MBR Rootkit detected. Issues with Helpassistant folder


This topic is locked
53 replies to this topic

#1 steeler6 (Members, 28 posts)

Posted 25 January 2010 - 09:12 PM

Started to see performance issues (particularly with internet access freezing up, then all functions freezing up, requiring hard power-down). Noticed C: drive had no remaining storage space and thought I had just over-loaded it with home movies, pictures, music etc. I started to transfer files over to F: drive, did not get the increase in storage space on C: that I expected. Found a new user "Helpassistant" that seemed to be duplicating all of my user files and consuming memory. Googled "help assistant issues" and thought I could disable and/or delete the "help assistant user". Tried multiple times but it has continued to come back and consume resources. Researched some more and found other people with similar issues pointing to this rootkit. Seems very serious and I'd love to be able to get rid of it, but that is clearly above my pay-grade.

By the way - you've made the process so far "dummy proof" - the instructions to get this far are excellent. Thanks for the help

Here are the requested logs.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Matt & Karen at 20:40:21.06 on Mon 01/25/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.318 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\system32\dlcicoms.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Dell AIO Printer 946\dlcimon.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Matt & Karen\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SB Audigy 2 Startup Menu] /L:ENG
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [vmmonitor] c:\docume~1\alluse~1\applic~1\dellfa~1\vmmonitor.exe -mode=background -check=memory
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [DLCICATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCItime.dll,_RunDLLEntry@16
mRun: [dlcimon.exe] "c:\program files\dell aio printer 946\dlcimon.exe"
mRun: [FaxCenterServer] "c:\program files\dell fax solutions\fm3032.exe" /s
mRun: [EverioService] "c:\program files\cyberlink\pcm4everio\EverioService.exe"
mRun: [UpdatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" update "software\cyberlink\powerproducer\5.0"
mRun: [medicsp2] c:\program files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: amazon.com\www
Trusted Zone: internet
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: msn.com\moneycentral
Trusted Zone: turbotax.com
Trusted Zone: usairways.com\www
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://moneycentral.msn.com/cabs/pmupd806.exe
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158796671640
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} - hxxps://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D4F3F795-7712-4D92-91DF-AEB055D8AC73} - hxxp://rms2.invokesolutions.com/events/bin/comptest/4.1.0.34000/MILiveCompTest.ocx
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://rms2.invokesolutions.com/events/bin/6.0.0.1448/MILive.cab
DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://cvs.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
R2 dlci_device;dlci_device;c:\windows\system32\dlcicoms.exe -service --> c:\windows\system32\dlcicoms.exe -service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-18 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-7-18 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-7-18 144704]
R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [2009-2-24 202280]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-7-18 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-18 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-18 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-18 40552]
S3 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-2-18 266240]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-18 34248]
S3 NUVision;Pinnacle DVC 80 Video;c:\windows\system32\drivers\nuvvid2.sys [2006-2-18 155264]

=============== Created Last 30 ================

2010-01-26 01:23:15 0 d-----w- c:\windows\system32\NtmsData
2010-01-24 16:15:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-13 11:42:07 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-28 15:26:24 51064 ---ha-w- c:\windows\system32\mlfcache.dat

==================== Find3M ====================

2010-01-19 22:39:58 1212 ----a-w- c:\docume~1\matt&k~1\applic~1\wklnhst.dat
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
1998-05-12 00:01:00 6208 ----a-w- c:\program files\setup4.dll
2008-08-25 23:33:28 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082520080826\index.dat

============= FINISH: 20:41:14.96 ===============

#2 steeler6 (Topic Starter)

Posted 30 January 2010 - 09:28 AM

Looking for insight/ETA on help with this issue? Have been down for 5 days - should I continue to wait for help or move on?

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 31 January 2010 - 10:30 AM.


#3 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 01 February 2010 - 07:36 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

m0le is a proud member of UNITE

#4 steeler6 (Topic Starter)

Posted 03 February 2010 - 07:20 AM

Thanks - I am here.

#5 m0le (Malware Response Team)

Posted 03 February 2010 - 08:31 AM

The MBR rootkit is definitely there. Let's remove the threat with Combofix. This is a powerful tool so please read the following carefully. If you are not sure of something then ask.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks

m0le is a proud member of UNITE

#6 steeler6 (Topic Starter)

Posted 03 February 2010 - 07:33 PM

Have tried to download ComboFix from all 3 sites. Continue to get the same response that my security settings will not allow me to download the program. McAfee Security Center is disabled (I've scrolled down in the MSC menus and all items are turned off). Windows Firewall is disabled. All MS Internet security settings are set to low. I've tried restarting IE, I've tried restarting the computer after changing the security settings, I've run out of ideas. Are there other things I need to turn off so I can download ComboFix?


#7 m0le (Malware Response Team)

Posted 03 February 2010 - 08:00 PM

One particular rootkit, TDSS, stops Combofix, so let's run TDSSKiller.
  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to leave the file alone.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here (or attach it).

m0le is a proud member of UNITE

#8 steeler6 (Topic Starter)

Posted 03 February 2010 - 08:03 PM

Was able to get Combo-Fix by enabling just about everything (scripting etc.) in my internet settings. Felt very, very weird to do that, and my computer is giving me all kinds of security warnings... so I hope it was worth it. Here is the log. Thanks again

ComboFix 10-02-03.04 - Matt & Karen 02/03/2010 19:48:32.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.527 [GMT -5:00]
Running from: c:\documents and settings\Matt & Karen\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\Temp

.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
.

2010-02-02 13:08 . 2010-02-02 13:08 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-02-02 13:07 . 2010-02-02 13:07 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-02-02 11:41 . 2010-02-02 11:41 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2010-02-02 11:41 . 2010-02-02 11:41 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2010-02-02 11:41 . 2009-07-18 12:39 61224 ----a-w- c:\documents and settings\HelpAssistant\GoToAssistDownloadHelper.exe
2010-01-26 01:23 . 2010-01-26 01:28 -------- d-----w- c:\windows\system32\NtmsData
2010-01-24 16:10 . 2010-01-24 16:10 152576 ----a-w- c:\documents and settings\Matt & Karen\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-24 16:10 . 2010-01-24 16:10 79488 ----a-w- c:\documents and settings\Matt & Karen\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-13 11:42 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-07 01:58 . 2010-01-28 02:25 147144 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-04 00:26 . 2007-07-28 15:12 -------- d-----w- c:\program files\Dl_cats
2010-02-04 00:25 . 2006-02-19 01:31 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-02-04 00:25 . 2006-02-19 01:31 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-02-03 01:06 . 2009-12-03 01:43 1808 ----a-w- c:\documents and settings\Matt & Karen\Application Data\wklnhst.dat
2010-02-02 11:38 . 2009-07-18 14:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-01-30 17:37 . 2007-05-17 00:56 66328 ----a-w- c:\documents and settings\Lindsay\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-24 16:14 . 2006-02-18 15:29 -------- d-----w- c:\program files\Java
2010-01-23 19:20 . 2006-02-12 21:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-23 19:20 . 2006-02-19 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2010-01-23 15:08 . 2009-08-18 19:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-20 15:50 . 2009-02-07 22:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-31 01:04 . 2006-02-13 00:22 -------- d-----w- c:\documents and settings\Matt & Karen\Application Data\MSN6
2009-12-28 15:26 . 2009-12-28 15:26 51064 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-26 19:52 . 2006-10-05 17:30 -------- d-----w- c:\documents and settings\Matt & Karen\Application Data\Apple Computer
2009-12-26 15:46 . 2009-12-26 15:45 -------- d-----w- c:\program files\iTunes
2009-12-26 15:46 . 2009-12-26 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-26 15:45 . 2009-12-26 15:45 -------- d-----w- c:\program files\iPod
2009-12-26 15:45 . 2007-12-08 13:45 -------- d-----w- c:\program files\Common Files\Apple
2009-12-26 15:43 . 2009-12-26 15:42 -------- d-----w- c:\program files\QuickTime
2009-12-21 19:14 . 2005-10-21 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-13 17:40 . 2006-12-27 17:42 -------- d-----w- c:\program files\TurboTax
2009-12-10 11:55 . 2008-04-23 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-03 01:43 . 2006-02-14 12:26 66328 ----a-w- c:\documents and settings\Matt & Karen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 15:51 . 2003-07-16 16:17 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-12 22:07 . 2009-11-12 22:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
1998-05-12 00:01 . 2006-02-12 22:59 6208 ----a-w- c:\program files\setup4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTHelper"="CTHELPER.EXE" [2003-02-20 28672]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"AsioReg"="CTASIO.DLL" [2003-02-20 110592]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"DLCICATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCItime.dll" [2006-10-20 73728]
"dlcimon.exe"="c:\program files\Dell AIO Printer 946\dlcimon.exe" [2006-12-08 435080]
"FaxCenterServer"="c:\program files\Dell Fax Solutions\fm3032.exe" [2006-12-08 312200]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-23 151552]
"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2008-02-22 222504]
"medicsp2"="c:\program files\twc\medicsp2\bin\sprtcmd.exe" [2007-03-07 198184]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlcicoms.exe"=
"c:\\Program Files\\Dell AIO Printer 946\\dlcimon.exe"=
"c:\\Program Files\\Dell AIO Printer 946\\dlciaiox.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R2 dlci_device;dlci_device;c:\windows\system32\dlcicoms.exe -service --> c:\windows\system32\dlcicoms.exe -service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/18/2009 9:20 AM 210216]
R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [2/24/2009 8:44 AM 202280]
S3 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2/18/2009 2:23 PM 266240]
S3 NUVision;Pinnacle DVC 80 Video;c:\windows\system32\drivers\nuvvid2.sys [2/18/2006 7:36 PM 155264]
.
Contents of the 'Scheduled Tasks' folder

2010-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2009-07-18 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-18 16:22]

2010-01-23 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-18 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: amazon.com\www
Trusted Zone: internet
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: msn.com\moneycentral
Trusted Zone: turbotax.com
Trusted Zone: usairways.com\www
DPF: {D4F3F795-7712-4D92-91DF-AEB055D8AC73} - hxxp://rms2.invokesolutions.com/events/bin/comptest/4.1.0.34000/MILiveCompTest.ocx
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://rms2.invokesolutions.com/events/bin/6.0.0.1448/MILive.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SB Audigy 2 Startup Menu - (no file)
HKCU-Run-vmmonitor - c:\docume~1\ALLUSE~1\APPLIC~1\DELLFA~1\vmmonitor.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-03 19:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCICATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x872A1938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7745f28
\Driver\ACPI -> ACPI.sys @ 0xf7698cb8
\Driver\atapi -> 0x872a1938
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Intel® PRO/1000 MT Network Connection -> SendCompleteHandler -> 0x866d9330
PacketIndicateHandler -> NDIS.sys @ 0xf7543a21
SendHandler -> NDIS.sys @ 0xf752187b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0FFFEB05
malicious code @ sector 0x0FFFEB08 !
PE file found in sector at 0x0FFFEB1E !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4220)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-03 19:59:56
ComboFix-quarantined-files.txt 2010-02-04 00:59

Pre-Run: 17,382,096,896 bytes free
Post-Run: 17,781,628,928 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - FE5C33620D8BF1C960E2F0D81243A1FA


#9 m0le

  • Malware Response Team

Posted 04 February 2010 - 06:43 PM

Please rerun Gmer and post the log. The Combofix log is contradictory about whether the rootkit has been removed.

#10 steeler6

  • Topic Starter

Posted 04 February 2010 - 06:53 PM

Have tried to run Gmer twice (all active security programs are off). It scans for about 45 minutes (runs through a lot of files) and then I get the Windows "blue screen of death" before it completes the scan - and I have to power-down the computer. Tried starting up in "safe mode" and each time "safe mode" locks up at the initial black screen after scrolling through a few "sys 32" files.

Edited by steeler6, 05 February 2010 - 07:12 AM.


#11 steeler6

  • Topic Starter

Posted 05 February 2010 - 08:49 PM

Tried running Gmer again. Got the Windows "blue screen of death" again. Noted that the error message on the blue screen said: "Problem caused by file pflyqKob.sys page fault in non paged area Stop 0x00000050 (0xE4A9D0000 0x0000000 0xB0EECC3E 0x0000000".

Then tried running Gmer in safe mode; however, I unchecked the "files" button in Gmer and got the following log. I don't know if it is what you expected or not, but it seemed awfully short (I did notice the file name at the end seemed to be the one that caused the blue screen of death issue).

Also, if it is important: when I came out of safe mode and tried to log on to the internet through regular Windows, my modem was no longer working. I tried resetting it multiple times. Finally got a diagnostic tool which detected that somehow my settings were set to work offline. I don't know what that means or why it happened, but the tool provided by my cable/internet service provider automatically fixed it.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-05 19:38:30
Windows 5.1.2600 Service Pack 3
Running: x0fwv1l7.exe; Driver: C:\DOCUME~1\MATT&K~1\LOCALS~1\Temp\pflyqkob.sys


---- Threads - GMER 1.0.15 ----

Thread System [4:212] 87136EAB

---- EOF - GMER 1.0.15 ----


#12 m0le

  • Malware Response Team

Posted 05 February 2010 - 09:12 PM

The file is Gmer running under a false name to protect itself from malware.

I'm going to ask you to run Combofix again with a script.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
MBR::

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Let's see what that shows.

#13 steeler6

  • Topic Starter

Posted 05 February 2010 - 09:35 PM

Here is the log Thank you.

ComboFix 10-02-03.04 - Matt & Karen 02/05/2010 21:22:49.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.551 [GMT -5:00]
Running from: c:\documents and settings\Matt & Karen\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.

2010-02-04 00:43 . 2010-02-04 01:00 -------- d-----w- C:\Combo-Fix
2010-02-02 13:08 . 2010-02-02 13:08 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-02-02 13:07 . 2010-02-02 13:07 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-02-02 11:41 . 2010-02-02 11:41 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2010-02-02 11:41 . 2010-02-02 11:41 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2010-02-02 11:41 . 2009-07-18 12:39 61224 ----a-w- c:\documents and settings\HelpAssistant\GoToAssistDownloadHelper.exe
2010-01-26 01:23 . 2010-01-26 01:28 -------- d-----w- c:\windows\system32\NtmsData
2010-01-24 16:10 . 2010-01-24 16:10 152576 ----a-w- c:\documents and settings\Matt & Karen\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-24 16:10 . 2010-01-24 16:10 79488 ----a-w- c:\documents and settings\Matt & Karen\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-13 11:42 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-06 02:18 . 2007-07-28 15:12 -------- d-----w- c:\program files\Dl_cats
2010-02-06 00:20 . 2006-02-19 01:31 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-02-06 00:20 . 2006-02-19 01:31 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-02-05 02:20 . 2009-07-18 14:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-02-03 01:06 . 2009-12-03 01:43 1808 ----a-w- c:\documents and settings\Matt & Karen\Application Data\wklnhst.dat
2010-01-30 17:37 . 2007-05-17 00:56 66328 ----a-w- c:\documents and settings\Lindsay\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-28 02:25 . 2010-01-07 01:58 147144 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-24 16:14 . 2006-02-18 15:29 -------- d-----w- c:\program files\Java
2010-01-23 19:20 . 2006-02-12 21:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-23 19:20 . 2006-02-19 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2010-01-23 15:08 . 2009-08-18 19:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-20 15:50 . 2009-02-07 22:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-31 01:04 . 2006-02-13 00:22 -------- d-----w- c:\documents and settings\Matt & Karen\Application Data\MSN6
2009-12-28 15:26 . 2009-12-28 15:26 51064 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-26 19:52 . 2006-10-05 17:30 -------- d-----w- c:\documents and settings\Matt & Karen\Application Data\Apple Computer
2009-12-26 15:46 . 2009-12-26 15:45 -------- d-----w- c:\program files\iTunes
2009-12-26 15:46 . 2009-12-26 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-26 15:45 . 2009-12-26 15:45 -------- d-----w- c:\program files\iPod
2009-12-26 15:45 . 2007-12-08 13:45 -------- d-----w- c:\program files\Common Files\Apple
2009-12-26 15:43 . 2009-12-26 15:42 -------- d-----w- c:\program files\QuickTime
2009-12-21 19:14 . 2005-10-21 17:51 916480 ------w- c:\windows\system32\wininet.dll
2009-12-13 17:40 . 2006-12-27 17:42 -------- d-----w- c:\program files\TurboTax
2009-12-10 11:55 . 2008-04-23 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-03 01:43 . 2006-02-14 12:26 66328 ----a-w- c:\documents and settings\Matt & Karen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 15:51 . 2003-07-16 16:17 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-12 22:07 . 2009-11-12 22:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
1998-05-12 00:01 . 2006-02-12 22:59 6208 ----a-w- c:\program files\setup4.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-02-04_00.55.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-06 02:08 . 2010-02-06 02:08 16384 c:\windows\Temp\Perflib_Perfdata_a64.dat
+ 2010-02-06 02:07 . 2010-02-06 02:07 16384 c:\windows\Temp\Perflib_Perfdata_200.dat
+ 2006-02-12 21:32 . 2010-02-06 00:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-02-12 21:32 . 2010-02-04 00:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-02-04 11:35 . 2010-02-06 00:05 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTHelper"="CTHELPER.EXE" [2003-02-20 28672]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"AsioReg"="CTASIO.DLL" [2003-02-20 110592]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"DLCICATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCItime.dll" [2006-10-20 73728]
"dlcimon.exe"="c:\program files\Dell AIO Printer 946\dlcimon.exe" [2006-12-08 435080]
"FaxCenterServer"="c:\program files\Dell Fax Solutions\fm3032.exe" [2006-12-08 312200]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-23 151552]
"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2008-02-22 222504]
"medicsp2"="c:\program files\twc\medicsp2\bin\sprtcmd.exe" [2007-03-07 198184]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlcicoms.exe"=
"c:\\Program Files\\Dell AIO Printer 946\\dlcimon.exe"=
"c:\\Program Files\\Dell AIO Printer 946\\dlciaiox.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R2 dlci_device;dlci_device;c:\windows\system32\dlcicoms.exe -service --> c:\windows\system32\dlcicoms.exe -service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/18/2009 9:20 AM 210216]
R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [2/24/2009 8:44 AM 202280]
S3 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2/18/2009 2:23 PM 266240]
S3 NUVision;Pinnacle DVC 80 Video;c:\windows\system32\drivers\nuvvid2.sys [2/18/2006 7:36 PM 155264]
.
Contents of the 'Scheduled Tasks' folder

2010-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2009-07-18 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-18 16:22]

2010-01-23 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-18 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: amazon.com\www
Trusted Zone: internet
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: msn.com\moneycentral
Trusted Zone: turbotax.com
Trusted Zone: usairways.com\www
DPF: {D4F3F795-7712-4D92-91DF-AEB055D8AC73} - hxxp://rms2.invokesolutions.com/events/bin/comptest/4.1.0.34000/MILiveCompTest.ocx
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://rms2.invokesolutions.com/events/bin/6.0.0.1448/MILive.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-05 21:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCICATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x870527C0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7745f28
\Driver\ACPI -> ACPI.sys @ 0xf7698cb8
\Driver\atapi -> 0x870527c0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Intel® PRO/1000 MT Network Connection -> SendCompleteHandler -> 0x85f60330
PacketIndicateHandler -> NDIS.sys @ 0xf7543a21
SendHandler -> NDIS.sys @ 0xf752187b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0FFFEB05
malicious code @ sector 0x0FFFEB08 !
PE file found in sector at 0x0FFFEB1E !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4628)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-05 21:33:31
ComboFix-quarantined-files.txt 2010-02-06 02:33
ComboFix2.txt 2010-02-04 00:59

Pre-Run: 17,727,610,880 bytes free
Post-Run: 17,710,374,912 bytes free

- - End Of File - - 9DE61E6CBFD21AC720170D122634861A

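Two parts of the ComboFix log above (and of the earlier one in post #8) are worth checking mechanically rather than by eye: the firewall section, which records EnableFirewall=0 and four high TCP ports opened globally under the generic label "Services", and the Gmer MBR-detector section, where \Driver\atapi is hooked to a bare address that no driver file accounts for, an UNKNOWN module sits in the disk I/O call chain, and a copy of the MBR plus a PE image are reported at high sector numbers. The Python script below is an added example written for this page; it is not part of ComboFix, Gmer or the thread. It parses a constructed excerpt in the same layout (values copied from the posted log) and lists those indicators. The allowlist of standard XP firewall rule labels and the 512-byte sector size are assumptions.

```python
import re

# Constructed sample: an excerpt in the shape of the ComboFix/Gmer output posted in
# this thread (values copied from that log; this is not a live capture).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x870527C0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7745f28
\Driver\ACPI -> ACPI.sys @ 0xf7698cb8
\Driver\atapi -> 0x870527c0
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0FFFEB05
malicious code @ sector 0x0FFFEB08 !
PE file found in sector at 0x0FFFEB1E !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

# One globally open port line:   "65533:TCP"= 65533:TCP:Services
OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*?)\s*$', re.M)
# One Gmer hook line; the target is either a module (plus address) or a bare address:
#   \Driver\Disk -> CLASSPNP.SYS @ 0xf7745f28      \Driver\atapi -> 0x870527c0
HOOK_RE = re.compile(r'^(\\Driver\\\w+) -> (\S+)(?: @ (0x[0-9a-fA-F]+))?\s*$', re.M)
MODULE_RE = re.compile(r'^[\w.-]+\.(sys|exe|dll)$', re.I)
UNKNOWN_RE = re.compile(r'>>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<')
SECTOR_RE = re.compile(
    r'^(copy of MBR has been found in sector|malicious code @ sector|PE file found in sector at)'
    r' (0x[0-9a-fA-F]+)', re.M)
SECTOR_KEYS = {
    "copy of MBR has been found in sector": "mbr_copy",
    "malicious code @ sector": "malicious_code",
    "PE file found in sector at": "pe_file",
}
# Rule labels XP itself writes when it opens a port; anything else deserves a look.
# Assumption: a heuristic allowlist, extend it for your own environment.
KNOWN_PORT_LABELS = {"Remote Desktop", "Remote Assistance", "File and Printer Sharing", "UPnP Framework"}
SECTOR_BYTES = 512  # assumption: 512-byte sectors


def firewall_disabled(text):
    """True when the standard-profile firewall is switched off in the log."""
    return re.search(r'^"EnableFirewall"=\s*0\b', text, re.M) is not None


def parse_open_ports(text):
    """All GloballyOpenPorts entries as (port, protocol, label)."""
    return [(int(port), proto, label) for port, proto, label in OPEN_PORT_RE.findall(text)]


def suspicious_open_ports(ports):
    return [p for p in ports if p[2] not in KNOWN_PORT_LABELS]


def parse_mbr_hooks(text):
    """Gmer hook lines as (driver, target, address-or-empty)."""
    return HOOK_RE.findall(text)


def unresolved_hooks(hooks):
    """Hooks whose target is a bare address rather than a driver file: no file on disk owns that code."""
    return [(drv, target) for drv, target, _ in hooks if not MODULE_RE.match(target)]


def unknown_caller(text):
    """Address of the unnamed module Gmer saw in the disk I/O call chain, if any."""
    m = UNKNOWN_RE.search(text)
    return m.group(1) if m else None


def parse_mbr_sectors(text):
    """Sector numbers Gmer reported for the MBR copy, the loader code and the PE image."""
    return {SECTOR_KEYS[k]: int(v, 16) for k, v in SECTOR_RE.findall(text)}


def triage(text):
    """Human-readable list of the indicators found in one log."""
    findings = []
    if firewall_disabled(text):
        findings.append("EnableFirewall=0: Windows Firewall is off for the standard profile")
    for port, proto, label in suspicious_open_ports(parse_open_ports(text)):
        findings.append(f"port {port}/{proto} open globally under non-standard label '{label}'")
    for drv, target in unresolved_hooks(parse_mbr_hooks(text)):
        findings.append(f"{drv} dispatch hooked to bare address {target}")
    unknown = unknown_caller(text)
    if unknown:
        findings.append(f"unnamed module at {unknown} sits in the disk I/O call chain")
    for name, sector in parse_mbr_sectors(text).items():
        findings.append(f"{name} at sector {sector:#x} (byte offset {sector * SECTOR_BYTES:,})")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print("-", line)
```

The two MBR-detector lines that matter most are the ones the script singles out: the atapi hook whose target never resolves to a module, and the same address showing up as the UNKNOWN caller in the disk read path. Together they say that disk reads pass through code living only in memory, which is why a user-mode copy of the MBR can look clean while the on-disk copy found at 0x0FFFEB05 is the real one.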

#14 m0le

  • Malware Response Team

Posted 05 February 2010 - 09:45 PM

This looks like a new thing for the MBR rootkit.

Run SystemScan and let's see if the HelpAssistant is present

Please download SystemScan and save it to your desktop.
  • Be aware that the file name will be randomly generated (e.g. sys95769.exe) to deceive malware which may attempt to disable it.
  • If any installed security tools (anti-virus) detects the file as malware or suspicious while downloading or attempting to run, ignore the alert and allow the download.
  • Double-click on sys*****.exe to start the tool.
  • A read before proceeding disclaimer will appear.
  • Uncheck "<- Unflag the checkbox to disable updates!" next to the version number at the top.
  • After reading, check the box "I have read and agree. Please let me...proceed!", then click the Proceed button.
  • When SystemScan opens, click the "Unselect all" button.
  • Important: Under "Make your choice and than click...", check the boxes next to:
    • PC accounts
  • Everything else should be unchecked.
  • Click "Scan Now".
  • Another warning box will appear. Please follow the instructions and click Ok.
  • Please be patient while the scan is in progress.
  • Systemscan will scan your computer and create a folder named suspectfile on the Desktop to save its report.
  • When the scan is complete, Notepad will automatically open a log file named report.txt with the results.
  • Copy and paste the contents of report.txt in your next reply.


#15 steeler6

  • Topic Starter

Posted 05 February 2010 - 10:05 PM

Here you go.

SystemScan - www.suspectfile.com - ver. 3.6.7 (code: holifay & bReAkdOWn)

Running on: Windows XP PROFESSIONAL Edition, Service Pack 3 (2600.5.1)
System directory: C:\WINDOWS
SystemScan file: C:\Documents and Settings\Matt & Karen\Desktop\sys6744.exe
Running in: User mode
Date: 2/5/2010
Time: 10:01:36 PM

Output limited to:
-PC accounts

===================== ACCOUNTS ON THIS PC =====================


Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
| Guest
Yes | HelpAssistant
| James
| Lindsay
Yes | Matt & Karen
| SUPPORT_388945a0 (Disabled)

### users folders

13/02/2006 21:07:56 (DIR) 0 byte 1453 days old -- Default User
22/01/2008 19:49:37 (DIR) 0 byte 745 days old -- LocalService
25/06/2009 10:15:20 (DIR) 0 byte 225 days old -- NetworkService
15/07/2009 20:00:52 (DIR) 0 byte 205 days old -- James
18/07/2009 08:53:51 (DIR) 0 byte 202 days old -- MATTCitrixLogs
30/01/2010 13:33:46 (DIR) 0 byte 6 days old -- Lindsay
30/01/2010 13:35:01 (DIR) 0 byte 6 days old -- Matt & Karen
05/02/2010 21:10:17 (DIR) 0 byte 0 days old -- HelpAssistant
05/02/2010 21:57:55 (DIR) 0 byte 0 days old -- All Users

### startup files in users folders

C:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
C:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
C:\documents and settings\Default User\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\HelpAssistant\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\James\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Lindsay\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Matt & Karen\Start Menu\Programs\Startup\desktop.ini

==========================================
Scan completed in 0 minutes
End of report


~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~
SystemScan uses some freeware tools that remain property of their authors:

* SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts "
* dumphive (Markus Stephany)--> "Registry scan"
* Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"
* Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"
---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

Thanks to all of them for their hard work
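The SystemScan report above answers m0le's question: HelpAssistant is listed as an administrator, and the users-folders listing shows it has a profile folder modified the same day. On a stock Windows XP install HelpAssistant is the built-in Remote Assistance account, disabled by default and not a member of Administrators, and SUPPORT_388945a0 (the Help and Support Service account) ships disabled too; neither gets a profile folder unless something has logged on as it. The Python script below is an added example for this page, not part of SystemScan or the thread. It parses a constructed copy of the accounts table and users-folders listing in SystemScan's format and flags built-in support accounts that are enabled, hold administrator rights, or have acquired a profile folder. The set of built-in support account names is an assumption taken from XP defaults.

```python
import re

# Constructed sample in the format of the SystemScan "PC accounts" report posted
# above (names and ages copied from that post; this is not a live capture).
SAMPLE_REPORT = """\
Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
| Guest
Yes | HelpAssistant
| James
| Lindsay
Yes | Matt & Karen
| SUPPORT_388945a0 (Disabled)

### users folders

13/02/2006 21:07:56 (DIR) 0 byte 1453 days old -- Default User
22/01/2008 19:49:37 (DIR) 0 byte 745 days old -- LocalService
30/01/2010 13:35:01 (DIR) 0 byte 6 days old -- Matt & Karen
05/02/2010 21:10:17 (DIR) 0 byte 0 days old -- HelpAssistant
05/02/2010 21:57:55 (DIR) 0 byte 0 days old -- All Users
"""

# Built-in XP support accounts: created disabled, never members of Administrators,
# and without a profile folder unless someone has logged on as them.
# Assumption: stock XP defaults; a domain or OEM image may differ.
BUILTIN_SUPPORT_ACCOUNTS = {"HelpAssistant", "SUPPORT_388945a0"}

# One table row:  "Yes | Administrator"  or  "| SUPPORT_388945a0 (Disabled)"
ROW_RE = re.compile(r'^(Yes)?\s*\|\s*(.+?)(?:\s+\((Disabled)\))?\s*$', re.M)
# One folder line: "05/02/2010 21:10:17 (DIR) 0 byte 0 days old -- HelpAssistant"
FOLDER_RE = re.compile(
    r'^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} \(DIR\) \d+ byte (\d+) days old -- (.+?)\s*$', re.M)


def parse_accounts(text):
    """Rows of the accounts table as dicts with name / admin / disabled."""
    return [{"name": name, "admin": is_admin == "Yes", "disabled": disabled == "Disabled"}
            for is_admin, name, disabled in ROW_RE.findall(text)]


def admin_accounts(accounts):
    return [a["name"] for a in accounts if a["admin"]]


def parse_profile_folders(text):
    """Map profile folder name -> days since it was last modified."""
    return {name: int(days) for days, name in FOLDER_RE.findall(text)}


def flag_accounts(accounts, folders):
    """Findings for built-in support accounts that deviate from their default state."""
    findings = []
    for a in accounts:
        if a["name"] not in BUILTIN_SUPPORT_ACCOUNTS:
            continue
        if not a["disabled"]:
            findings.append(f'{a["name"]} is enabled (it ships disabled)')
        if a["admin"]:
            findings.append(f'{a["name"]} is a member of Administrators (it never is by default)')
        if a["name"] in folders:
            findings.append(f'{a["name"]} has a profile folder modified {folders[a["name"]]} day(s) ago, '
                            'so something has logged on with it')
    return findings


if __name__ == "__main__":
    accounts = parse_accounts(SAMPLE_REPORT)
    print("administrators:", ", ".join(admin_accounts(accounts)))
    for line in flag_accounts(accounts, parse_profile_folders(SAMPLE_REPORT)):
        print("-", line)
```

Any one of the three findings on its own can have an innocent explanation (Remote Assistance briefly enables HelpAssistant while a request is pending); all three together, with no Remote Assistance session requested, is the pattern the thread is chasing, and it also explains the duplicated user files the topic starter saw filling C:.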




