I also have a folder called HelpAssistant in my Documents and Settings folder. Should I just delete it? I went to My Computer -> Manage and went into Users and disabled it... but after reboot I check it again and it's allowed.
I couldn't get ComboFix to run. It created a folder in C:\, but didn't do anything else.
I ran mbr.exe which then told me to use the -f command...
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x895bafa8
NDIS: SiS 900 PCI Fast Ethernet Adapter -> SendCompleteHandler -> 0x89580330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x09519240
malicious code @ sector 0x09519243 !
PE file found in sector at 0x09519259 !
Use "Recovery Console" command "fixmbr" to clear infection !
Then MBAM...
Malwarebytes' Anti-Malware 1.44
Database version: 3618
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
1/23/2010 12:34:45 PM
mbam-log-2010-01-23 (12-34-35).txt
Scan type: Full Scan (C:\|)
Objects scanned: 266956
Time elapsed: 4 hour(s), 10 minute(s), 4 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 47
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\Program Files\Desktop Defender 2010\Desktop Defender 2010.exe) Good: (Explorer.exe) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\VNbL.dll (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\CM29MN3D\eU230d9c2eH76140f61V03007f35002Rd9f71314102T3d419adbQ000002fc901800F0020000aJ0d000601l0409K8f8dbc5f3180[1] (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Kyle\Local Settings\temp\VNbL.dll (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Kyle\Local Settings\Temporary Internet Files\Content.IE5\CM29MN3D\eU230d9c2eH76140f61V03007f35002Rd9f71314102T3d419adbQ000002fc901800F0020000aJ0d000601l0409K8f8dbc5f3180[1] (Trojan.Dropper) -> No action taken.
C:\32788R22FWJFW\Combo-Fix.sys (Malware.Trace) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP789\A0099677.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP789\A0100676.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP789\A0100705.exe (Rogue.DesktopDefender) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP789\A0100712.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP789\A0100726.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP804\A0101961.dll (Trojan.Pakes) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP804\A0101964.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP804\A0101972.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP804\A0102202.dll (Trojan.Dropper) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP804\A0102258.exe (Malware.Tool) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP804\A0102277.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP807\A0110096.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP807\A0110083.dll (Trojan.Pakes) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP807\A0110087.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP807\A0110326.dll (Trojan.Dropper) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP807\A0110414.exe (Malware.Tool) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP807\A0110435.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0111032.dll (Trojan.Pakes) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0111035.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0111044.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0111272.dll (Trojan.Dropper) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0111330.exe (Malware.Tool) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0111351.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0112022.dll (Trojan.Pakes) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0112025.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0112033.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0112261.dll (Trojan.Dropper) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0112319.exe (Malware.Tool) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0112341.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0113143.dll (Trojan.Dropper) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0113207.exe (Malware.Tool) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP809\A0113451.dll (LSP.Hijacker) -> No action taken.
C:\WINDOWS\system32\YMSG13.dll (Trojan.Pakes) -> No action taken.
C:\WINDOWS\system32\wsaupdater.exe (Trojan.Agent) -> No action taken.
Not sure what else to do.
Edited by peefyloo, 24 January 2010 - 09:22 AM.
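Added example, not from the post above and not Malwarebytes' own code: a small Python parser for the MBAM 1.x log format pasted in the post. It pulls each detection line apart, flags a Winlogon Shell hijack by comparing the logged Bad and Good values, and separates out hits that live only inside System Restore snapshots. The log excerpt in the block is constructed from the shape of the post's log, with {GUID} standing in for the restore-point GUID.

```python
import re

# Constructed sample in the MBAM 1.x log format seen in the post above (hypothetical
# excerpt, paths shortened; "{GUID}" stands in for the restore-point GUID).
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\Program Files\Desktop Defender 2010\Desktop Defender 2010.exe) Good: (Explorer.exe) -> No action taken.
Files Infected:
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\VNbL.dll (Trojan.Dropper) -> No action taken.
C:\System Volume Information\_restore{GUID}\RP808\A0112341.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\WINDOWS\system32\wsaupdater.exe (Trojan.Agent) -> No action taken.
"""

SECTION = re.compile(r"^(?P<name>.+) Infected:$")
ENTRY = re.compile(r"^(?P<target>.+?) \((?P<family>[\w.]+)\) -> (?P<rest>.+)$")
HIJACK = re.compile(r"^Bad: \((?P<bad>.+?)\) Good: \((?P<good>.+?)\) -> (?P<action>.+)$")

def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it was listed under."""
    records, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        m = ENTRY.match(line)
        if not m or section is None:
            continue  # blank lines, "(No malicious items detected)", anything unparsed
        rec = {"section": section, "target": m.group("target"), "family": m.group("family"),
               "action": m.group("rest"), "bad": None, "good": None}
        h = HIJACK.match(m.group("rest"))
        if h:  # "Bad: (...) Good: (...)" form used for hijacked registry data
            rec.update(bad=h.group("bad"), good=h.group("good"), action=h.group("action"))
        records.append(rec)
    return records

def shell_hijacks(records):
    """Winlogon Shell entries whose current (Bad) value is not the expected Explorer.exe."""
    return [(r["target"], r["bad"], r["good"]) for r in records
            if r["family"] == "Hijack.Shell" and r["bad"] and r["bad"].lower() != r["good"].lower()]

def restore_point_hits(records):
    """Detections that exist only in System Restore snapshots, not on the live system."""
    return [r["target"] for r in records if r["target"].lower().startswith(r"c:\system volume information\_restore")]
```

Restore-point hits are cleaned by purging old restore points after the live infections are removed; the Shell hijack is what relaunches the rogue at every logon, so it is the first item to verify after cleanup.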