Another Brastk victim

Status
Not open for further replies.

AsonJ27

Posts: 19   +0
I came down with the dreaded "Your computer has been infected!" virus on the 10th of this month (2 days ago). My symptoms have been almost identical to Skein's as described in another thread including:

- Browser "locked out" of multiple security related sites and discussion forums
- Cannot install/use Malwarebytes, Spybot S&D, SuperSpyware, etc
- COULD install and use HijackThis, CCleaner, SmitFraudFix, and End It All
- Completed all of the 8 steps I was able to

After multiple steps, scans and registry edits I have seemingly rid myself of Brastk, Karna, and the annoying warning window; however, it seems that they have somehow damaged or at least altered my registry, as I am still not able to load and run any sort of virus protection software (I'm running Norton), nor can I access any of the security related sites.

I have run scans with AdAware SE but have turned up nothing more than some cookies. Also, ran all scans and available fixes in normal, safe, and safe with networking modes.

HJT Scans look clean except for a multitude of ccSvcHst.exe (5) & svchost.exe (6) processes. Also, I have not been able to fix the following with HJT:

- R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
- R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =


I'm currently running in normal mode with Windows XP Pro SP3

Logs are attached.

View attachment 37617
View attachment 37624
 
AsonJ-

Welcome to the party. It's not a very fun party, but at least the conversation is nice. I saw your posting on my thread. Also, caveat: I am a newbie, just following directions. But I hope my lessons can help you.

The thing that started helping me was using Xclean and Autoruns. You can find the links in my thread from Mike. That got me to the point where I could download MBW (from download.com) in Safe Networking Mode. It helped for some reason to download it twice so the second one was called MBAB(2). Maybe that tricked it?

At any rate, take everything I say with a grain of salt and listen precisely to the experts. They will guide you home.
 
Also, when you run the MBAB install, do it in Diagnostic Mode, and follow the instructions from Mike for configuration. Re-name it something like "Run It". I also took the shortcut off, and loaded it directly from the program file folder (which I also renamed just to be safe). That worked for me, anyway. It got me to the point where I can load SAS, which will be the next step for me tonight. Best of luck.
 
Hello AsonJ27

OK as I said before if you have been following Skein's thread then you know what we need.

Run SAS with the config mods I gave him, repeat until clean or it finds something it can not clean.

Then the same for MWBAM.

But before running the above get me all logs
In MWBAM click logs attach in the order oldest to newest!

In SAS click Preferences-Statistics/logs oldest to newest.

Mike
 
Running through the steps now. I'll reply back with the results.

Thanks!

- Jason

_________________________________________________________________________________________________________________________________

Edit:

I'm running Spybot now. Figured out I could open up Explorer and right-click on the C:\ drive and select the "scan with Spybot" option. I'll run this in normal mode and then safe mode and then normal mode again. Hopefully then I'll be able to run MBW in both modes. X-Clean turned up nothing in normal mode but I'll run it again too in safe mode when I switch over.
 
OK Great Jason

Our goal: get MWBAM and SAS running, and run them again until they come up clean or find something they cannot clean. Attach the log for each run.

Mike
 
Well SpyBot scan turned up nothing in normal and safe modes. Same goes for X-Clean.

I still can't run MWBAM, SAS, or any other virus software.

Also, my desktop is becoming somewhat unresponsive. I have to click the "show desktop" icon in my quick launch toolbar to make it current in order to access my shortcuts.


Here is my current HJT log:

View attachment 37627



_______________________________________________________________________________________________________________________________


Edit: I can't access either of your links. I'm still being blocked.
 
OK

I copied this from Microsoft since you may not be able to get to the page.


Manually starting XP with a clean boot (advanced user only)

To manually start Windows XP with a clean boot, follow these steps:

Step 1: Start the System Configuration Utility

1. Click Start, click Run, type msconfig, and then click OK.

2. The System Configuration Utility dialog box is displayed.

Step 2: Configure selective startup options

1. In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.

2. Click to clear the Process SYSTEM.INI File check box.

3. Click to clear the Process WIN.INI File check box.

4. Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.

5. Click the Services tab.

6. Click to select the Hide All Microsoft Services check box.

7. Click Disable All, and then click OK.

8. When you are prompted, click Restart to restart the computer.

Step 3: Log on to Windows

1. If you are prompted, log on to Windows.

2. When you receive the following message, click to select the Don't show this message or launch the System Configuration Utility when Windows starts check box, and then click OK.

Notes: You have used the System Configuration Utility to make changes to the way Windows starts.
• The System Configuration Utility is currently in Diagnostic or Selective Startup mode, causing this message to be displayed and the utility to run every time Windows starts.
• Choose the Normal Startup mode on the General tab to start Windows normally and undo the changes you made using the System Configuration Utility.
----------------------------------------------------------------------------------------------------------------------------------

STOP HERE I will tell you if we need this step!(Mike)!

Step 4: Optional step to disable features

If the clean boot fixed the error, you do not have to perform this step.

Important If your problem is not fixed and you do have to follow this step, it permanently removes all restore points from your computer. The System Restore feature uses restore points to restore your computer to an earlier state. If you remove the restore points, you can no longer restore Windows to an earlier state.

This step temporarily disables Microsoft features such as Plug and Play, networking, event logging, and error reporting.

1. Click Start, click Run, type msconfig, and then click OK.
The System Configuration Utility dialog box is displayed.
2. Click the General tab, click to clear the Load System Services check box, and then click OK.
3. When you are prompted, click Restart to restart the computer.

If these steps helped you start your computer in a clean-boot state, you are finished. If these steps did not help, go to the “Next Steps” section. If you have to return your computer to a normal startup state, go to “Steps to configure Windows to use a Normal startup state”.

Steps to configure Windows to use a Normal startup state
After you have used the clean boot to resolve your problem, you can follow these steps to configure Windows XP to start normally.

1. Click Start, and then click Run.
2. Type msconfig, and then click OK.
The System Configuration Utility dialog box is displayed.
3. Click the General tab, click Normal Startup - load all device drivers and services, and then click OK.
4. When you are prompted, click Restart to restart the computer.

Mike
 
Tried all the scans I was able to run in "Clean Boot"

Spybot turned up nothing, X-Clean turned up nothing, re-ran SmitFraud, and HJT.

I was able to download and install SAS and re-install MWBAM but neither will run, even from the right click menu in explorer.

Here are the logs:

View attachment 37630
View attachment 37631



I'm ready to try the next boot option.
 
Jason browse to the Program Files\MalwareBytes' Anti-Malware folder, rename mbam.exe to mwbam.exe and execute it from there.

Same for SuperAntiSpyware: rename sas.exe.

Let me know.

Mike

EDIT: Jason, if this doesn't work do a System Restore back to before this. You may find no restore points, and if you do find some they may not restore.

If it restores and allows you to run, then immediately begin the MWBAM and SAS. Don't assume a System Restore fixed it all.

Start-Programs-Accessories-System Tools-System Restore
 
Sometime down the road (assuming lack of progress), I would like to put some context behind the rapport findings:
Rapport: DhcpNameServer=192.168.1.254

start > run > cmd > ipconfig /all

The results may clarify whether this points at the router (gateway), at the machine itself, or at something else. I realize that the findings in the rapport log may be telling us that the results of the command are being hijacked.

To date, I have only come across one brand of router using '254' as the gateway. The user may already be familiar with this IP for the router.
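The comparison rf6647 is asking for, as an added example that is not part of the thread or of SmitFraudFix: it parses `ipconfig /all` output and says, for each adapter, whether every DNS server is the gateway, the machine itself, another host on the LAN, or something outside the subnet. The two adapters in `SAMPLE_IPCONFIG` are constructed sample output for this example (the 198.51.100.53 address is a documentation-range placeholder standing in for an unrecognised resolver), and the field labels are those XP's `ipconfig` prints. Note the caveat from the post above still applies: if the command output itself is being tampered with, this check can only report what the OS shows.

```python
"""Classify the DNS servers reported by `ipconfig /all` relative to each
adapter's own address, gateway and subnet.  Added example; the sample
output below is constructed, not taken from the poster's machine."""
import ipaddress
import re

SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : ENGR-PC01

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.37
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.254
        DHCP Server . . . . . . . . . . . : 192.168.1.254
        DNS Servers . . . . . . . . . . . : 192.168.1.254

Ethernet adapter Wireless Network Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.40
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.254
        DNS Servers . . . . . . . . . . . : 192.168.1.254
                                            198.51.100.53
"""

# "Key . . . . : value" lines; the dots are padding, not part of the key.
KV = re.compile(r"^\s+([A-Za-z][A-Za-z0-9()\- ]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field: [values]}}.  Extra DNS servers appear on
    indented continuation lines with no key, so they attach to the last key."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented: adapter header or banner
            if line.rstrip().endswith(":"):
                current = line.rstrip()[:-1]
                adapters[current] = {}
                last_key = None
            continue
        if current is None:
            continue                         # host-level lines above the first adapter
        m = KV.match(line)
        if m:
            last_key = m.group(1).strip()
            adapters[current].setdefault(last_key, [])
            if m.group(2).strip():
                adapters[current][last_key].append(m.group(2).strip())
        elif last_key is not None:
            adapters[current][last_key].append(line.strip())
    return adapters


def classify_dns(text):
    """For each adapter, tag every DNS server as self / gateway / lan / external."""
    result = {}
    for name, fields in parse_ipconfig(text).items():
        ips = fields.get("IP Address", [])
        masks = fields.get("Subnet Mask", [])
        gateways = set(fields.get("Default Gateway", []))
        if not ips or not masks:
            continue                         # disconnected adapter, nothing to judge
        net = ipaddress.ip_network(f"{ips[0]}/{masks[0]}", strict=False)
        verdicts = []
        for dns in fields.get("DNS Servers", []):
            if dns == ips[0]:
                verdicts.append((dns, "self"))
            elif dns in gateways:
                verdicts.append((dns, "gateway"))
            elif ipaddress.ip_address(dns) in net:
                verdicts.append((dns, "lan"))
            else:
                verdicts.append((dns, "external"))
        result[name] = verdicts
    return result


def unrecognised_dns(text, known=()):
    """External resolvers not in `known` (e.g. the ISP's).  An external DNS
    server is normal when it is the ISP's; the question is whether you recognise it."""
    hits = set()
    for verdicts in classify_dns(text).values():
        hits.update(dns for dns, kind in verdicts if kind == "external" and dns not in known)
    return sorted(hits)


if __name__ == "__main__":
    for adapter, verdicts in classify_dns(SAMPLE_IPCONFIG).items():
        print(adapter, verdicts)
    print("unrecognised:", unrecognised_dns(SAMPLE_IPCONFIG))
```

On the constructed sample the wired adapter's only resolver is the 192.168.1.254 gateway, which matches what the rapport line shows; the wireless adapter's second resolver is outside the subnet and is what you would go and identify.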
 
Mike,

Holy cow, you're a lifesaver. The renaming worked on MWBAM and the program is scanning. I'll try the same with SAS once the other is done then repost all of the logs I can.


rf6647,

I believe the IP you're seeing is the local address for my Cayman router. My infected computer is a company PC running on a peer-to-peer network.

I would post the ipconfig info but I'm not sure if I feel safe posting IP addresses on a public forum though...
 
Well Jason you do good work.

Send the log on each run; we need to see what MWBAM found, and this should point us to even more understanding of this issue.

That will make it easier on others with future infections. Do your civic duty!

When you get a chance in MWBAM go to logs and post them all back one at a time so we can see all that was cleaned.

Mike

EDIT: In SAS click Preferences then Statistics/Logs Post all these logs also. Remember you are contributing! Hats off to you!
 
MBAM scan complete in normal mode, now running SAS

Looks like my browser is back to full capability and Norton will now run! MBAM found about 6 or 7 infected files.

Here is the log:

View attachment 37638
View attachment 37639



This process has definitely been a testing one. By default I have become the "IT" guy for our small engineering firm and have assumed responsibility for all computer related problems. In a way this has been a great learning experience and I'll definitely be more prepared for the next one. Luckily, this infection happened to my computer, which gave me time to troubleshoot while I was working on other things in between. Your help has been fantastic.

This thread, combined with Skein's would be a great one to "Sticky" as a method to fix this infection.


- Jason
 
Now ya cooking!

You are so cool you're freezing!

I know these scans take 30 some minutes but I would do MWBAM & SAS until they find nothing!

But your call!

Mike
 
Definitely. I'm running every scan I can in normal mode then will switch to safe mode and then back to normal just to make damn sure.

How does my HJT log look, anything suspicious?
 
Get rid of this with HJT.

Other than that clean.

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

And post a final HJT as a last thing when clean.

Mike
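A small triage script for the HJT log items this thread keeps coming back to, as an added example (not part of HijackThis or any tool named here): the number of svchost.exe and ccSvcHst.exe processes Jason noticed, the two empty R0 search entries HJT would not "fix", and the O4 KernelFaultCheck entry Mike says to remove. `SAMPLE_HJT_LOG` is constructed for this example and is not one of the attached logs; the svchost.exe line under a Temp folder is put there deliberately to show the one check that matters for that process. Two facts the script relies on: on XP, several svchost.exe instances running from %systemroot%\system32 are normal, so the count alone says nothing and only a copy running from elsewhere is suspicious; and ccSvcHst.exe is the Symantec/Norton service host. An R0 line with nothing after the "=" is an empty search setting, which is why the thread treats the log as otherwise clean.

```python
"""Triage a HijackThis log for the items discussed in this thread.
Added example; the log text below is constructed, not a real attachment."""
import re
from collections import Counter

SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# svchost.exe is only legitimate from %systemroot%\system32 on XP.
SYSTEM32 = re.compile(r"^c:\\windows\\system32\\", re.IGNORECASE)
# "R0 - <key> = <value>"; value is empty for the two entries in the thread.
R_ENTRY = re.compile(r"^(R\d) - (.+?) = ?(.*)$")
# "O4 - HKLM\..\Run: [Name] command"
O4_ENTRY = re.compile(r"^O4 - (\S+): \[([^\]]+)\] (.*)$")


def running_processes(log):
    """Return the paths listed under 'Running processes:' up to the blank line."""
    procs, grab = [], False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            grab = True
            continue
        if grab:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def triage(log):
    procs = running_processes(log)
    counts = Counter(p.rsplit("\\", 1)[-1].lower() for p in procs)
    rogue_svchost = [p for p in procs
                     if p.lower().endswith("\\svchost.exe") and not SYSTEM32.match(p)]
    empty_r0, r_with_value, kernelfaultcheck = [], [], []
    for line in log.splitlines():
        m = R_ENTRY.match(line)
        if m:
            if m.group(1) == "R0" and not m.group(3).strip():
                empty_r0.append(line)        # empty search setting, nothing to fix
            else:
                r_with_value.append(line)    # points somewhere: read the URL
            continue
        m = O4_ENTRY.match(line)
        if m and m.group(2) == "KernelFaultCheck":
            kernelfaultcheck.append(line)    # the O4 entry Mike says to remove
    return {
        "svchost_total": counts["svchost.exe"],
        "svchost_outside_system32": rogue_svchost,
        "ccsvchst_total": counts["ccsvchst.exe"],
        "empty_r0": empty_r0,
        "r_entries_with_value": r_with_value,
        "kernelfaultcheck_o4": kernelfaultcheck,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HJT_LOG).items():
        print(f"{key}: {value}")
```

Running it on the constructed log reports six svchost.exe processes, of which exactly one, the copy under Temp, is worth chasing; five ccSvcHst.exe; two empty R0 lines; the R1 search page to read; and the KernelFaultCheck line.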
 
OK great job and what you have done is help us get a handle on this thing and it will not be as hard on others.

I recommend you update SpyBot and run Immunization!

Get SpywareBlaster.

Get ThreatFire, now in version 4.
It is designed to run alongside any virus scanner, but works totally differently from regular virus scanners. Where regular virus scanners are based on definitions, ThreatFire is based on looking for virus/malware activity.

Also look at Hostman.

Google the above mentioned.

Mike
 
Thanks Mike. I'll definitely look into those programs. Looks like there are more and more coming down with the infection. This thing is spreading like wildfire.

I'm running my other safemode scans right now and will post the logs when I'm finished.
 
OK Man

I think you have but recheck

Back to normal mode.

Because it found and cleaned items, you need to run MalwareBytes until it comes up clean.

Same for SAS.

Run HJT last post all logs.

Mike
 
Ran all scans again in normal mode until they came up clean.

Here are the logs.

View attachment 37747
View attachment 37748

SAS found nothing in any of the last three scans.

Everything has been running normal, except for a couple warnings yesterday from Norton that mentioned that IEDefender was caught and fixed.

Could I still have a piece of something that's trying to download this?
 