HelpAssistant folder created, ISP tells me I have Torpig?


#1 DogFacedBoy (Members, 4 posts)

Posted 01 February 2010 - 09:01 PM

I am having problems with my Dell PC running Windows XP SP3. One week ago, the performance of the computer became very sluggish, and web browsers would inexplicably crash. I noticed that a new user account folder "C:\Document and Settings\HelpAssistant" had been silently created, and many files from another user desktop were copied into the HelpAssistant folder. Three days ago, my ISP said they detected malicious network traffic originating from my computer, and identified it as Torpig activity.

I ran Spybot S&D and Malwarebytes' Anti-Malware, and neither report any malware. SUPERAntiSpyware reported presence of Trojan.Agent/Gen, which I quarantined and deleted. I also disabled the "HelpAssistant" account, and deleted its files, but they just come back again eventually. In case of rootkit infection, I ran Gmer's mbr.exe, which creates the log below:

--------------------
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmet.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\iaStor -> 0x8a96dbc0
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x8a789330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
--------------------

My computer performance is still sluggish, and I worry that Torpig is still there. Any advice about how to proceed cleaning up my computer? Thank you!

#2 boopme (Global Moderator, NJ USA)

Posted 01 February 2010 - 11:38 PM

Welcome DogFacedBoy

  • Open Windows Explorer and rename the C:\mbr.log to C:\mbr.old
  • Go to Start > Run and type: cmd, then press Ok.
  • At the command prompt, type: cd \ and press Enter.
  • At the command prompt, type: mbr.exe -f (make sure you have a space before the e and the -f) and press Enter.
  • At the command prompt, type: exit and press Enter.

It will produce a new report at C:\mbr.log. Please copy/paste the results in your next reply.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 DogFacedBoy (Topic Starter)

Posted 02 February 2010 - 12:03 AM

Hi boopme,

Thank you for your response. As you requested, I ran mbr.exe again, but with the '-f' option. Here is the output of the new mbr.log file:

--------------------
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\iaStor -> 0x8aa23608
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x8a7e7330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection!
--------------------
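The two mbr.exe reports in posts #1 and #3 are the only evidence in this thread, so it is worth knowing how to read them programmatically. The following is an added example (not part of the thread, and not Gmer's own code): a small parser that extracts the hooked objects and the summary lines from an mbr.exe report, gives a clean/suspect verdict, and compares two runs by the hooked object rather than by address, since kernel pool addresses such as 0x8a96dbc0 vs 0x8aa23608 are expected to differ from one boot to the next. The two logs are copied from the thread; the third "clean" log is constructed for illustration and is an assumption about what an unremarkable run looks like.

```python
import re
from dataclasses import dataclass, field

# Reports copied from posts #1 and #3 of the thread (raw strings keep the backslashes intact).
LOG_BEFORE = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\iaStor -> 0x8a96dbc0
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x8a789330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
"""

LOG_AFTER = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\iaStor -> 0x8aa23608
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x8a7e7330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection!
"""

# Constructed sample of a report with no findings (assumption, not taken from the thread).
LOG_CLEAN = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

# A hook line ends in " -> 0x<hex>"; everything before that is the hooked object,
# which may itself contain " -> " (as the NDIS SendCompleteHandler line does).
HOOK_RE = re.compile(r"^(?P<target>.+?) -> (?P<addr>0x[0-9a-fA-F]+)\s*$")


@dataclass
class MbrReport:
    hooks: list = field(default_factory=list)  # (hooked object, address as int)
    mbr_ok: bool = False                        # "user & kernel MBR OK" seen
    warning: bool = False                       # "Warning: ..." line seen
    fix_advised: bool = False                   # tool recommended fixmbr


def parse_mbr_log(text: str) -> MbrReport:
    """Parse one mbr.exe report into its findings."""
    report = MbrReport()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
            continue
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                report.hooks.append((m.group("target"), int(m.group("addr"), 16)))
                continue
            in_hooks = False  # first non-hook line ends the hook list
        if line.startswith("Warning:"):
            report.warning = True
        if "MBR OK" in line:
            report.mbr_ok = True
        if "fixmbr" in line:
            report.fix_advised = True
    return report


def verdict(report: MbrReport) -> str:
    """Any hook or warning makes the run suspect, even when the on-disk MBR compares OK."""
    return "suspect" if (report.hooks or report.warning) else "clean"


def hook_targets(report: MbrReport) -> set:
    return {target for target, _ in report.hooks}


def persistent_hooks(first: MbrReport, second: MbrReport) -> set:
    """Hooked objects present in both runs, matched by object name, not by address."""
    return hook_targets(first) & hook_targets(second)


if __name__ == "__main__":
    before, after = parse_mbr_log(LOG_BEFORE), parse_mbr_log(LOG_AFTER)
    print("run 1:", verdict(before), before.hooks)
    print("run 2:", verdict(after), after.hooks)
    print("hooks seen in both runs:", sorted(persistent_hooks(before, after)))
    print("constructed clean run:", verdict(parse_mbr_log(LOG_CLEAN)))
```

Run on the two logs above, both come back "suspect" with the same two hooked objects (the iaStor driver object and the NDIS SendCompleteHandler for the Broadcom adapter), which is the detail that survives the address change between runs.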

#4 boopme (Global Moderator, NJ USA)

Posted 02 February 2010 - 03:13 PM

You can fix the Master Boot Record with the Windows XP Recovery Console.
  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • Watch for "Press any key to boot from CD" and then press any key to force the computer to boot from the Windows CD. If you do not press a key, the computer will continue to boot up normally. If that happens, try to boot to the Windows XP CD again.
  • When the "Welcome to Setup" screen appears, press R to enter the Recovery Console.
  • The Recovery Console will load and ask which Windows installation would you like to log onto.
  • In most cases, you will enter 1 (which will be the only choice). Note: If you press Enter without typing a number, Recovery Console will quit and restart your computer.
  • If prompted, type in your Administrator password and press Enter. If there is no password, leave it blank and just press enter.
  • At the Recovery Console command prompt, type: fixmbr and then verify that you want to proceed.
  • When finished, remove the XP CD, type exit and press enter to restart the computer.
Vista users can refer to How to fix MBR in Windows XP and Vista (includes screenshots for both Vista and XP).

If you want to install the Recovery Console directly onto your computer so that it is readily available in the future in case you need it again, refer to the How to install and use the Windows XP Recovery Console tutorial.

If you don't have your XP CD you can download an ISO of the Recovery Console files from one of these locations: Burn it as an image to a disk to get a bootable CD which will start up the Recovery Console for troubleshooting and fixing purposes. This is especially useful for those with OEM systems with factory restore partitions or disks but no original installation CD. If you are not sure how to burn an image, please refer to How to write a CD/DVD image or ISO and Creating A Windows XP Recovery Console CD Image.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.


Run your antivirus again.

Edited by boopme, 02 February 2010 - 03:15 PM.

#5 DogFacedBoy (Topic Starter)

Posted 02 February 2010 - 05:57 PM

Hi boopme, thanks for your continuing advice.

Following your suggestion, I attempted to run the Windows Recovery Console, with the intent of then using "fixmbr". Unfortunately, I am unable to run the Recovery Console successfully.

I first created a bootable CD with the Recovery Console ISO file. When I boot from it, and then press "R" to enter the Recovery Console, I see the Recovery Console files loading, but then I get this error message:

----------
Setup did not find any hard disk drives installed on your computer.

Make sure any hard disk drives are powered on and properly connected to your computer, and that any disk-related hardware configuration is correct.

Setup cannot continue.
----------

I then tried installing the Recovery Console onto my hard drive directly, and booting into it that way. That failed with a blue screen containing the following error message:

----------
A problem has been detected and windows has been shut down to prevent damage to your computer.

Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated.

Technical information:
* STOP: 0x0000007B (0xF78D2524, 0xC0000034, 0x00000000, 0x00000000)
----------

So, I am unable to successfully run the Windows Recovery Console. It appears that Recovery Console is not using the correct hard disk controller. Any other ideas?

EDIT: It turns out that my main drive is on a RAID controller, which is not recognized by default by the Recovery Console. I will try to find some appropriate drivers, and then attempt the Recovery Console process again...

Edited by DogFacedBoy, 02 February 2010 - 07:14 PM.


#6 boopme (Global Moderator, NJ USA)

Posted 02 February 2010 - 09:18 PM

Hello, this malware is dangerously close to borking the PC.
We have 2 options. We get this into the HJT forum so they can find and kill this (that will be a few days), or you will need to format and reinstall.

I'll give you the HJT info now. If you want the other let me know.

You will need to run HJT/DDS.
Please follow this guide and do steps 6 through 8. If RootRepeal won't run, skip over it.
Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.
#7 DogFacedBoy (Topic Starter)

Posted 07 February 2010 - 05:04 PM

Hi boopme,

I was eventually able to find suitable RAID drivers and successfully enter the Windows Recovery Console. I ran the "fixmbr" command, which resulted in a repaired MBR as reflected in the output log from "mbr.exe". The output from MBAM is completely clean, as is the output from other malware scanners. So, I think my system is now disinfected. Thanks very much for all your help!

#8 boopme (Global Moderator, NJ USA)

Posted 08 February 2010 - 11:37 AM

This is great news!!
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.