Malware and HelpAssistant


5 replies to this topic

#1 peefyloo

  • Members
  • 6 posts

Posted 24 January 2010 - 05:20 AM

I had a massive problem a couple of days ago. I got the Netsky malware. I deleted some files and ended up modifying the winlogon so that I wasn't able to log in to Windows; as soon as I logged in, it would log me out. I used ERD 5.0 to get back to a restore point. I have scanned my PC with Kaspersky and Vipre/Sunbelt CounterSpy (I only use it for on-demand scanning). Removed everything I could. Sometimes I get a blue screen that says "hard error" and I have to restart. The system is very slow. BTW... I run XP SP3.

I also have a folder called HelpAssistant in my Documents and Settings folder. Should I just delete it? I went to My Computer -> Manage and went into Users and disabled it... but after reboot I check it again and it's allowed.

I couldn't get ComboFix to run. It created a folder in C:\, but didn't do anything else.

I ran mbr.exe which then told me to use the -f command...

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x895bafa8
NDIS: SiS 900 PCI Fast Ethernet Adapter -> SendCompleteHandler -> 0x89580330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x09519240
malicious code @ sector 0x09519243 !
PE file found in sector at 0x09519259 !
Use "Recovery Console" command "fixmbr" to clear infection !


Then MBAM...

Malwarebytes' Anti-Malware 1.44
Database version: 3618
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/23/2010 12:34:45 PM
mbam-log-2010-01-23 (12-34-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 266956
Time elapsed: 4 hour(s), 10 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 47

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\Program Files\Desktop Defender 2010\Desktop Defender 2010.exe) Good: (Explorer.exe) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\VNbL.dll (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\CM29MN3D\eU230d9c2eH76140f61V03007f35002Rd9f71314102T3d419adbQ000002fc901800F0020000aJ0d000601l0409K8f8dbc5f3180[1] (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Kyle\Local Settings\temp\VNbL.dll (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Kyle\Local Settings\Temporary Internet Files\Content.IE5\CM29MN3D\eU230d9c2eH76140f61V03007f35002Rd9f71314102T3d419adbQ000002fc901800F0020000aJ0d000601l0409K8f8dbc5f3180[1] (Trojan.Dropper) -> No action taken.
C:\32788R22FWJFW\Combo-Fix.sys (Malware.Trace) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP789\A0099677.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP789\A0100676.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP789\A0100705.exe (Rogue.DesktopDefender) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP789\A0100712.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP789\A0100726.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP804\A0101961.dll (Trojan.Pakes) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP804\A0101964.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP804\A0101972.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP804\A0102202.dll (Trojan.Dropper) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP804\A0102258.exe (Malware.Tool) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP804\A0102277.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP807\A0110096.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP807\A0110083.dll (Trojan.Pakes) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP807\A0110087.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP807\A0110326.dll (Trojan.Dropper) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP807\A0110414.exe (Malware.Tool) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP807\A0110435.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0111032.dll (Trojan.Pakes) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0111035.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0111044.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0111272.dll (Trojan.Dropper) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0111330.exe (Malware.Tool) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0111351.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0112022.dll (Trojan.Pakes) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0112025.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0112033.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0112261.dll (Trojan.Dropper) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0112319.exe (Malware.Tool) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0112341.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0113143.dll (Trojan.Dropper) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP808\A0113207.exe (Malware.Tool) -> No action taken.
C:\System Volume Information\_restore{A2B5E9CF-92AF-4FB7-B044-4774DC88DDCA}\RP809\A0113451.dll (LSP.Hijacker) -> No action taken.
C:\WINDOWS\system32\YMSG13.dll (Trojan.Pakes) -> No action taken.
C:\WINDOWS\system32\wsaupdater.exe (Trojan.Agent) -> No action taken.


Not sure what else to do

Edited by peefyloo, 24 January 2010 - 09:22 AM.



#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 24 January 2010 - 04:27 PM

Please note the message text in blue at the top of this forum.

No one should be using ComboFix unless instructed to do so by a Malware Removal Expert. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

With that said, open Windows Explorer and rename C:\mbr.log to C:\mbrold.txt <- if the extension does not show, you need to Reconfigure Windows to show hidden file extensions for known file types.

Make sure mbr.exe is placed in the root directory, usually C:\ <- (Important!).
Then go to Start > Run..., and in the Open dialog box, type: cmd
press Ok.
The command prompt needs to be at the root directory (C:\>_). To do that, type: cd \
press Enter.
At the command prompt C:\>_, type: mbr.exe -f
(make sure you have a space before the e and the -f)
press Enter.
At the command prompt, type: exit
press Enter.

A new report will be created at C:\mbr.log. Please copy and paste the results in your next reply.

Rescan again with Malwarebytes Anti-Malware (Quick Scan) in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

The database in your previous log shows 3618. Last I checked it was 3627.

If you cannot update through the program's interface and have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, be aware that mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating, is to install MBAM on a clean computer, launch the program, update through MBAM's interface, copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
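The reply above asks for the new C:\mbr.log after `mbr.exe -f` and, in the next post, shows what a successful run looks like. The following is an added example, not code from the thread or from Gmer: a small parser for mbr.exe's report format that pulls out the hooked kernel objects, the sector numbers, and whether the tool printed "original MBR restored successfully", and then maps that to the next step (reboot and rescan, or boot the Recovery Console for fixmbr). The two sample reports embedded in it are the ones quoted in this thread; the field names and the verdict labels are this example's own.

```python
import re

# Constructed sample input: the two mbr.exe (Gmer 0.3.7) reports quoted in this
# thread. Hook addresses and sector numbers are taken from the posts above.
LOG_NOT_FIXED = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x895bafa8
NDIS: SiS 900 PCI Fast Ethernet Adapter -> SendCompleteHandler -> 0x89580330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x09519240
malicious code @ sector 0x09519243 !
PE file found in sector at 0x09519259 !
Use "Recovery Console" command "fixmbr" to clear infection !
"""

LOG_RESTORED = r"""device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x88214ea0
NDIS: Intel PRO/1000 CT Network Connection -> SendCompleteHandler -> 0x88251190
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0DF8F900
malicious code @ sector 0x0DF8F903 !
PE file found in sector at 0x0DF8F919 !
original MBR restored successfully !
"""

# Hook lines are "<object> -> <address>" or "<object> -> <handler> -> <address>"
HOOK_RE = re.compile(r"^(.+?) -> (?:(.+?) -> )?(0x[0-9A-Fa-f]+)\s*$")
SECTOR_RE = re.compile(r"sector(?: at)? (0x[0-9A-Fa-f]+)")


def _sector(line):
    m = SECTOR_RE.search(line)
    return int(m.group(1), 16) if m else None


def parse_mbr_log(text):
    """Turn an mbr.exe report into a dict of the facts a responder acts on."""
    report = {
        "hooks": [],               # kernel objects the tool saw hooked
        "warning": False,          # "possible MBR rootkit infection"
        "user_kernel_mbr_ok": False,
        "copy_sector": None,       # where the saved original MBR was found
        "malicious_sector": None,  # start of the rootkit's on-disk code
        "pe_sector": None,         # embedded PE image on disk
        "restored": False,         # only printed after a successful -f run
        "fixmbr_advised": False,   # tool asked for Recovery Console fixmbr
    }
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "detected MBR rootkit hooks:":
            in_hooks = True
            continue
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                report["hooks"].append({"object": m.group(1),
                                        "handler": m.group(2),
                                        "address": int(m.group(3), 16)})
                continue
            in_hooks = False  # first non-hook line ends the block
        if line.startswith("Warning: possible MBR rootkit infection"):
            report["warning"] = True
        elif line.startswith("user & kernel MBR OK"):
            report["user_kernel_mbr_ok"] = True
        elif line.startswith("copy of MBR has been found in sector"):
            report["copy_sector"] = _sector(line)
        elif line.startswith("malicious code @ sector"):
            report["malicious_sector"] = _sector(line)
        elif line.startswith("PE file found in sector"):
            report["pe_sector"] = _sector(line)
        elif line.startswith("original MBR restored successfully"):
            report["restored"] = True
        elif "fixmbr" in line:
            report["fixmbr_advised"] = True
    return report


def triage(report):
    """Map a parsed report to the next step this thread's moderator asks for."""
    if report["restored"]:
        return "restored"          # reboot, then rescan to confirm the hooks are gone
    if report["malicious_sector"] is not None or report["fixmbr_advised"]:
        return "fixmbr_required"   # -f did not clean it: boot the Recovery Console
    if report["hooks"] or report["warning"]:
        return "hooks_only"        # suspicious, but no on-disk rootkit body located
    return "clean"


if __name__ == "__main__":
    for name, log in (("posted log", LOG_NOT_FIXED), ("expected -f log", LOG_RESTORED)):
        r = parse_mbr_log(log)
        print(f"{name}: {len(r['hooks'])} hook(s), verdict = {triage(r)}")
```

The hook addresses are kept as integers so a report can be diffed against the previous run: the same two hooks at new addresses after a reboot means the rootkit is still loading, whatever the "MBR OK" line says.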

#3 peefyloo
  • Topic Starter

  • Members
  • 6 posts

Posted 24 January 2010 - 11:59 PM

MBAM:

Malwarebytes' Anti-Malware 1.44
Database version: 3631
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/24/2010 10:55:50 PM
mbam-log-2010-01-24 (22-55-44).txt

Scan type: Quick Scan
Objects scanned: 167967
Time elapsed: 24 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\Program Files\Desktop Defender 2010\Desktop Defender 2010.exe) Good: (Explorer.exe) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\YMSG13.dll (Trojan.Pakes) -> No action taken.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\VNbL.dll (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Kyle\Local Settings\temp\VNbL.dll (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\CM29MN3D\eU230d9c2eH76140f61V03007f35002Rd9f71314102T3d419adbQ000002fc901800F0020000aJ0d000601l0409K8f8dbc5f3180[1] (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Kyle\Local Settings\Temporary Internet Files\Content.IE5\CM29MN3D\eU230d9c2eH76140f61V03007f35002Rd9f71314102T3d419adbQ000002fc901800F0020000aJ0d000601l0409K8f8dbc5f3180[1] (Trojan.Dropper) -> No action taken.
C:\WINDOWS\system32\wsaupdater.exe (Trojan.Agent) -> No action taken.


MBR:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x895bafa8
NDIS: SiS 900 PCI Fast Ethernet Adapter -> SendCompleteHandler -> 0x89580330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x09519240
malicious code @ sector 0x09519243 !
PE file found in sector at 0x09519259 !
Use "Recovery Console" command "fixmbr" to clear infection !



#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 25 January 2010 - 09:18 AM

Did you post the correct log? It should have been similar to this:

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x88214ea0
NDIS: Intel® PRO/1000 CT Network Connection -> SendCompleteHandler -> 0x88251190
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0DF8F900
malicious code @ sector 0x0DF8F903 !
PE file found in sector at 0x0DF8F919 !
original MBR restored successfully !

If you did post correctly, then it appears you will need to do the following.

You can fix the Master Boot Record with the Windows XP Recovery Console.
  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • Watch for "Press any key to boot from CD" and then press any key to force the computer to boot from the Windows CD. If you do not press a key, the computer will continue to boot up normally. If that happens, try to boot to the Windows XP CD again.
  • When the "Welcome to Setup" screen appears, press R to enter the Recovery Console.
  • The Recovery Console will load and ask which Windows installation would you like to log onto.
  • In most cases, you will enter 1 (which will be the only choice). Note: If you press Enter without typing a number, Recovery Console will quit and restart your computer.
  • If prompted, type in your Administrator password and press Enter. If there is no password, leave it blank and just press enter.
  • At the Recovery Console command prompt, type: fixmbr and then verify that you want to proceed.
  • When finished, remove the XP CD, type exit and press enter to restart the computer.
Vista users can refer to How to fix MBR in Windows XP and Vista <-includes screenshots for both Vista and XP

If you want to install the Recovery Console directly onto your computer so that it is readily available in the future in case you need it again, refer to the How to install and use the Windows XP Recovery Console tutorial.

If you don't have your XP CD you can download an ISO of the Recovery Console files from one of these locations:
Burn it as an image to a disk to get a bootable CD which will start up the Recovery Console for troubleshooting and fixing purposes. This is especially useful for those with OEM systems with factory restore partitions or disks but no original installation CD. If you are not sure how to burn an image, please refer to How to write a CD/DVD image or ISO and Creating A Windows XP Recovery Console CD Image.
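The fixmbr step above repairs the master boot code, and the question that follows in the thread is whether that costs any data. The following is an added example, not code from the thread or from Microsoft's Recovery Console: it models the standard 512-byte MBR layout (bootstrap code in bytes 0..439, NT disk signature at 440, four 16-byte partition entries from 446, 0x55AA at 510), compares a sector against a known-good bootstrap the way a rootkit checker does, and then performs the same kind of rewrite fixmbr does, replacing only the bootstrap while the partition table and signatures pass through untouched. Both sample sectors are constructed for the demo, the "tampered" bytes are a stand-in jump and not a real rootkit loader, and the assumption that the XP Recovery Console preserves the 4-byte disk signature is this example's, not something the thread states.

```python
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440              # bootstrap code, the part fixmbr rewrites
DISK_SIG_OFF = 440               # 4-byte NT disk signature + 2 reserved bytes
PARTITION_TABLE_OFF = 446        # four 16-byte partition entries
BOOT_SIG_OFF = 510               # 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count


def partition_entries(mbr):
    """Decode the four partition slots; empty slots (type 0) are skipped."""
    entries = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, PARTITION_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue
        entries.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def check_mbr(mbr, reference_boot_code):
    """Compare a 512-byte sector with a known-good bootstrap and report what differs."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    return {
        "signature_ok": mbr[BOOT_SIG_OFF:] == BOOT_SIGNATURE,
        "boot_code_ok": mbr[:BOOT_CODE_LEN] == reference_boot_code,
        "partitions": partition_entries(mbr),
    }


def rewrite_boot_code(mbr, clean_boot_code):
    """Model of what fixmbr does: replace bytes 0..439 only.

    The disk signature, partition table and 0x55AA at 440..511 are returned
    unchanged, which is why the repair does not touch partition data.
    (Assumption: the XP Recovery Console keeps the disk signature as well.)
    """
    if len(clean_boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly 440 bytes")
    return clean_boot_code + mbr[BOOT_CODE_LEN:]


def build_samples():
    """Constructed clean and tampered MBRs for the demo; not real disk images."""
    # xor ax,ax / mov ss,ax / mov sp,0x7c00 followed by NOP padding
    clean_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"
    # one bootable NTFS (type 0x07) partition starting at LBA 63
    table = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        63, 20_000_000)
    table += b"\x00" * 48
    clean = clean_code + disk_sig + table + BOOT_SIGNATURE
    assert len(clean) == MBR_SIZE
    # tampered copy: first bytes of the bootstrap replaced by a jump (constructed
    # stand-in for a rootkit loader); the partition table is left as it was
    tampered = bytearray(clean)
    tampered[0:5] = b"\xe9\x00\x01\x90\x90"
    return clean, bytes(tampered)


if __name__ == "__main__":
    clean, tampered = build_samples()
    before = check_mbr(tampered, clean[:BOOT_CODE_LEN])
    print("tampered:", before)
    repaired = rewrite_boot_code(tampered, clean[:BOOT_CODE_LEN])
    print("repaired == clean:", repaired == clean)
```

Run against a real sector (for instance, 512 bytes read from \\.\PhysicalDrive0 with a raw-disk tool), the same check_mbr call tells you whether the bootstrap or the partition table is what changed; on this thread's machine the interesting sectors are the ones mbr.exe reported far past the MBR, which this layout check does not cover.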

#5 peefyloo
  • Topic Starter

  • Members
  • 6 posts

Posted 25 January 2010 - 02:40 PM

Will the Recovery Console do anything bad to my PC? Will I lose any info?

#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 25 January 2010 - 02:46 PM

You shouldn't as long as you follow the instructions.

What is the Recovery Console
How to install and use the Windows XP Recovery Console
How to install and use the Recovery Console in Windows XP



