HelpAssistant/rootkit infection?/browser hijack-redirect - PART 2


10 replies to this topic

#1 JakePuff

JakePuff

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:16 AM

Posted 06 February 2010 - 01:55 AM

Hi there!

First off I'd like to say I am new to this site, but for the brief time that I've been reading here, I find your info unbelievably amazing! THANK YOU in advance to the whole response team!

From reading a bit from the previous post (by the same title above) - I believe I have the SAME or similar problem as poster Chantel!

I would like to comment first on poster/user "Chantel" - You seem to have much knowledge and know what you are doing. Seems you know a lot about computers.

And for the responder/admin -- MYRTI MYRTI -- WOW man!!! You are like a super genius!!! I suspect the rest of the team here are as well!

So to start, I basically have the same problem, HelpAssistant folder kept re-creating itself on my HDD, system slowed down, system crashed and froze many times. In addition to Chantel's case, I noticed a number of ports opened in my windows firewall. Every time I kept closing or deleting them they came right back when the system was re-booted. So before posting anything else, what would you like me to do?

Thank you so much for any help given!

Jake


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,314 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:16 AM

Posted 06 February 2010 - 08:11 AM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

Please describe the issues you are experiencing with your computer.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 JakePuff

JakePuff
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:16 AM

Posted 08 February 2010 - 03:40 AM

Hi Elise, Thank you!

I'm sure I am infected. I have a similar problem as user "Chantel" in the HijackThis forum, hence the name in my "subject title".

HelpAssistant folder kept re-creating itself on my HDD. System has slowed down. System crashed and froze many times. I noticed a number of ports opened in my windows firewall. Every time I kept closing or deleting them they came right back when the system was re-booted. Ports were 65533, 52344, 3249, 2479 and Remote Desktop. Ran MBAM many times it did find hijacker with backdoor. Deleted them, but suspect system is seriously infected. What logs would you like me to send you?

Thank you so much for any help given! :-)

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,314 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:16 AM

Posted 08 February 2010 - 03:57 AM

Please download mbr.exe and save it to your desktop.

Double-click on it to run it. A command window will flash briefly (if you run Vista, right-click on the file and select "run as administrator").

After it finishes, a log file, mbr.log, should be created on your desktop. Please post its contents in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 JakePuff

JakePuff
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:16 AM

Posted 08 February 2010 - 04:20 AM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x01749DDC1
malicious code @ sector 0x01749DDC4 !
PE file found in sector at 0x01749DDDA !

#6 JakePuff

JakePuff
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:16 AM

Posted 08 February 2010 - 02:28 PM

Hi Elise,

How are you? What do the results show of the mbr? By the way, I should mention that I had done that mbr fix already. I think the command was 'mbr -f'. Perhaps I shouldn't have done that?
Thanks,
Jake

#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,314 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:16 AM

Posted 08 February 2010 - 03:02 PM

Hello, sorry, have been occupied a bit :thumbsup:

How are things running right now? Are you able to remove the HelpAssistant account now (after running mbr.exe -f)?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 JakePuff

JakePuff
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:16 AM

Posted 08 February 2010 - 07:08 PM

Hi Elise,

I ran MBAM again; this time it came up clean. I deleted the HelpAssistant folders (I think). I don't know about the user though. What can you tell from the mbr log I posted? It looks like there is malicious code in there, no?? Also I did have a few minutes of access online and downloaded and ran the Microsoft Security Essentials software locally. It came up with a bunch of problems that were in the Java folder. I tried deleting it. What should I do to check to see if backdoor access is still there from the trojans?
Thank you!
Jake

#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,314 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:16 AM

Posted 09 February 2010 - 04:59 AM

Hello, your MBR log shows what it is supposed to show after an MBR infection is cleaned. However, this infection is a bit tricky and often the state of the HelpAssistant account is another indication.

Please download SystemScan and save it to your desktop.
  • Be aware that the file name will be randomly generated (i.e. sys95769.exe) to deceive malware which may attempt to disable it.
  • If any installed security tools (anti-virus) detects the file as malware or suspicious while downloading or attempting to run, ignore the alert and allow the download.
  • Double-click on sys*****.exe to start the tool.
  • A read before proceeding disclaimer will appear.
  • Uncheck <- Unflag the checkbox to disable updates! next to the version number at the top.
  • After reading, check the box I have read and agree. Please let me...proceed!, then click the Proceed button.
  • When SystemScan opens, click the "Unselect all" button.
  • Important: Under "Make your choice and than click...", check the boxes next to:
    • PC accounts
  • Everything else should be unchecked.
  • Click "Scan Now".
  • Another warning box will appear. Please follow the instructions and click Ok.
  • Please be patient while the scan is in progress.
  • Systemscan will scan your computer and create a folder named suspectfile on the Desktop to save its report.
  • When the scan is complete, Notepad will automatically open a log file named report.txt with the results.
  • Copy and paste the contents of report.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#10 JakePuff

JakePuff
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:16 AM

Posted 10 February 2010 - 01:47 AM

Hi Elise, thanks for getting back to me :-) !
Here are the results. Curious though, I do see the logmein account there. I uninstalled that software a long time ago. It also has a folder on the pc. Wonder if I should erase that folder.


SystemScan - www.suspectfile.com - ver. 3.6.7 (code: holifay & bReAkdOWn)

Running on: Windows XP HOME Edition, Service Pack 3 (2600.5.1)
System directory: C:\WINDOWS
SystemScan file: C:\Documents and Settings\Meeeee\Desktop\sys91977.exe
Running in: User mode
Date: 2/10/2010
Time: 1:12:03 AM

Output limited to:
-PC accounts

===================== ACCOUNTS ON THIS PC =====================


Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
| ASPNET
| Guest (Disabled)
| HelpAssistant (Disabled)
Yes | LogMeInRemoteUser
Yes | Meeeee
| SUPPORT_388945a0 (Disabled)

### users folders

19/01/2006 01:38:49 (DIR) 0 byte 1483 days old -- Default User
20/01/2006 05:01:54 (DIR) 0 byte 1482 days old -- Administrator
27/01/2006 15:44:00 (DIR) 0 byte 1475 days old -- All Users
30/12/2006 17:24:17 4096 byte 1138 days old -- ADMINI~1.EC2.LOG
28/01/2010 17:48:54 (DIR) 0 byte 13 days old -- LocalService
28/01/2010 17:48:55 (DIR) 0 byte 13 days old -- NetworkService
29/01/2010 04:43:15 (DIR) 0 byte 12 days old -- LogMeInRemoteUser
29/01/2010 04:43:16 (DIR) 0 byte 12 days old -- Administrator.EC29D2D7EC
08/02/2010 16:55:44 (DIR) 0 byte 2 days old -- Meeeee

### startup files in users folders

C:\documents and settings\Administrator.EC29D2D7EC\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Default User\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\LogMeInRemoteUser\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Meeeee\Start Menu\Programs\Startup\desktop.ini

==========================================
Scan completed in 0 minutes
End of report


~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~
SystemScan uses some freeware tools that remain property of their authors:

* SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts "
* dumphive (Markus Stephany)--> "Registry scan"
* Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"
* Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"
---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

Thanks to all of them for their hard work

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,314 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:16 AM

Posted 10 February 2010 - 02:51 AM

Hello, the HelpAssistant account is disabled, which means the MBR rootkit is no longer there.

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
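Added example, not part of this thread or of any tool named in it: a small Python triage script that reads the two logs posted above (the mbr.exe output in #5 and the SystemScan account table in #10) and reports the indicators Elise checks before calling the infection cleaned. The sample logs are constructed from the thread, and the expected_admins list is an assumption for this example.

```python
import re
# Constructed from the two logs posted in this thread.
MBR_LOG = """\
user & kernel MBR OK
copy of MBR has been found in sector 0x01749DDC1
malicious code @ sector 0x01749DDC4 !
PE file found in sector at 0x01749DDDA !
"""
ACCOUNTS_LOG = """\
Is Admin? | Username
------------------
Yes | Administrator
| HelpAssistant (Disabled)
Yes | LogMeInRemoteUser
Yes | Meeeee
| SUPPORT_388945a0 (Disabled)
"""

def parse_mbr_log(text):
    """Return (live MBR clean?, sectors the scanner still flags) from mbr.exe output."""
    mbr_ok = "user & kernel MBR OK" in text
    sectors = re.findall(r"sector (?:at )?(0x[0-9A-Fa-f]+)", text)
    return mbr_ok, sectors

def parse_accounts(text):
    """Return {username: (is_admin, is_disabled)} from the SystemScan accounts table."""
    accounts = {}
    for line in text.splitlines():
        if "|" not in line or line.startswith("Is Admin"):
            continue
        admin, _, name = line.partition("|")
        disabled = "(Disabled)" in name
        name = name.replace("(Disabled)", "").strip()
        accounts[name] = (admin.strip().lower() == "yes", disabled)
    return accounts

def triage(mbr_text, accounts_text, expected_admins=("Administrator", "Meeeee")):
    """Indicators to check: live MBR restored, HelpAssistant disabled, and no admin
    account the owner does not recognise (expected_admins is an assumption here)."""
    mbr_ok, sectors = parse_mbr_log(mbr_text)
    accounts = parse_accounts(accounts_text)
    ha = accounts.get("HelpAssistant")
    return {
        "mbr_clean": mbr_ok,
        "stale_sectors": sectors,  # leftover copies; expected after mbr -f restores the MBR
        "helpassistant_disabled": ha is not None and ha[1],
        "unexpected_admins": sorted(n for n, (adm, _) in accounts.items()
                                    if adm and n not in expected_admins),
    }
```

Run on the thread's logs, it reports a clean live MBR with three stale sectors still flagged, HelpAssistant disabled, and LogMeInRemoteUser as an admin account the owner did not expect, which matches the follow-up question in #10.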

