your Civic duty!

    When you get a chance in MWBAM go to logs and post them all back one at a time so we can see all that was cleaned.:grinthumb

    Mike

    EDIT: In SAS click Preferences then Statistics/Logs Post all these logs also. Remember you are contributing! Hats off to you!
     
  15. AsonJ27

    AsonJ27 TS Rookie Topic Starter Posts: 19

    MBAM scan complete in normal mode, now running SAS

    Looks like my browser is back to full capability and Norton will now run! MBAM found about 6 or 7 infected files.

    Here is the log:

    View attachment 37638
    View attachment 37639



    This process has definitely been a testing one. By default I have become the "IT" guy for our small engineering firm and have assumed responsibility for all computer related problems. In a way this has been a great learning experience and I'll definitely be more prepared for the next one. Luckily, this infection happened to my computer, which gave me time to troubleshoot while I was working on other things in between. Your help has been fantastic.

    This thread, combined with Skein's would be a great one to "Sticky" as a method to fix this infection.


    - Jason
     
  16. mflynn

    mflynn TS Rookie Posts: 2,793

    Now ya cooking!

    You are so cool you're freezing!

    I know these scans take 30 some minutes but I would do MWBAM & SAS until they find nothing!

    But your call!

    Mike
     
  17. AsonJ27

    AsonJ27 TS Rookie Topic Starter Posts: 19

    Definitely. I'm running every scan I can in normal mode then will switch to safe mode and then back to normal just to make damn sure.

    How does my HJT log look, anything suspicious?
     
  18. mflynn

    mflynn TS Rookie Posts: 2,793

    Get rid of this with HJT.

    Other than that clean.

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    And post a final HJT as a last thing when clean.

    Mike
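    The HijackThis lines quoted in this thread (the two empty R0 Search entries in the first post and the O4 KernelFaultCheck item Mike asks to fix here) follow a small, regular format. The following is an added example, not code from the thread or from HijackThis, that parses those R0/R1 and O4 registry-Run lines into fields so they can be grouped and matched against a reviewer's fix list the way one ticks entries before "Fix checked". The sample log is constructed; only the four lines that appear in the thread are taken from it, and the helper ignores any HJT line type it does not recognise rather than guessing at it.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class HjtEntry:
    code: str                    # HJT section code, e.g. "R0", "O4"
    raw: str                     # the full log line as written
    hive: Optional[str] = None   # HKLM / HKCU
    key: Optional[str] = None    # registry key path ("Run" for O4 items)
    value: Optional[str] = None  # registry value name (R*) or startup item name (O4)
    data: Optional[str] = None   # registry data (R*) or command line (O4)


LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<command>.*)$")
# R0 - HKLM\Software\...\Search,SearchAssistant = data   (data may be empty)
R_RE = re.compile(r"^(?P<path>[^,]+),(?P<value>[^=]+?) =\s*(?P<data>.*)$")

# Constructed sample log: header lines are invented, the R0 and O4 lines come from the thread,
# the R1 and ctfmon lines are typical filler added for the example.
SAMPLE_LOG = r"""
Logfile of HijackThis
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.example.com/search
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def parse_hjt(text):
    """Turn HJT log text into HjtEntry objects; unrecognised line shapes keep only code and raw."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers and "Running processes" paths are not entries
        code, body = m.group("code"), m.group("body")
        e = HjtEntry(code=code, raw=line)
        if code == "O4":
            mo = O4_RE.match(body)
            if mo:
                e.hive, e.key = mo.group("hive"), mo.group("key")
                e.value, e.data = mo.group("name"), mo.group("command")
        elif code.startswith("R"):
            mr = R_RE.match(body)
            if mr:
                e.hive, _, e.key = mr.group("path").partition("\\")
                e.value, e.data = mr.group("value"), mr.group("data")
        entries.append(e)
    return entries


def empty_search_hooks(entries):
    """R0/R1 entries whose data is blank, like the two Search values HJT would not 'fix' in the thread."""
    return [e for e in entries if e.code in ("R0", "R1") and e.data == ""]


def run_items(entries):
    """O4 items that autostart from an HKLM/HKCU Run key."""
    return [e for e in entries if e.code == "O4" and e.key and e.key.lower() == "run"]


def match_fix_list(entries, names):
    """Select O4 items by name (case-insensitive), mirroring ticking lines before 'Fix checked'."""
    wanted = {n.lower() for n in names}
    return [e for e in entries if e.code == "O4" and e.value and e.value.lower() in wanted]


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    for e in run_items(entries):
        print(f"{e.hive}\\{e.key}  [{e.value}]  {e.data}")
    print("to fix:", [e.raw for e in match_fix_list(entries, ["KernelFaultCheck"])])
```

    Keeping the raw line alongside the parsed fields matters: the raw text is what gets posted back to the thread and what HJT itself displays, while the fields are what you compare from one log to the next.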
     
  19. AsonJ27

    AsonJ27 TS Rookie Topic Starter Posts: 19

    Thanks Mike

    SAS scan complete. Found some cookies.

    View attachment 37641


    Now I'm jumping over to Safe mode and rescanning. I'll check in with you in the morning.

    Thanks again for all of your help!

    - Jason
     
  20. mflynn

    mflynn TS Rookie Posts: 2,793

    OK great job and what you have done is help us get a handle on this thing and it will not be as hard on others.

    I recommend you update SpyBot and run Immunization!

    Get SpywareBlaster.

    Get ThreatFire now in ver 4.
    Designed to run with any Virus scanner. But works totally different than regular virus scanners. Where regular Virus scanners are based on Definitions ThreatFire is based on looking for virus/malware Activity.

    Also look at Hostman.

    Google the above mentioned.

    Mike
     
  21. AsonJ27

    AsonJ27 TS Rookie Topic Starter Posts: 19

    Thanks Mike. I'll definitely look into those programs. Looks like there are more and more coming down with the infection. This thing is spreading like wildfire.

    I'm running my other safemode scans right now and will post the logs when I'm finished.
     
  22. mflynn

    mflynn TS Rookie Posts: 2,793

    10-4!

    Mike
     
  23. AsonJ27

    AsonJ27 TS Rookie Topic Starter Posts: 19

  24. mflynn

    mflynn TS Rookie Posts: 2,793

    OK Man

    I think you have but recheck

    Back to normal mode.

    Because it found and cleaned items then you need to run MalwareBytes until it comes up clean.

    Same for SAS.

    Run HJT last post all logs.

    Mike
     
  25. AsonJ27

    AsonJ27 TS Rookie Topic Starter Posts: 19

    Ran all scans again in normal mode until they came up clean.

    Here are the logs.

    View attachment 37747
    View attachment 37748

    SAS found nothing in any of the last three scans.

    Everything has been running normally, except for a couple of warnings yesterday from Norton that mentioned that IEDefender was caught and fixed.

    Could I still have a piece of something that's trying to download this?
     