Another Bratsk hit

Status
Not open for further replies.

djsilvus

I realize this problem is ongoing for several. I have read everything here in an effort at self-help, to no avail. Two days ago my computer rebooted on me. Since then, the same types of problems others have had: AVG cannot update, AVG scans have issues at the outset, I have trouble downloading all of the potential software that others think will solve the problem, etc.

I have done the best I can on the 8 steps. Unfortunately, as with others, I am limited in what I can accomplish.

I was ultimately able to download and run HJS from download.com. My log is attached.

I was able to download (but not update) Avira. It found only 2 warnings (files that could not be opened).

I have been able to download and run CCleaner to the point of "cleanliness" on it. I have also run Xclean_micro (found nothing).

Apparently MBAM will fix the problem (at least according to others), but I cannot figure a way to get it to run. I can download it and install it (eventually -- it takes forever to install), but I cannot get it to run. I have tried to run it w/o the update first. I can locate it on my Task Manager after I try to get it to run -- it will sit there forever unless I end the process.

SAS will not install once I get it downloaded.

Through my work above, I think I've been able to get rid of the 2 bratsk files I could find, but clearly my problems have not been resolved.

Help would be greatly appreciated. Thank you in advance.
 
Hi djsilvus

Yes I have been trying to get control enough to run MBAM and SAS.

Below is a way to get in to clean boot. We reverse it when we are through.

I have posted this to one other person but no report back yet.

Once you are in clean boot rename mbam.exe to mwbam.exe.

Once it runs if it will not update then run it anyway without update. Post log and run again until it comes up clean or finds something it can not clean.

Same for SAS! Rename it sas.exe


I copied this from Microsoft since you may not be able to get to the page.

Manually starting XP with a clean boot (advanced user only)

To manually start Windows XP with a clean boot, follow these steps:

Step 1: Start the System Configuration Utility

1. Click Start, click Run, type msconfig, and then click OK.

2. The System Configuration Utility dialog box is displayed.

Step 2: Configure selective startup options

1. In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.

2. Click to clear the Process SYSTEM.INI File check box.

3. Click to clear the Process WIN.INI File check box.

4. Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.

5. Click the Services tab.

6. Click to select the Hide All Microsoft Services check box.

7. Click Disable All, and then click OK.

8. When you are prompted, click Restart to restart the computer.

Step 3: Log on to Windows

1. If you are prompted, log on to Windows.

2. When you receive the following message, click to select the Don't show this message or launch the System Configuration Utility when Windows start check box, and then click OK.

Notes: You have used the System Configuration Utility to make changes to the way Windows starts.
• The System Configuration Utility is currently in Diagnostic or Selective Startup mode, causing this message to be displayed and the utility to run every time Windows starts.
• Choose the Normal Startup mode on the General tab to start Windows normally and undo the changes you made using the System Configuration Utility.
----------------------------------------------------------------------------------------------------------------------------------

STOP HERE I will tell you if we need this step!(Mike)!

Step 4: Optional step to disable features

If the clean boot fixed the error, you do not have to perform this step.

Important If your problem is not fixed and you do have to follow this step, it permanently removes all restore points from your computer. The System Restore feature uses restore points to restore your computer to an earlier state. If you remove the restore points, you can no longer restore Windows to an earlier state.

This step temporarily disables Microsoft features such as Plug and Play, networking, event logging, and error reporting.

1. Click Start, click Run, type msconfig, and then click OK.
The System Configuration Utility dialog box is displayed.
2. Click the General tab, click to clear the Load System Services check box, and then click OK.
3. When you are prompted, click Restart to restart the computer.

If these steps helped you start your computer in a clean-boot state, you are finished. If these steps did not help, go to the “Next Steps” section. If you have to return your computer to a normal startup state, go to “Steps to configure Windows to use a Normal startup state”.

Steps to configure Windows to use a Normal startup state
After you used the clean boot to resolve your problem, you can follow these steps to configure Windows XP to start normally.

1. Click Start, and then click Run.
2. Type msconfig, and then click OK.
The System Configuration Utility dialog box is displayed.
3. Click the General tab, click Normal Startup - load all device drivers and services, and then click OK.
4. When you are prompted, click Restart to restart the computer.

Mike
 
Mike, precisely which file do I need to rename for MBAM -- mbam.exe? There are several .exe files in the folder and I want to make sure I'm tight on the plan before I start down this path.
 
Before doing all that why not try booting to safe mode and running MBAM - to boot to safe mode, tap F8 before windows loads then select safe mode at the next menu

Also you can update MBAM on another computer then install it from usb then boot to safe mode, and run the scan
 
I have tried various combinations of normal/safe/safe with networking to download and install MBAM. The closest I seemed to get was with a download in safe w/network coupled with an install in safe w/network, then deleting the shortcut (after someone said that the shortcut seemed to be the source of his difficulties), then renaming mbam.exe. That combo enabled me to actually start MBAM, but then it aborted with an error message.

I'll try download in safe w/network, install in safe w/o network w/o the shortcut, rename mbam.exe, and run in safe w/o network.
 
It appears renaming mbam.exe to somethingelse.exe will work as it did for the other thread.

The other thing I would be interested to see is how housecall handles this infection - and if you can even access the online scanner - if you want to try it... I will let Mike get back to helping you, but just wanted to throw a few ideas out there that may not have been tried

Trend Micro Housecall Free Online Scanner

  • It's one of the very few online scanners that will actually disinfect viruses etc.
  • First Open Internet Explorer
  • Go to Trend Micro's Housecall website which can be found HERE
  • Click on the link that says "Scan now. It's Free"
  • A new tab will open where you will have to tick a box to agree to the terms of service.
  • Click "Launch House Call"
  • Follow any additional on screen instructions
  • Select any infections then Fix Checked after the scan
 
Renaming the .exe files for MBAM and SAS worked for me. I'm scanning now in normal mode and then will do the same in safe mode and again in normal to make damn sure this thing is gone.

Good luck!
 
Hello Blind Dragon

I am a team player; your help is appreciated here.

I have been struggling with this all day and now it is coming together.

I too am interested in how Trend handles it.

But I have requested all the logs from MWBAM and SAS from Jason in another thread.

What is cleaned will give us some more insight. I think it should give enough insight to get a handle on this thing for us.

Thanks,
Mike
 
I've tried pretty much every combination to get MBAM to run without resorting to the clean boot. Has anyone done the clean boot and achieved success? AsonJ27, is that what you did to ultimately get MBAM to run?
 
OK djsilvus

So much going on today. For at least 2 others we found all we had to do was rename mbam.exe to something else like mwbam.exe and SuperAntiSpyware to sas.exe

Then run from the folder after renaming.

Try this and get back!

Post logs

Mike
 
That definitely is the way to deal with this one Mike,

I help on other boards as well, and confirm at least 2 more that have been fixed by simply renaming the .exe for MBAM.

Nicely done
 
I tried renaming MBAM several times before I even started posting.

What I have been doing is downloading the setup program onto my desktop; renaming it to simply "setup" (I tried to install once without renaming the setup program and was unsuccessful); and extracting MBAM as normal without a Start Up folder, desktop short cut, or quick start icon. Once I have it extracted, I do not run it from the splash window and do not have it check for updates. I go into my Programs folder > Malwarebytes folder and change the name of "mbam.exe" to something else (I've used "runthis.exe", "something.exe", "runit.exe", and "blah.exe"). I then attempt to open that newly-named program. I get the hourglass for my cursor for about 5-10 seconds, the cursor then returns to "normal", then nothing out of the newly renamed mbam.exe. After 30-40 seconds of nothing, I will check Task Manager and can see mbam.exe (or whatever I have renamed it) sitting there as a process taking up memory but doing nothing on the CPU. This last part has been consistent whether I rename the program or not (the only difference being the name on the list).

I have uninstalled MBAM (again).

If someone could post precisely what he/she did to get it to work -- down to the mode used when downloading, installing, and running as well as the precise location where the setup program is downloaded, the MBAM folder is created, renaming, etc. -- I will happily give it another shot.

Thank you guys so much for your help.
 
OK I am not sure how you are doing this but do as below.

It has worked for everyone else. If it doesn't work for you then your issue is different from theirs.

All you need to do is rename SuperAntiSpyware to say SAS.exe and mbam.exe to mwbam.exe.

So My Computer to \Program Files\SuperAntiSpyware find and rename as above and run from there by dbl clicking SAS.exe.

Then do the same for MalwareBytes.

After loading but before clicking Scan do the below config changes

SuperAntispyware config

UPDATE!

Then

Click the Preferences button.

Then Scanning Control.

In Scanner Options make sure the following are checked:
1. Close browsers before scanning
2. Scan for tracking cookies
3. Terminate memory threats before quarantining.
4. Leave the others as they are.

In MalwareBytes after update but before running
Click settings and confirm all are Checked.

I repeat Update these 2 programs.

Run them and post their logs then a new HJT log HJT always last.

After attaching logs from above run both programs again to confirm they find nothing else and attach new logs for this run!

Mike
 
Mike, before I start trying this (again), I have some questions:

1. Should I download the software (MBAM and SAS) while in normal mode, safe w/ networking mode, or does it matter?

2. Should I attempt to actually install the software (MBAM and SAS) while in normal, safe w/ networking, safe, or "diagnostic" mode?

3. Should I rename the .exe files immediately upon installation?

4. Should I run the newly-named .exe programs in normal, safe, safe w/ networking, or "diagnostic" mode?

5. Should I run MBAM or SAS first?

6. Will I be able to update SAS and MBAM before initially running them given the hijacking of my IE?
 
Hello

1. Should I download the software (MBAM and SAS) while in normal mode, safe w/ networking mode, or does it matter? ANY WAY THAT WORKS NORMAL PREFERRED

2. Should I attempt to actually install the software (MBAM and SAS) while in normal, safe w/ networking, safe, or "diagnostic" mode? NORMAL

3. Should I rename the .exe files immediately upon installation? YES and run them from there as soon as renamed.

4. Should I run the newly-named .exe programs in normal, safe, safe w/ networking, or "diagnostic" mode? NORMAL

5. Should I run MBAM or SAS first? MBAM but renamed.

6. Will I be able to update SAS and MBAM before initially running them given the hijacking of my IE? After renaming YES if not then run without updating

Remember to do the Advanced config before scanning in both programs. Run both again and again until they come up clean, posting logs at each run.

Post 1 HJT log LAST after all above are clean.

Mike
 
OK, I have installed & renamed SAS. I am in the process of installing MBAM, but it is taking the install forever as has been the case every other time I have attempted to install MBAM. I get to the final "Finishing Installation" splash screen fairly quickly, but then it just sits there for quite some time. I did not create a shortcut or a startup folder. I created a different folder name for the install ("BAM"), and I can see that folder with the files in my program files. However, setup has not finished running as I am typing this.

How do I update SAS and MBAM without actually opening the programs?
 
Finally my install of MBAM completed. I have renamed "mbam.exe" "mwbam.exe".

What is the precise next step? I would tell you to talk to me as though I were 8 years old, but most 8 year olds I know are more comfortable with this stuff than am I.
 
I don't know what or why you mean by another Folder!

OK first just stop there and run SAS with the advanced configs I posted.

Run it multiple times until clean POST A LOG AFTER EACH RUN!

After you do this you likely will not even need to rename mbam to get it to update or run.

Clear all of that uninstall MBAM then reinstall normally then rename as directed.

Mike
 
Mike, if it were socially acceptable to find and kiss you, I would do it.

OK, I was able to get SAS to work first, but sans update. I ran it. That log is attached as 13-27-03. I ran it again (w/o updates) and that log is attached as 13-52-53. I then re-booted.

After that, I was able to run (w/o updates) MBAM. That log is attached as 15-41-56. After that, I rebooted.

I was then able to update MBAM. I then ran it. That log is attached as 16-1-42.

I have just updated SAS and am preparing to run it again. I will post that log (and any other log you want/need) shortly.

Thank you again for your help.
 

Attachments

  • mbam-log-2008-11-13 (15-41-56).txt
    1.8 KB · Views: 5
  • mbam-log-2008-11-13 (16-11-42).txt
    1.3 KB · Views: 5
Hi DJ

No indication anywhere, but I hope you are a Lady, if so thanks for the compliment!

You are doing a fabulous job.

Actually you can abort that SAS Scan as I don't need it, we need to move on to another more specialized program!

After seeing the logs you are preparing and based on the ones you have already posted, I am ready to have you do a special program called ComboFix.

You still have a very bad boy in there!

No need to post a HJT log yet I see enough already.

Mike
 
:blush:

OK do the below:

ComboFix

NOTE: If you have had ComboFix more than a few days old delete and re-download.

Get it here: http://subs.geekstogo.com/ComboFix.exe
Or here: https://www.techspot.com/downloads/5587-combofix.html

Double click combofix.exe follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click combofix's window while it's running. That may cause it to stall.

This will take some time!!!!!!!! but not as long as mbam run.

Mike
 