Bratsk follow-up Advice

Status
Not open for further replies.
A

Ashburn

Posts: 11   +0
Hello, I had some problems with the Bratsk virus. I have followed the 8 steps and I wanted someone to have a look and advise on more steps I need to take. I was having all kinds of problems updated my spyware detection software, I couldn't even run programs like Hijack This or Ad Aware.

Here are logs, I also included a ComboFix log.

Thank you in advance.
 

Attachments

  • SUPERAntiSpyware Scan Log - 11-19-2008 - 11-02-35.log
    629 bytes · Views: 5
  • combofix_log.txt
    12.2 KB · Views: 5
I ran another MalwareBytes scan and here is the log. Whenever I run this scan my internet connection disconnects and reconnects towards the end. My Windows Firewall also shuts off, which I am assuming is not a good sign.
 
Hi Ashburn

The HJT log is clean of any sign of Malware.

But all thee of the others have cleaned items in their logs.

I run each again until they come up clean or find something they can not fix, where we may need to call a different tool.

You are likely clean but I would be sure!

Mike
 
I ran a new Avira scan and found some more problems. I can't seem to be able to upload the log file on to this site though. Here are the problems, sorry for the paste:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP216\A0033204.dll

[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.adb back-door program
[NOTE] The file was moved to '495489f3.qua'!

C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP216\A0033206.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '495489ff.qua'!

C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP216\A0033207.dll
[DETECTION] Is the TR/Drop.Softomat.AN Trojan
[NOTE] The file was moved to '49548a09.qua'!

C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP216\A0033208.sys
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49548a0f.qua'!

C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP216\A0033209.dll
[DETECTION] Is the TR/Drop.Softomat.AN Trojan
[NOTE] The file was moved to '49548a14.qua'!

C:\WORKSSETUP\REDIST\IE6\TEMPFILE.CAB
[0] Archive type: CAB (Microsoft)
--> msoe.hlp
[WARNING] No further files can be extracted from this archive. The archive will be closed
 
The run mbam file is not executable after running your program. Is it because I renamed my mbam file to mwbam during my first install. Do I need to change it back?
 
Yes! Rename it back to mbam.exe!

And we need to run Fixit.cmd from inside the Fixes Folder once more to correct that.

Post the bfu log and others from the desktop.

Did you have any problem downloading the attachment renaming or running?

Once you can update and execute run "runmbam" post the log then "sas"

Mike
 
OK, I ran all scans and they came back clean. I posted the logs. I'm not sure what you mean by bfu log on desktop, that did not extract when I ran the cmd file.
 
Hi Ashburn

Run Combofix again and post log. It found and deleted and unknown item we need to see it clean.

We don't need to skimp here and based on the above which should not be there after all the scans.

You did want me to be thorough didn't you?

Download SD Fix to Desktop among other things Catchme to look for RootKits.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On Desktop run SDdFix It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click thu all the prompts to get to desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click to RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach Report.txt file to your next post.

Mike
 
Alright, I re-ran ComboFix and ran the SDFix program. That TDSS trojan won't seem to go away. Anyway, here are the logs. Thanks.
 
Hi Ashburn

Just as I thought SDFix found and fixed another baddie. Run SDFix again let me confirm it came up clean!

Combo fix was clean.

Send me the new SDFix log then run MBAM again in case Combofix and SDFix exposed more to it.

Mike
 
Here are the logs. My Avira Guard just picked up and denied access to Eicar-Test-Signature, not sure if that is related to the other problems I am having.
 
No that is what Eicar-Test-Signature is for to test Virus scanners. Yours passed!

Looks like you are now clean of Malware so give me a status report of look and feel of your computer.

What is left.

Malware and Virus are different both MBAM SAS cross the line and get some Viruses and most Virus scanners cross over and get some Malware.

So do this when you go to work or bed because it takes a while:

Kaspersky AVP tool http://majorgeeks.com/Kaspersky_AVP_Tool_d4515.html

This is in my opinion the very best there is. This is a Virus Cleaner it does not run in memory like a conventional Virus scanner. It does not update you re download it the next time you need it.

After you post me the status I asked for above and have run the AVP tool I will make a final closing post to cleanup the tools and make some suggestion on how to stay clean.

Mike
 
OK, I ran Kaspersky and it found and deleted 3 files. Otherwise, my computer is running about as smoothly as it did prior to the infestation. Any advice on cleanup tools and virus protection is greatly appreciated. Here are the deletions:

deleted: adware not-a-virus:AdWare.Win32.Altnet.d File: C:\Program Files\Kazaa\kazaa.exe//Execryptor/TopSearch.dll

deleted: adware not-a-virus:AdWare.Win32.Altnet.d File: C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP221\A0034741.exe//Execryptor/TopSearch.dll

deleted: adware not-a-virus:AdWare.Win32.Altnet.d File: c:\system volume information\_restore{5808f9b6-96b5-4803-a039-47eb1e010cb7}\rp221\a0034741.exe//Execryptor
 
Fantastic you did a great job!:cool:

I am busy with work but will try to post a close out and final comments later today.

Mike
 
Thread closing

Run CCleaner again twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

Then

D/L install and run ATF-Cleaner clear all except passwords in all browsers you have. Run repeatedly until no more found.

http://www.majorgeeks.com/ATF_Cleaner_d4949.html
----------------------------------------------------------------------------------------------------------------------

The issue found is in System Restore so do the below

Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

Then

Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.

As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.
----------------------------------------------------------------------------------------------------------------------
Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

Save to desktop.

This will remove all the tools we used to clean your computer.
These tools update so often they require downloading again later if needed.
Double-click OTCleanIt.exe.
Click CleanUp
Yes to the "Begin cleanup Process?"
If prompted to Reboot click Yes.
OTScanit will delete when finished, if not delete it by yourself.

Approve all if prompted by Firewall, Widows Defender or other guards or security programs about OTCleanIt attempting access to the Internet, allow all.
----------------------------------------------------------------------------------------------------------------------

Every 2 weeks or so run mbam and sas until clean. If they find something they can not clean then get back to us.

Additionally run CCleaner and ATF-Cleaner.

I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

It was designed to co-exist with other Virus scanners.

Additionally it uses totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity. It's like looking at it with 2 sets of eyes and from a different angle.

http://www.threatfire.com/Download/
----------------------------------------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot ocassionally and use the Immunize function.

Hostman http://www.abelhadigital.com/2008/07...-released.html

Mike
 
Thanks again. Everything seems to be working fine now. I appreciate the preventative tips, those should help me out a great deal.
 
Status
Not open for further replies.

Similar threads

S
Inactive Ransomware virus
Replies
5
Views
2K
Broni
Broni
G
Only POSTing when graphics card lifts up motherboard on mobo box
Replies
16
Views
2K
Aranarth
A
S
Solved Windows Task Manager crashes after opening
2
Replies
32
Views
10K
Broni
Broni

Latest posts

Back