
Helios lite log


7 replies to this topic

#1 cwa

Posted 18 November 2009 - 12:51 AM

Hello. Please forgive me if I am posting on the wrong forum or site. I have a client's computer that has been infected by various malware.
It is a MS Windows XP SP3 machine. At first, all of the security apps that were being run were closing after about 30 seconds, and then the exes were being corrupted. It was an error similar to "could not find the path to the file name" or something like that. And I could not delete the files.


I rebooted into safe mode, re-installed Malwarebytes, did a scan and removed some malware. I then rebooted and used the File Assassin tool to kill the locked files, and then I could re-install and run the other security programs (Spybot, Malwarebytes, Avast cleaner, Windows malicious file detector and Windows Defender).

I discovered Helios (http://helios.miel-labs.com/) and ran it as well. Most things looked fine, except that the hidden registry scan came back with keys that looked like they had been corrupted and made into garbage, either rewritten or added like that. A couple of keys seemed to have to do with McAfee. I uninstalled this after not being able to get it to scan and put on AVG 9.0 Free.

I have a CSV log from Helios, but was wondering if I could get some help with what I was looking at for sure. I do not have the client's machine with me, so please be patient as I have to call him and set up appointments to run any scans and post logs.


Thank you for the help
cwa


#2 Orange Blossom

Posted 19 November 2009 - 08:54 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom


#3 boopme

Posted 19 November 2009 - 09:17 PM

Hello, yes, post the log.

We need to disable Spybot S&D's "TeaTimer" if enabled.
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open Spybot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [image] and then on "Advanced Mode"
    [image]
  • You may be presented with a warning dialog. If so, press [image]
  • Click on [image]
  • Click on [image]
  • Uncheck this checkbox:
    [image]
  • Close/Exit Spybot Search and Destroy

Also post a new MBAM (Malwarebytes) log.

Reinstall MBAM if you install and run a scan in safe mode. Doing this is usually not advised as MBAM is designed to be at full power when running in normal mode and loses some effectiveness for detection & removal when used in safe mode. Therefore, after completing a scan it is recommended to uninstall MBAM, then reinstall it in normal mode and perform another Quick Scan.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 cwa

Posted 20 November 2009 - 09:22 AM

Hi

Thank you for getting back to me. When Helios saves a file, it saves as CSV; here is a text version of the file. This is the hidden registry key scan. I will have to get the updated Malwarebytes scans as soon as I can.


Here is the log file. I am concerned with all of the 123$ stuff repeating. It also looks like it's wrapping. Each line starts with the line number (1-19).
I googled some of the entry names (McShield, mfetdik, etc.) and it looks like it might belong to McAfee. I uninstalled McAfee from the client's machine since it was not really functioning from what I could tell. I put in AVG 9 Free instead. Is the repeating 'garbage' an infection/overwritten keys, some security feature that I don't understand, or leftover registry entries that did not get uninstalled?

Thanks in advance for the help.

Charles


1 SYSTEM\ControlSet001\Services\McShield[junk string as on line 3] Key Missing
2 SYSTEM\ControlSet001\Services\McTaskManager[junk string as on line 3] Key Missing
3 SYSTEM\ControlSet001\Services\mfeapfk\$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./012\$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123 Key Missing
4 SYSTEM\ControlSet001\Services\mfeavfk[junk string as on line 3] Key Missing
5 SYSTEM\ControlSet001\Services\mfebopk[junk string as on line 3] Key Missing
6 SYSTEM\ControlSet001\Services\mfehidk[junk string as on line 3] Key Missing
7 SYSTEM\ControlSet001\Services\mfetdik[junk string as on line 3] Key Missing
8 SYSTEM\ControlSet003\Services\McShield[junk string as on line 3] Key Missing
9 SYSTEM\ControlSet003\Services\McTaskManager[junk string as on line 3] Key Missing
10 SYSTEM\ControlSet003\Services\mfeapfk[junk string as on line 3] Key Missing
11 SYSTEM\ControlSet003\Services\mfeavfk[junk string as on line 3] Key Missing
12 SYSTEM\ControlSet003\Services\mfebopk[junk string as on line 3] Key Missing
13 SYSTEM\ControlSet003\Services\mfehidk[junk string as on line 3] Key Missing
14 SYSTEM\ControlSet003\Services\mfetdik[junk string as on line 3] Key Missing
15 SOFTWARE\Microsoft\Cryptography\RNG Seed Data Differs
16 SECURITY\Policy\Secrets\SAC Access Denied
17 SECURITY\Policy\Secrets\SAI Access Denied
18 S-1-5-21-1801674531-1715567821-725345543 Access Denied
19 S-1-5-21-1801674531-1715567821-725345543_Classes Access Denied
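As an added triage example (not the poster's log tooling and not Helios code), here is a small Python parser for export lines in the shape posted above: it strips a repeated junk suffix from each key and labels what is left. The sample lines, the McAfee service-name list and the "expected noise" key prefixes are assumptions I constructed from this thread, not Helios rules.

```python
import re

# Constructed sample in the shape of the Helios hidden-registry export posted
# above ("<n> <key path> <status>"); the repeating junk is cut to three units.
SAMPLE_LOG = """\
1 SYSTEM\\ControlSet001\\Services\\McShield\\$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123 Key Missing
2 SYSTEM\\ControlSet001\\Services\\mfetdik\\$%&'()*+ -./0123$%&'()*+ -./0123$%&'()*+ -./0123 Key Missing
3 SOFTWARE\\Microsoft\\Cryptography\\RNG Seed Data Differs
4 SECURITY\\Policy\\Secrets\\SAC Access Denied
5 S-1-5-21-1801674531-1715567821-725345543_Classes Access Denied
"""

LINE_RE = re.compile(r"^(\d+)\s+(.*?)\s+(Key Missing|Data Differs|Access Denied)$")
# Any 4-32 char unit repeated three or more times in a row: the "123$ stuff".
JUNK_RE = re.compile(r"(.{4,32}?)\1{2,}")
# Names from the posted log that the poster traced to McAfee (assumed vendor list).
MCAFEE_SERVICES = {"McShield", "McTaskManager", "mfeapfk", "mfeavfk",
                   "mfebopk", "mfehidk", "mfetdik"}
# Assumed normal noise for a user-mode scanner: the volatile RNG seed value and
# LSA secrets, which only SYSTEM can read. Not a Helios rule.
EXPECTED_NOISE = ("SOFTWARE\\Microsoft\\Cryptography\\RNG Seed",
                  "SECURITY\\Policy\\Secrets\\")


def parse_line(line):
    """Return (number, key, status) for one export line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None


def triage(log_text):
    """Strip the repeated junk from each key and label what is left."""
    results = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        num, key, status = parsed
        junk = JUNK_RE.search(key)
        clean = key[:junk.start()].rstrip("\\") if junk else key
        leaf = clean.rsplit("\\", 1)[-1]
        if junk:
            label = ("likely uninstall leftover" if leaf in MCAFEE_SERVICES
                     else "junk suffix on unknown key: investigate")
        elif clean.startswith(EXPECTED_NOISE):
            label = "expected noise for a user-mode scan"
        else:
            label = "investigate"
        results.append({"line": num, "key": clean, "status": status,
                        "junk": bool(junk), "label": label})
    return results
```

Run it with `triage(SAMPLE_LOG)` or on the full export; keys that keep a junk suffix but are not in the vendor list are the ones worth a closer look.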

#5 boopme

Posted 20 November 2009 - 12:55 PM

Hi, what I get from this is that it was a trojan dropper of rootkits.

  • A code with the rootkit-specific techniques designed to hide the software presence in the system
  • A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment
  • A keylogger program that can capture all user keystrokes (including confidential details such as username, password, credit card number, etc.)

Threat Expert

With a serious type of malware such as this, you will need to run HJT/DDS.
Please follow this guide: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant title and post that complete log.

Let me know if it went OK.

#6 cwa

Posted 20 November 2009 - 05:19 PM

Thanks for the information. I called the client and got an appointment for 2pm tomorrow. I will get the log scans and repost in the other forum.

Thank you for your help.

cwa

#7 cwa

cwa
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:42 PM

Posted 22 November 2009 - 09:07 PM

Hello,

Thanks for the help. The client has decided to move ahead with formatting his computer and starting over again.

Thank you again.

cwa

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:42 PM

Posted 22 November 2009 - 09:49 PM

Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action.

You're welcome!!



