BleepingComputer.com: daughter's laptop infected

daughter's laptop infected

#31 jckbredwards (Member; Posts: 47; Joined: 31-January 10)

Posted 02 February 2010 - 04:56 PM

Are the steps you reference above just more clean up or is that the re-formatting? Also, do you know where this malware/virus etc comes from or for how long it has been on the computer?

#32 thcbytes (Bleepin' Teacher; Group: Malware Response Instructor; Posts: 12,271; Joined: 09-December 08)

Posted 02 February 2010 - 05:01 PM

Oh... no. The next steps are to finish cleaning up the infection. They are deleting the helpassistant folder, closing the open ports in your router and removing leftover remnants of the infection.

Time frame is difficult! Probably around the time she started noting redirects.

I am really sorry. I can feel your agony through the computer!
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://organdonor.gov/index.html

#33 thcbytes (Bleepin' Teacher; Group: Malware Response Instructor; Posts: 12,271; Joined: 09-December 08)

Posted 02 February 2010 - 05:03 PM

Forgot to answer one of your questions. It might have been an attachment in an email, it might have been a visit to an infected website, it might have been from a flash drive.

At the end I will provide you with valuable tips as to how to minimize reinfection.

#34 jckbredwards (Member; Posts: 47; Joined: 31-January 10)

Posted 03 February 2010 - 01:06 AM

When I went to Control Panel, User Accounts, etc. there are only 2, my daughter's and a "guest account", and the latter is turned off. I turned it on but it will not right-click to open so nothing can be deleted. I turned it back off. I found a "help assistant" folder in c:\documents and settings. Should I delete that folder and all of its contents? I will not run the remainder of the instructions until cleared by you to do so. I will not run the ComboFix until I know what to do with the help assistant file. There is no "help assistant" file under the user accounts. Thank you. Wanted to add, when I cut and paste the info into ComboFix am I using the same ComboFix we renamed thcbytes or am I to d/load another and new ComboFix?

This post has been edited by jckbredwards: 03 February 2010 - 01:09 AM


#35 thcbytes (Bleepin' Teacher; Group: Malware Response Instructor; Posts: 12,271; Joined: 09-December 08)

Posted 03 February 2010 - 08:03 AM

That's good.

All you need to do now is follow the rest of my instructions.

Use the Combofix (thcbytes) that is on your desktop. My script is designed to nuke the helpassistant folder.

Thanks,
~ t

#36 jckbredwards (Member; Posts: 47; Joined: 31-January 10)

Posted 03 February 2010 - 09:20 AM

Is that Help Assistant folder a duplicate? I noticed it contains her music files and her schoolwork. Will all of that be lost by using ComboFix or does it also exist elsewhere on the computer? I should be able to get to that over lunch or this evening. Thanks

#37 thcbytes (Bleepin' Teacher; Group: Malware Response Instructor; Posts: 12,271; Joined: 09-December 08)

Posted 03 February 2010 - 12:38 PM

Wait!!!!

Not sure.

Let's take a closer look....

First..........
  • Create a new folder on your Desktop by right-clicking and selecting New > Folder.
  • Name the folder SWRegfolder.

Next.............
  • Download SWReg by Bobbi Flekman
  • Save it to the SWRegfolder on your Desktop.

Finally.........
  • Launch Notepad, (Start > Run, type in: notepad)
  • Copy/paste all the text inside the code box below to Notepad:

CODE
@echo off
rem Dump the ProfileList key and all of its subkeys (/s) into log.txt, then open the log.
rem Note: >> appends, so delete the old log.txt before running this again.
swreg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s >>log.txt
Notepad log.txt

  • In Notepad, go to File (upper menu bar), and select: Save as
  • Save in: SWRegfolder
  • File Name: SWReg.bat
  • Save as Type: All files
  • Click: Save
  • Exit out of Notepad.
Note: Both SWReg.exe and SWReg.bat must be in the same folder for this to work.
  • Locate SWReg.bat in the SWRegfolder and double-click on it.
  • When done, a log opens in Notepad.
  • Please post the contents of the log in your reply.


#38 jckbredwards (Member; Posts: 47; Joined: 31-January 10)

Posted 03 February 2010 - 12:45 PM

Will do. But won't be able to do it until this evening as I am at work and daughter is at school (sans laptop). I'll do as directed and post those results.

#39 thcbytes (Bleepin' Teacher; Group: Malware Response Instructor; Posts: 12,271; Joined: 09-December 08)

Posted 03 February 2010 - 01:08 PM

Nice catch.

I think it's a duplicate but let's make sure.

I see 2 folders.
QUOTE
c:\documents and settings\HelpAssistant
c:\documents and settings\Kelsey1

Go ahead and post the reg export when ready and let's take a closer look. This 1st export is going to enumerate the User Profiles in the registry. Next I will export the contents of each of those folders before we delete anything.

Thanks,
~ t

#40 jckbredwards (Member; Posts: 47; Joined: 31-January 10)

Posted 03 February 2010 - 08:31 PM

Here is the swreg log file:

SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist
ProfilesDirectory REG_EXPAND_SZ %SystemDrive%\Documents and Settings
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-18
Flags REG_DWORD 12 (0xc)
State REG_DWORD 0 (0x0)
RefCount REG_DWORD 15 (0xf)
Sid REG_BINARY 010100000000000512000000
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService
Sid REG_BINARY 010100000000000513000000
Flags REG_DWORD 9 (0x9)
State REG_DWORD 0 (0x0)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 824793370 (0x3129591a)
ProfileLoadTimeHigh REG_DWORD 30057780 (0x1caa534)
RefCount REG_DWORD 4 (0x4)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService
Sid REG_BINARY 010100000000000514000000
Flags REG_DWORD 9 (0x9)
State REG_DWORD 0 (0x0)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 782605870 (0x2ea59e2e)
ProfileLoadTimeHigh REG_DWORD 30057780 (0x1caa534)
RefCount REG_DWORD 2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-2265459671-2948306729-781115041-1004
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant
Sid REG_BINARY 010500000000000515000000d72b08872997bbafa1de8e2eec030000
Flags REG_DWORD 1 (0x1)
State REG_DWORD 256 (0x100)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD -1768033890 (0x969df19e)
ProfileLoadTimeHigh REG_DWORD 30057339 (0x1caa37b)
RefCount REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-2265459671-2948306729-781115041-1005
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Kelsey1
Sid REG_BINARY 010500000000000515000000d72b08872997bbafa1de8e2eed030000
Flags REG_DWORD 0 (0x0)
State REG_DWORD 256 (0x100)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 1497605870 (0x5943a6ee)
ProfileLoadTimeHigh REG_DWORD 30057780 (0x1caa534)
RefCount REG_DWORD 1 (0x1)
RunLogonScriptSync REG_DWORD 0 (0x0)
OptimizedLogonStatus REG_DWORD 11 (0xb)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-2265459671-2948306729-781115041-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator
Sid REG_BINARY 010500000000000515000000d72b08872997bbafa1de8e2ef4010000
Flags REG_DWORD 0 (0x0)
State REG_DWORD 256 (0x100)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 1192900028 (0x471a35bc)
ProfileLoadTimeHigh REG_DWORD 29794657 (0x1c6a161)
RefCount REG_DWORD 0 (0x0)
RunLogonScriptSync REG_DWORD 0 (0x0)
OptimizedLogonStatus REG_DWORD 11 (0xb)


#41 thcbytes (Bleepin' Teacher; Group: Malware Response Instructor; Posts: 12,271; Joined: 09-December 08)

Posted 03 February 2010 - 11:51 PM

Hi,

Although you can't see it, the HelpAssistant account indeed exists.

QUOTE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-2265459671-2948306729-781115041-1004
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-2265459671-2948306729-781115041-1005
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Kelsey1

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-2265459671-2948306729-781115041-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator


I want you to look in both of these folders. Is there anything in the helpassistant folder that you would like to spare?
QUOTE
c:\documents and settings\HelpAssistant
c:\documents and settings\Kelsey1


After you have confirmed that the helpassistant folder is good to nuke then I will also provide a registry script to remove the helpassistant user profile account.

Let me know,
Thanks,
~ t
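The check the instructor is doing by eye in the posts above (reading the swreg dump of ProfileList, matching each subkey to a profile folder, and spotting the HelpAssistant profile that Control Panel does not show) can be automated. The following Python script is an added example and is not part of the thread, of SWReg, or of ComboFix. It parses the "name TYPE value" layout that swreg printed in post #40, decodes each REG_BINARY Sid and confirms it matches the subkey name, converts the ProfileLoadTimeHigh/Low pair (a FILETIME split into two DWORDs) into a UTC timestamp, and flags any S-1-5-21 profile whose folder is not backed by an account the user can see. The embedded dump is an abridged, constructed copy of the log posted in the thread; the list of visible accounts (Kelsey1 and Guest) is taken from the user's description in post #34, and treating RIDs 500 and 501 as built-in is an assumption based on their well-known meaning (Administrator and Guest).

```python
"""Cross-check an swreg dump of the ProfileList key: decode each binary Sid,
confirm it matches the subkey name, convert ProfileLoadTime to a timestamp,
and flag profile folders that no visible account explains."""
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: an abridged copy of the swreg output posted in the thread
# (well-known SID S-1-5-18 plus the three S-1-5-21 local profiles).
SWREG_DUMP = r"""SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 (c)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-18
Flags REG_DWORD 12 (0xc)
Sid REG_BINARY 010100000000000512000000
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-2265459671-2948306729-781115041-1004
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant
Sid REG_BINARY 010500000000000515000000d72b08872997bbafa1de8e2eec030000
ProfileLoadTimeLow REG_DWORD -1768033890 (0x969df19e)
ProfileLoadTimeHigh REG_DWORD 30057339 (0x1caa37b)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-2265459671-2948306729-781115041-1005
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Kelsey1
Sid REG_BINARY 010500000000000515000000d72b08872997bbafa1de8e2eed030000
ProfileLoadTimeLow REG_DWORD 1497605870 (0x5943a6ee)
ProfileLoadTimeHigh REG_DWORD 30057780 (0x1caa534)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-2265459671-2948306729-781115041-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator
Sid REG_BINARY 010500000000000515000000d72b08872997bbafa1de8e2ef4010000
"""

PROFILELIST = r"hkey_local_machine\software\microsoft\windows nt\currentversion\profilelist"
VALUE_RE = re.compile(r"^(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")
HEX_RE = re.compile(r"\((0x[0-9a-fA-F]+)\)")
BUILTIN_RIDS = {500: "Administrator", 501: "Guest"}  # well-known RIDs (assumption: never flagged)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_swreg(text):
    """Turn swreg's text dump into {key_path: {value_name: (type, raw_text)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line, {})
        elif current is not None and line:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1)] = (m.group(2), m.group(3))
    return keys


def decode_sid(hex_blob):
    """Decode a REG_BINARY SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    raw = bytes.fromhex(hex_blob)
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def dword(entry):
    """swreg prints DWORDs as 'signed (0xhex)'; use the hex form to avoid sign trouble."""
    return int(HEX_RE.search(entry[1]).group(1), 16)


def filetime(high, low):
    """Two DWORDs of a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    ticks = (high << 32) | (low & 0xFFFFFFFF)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def analyze(dump, visible_accounts):
    """Return one record per profile subkey; 'flags' lists the discrepancies found."""
    visible = {a.lower() for a in visible_accounts}
    records = []
    for key, values in parse_swreg(dump).items():
        parent, _, sid = key.rpartition("\\")
        if parent.lower() != PROFILELIST or "Sid" not in values:
            continue  # the parent key itself, or a key without a Sid value
        path = values["ProfileImagePath"][1]
        rid = int(sid.rpartition("-")[2])
        rec = {"sid": sid, "path": path, "folder": path.rpartition("\\")[2],
               "rid": rid, "loaded": None, "flags": []}
        if decode_sid(values["Sid"][1]).lower() != sid.lower():
            rec["flags"].append("Sid value does not match subkey name")
        if "ProfileLoadTimeHigh" in values and "ProfileLoadTimeLow" in values:
            rec["loaded"] = filetime(dword(values["ProfileLoadTimeHigh"]),
                                     dword(values["ProfileLoadTimeLow"]))
        # Only local-account SIDs (S-1-5-21-...) with non-builtin RIDs should
        # correspond to an account the user can see in Control Panel.
        if (sid.upper().startswith("S-1-5-21-") and rid not in BUILTIN_RIDS
                and rec["folder"].lower() not in visible):
            rec["flags"].append("profile folder has no matching visible account")
        records.append(rec)
    return records


if __name__ == "__main__":
    # Accounts the user reported seeing in Control Panel (from the thread).
    for rec in analyze(SWREG_DUMP, ["Kelsey1", "Guest"]):
        when = rec["loaded"].strftime("%Y-%m-%d %H:%M UTC") if rec["loaded"] else "n/a"
        print("%-46s %-14s last loaded %s  %s" % (rec["sid"], rec["folder"], when,
                                                  "; ".join(rec["flags"])))
```

Run against the dump, the script reports the HelpAssistant profile (RID 1004) as the only folder with no visible account behind it, and its ProfileLoadTime answers the "how long has it been there" question from post #31 more precisely than a guess: the profile was last loaded on 1 February 2010 UTC. A Sid value that did not decode to the subkey name would be flagged too, since that is the kind of inconsistency a tampered ProfileList entry can show. On a live machine, feed it the log.txt produced by the SWReg.bat from post #37 instead of the embedded sample.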

#42 jckbredwards (Member; Posts: 47; Joined: 31-January 10)

Posted 04 February 2010 - 12:00 AM

The only folder she sees in the Helpassistant folder to be saved is the subfolder called kelsey1's documents. All others look to be duplicates or unknown data files.

#43 thcbytes (Bleepin' Teacher; Group: Malware Response Instructor; Posts: 12,271; Joined: 09-December 08)

Posted 04 February 2010 - 12:25 AM

Alright. Let's clean up this mess.

Please right click and create a new folder on the desktop. Name it kelseys1documents. Copy and paste the documents she wishes to save from helpassistant to there.

==========

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:

CODE
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-2265459671-2948306729-781115041-1004]


Name the file regedit.reg, making sure "Save as type" is set to "All Files".
Double-click on regedit.reg and allow it to run.

==========

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\system32\llnmp.tmp
d:\cds300\cds300.dll

Folder::
c:\documents and settings\HelpAssistant
C:\d04b699f18c66a6d31
C:\28e24bb6f6d910f070

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
"3389:TCP"=-
"8648:TCP"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"=-
"AllowInboundTimestampRequest"=-
"AllowInboundMaskRequest"=-
"AllowInboundRouterRequest"=-
"AllowOutboundDestinationUnreachable"=-
"AllowOutboundSourceQuench"=-
"AllowOutboundParameterProblem"=-
"AllowOutboundTimeExceeded"=-
"AllowRedirect"=-
"AllowOutboundPacketTooBig"=-

Driver::
c3427d61-384b-457c-9844-32d10b85c5f8


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Please download MBR.EXE by GMER. Save the file in your root directory. (C:\)
  • Open Notepad and copy and paste the text in the codebox below (excluding the word Code) into Notepad.
    CODE
    @echo off
    cd\
    mbr.exe -t
    start mbr.log
  • Next, select File --> Save As, change file type to All Files (*.*), and save it as fixme.bat in your c:\ folder.
  • Open your c:\ folder, right-click on fixme.bat and select Run as Administrator. A log file will open (C:\mbr.log). Please paste the contents in your next reply.
==========

Delete the SWReg.txt and then double click the SWReg.bat again.
Post the log

==========

With your next post please provide:

* Regedit log
* Combofix.txt
* Mbr log
* SWReg log
* How is the computer running?

Kind regards,
~t

#44 jckbredwards (Member; Posts: 47; Joined: 31-January 10)

Posted 04 February 2010 - 01:20 AM

Ok, first I did not get a regedit log. I got a dialog box asking me if I wanted to add that line to the registry and I said yes, but did not see a log file. Where might it be? I have the remaining logs (ComboFix txt, mbr txt and swreg txt) attached. Do I need to re-run the regedit file? I think I put it on the desktop and double-clicked it, answered the question and that was that. Anyway, here are the logs. Thank you. Forgot to add, it seems to be running just fine. No redirects, no crashes, Word works fine, faster than before. Do I need to re-run Defogger to re-enable CD emulators? Also, should I delete all of the programs (mbr, gmer, ComboFix etc.) when we are done? Finally, I noticed that the HelpAssistant file still exists in C:\Documents and Settings.


This post has been edited by jckbredwards: 04 February 2010 - 01:48 AM


#45 thcbytes (Bleepin' Teacher; Group: Malware Response Instructor; Posts: 12,271; Joined: 09-December 08)

Posted 04 February 2010 - 10:51 AM

Good morning,

QUOTE
Ok, first I did not get a regedit log

Oops. I didn't direct the script to create a log.

==========

QUOTE
Do I need to re-run defogger to re-enable cd emulators? Also, should I delete all of the programs (mbr, gmer, combo fix etc) when we are done?

I will guide you when we're done.

==========

QUOTE
I noticed that the HelpAssistant file still exists in C:Documents and settings

Let me get a look at those logs. Instructions to follow.

==========

Thanks,
~ t

ComboFix 10-01-31.05 - Kelsey1 02/03/2010 22:48:28.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.509 [GMT -7:00]
Running from: c:\documents and settings\Kelsey1\Desktop\thcbytes.exe
Command switches used :: c:\documents and settings\Kelsey1\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FILE ::
"c:\windows\system32\llnmp.tmp"
"d:\cds300\cds300.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\28e24bb6f6d910f070
c:\28e24bb6f6d910f070\mrt.exe
c:\28e24bb6f6d910f070\mrtstub.exe
C:\d04b699f18c66a6d31
c:\d04b699f18c66a6d31\$shtdwn$.req
c:\d04b699f18c66a6d31\mrt.exe
c:\d04b699f18c66a6d31\mrtstub.exe
c:\windows\system32\llnmp.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_c3427d61-384b-457c-9844-32d10b85c5f8


((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
.

2010-02-04 05:44 . 2010-02-04 05:44 164 ----a-w- C:\regedit.reg
2010-02-04 05:36 . 2010-02-04 05:36 41 ----a-w- C:\fixme.bat
2010-02-04 05:34 . 2010-02-04 05:34 77312 ----a-w- C:\mbr.exe
2010-02-04 05:02 . 2010-02-04 05:02 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-03 14:17 . 2009-08-07 02:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-03 14:17 . 2009-08-07 02:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-02 20:29 . 2010-02-02 20:30 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-02-01 00:39 . 2010-02-01 00:39 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-02-01 00:33 . 2010-02-01 00:33 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2010-02-01 00:19 . 2010-02-01 00:19 -------- d-sh--w- c:\documents and settings\Kelsey1\IECompatCache
2010-02-01 00:17 . 2010-02-01 00:17 -------- d-sh--w- c:\documents and settings\Kelsey1\PrivacIE
2010-01-29 16:16 . 2010-01-29 16:16 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-01-29 16:13 . 2010-02-01 00:33 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2010-01-24 15:31 . 2010-01-24 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2010-01-24 05:56 . 2010-01-24 05:56 -------- d-----w- c:\program files\Windows Defender
2010-01-24 05:48 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-24 05:48 . 2010-01-24 05:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-24 05:48 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-23 23:45 . 2010-01-14 18:12 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-23 21:49 . 2010-01-23 21:49 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-18 23:29 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-01-18 23:29 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-01-18 23:24 . 2010-01-18 23:24 -------- d-----w- c:\program files\FinePixViewerS
2010-01-18 23:22 . 2010-01-18 23:28 -------- d-----w- c:\documents and settings\Kelsey1\Application Data\FUJIFILM
2010-01-12 23:02 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-02 20:32 . 2007-03-17 04:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-02 20:32 . 2007-03-17 04:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-02 20:32 . 2006-08-19 15:47 -------- d-----w- c:\documents and settings\Kelsey1\Application Data\Spybot - Search & Destroy
2010-02-01 01:33 . 2007-11-21 23:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-31 01:30 . 2004-08-04 03:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-29 15:57 . 2007-01-01 19:07 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-24 15:38 . 2006-07-07 00:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-30 02:02 . 2009-12-30 02:02 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-30 02:01 . 2006-08-20 01:21 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-26 02:11 . 2006-07-07 00:40 29311 ----a-w- c:\windows\system32\nvModes.dat
2009-12-21 19:14 . 2004-08-11 22:00 916480 ------w- c:\windows\system32\wininet.dll
2009-11-21 15:51 . 2004-08-11 22:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2007-11-21 23:20 . 2007-08-21 12:28 11125 ----a-w- c:\program files\hijackthis.log
2007-08-21 12:28 . 2007-08-21 12:28 8911 -c--a-w- c:\program files\hijackthis82107.txt
2007-08-21 12:27 . 2007-08-21 12:26 401720 ----a-w- c:\program files\HiJackThis.exe
2008-08-27 01:35 . 2007-08-13 20:18 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-14 1048392]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\Sonic Shared\\Sonic Central\\Main\\Mediahub.exe"=
"c:\\Program Files\\Wave Systems Corp\\Security Wizards\\bin\\Secure 8021x.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 12:53 PM 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 11:39 AM 32256]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [7/6/2006 6:01 PM 29744]
S3 GTKCMOS;GTKCMOS;c:\windows\system32\GTKCMOS.sys [6/15/2004 12:55 PM 7882]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 4096]
.
Contents of the 'Scheduled Tasks' folder

2010-02-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Kelsey1\Application Data\Mozilla\Firefox\Profiles\m17q9rh7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1226624165&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D21498859&id=64855
FF - plugin: c:\documents and settings\Kelsey1\Application Data\Mozilla\Firefox\Profiles\m17q9rh7.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07051001.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmnqmp07010901.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-03 23:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(952)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(876)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-02-03 23:06:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-04 06:06
ComboFix2.txt 2010-02-01 20:49
ComboFix3.txt 2007-11-22 17:10

Pre-Run: 45,804,101,632 bytes free
Post-Run: 45,780,430,848 bytes free

- - End Of File - - 00D35B131C595222C73ACDA2325FF9F0


SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist
ProfilesDirectory REG_EXPAND_SZ %SystemDrive%\Documents and Settings
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-18
Flags REG_DWORD 12 (0xc)
State REG_DWORD 0 (0x0)
RefCount REG_DWORD 15 (0xf)
Sid REG_BINARY 010100000000000512000000
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService
Sid REG_BINARY 010100000000000513000000
Flags REG_DWORD 9 (0x9)
State REG_DWORD 0 (0x0)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD -1732237858 (0x98c025de)
ProfileLoadTimeHigh REG_DWORD 30057822 (0x1caa55e)
RefCount REG_DWORD 4 (0x4)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService
Sid REG_BINARY 010100000000000514000000
Flags REG_DWORD 9 (0x9)
State REG_DWORD 0 (0x0)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD -1763019108 (0x96ea769c)
ProfileLoadTimeHigh REG_DWORD 30057822 (0x1caa55e)
RefCount REG_DWORD 2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-2265459671-2948306729-781115041-1005
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Kelsey1
Sid REG_BINARY 010500000000000515000000d72b08872997bbafa1de8e2eed030000
Flags REG_DWORD 0 (0x0)
State REG_DWORD 256 (0x100)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 1628074642 (0x610a7292)
ProfileLoadTimeHigh REG_DWORD 30057823 (0x1caa55f)
RefCount REG_DWORD 1 (0x1)
RunLogonScriptSync REG_DWORD 0 (0x0)
OptimizedLogonStatus REG_DWORD 11 (0xb)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-2265459671-2948306729-781115041-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator
Sid REG_BINARY 010500000000000515000000d72b08872997bbafa1de8e2ef4010000
Flags REG_DWORD 0 (0x0)
State REG_DWORD 256 (0x100)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 1192900028 (0x471a35bc)
ProfileLoadTimeHigh REG_DWORD 29794657 (0x1c6a161)
RefCount REG_DWORD 0 (0x0)
RunLogonScriptSync REG_DWORD 0 (0x0)
OptimizedLogonStatus REG_DWORD 11 (0xb)

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll sdcplh.sys atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950A600
malicious code @ sector 0x0950A603 !
PE file found in sector at 0x0950A619 !

Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://organdonor.gov/index.html
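The SteelWerX ProfileList dump above stores each profile's SID twice: once as the subkey name (S-1-5-21-...) and once as a REG_BINARY Sid value. A quick sanity check on a cleaned machine is to decode the binary form and confirm it agrees with the key it sits under, so that a leftover or tampered profile entry stands out. The following is an added example, not part of the thread or of the SteelWerX tool; the sample input is two entries copied from the dump above, and the function and variable names are my own.

```python
"""Decode REG_BINARY Sid values from a ProfileList dump and check that each
one matches the S-1-... subkey it lives under.  Added example; SAMPLE_DUMP is
two entries copied from the SteelWerX Registry Console output in this thread."""
import re

# Sample input: two ProfileList entries from the log above (the backslashes
# are doubled only because this is a Python string literal).
SAMPLE_DUMP = """\
HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\profilelist\\S-1-5-18
Flags REG_DWORD 12 (0xc)
Sid REG_BINARY 010100000000000512000000
ProfileImagePath REG_EXPAND_SZ %systemroot%\\system32\\config\\systemprofile

HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\profilelist\\S-1-5-21-2265459671-2948306729-781115041-1005
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\\Documents and Settings\\Kelsey1
Sid REG_BINARY 010500000000000515000000d72b08872997bbafa1de8e2eed030000
"""

KEY_RE = re.compile(r"HKEY_LOCAL_MACHINE\\.*\\profilelist\\(S-1-[\d-]+)$", re.I)


def decode_sid(raw: bytes) -> str:
    """Convert a binary SID to its S-R-A-S1-S2... string form.

    Binary layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then `count` 32-bit
    little-endian sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = [int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def parse_profilelist(dump: str) -> list:
    """Split a SteelWerX-style ProfileList dump into one dict per subkey."""
    profiles = []
    current = None
    for line in dump.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = {"key_sid": m.group(1)}
            profiles.append(current)
            continue
        if current is None or not line.strip():
            continue
        # Value lines look like: "<name> <REG_type> <data...>"
        name, _, rest = line.partition(" ")
        vtype, _, value = rest.partition(" ")
        if name == "Sid" and vtype == "REG_BINARY":
            current["sid"] = decode_sid(bytes.fromhex(value.strip()))
        elif name == "ProfileImagePath":
            current["path"] = value.strip()
    return profiles


def check_profiles(dump: str) -> list:
    """Return one finding per profile whose binary Sid disagrees with its
    subkey name, or that carries no Sid value at all.  Empty list == consistent."""
    findings = []
    for p in parse_profilelist(dump):
        if "sid" not in p:
            findings.append("%s: no Sid value" % p["key_sid"])
        elif p["sid"] != p["key_sid"]:
            findings.append("%s: Sid value decodes to %s" % (p["key_sid"], p["sid"]))
    return findings


if __name__ == "__main__":
    for p in parse_profilelist(SAMPLE_DUMP):
        print(p["key_sid"], "->", p.get("path"))
    print("findings:", check_profiles(SAMPLE_DUMP) or "none")
```

Run against the full dump, the two entries above decode to exactly their key names (the -500 entry for Administrator decodes the same way, with 0x1f4 as its last sub-authority). Any entry whose decoded SID differs from its key, or whose ProfileImagePath points at a profile folder you did not create, is worth a second look after a cleanup like this one.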
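The Gmer MBR detector output above reports three things: the user-mode and kernel-mode reads of sector 0 agree, a copy of the MBR exists in a far-away sector, and malicious code plus a PE file sit in sectors near that copy. Those are exactly the artifacts a boot-sector rootkit of the Mebroot/Sinowal type leaves: the original MBR is stashed in unallocated space and the loader's payload is stored in raw sectors outside any partition. The block below is an added example of how such a scan works, not the Gmer tool's code; it builds a small constructed disk image (sector numbers are made up and much smaller than the real 0x0950A6xx ones) and then looks for a sector carrying the same partition table and boot signature as sector 0 and for PE headers in sectors that belong to no partition.

```python
"""Scan a raw disk image for a stashed MBR copy and for PE files in
unallocated sectors.  Added example (not Gmer's code); the image is constructed."""
import struct

SECTOR = 512


def parse_mbr(sector0: bytes) -> dict:
    """Split one MBR into bootstrap code, partition table and signature check."""
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be one 512-byte sector")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:462 + 16 * i]
        lba, count = struct.unpack("<II", entry[8:16])
        if entry[4] != 0 and count:          # type 0 == empty slot
            parts.append({"bootable": entry[0] == 0x80, "type": entry[4],
                          "start": lba, "end": lba + count})
    return {"code": sector0[:440], "table": sector0[446:510],
            "partitions": parts, "signature_ok": sector0[510:512] == b"\x55\xaa"}


def unallocated(mbr: dict, total_sectors: int):
    """Yield every LBA (sector 0 excluded) that no partition claims."""
    for lba in range(1, total_sectors):
        if not any(p["start"] <= lba < p["end"] for p in mbr["partitions"]):
            yield lba


def looks_like_pe(sec: bytes) -> bool:
    """True when the sector starts with an MZ header whose e_lfanew points at
    a PE\\0\\0 signature inside the same sector."""
    if sec[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", sec, 0x3C)[0]
    return e_lfanew + 4 <= SECTOR and sec[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def scan_image(image: bytes) -> dict:
    """Report MBR copies (same partition table + signature as sector 0) and
    PE headers found in unallocated sectors.  A copy whose bootstrap code
    differs from sector 0 means sector 0's code was replaced relative to it."""
    total = len(image) // SECTOR
    mbr = parse_mbr(image[:SECTOR])
    mbr_copies, pe_sectors = [], []
    for lba in unallocated(mbr, total):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[446:510] == mbr["table"] and sec[510:512] == b"\x55\xaa":
            mbr_copies.append({"lba": lba, "code_matches": sec[:440] == mbr["code"]})
        elif looks_like_pe(sec):
            pe_sectors.append(lba)
    return {"signature_ok": mbr["signature_ok"], "partitions": mbr["partitions"],
            "mbr_copies": mbr_copies, "pe_sectors": pe_sectors}


def build_sample_image() -> bytes:
    """Constructed 64-sector image: one partition at LBA 2..31, the original
    MBR stashed at LBA 40, a minimal PE header at LBA 45, and sector 0
    carrying different bootstrap code than the stashed copy."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2, 30)
    table = entry + bytes(16) * 3
    original = b"\xfa\x33\xc0" + b"\x90" * 437 + bytes(6) + table + b"\x55\xaa"
    patched = b"\xe9\x00\x00" + b"\xcc" * 437 + bytes(6) + table + b"\x55\xaa"
    pe = bytearray(SECTOR)
    pe[0:2] = b"MZ"
    pe[0x3C:0x40] = struct.pack("<I", 0x80)
    pe[0x80:0x84] = b"PE\0\0"
    image = bytearray(SECTOR * 64)
    image[0:SECTOR] = patched
    image[40 * SECTOR:41 * SECTOR] = original
    image[45 * SECTOR:46 * SECTOR] = bytes(pe)
    return bytes(image)


if __name__ == "__main__":
    report = scan_image(build_sample_image())
    for k, v in report.items():
        print("%-13s %s" % (k + ":", v))
```

On a real disk the image would come from reading \\.\PhysicalDrive0 (or a forensic image of it) sector by sector, and the scan would take a while over 80 GB; the logic is the same. A copy whose code matches sector 0 is harmless (some imaging tools and bootloaders keep one); a copy whose partition table matches but whose code does not, sitting next to a PE in unallocated space, is the pattern the detector flagged here, and the fix the helper is driving toward is rewriting the MBR from the original, not deleting files.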
