

Internet Security 2010 + HelpAssistant MBR Infection


  • This topic is locked
2 replies to this topic

#1 fumming

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:25 PM

Posted 13 February 2010 - 09:48 PM

I have arrived here in search of some much needed help. Thread that led me here

I have removed Internet Security 2010 but can NOT get rid of HelpAssistant MBR Infection that was also installed.
Previous suggestions for removal do not work in my case, i.e. booting into the Recovery Console and running fixmbr.
When in the Recovery Console, my installation directory is labeled as "D:\WINDOWS"; this should be "C:\WINDOWS".

All the info I could gather is attached and posted here as per the Preparation Guide.

output from mbr.exe run on the desktop:

CODE
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8a01cb68
NDIS: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> 0x89e03330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
Use "Recovery Console" command "fixmbr" to clear infection !


output of "mbr.exe -f" run in C:
CODE
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8a01cb68
NDIS: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> 0x89e03330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
Use "Recovery Console" command "fixmbr" to clear infection !


output of "mbr.exe -t" run in C:
CODE
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A01CB68]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8a01cb68
NDIS: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> 0x89e03330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
Use "Recovery Console" command "fixmbr" to clear infection !



I'm at my wits end, any help would be greatly appreciated!

EDIT: Some extra info:
services.exe is the process that is recreating the HelpAssistant Directory.
This same process is opening three listening ports: 65533, 2479, and 9132
I think services.exe is being injected.


Edited by fumming, 13 February 2010 - 10:00 PM.
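Reading the three mbr.exe dumps above by hand is easy to get wrong, so here is a small parser for that report format. It is an added example, not part of the post and not code from the gmer tool; the sample transcript embedded in it copies the values from the "-t" run above, and the clean-machine sample is constructed. It extracts the hook list, the address the tool could not map to any module, and the sectors where the original MBR and the payload were stashed, then cross-checks whether the hook handler and the unmapped code are the same address and how far the payload sits from the MBR copy.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a transcript in the format of the gmer mbr.exe "-t" run
# quoted in the post above (values copied from that report).
INFECTED_REPORT = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A01CB68]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8a01cb68
NDIS: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> 0x89e03330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
Use "Recovery Console" command "fixmbr" to clear infection !
"""

# Constructed sample of the same tool on a machine with no findings.
CLEAN_REPORT = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

HOOK_RE = re.compile(r"^(?P<target>.+?) -> (?P<addr>0x[0-9A-Fa-f]+)\s*$")
SECTOR_RE = re.compile(r"sector(?: at)? (?P<sector>0x[0-9A-Fa-f]+)")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


@dataclass
class MbrReport:
    hooks: List[Tuple[str, int]] = field(default_factory=list)  # (hooked object, handler address)
    unknown_modules: List[int] = field(default_factory=list)    # code in the disk path owned by no module
    mbr_copy_sector: Optional[int] = None                       # where the original MBR was stashed
    malicious_sectors: List[int] = field(default_factory=list)
    pe_sectors: List[int] = field(default_factory=list)
    warning: bool = False

    @property
    def infected(self) -> bool:
        return self.warning or bool(self.hooks) or bool(self.malicious_sectors)

    def hooks_match_unknown_module(self) -> bool:
        """True when a hook handler lives at an address the tool could not map to a module."""
        hook_addrs = {addr for _, addr in self.hooks}
        return any(addr in hook_addrs for addr in self.unknown_modules)

    def hidden_sector_offsets(self) -> List[int]:
        """Distance in sectors of each flagged sector from the stashed MBR copy."""
        if self.mbr_copy_sector is None:
            return []
        return [s - self.mbr_copy_sector for s in self.malicious_sectors + self.pe_sectors]


def parse_mbr_report(text: str) -> MbrReport:
    rep = MbrReport()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
            continue
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                rep.hooks.append((m.group("target"), int(m.group("addr"), 16)))
                continue
            in_hooks = False  # first non-hook line ends the hook list
        if line.startswith("Warning:"):
            rep.warning = True
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            rep.unknown_modules.append(int(m.group(1), 16))
            continue
        m = SECTOR_RE.search(line)
        if m:
            sector = int(m.group("sector"), 16)
            if line.startswith("copy of MBR"):
                rep.mbr_copy_sector = sector
            elif line.startswith("malicious code"):
                rep.malicious_sectors.append(sector)
            elif line.startswith("PE file"):
                rep.pe_sectors.append(sector)
    return rep


def summarize(text: str) -> str:
    """One-line triage verdict for a report transcript."""
    rep = parse_mbr_report(text)
    if not rep.infected:
        return "no MBR rootkit indicators"
    parts = [f"{len(rep.hooks)} hook(s)"]
    if rep.hooks_match_unknown_module():
        parts.append("hook handler sits in unmapped code")
    if rep.mbr_copy_sector is not None:
        parts.append(f"original MBR stashed at sector {rep.mbr_copy_sector:#x}, "
                     f"payload at sector offsets {rep.hidden_sector_offsets()}")
    return "INFECTED: " + "; ".join(parts)


if __name__ == "__main__":
    print(summarize(INFECTED_REPORT))
    print(summarize(CLEAN_REPORT))
```

Two details the summary surfaces that the raw dump does not state outright: the "UNKNOWN" module in the disk I/O call chain is at the same address as the \Driver\ACPI hook, so the hook is the rootkit's own code rather than a legitimate filter driver, and the payload sits only a few sectors past the stashed MBR copy, which is the layout fixmbr alone does not clean up (it rewrites sector 0 only).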




#2 fumming
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:25 PM

Posted 14 February 2010 - 01:02 AM

Disregard previous post.... Issue solved!!!!

This machine is clean.... took nearly 24 hours from time of infection, lol.

While booting from my XP disc did not allow a proper fix of the MBR, installing the Recovery Console via ComboFix and then running fixmbr did!

Also, I issued the command:
CODE
net user HelpAssistant /DELETE

Then I deleted the reg key associated with this profile and deleted the c:\documents and settings\HelpAssistant directory.

services.exe is no longer being injected into, no ports open, and no HelpAssistant files are being created.

Beware of this "Internet Security 2010" (aka IS2010). I contracted this virus via a Firefox exploit; it's nothing to laugh at.
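The post above checks the cleanup by confirming that services.exe is no longer holding listening ports. Here is that check written out, as an added example and not the poster's own work: it correlates saved "netstat -ano" output with "tasklist" output and flags any listening socket owned by a core system process that never listens on its own. The two transcripts embedded below are constructed to mirror the situation in the thread (the PID 660 and the other PIDs and addresses are invented). On a box where services.exe is still being injected into, the user-mode tools feeding this script can be lied to, so a clean result after remediation is corroborating evidence rather than proof.

```python
from typing import Dict, List, Tuple

# Constructed sample of "netstat -ano" output on Windows XP, mirroring the post:
# services.exe (PID 660, an invented value) listening on 65533, 2479 and 9132.
# Addresses are from documentation ranges.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1004
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2479           0.0.0.0:0              LISTENING       660
  TCP    0.0.0.0:9132           0.0.0.0:0              LISTENING       660
  TCP    0.0.0.0:65533          0.0.0.0:0              LISTENING       660
  TCP    192.0.2.10:1054        198.51.100.7:80        ESTABLISHED     1920
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of "tasklist" output mapping those PIDs to image names.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name     Session#    Mem Usage
========================= ======== ================ ======== ============
System Idle Process              0 Console                 0         28 K
System                           4 Console                 0        236 K
services.exe                   660 Console                 0      3,372 K
svchost.exe                   1004 Console                 0      4,964 K
firefox.exe                   1920 Console                 0     61,280 K
"""

# Core XP system processes that do not own listening sockets themselves; a
# listener attributed to one of them points at injected code or a spoofed name.
NEVER_LISTEN = {"services.exe", "winlogon.exe", "csrss.exe", "smss.exe"}


def parse_netstat(text: str) -> List[Tuple[str, int, str, int]]:
    """Return (proto, local_port, state, pid) for each socket line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        port = int(local.rsplit(":", 1)[1])
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:  # UDP rows carry no State column
            state, pid = "", int(parts[3])
        rows.append((proto, port, state, pid))
    return rows


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name; tolerates image names that contain spaces."""
    owners = {}
    for line in text.splitlines():
        # split from the right so the image name keeps its internal spaces
        parts = line.strip().rsplit(None, 5)
        if len(parts) == 6 and parts[1].isdigit() and parts[-1] == "K":
            owners[int(parts[1])] = parts[0]
    return owners


def find_suspicious_listeners(netstat_text: str, tasklist_text: str,
                              never_listen=NEVER_LISTEN) -> List[Tuple[str, int, str, int]]:
    """Listening sockets owned by processes that should never listen: (image, pid, proto, port)."""
    owners = parse_tasklist(tasklist_text)
    findings = []
    for proto, port, state, pid in parse_netstat(netstat_text):
        listening = state == "LISTENING" or proto == "UDP"
        image = owners.get(pid, "<unknown>")
        if listening and image.lower() in never_listen:
            findings.append((image, pid, proto, port))
    return sorted(findings, key=lambda f: f[3])


if __name__ == "__main__":
    for image, pid, proto, port in find_suspicious_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{image} (PID {pid}) is listening on {proto}/{port}")
```

Run it against output captured before and after the cleanup: the before-capture should produce the three services.exe findings, the after-capture none. Feeding it the two commands' output saved to files keeps a record that can be compared later if the HelpAssistant directory reappears.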





#3 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,085 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:25 PM

Posted 18 February 2010 - 06:18 AM

Since the issue seems to be resolved, this topic will now be closed.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft




