
My Security Wall Virus turns into helpassistant trojan in MBR. HELP!!!


  • This topic is locked
55 replies to this topic

#1 dw_17fan


  • Members
  • 31 posts

Posted 24 February 2010 - 09:07 PM

Hello, this is my 1st post. I have been reading the forums and getting my pc ready for help by downloading the prep programs. I have run DDS successfully and have a log file to attach. I can't get GMER.exe to finish without the Pc crashing to a BLUE screen. I have Windows XP Sp3 and normally use Firefox web browser. I have the Panda Cloud Anti-virus installed. (didn't work too well, obviously) I have Windows XP installed on 2 separate hard drives so I can still access the web and the Pc. The helpassistant folder virus was on both hard drives. I thought it was gone but it has reappeared when I tried to restore windows to a previous date before the problems. I know that they hide inside the restore folder, but I had already used Malware Bytes' Anti-malware and Panda Antivirus, and both deleted "all" infected files, or so I thought....ARGH!! I had run those scans multiple times along with mbr.exe and rkill.exe and even Combofix. I had to repair/replace my hosts file after getting rid of the "My Security Wall" virus. I know you guys say not to use Combofix and Mbr without help from an expert first, but I felt desperate and pressed for time. I depend on my PC for work from home and paying our bills. I'm sorry for jumping the gun and I would really appreciate any help in this matter. I would understand if you guys don't want to help... My thanks in advance for anyone reading this and deciding to help. I don't know what else to do.

Here is the DDS log file.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Jerry at 21:09:43.12 on Wed 02/24/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1535 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jerry.JERRYSGAMERIG\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
mRun: [AsusStartupHelp] c:\program files\asus\aasp\1.00.17\AsRunHelp.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198565048656
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jerry~2.jer\applic~1\mozilla\firefox\profiles\0d7jt9tm.default\
FF - prefs.js: browser.startup.homepage - hxxp://forums.pcworld.com/index.php?/topic/64582-helpassistant-folder-keeps-appearing/|http://forums.majorgeeks.com/showthread.php?t=35407|http://www.bleepingcomputer.com/forums/index.php|http://www.yahoo.com/
FF - plugin: c:\program files\microsoft silverlight\npctrl.1.0.21115.0.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2009-10-13 114312]
R2 NanoServiceMain;NanoServiceMain;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2009-10-30 136448]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2009-10-30 146952]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2009-10-13 95880]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2009-10-13 101512]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-12-24 1174664]

=============== Created Last 30 ================

2010-02-25 00:48:51 0 ----a-w- c:\documents and settings\jerry.jerrysgamerig\defogger_reenable
2010-02-24 08:50:13 0 d-----w- C:\ComboFix
2010-02-23 08:31:51 0 d-----w- c:\docume~1\jerry~2.jer\applic~1\Malwarebytes
2010-02-23 08:31:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-23 08:31:45 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-23 08:31:45 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-02-23 08:29:58 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-02-23 08:29:40 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-02-23 08:27:22 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-02-23 08:27:21 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-02-23 08:24:00 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-02-23 08:08:56 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2010-02-23 08:01:38 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-02-23 07:55:18 2560 ------w- c:\windows\system32\xpsp4res.dll

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:21:05 667136 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:20:58 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-10 03:54:07 261632 ----a-w- c:\windows\PEV.exe
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll

============= FINISH: 21:10:03.21 ===============


Edited by dw_17fan, 25 February 2010 - 03:35 AM.



#2 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 26 February 2010 - 10:25 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Let's try something with Gmer to get it to run.

Please rerun Gmer but uncheck Devices first

Thanks
m0le is a proud member of UNITE

#3 dw_17fan

  • Topic Starter

  • Members
  • 31 posts

Posted 27 February 2010 - 12:28 AM

I tried to run gmer like you said. It still crashes to a blue screen and memory dumps saying it is a registry error. I ran CCleaner and scanned for all registry errors after running the application scan. I cleaned both then tried gmer again, still crashed to blue screen with same registry error. Last night I made an Avira Antivirus Rescue CD while I was waiting for someone to reply after my 1st post a couple nights ago. I ran it in its native Linux mode and it renamed over 100+ files on 3 separate hard drives. (I have 2 SATA drives and 2 IDE drives) It found a lot of Trojans, Toolbar/Hotbars, Adware, Spyware, etc... I was in the process of deleting those files when I noticed your reply. I am barely running Windows on an older install on a separate hard drive. Win XP has some system files that are missing or corrupted now and it is asking me to insert a service pack 3 disc. I downloaded the iso file and burned it to a cd. I tried to run it but there are errors there, too. Here is the mbr log showing a rootkit infection. I will post another DDS log here since there have been some changes since I first asked for help. I hope that you will be still willing to help. Thanks for your time!!!

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !


DDS (Ver_09-12-01.01) - NTFSx86
Run by Jerry at 0:29:47.32 on Sat 02/27/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1650 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\Jerry.JERRYSGAMERIG\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
mRun: [AsusStartupHelp] c:\program files\asus\aasp\1.00.17\AsRunHelp.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198565048656
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jerry~2.jer\applic~1\mozilla\firefox\profiles\xolvmzq8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bleepingcomputer.com/combofix/how-to-use-combofix|http://www.yahoo.com/?r33=1267081963|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\microsoft silverlight\3.0.50106.0\npctrl.1.0.21115.0.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2009-10-13 114312]
R2 NanoServiceMain;NanoServiceMain;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2009-10-30 136448]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2009-10-30 146952]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2009-10-13 95880]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2009-10-13 101512]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-12-24 1174664]

=============== Created Last 30 ================

2010-02-27 04:19:39 0 d-----w- c:\program files\CCleaner
2010-02-27 03:19:21 19569 ----a-w- c:\windows\000001_.tmp
2010-02-27 03:15:18 0 d-----w- c:\windows\system32\CatRoot_bak
2010-02-25 07:27:46 0 d-----w- C:\ComboFix
2010-02-25 03:46:06 0 d-----w- c:\windows\system32\wbem\Repository
2010-02-24 23:21:13 75776 -c----w- c:\windows\system32\dllcache\strmfilt.dll
2010-02-24 23:21:13 265728 -c----w- c:\windows\system32\dllcache\http.sys
2010-02-24 23:21:13 25088 -c----w- c:\windows\system32\dllcache\httpapi.dll
2010-02-24 04:34:32 1611 ----a-w- C:\Remote Assistance.lnk
2010-02-23 08:31:51 0 d-----w- c:\docume~1\jerry~2.jer\applic~1\Malwarebytes
2010-02-23 08:31:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-23 08:31:45 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-23 08:31:45 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-02-23 08:29:58 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-02-23 08:29:58 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-02-23 08:29:51 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-23 08:29:40 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-02-23 08:29:13 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-02-23 08:28:45 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-02-23 08:27:22 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-02-23 08:27:22 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-02-23 08:27:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-02-23 08:27:22 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-02-23 08:27:21 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-02-23 08:27:21 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-02-23 08:27:21 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-02-23 08:27:21 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-02-23 08:24:00 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-02-23 08:08:56 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2010-02-23 08:07:33 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-02-23 08:07:22 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-02-23 08:07:06 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-02-23 08:01:38 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-02-23 07:56:24 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-23 07:56:23 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-23 07:56:23 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-23 07:55:37 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-02-23 07:55:28 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-02-23 07:55:18 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-02-23 07:55:17 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-02-23 07:55:17 1206508 -c----w- c:\windows\system32\dllcache\sysmain.sdb
2010-02-23 07:55:15 512000 -c----w- c:\windows\system32\dllcache\jscript.dll

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20:58 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-10 03:54:07 261632 ----a-w- c:\windows\PEV.exe

============= FINISH: 0:30:11.70 ===============


Edited by dw_17fan, 27 February 2010 - 01:20 AM.


#4 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 27 February 2010 - 05:55 AM

MBR rootkit is now invading your profiles and enabling something called HelpAssistant. Run this program and let's see if this is the case here.

Download Profiles by noahdfear

Double click the file and copy and paste the resulting log into your next reply.
m0le is a proud member of UNITE

#5 dw_17fan

  • Topic Starter

  • Members
  • 31 posts

Posted 27 February 2010 - 07:32 AM

Yes it is. Here is the log file. How can I stop this rootkit/virus? I would appreciate it so much!!!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User.WINDOWS
AllUsersProfile REG_SZ All Users.WINDOWS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService.NT AUTHORITY.000

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService.NT AUTHORITY.000

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-651377827-725345543-1000
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-651377827-725345543-1004
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Jerry.JERRYSGAMINGRIG

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-651377827-725345543-1005
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Christine.JERRYSGAMINGRIG

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-651377827-725345543-1006
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Anna-Marie.JERRYSGAMINGRIG

SystemRoot REG_SZ C:\WINDOWS



Edited by dw_17fan, 27 February 2010 - 07:36 AM.
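A small parser for the Profiles output above, added here as an example that is not part of the thread or of noahdfear's tool: it walks a ProfileList dump and flags a profile directory owned by the built-in HelpAssistant (or SUPPORT_388945a0) account, which on a default XP install is disabled and never gets a ProfileList entry, so its presence at a local-account SID is the sign m0le is asking about. The sample dump is constructed from the log posted above, trimmed to the key/value lines the parser needs.

```python
import re

# Built-in XP accounts that should never own an interactive user profile.
# HelpAssistant exists only for Remote Assistance sessions and is disabled
# by default; SUPPORT_388945a0 is the disabled Help and Support account.
SUSPECT_PROFILE_NAMES = {"HelpAssistant", "SUPPORT_388945a0"}

# Constructed sample, trimmed from the Profiles output posted above.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User.WINDOWS
AllUsersProfile REG_SZ All Users.WINDOWS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService.NT AUTHORITY.000

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService.NT AUTHORITY.000

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-651377827-725345543-1000
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-651377827-725345543-1004
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Jerry.JERRYSGAMINGRIG

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-651377827-725345543-1005
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Christine.JERRYSGAMINGRIG

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-651377827-725345543-1006
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Anna-Marie.JERRYSGAMINGRIG

SystemRoot REG_SZ C:\WINDOWS
"""

# A ProfileList subkey line ends in the SID that owns the profile.
KEY_RE = re.compile(r"ProfileList\\(S-1-5-[0-9-]+)$")
# The value line that follows gives the profile directory.
PATH_RE = re.compile(r"^ProfileImagePath\s+REG_EXPAND_SZ\s+(.+)$")


def parse_profile_list(text):
    """Return a list of (sid, profile_path) pairs found in the dump."""
    entries = []
    sid = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.search(line)
        if m:
            sid = m.group(1)
            continue
        m = PATH_RE.match(line)
        if m and sid:
            entries.append((sid, m.group(1)))
            sid = None
    return entries


def rid(sid):
    """Relative identifier: the last dash-separated component of a SID."""
    return int(sid.rsplit("-", 1)[1])


def profile_name(path):
    """Account name from a profile path, minus the .MACHINE suffix XP adds
    when a profile folder name collides (e.g. Jerry.JERRYSGAMINGRIG)."""
    leaf = path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]
    return leaf.split(".", 1)[0]


def find_suspicious(entries):
    """Flag local-account profiles (S-1-5-21-...) owned by built-in accounts
    that should not have logged on interactively."""
    findings = []
    for sid, path in entries:
        name = profile_name(path)
        if sid.startswith("S-1-5-21-") and name in SUSPECT_PROFILE_NAMES:
            findings.append({"sid": sid, "rid": rid(sid), "name": name, "path": path})
    return findings


def report(text):
    """Human-readable lines, one per finding (empty list means nothing flagged)."""
    return [
        f"SUSPECT profile: {f['name']} (RID {f['rid']}) -> {f['path']}"
        for f in find_suspicious(parse_profile_list(text))
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_DUMP) or ["no suspect profiles found"]:
        print(line)
```

A clean machine yields no findings; the sample above yields one line for the HelpAssistant profile at RID 1000, which matches what m0le's post predicts.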


#6 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 27 February 2010 - 09:17 AM

We need to disable it.

Please download SystemScan and save it to your desktop.
  • Be aware that the file name will be randomly generated (i.e. sys95769.exe) to deceive malware which may attempt to disable it.
  • If any installed security tools (anti-virus) detects the file as malware or suspicious while downloading or attempting to run, ignore the alert and allow the download.
  • Double-click on sys*****.exe to start the tool.
  • A read before proceeding disclaimer will appear.
  • Uncheck <- Unflag the checkbox to disable updates! next to the version number at the top.
  • After reading, check the box I have read and agree. Please let me...proceed!, then click the Proceed button.
  • When SystemScan opens, click the "Unselect all" button.
  • Important: Under "Make your choice and than click...", check the boxes next to:
    • PC accounts
  • Everything else should be unchecked.
  • Click "Scan Now".
  • Another warning box will appear. Please follow the instructions and click Ok.
  • Please be patient while the scan is in progress.
  • Systemscan will scan your computer and create a folder named suspectfile on the Desktop to save its report.
  • When the scan is complete, Notepad will automatically open a log file named report.txt with the results.
  • Copy and paste the contents of report.txt in your next reply.

m0le is a proud member of UNITE

#7 dw_17fan

  • Topic Starter

  • Members
  • 31 posts

Posted 27 February 2010 - 03:57 PM

This is from the main hard drive that is having the most problems. Below this log I am posting the log file from the other hard drive that is allowing me to type these posts and do the virus scanning and downloading of these files. (Helpassistant became a profile on that drive but after running Malwarebytes' Anti-malware program and Avira Anti-virus Rescue CD it is no longer taking over PC on the older XP drive like it is on the main drive, for now)

SystemScan - www.suspectfile.com - ver. 3.6.7 (code: holifay & bReAkdOWn)

Running on: Windows XP HOME Edition, Service Pack 3 (2600.5.1)
System directory: C:\WINDOWS
SystemScan file: C:\Documents and Settings\Jerry.JERRYSGAMINGRIG\Desktop\sys31133.exe
Running in: User mode
Date: 2/27/2010
Time: 3:49:10 PM

Output limited to:
-PC accounts

===================== ACCOUNTS ON THIS PC =====================


Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
Yes | Anna-Marie
Yes | Christine
| Guest (Disabled)
Yes | HelpAssistant
Yes | Jerry
| SUPPORT_388945a0 (Disabled)

### users folders

03/10/2008 00:54:14 (DIR) 0 byte 512 days old -- All Users
17/09/2009 16:35:04 (DIR) 0 byte 163 days old -- Anna-Marie
30/09/2009 00:37:45 (DIR) 0 byte 150 days old -- NetworkService.NT AUTHORITY
30/09/2009 00:38:18 (DIR) 0 byte 150 days old -- LocalService.NT AUTHORITY
30/09/2009 01:03:05 (DIR) 0 byte 150 days old -- Christine
30/09/2009 01:27:23 (DIR) 0 byte 150 days old -- NetworkService
30/09/2009 01:27:25 (DIR) 0 byte 150 days old -- LocalService
30/09/2009 01:27:27 (DIR) 0 byte 150 days old -- Default User
13/10/2009 23:19:34 (DIR) 0 byte 137 days old -- NetworkService.NT AUTHORITY.000
13/10/2009 23:19:53 (DIR) 0 byte 137 days old -- LocalService.NT AUTHORITY.000
14/10/2009 15:01:34 (DIR) 0 byte 136 days old -- Jerry
17/10/2009 16:00:52 (DIR) 0 byte 133 days old -- Default User.WINDOWS
14/01/2010 21:05:16 (DIR) 0 byte 44 days old -- All Users.WINDOWS
25/02/2010 06:46:14 (DIR) 0 byte 2 days old -- Jerry.JERRYSGAMINGRIG
04/02/2010 11:04:27 (DIR) 0 byte 23 days old -- Christine.JERRYSGAMINGRIG
11/02/2010 02:10:08 (DIR) 0 byte 16 days old -- Anna-Marie.JERRYSGAMINGRIG

### startup files in users folders

C:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\All Users\Start Menu\Programs\Startup\eBay Countdown.url
C:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\McAfee Security Scan.lnk
C:\documents and settings\Anna-Marie\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Anna-Marie\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
C:\documents and settings\Anna-Marie\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
C:\documents and settings\Anna-Marie.JERRYSGAMINGRIG\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Anna-Marie.JERRYSGAMINGRIG\Start Menu\Programs\Startup\IMVU.lnk
C:\documents and settings\Christine\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Christine.JERRYSGAMINGRIG\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Christine.JERRYSGAMINGRIG\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
C:\documents and settings\Default User\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Default User.WINDOWS\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Jerry.JERRYSGAMINGRIG\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Jerry.JERRYSGAMINGRIG\Start Menu\Programs\Startup\Yahoo! Widgets.lnk

==========================================
Scan completed in 0 minutes
End of report


~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~
SystemScan uses some freeware tools that remain property of their authors:

* SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts "
* dumphive (Markus Stephany)--> "Registry scan"
* Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"
* Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"
---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

Thanks to all of them for their hard work

Here is the other log file from the older, but functioning XP drive. Both are XP service pack 3, but this one is only used in cases such as these virus attacks.

SystemScan - www.suspectfile.com - ver. 3.6.7 (code: holifay & bReAkdOWn)

Running on: Windows XP HOME Edition, Service Pack 3 (2600.5.1)
System directory: C:\WINDOWS
SystemScan file: C:\Documents and Settings\Jerry.JERRYSGAMERIG\Desktop\sys31133.exe
Running in: User mode
Date: 2/27/2010
Time: 3:42:31 PM

Output limited to:
-PC accounts

===================== ACCOUNTS ON THIS PC =====================


Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
Yes | Anna-Marie
Yes | Christine
| Guest (Disabled)
Yes | HelpAssistant
Yes | Jerry

### users folders

03/11/2007 11:27:05 (DIR) 0 byte 847 days old -- Anna-Marie.JERRYLEE
07/04/2007 15:33:42 (DIR) 0 byte 1057 days old -- Christine.JERRY-30BA6BBB6
07/04/2007 15:33:50 (DIR) 0 byte 1057 days old -- Anna-Marie.JERRY-30BA6BBB6
07/04/2007 15:33:51 (DIR) 0 byte 1057 days old -- Anna-Marie
28/07/2007 00:30:26 (DIR) 0 byte 945 days old -- Christine
10/04/2007 12:48:51 (DIR) 0 byte 1054 days old -- Jerry Williams
22/12/2007 06:11:06 (DIR) 0 byte 798 days old -- NetworkService.NT AUTHORITY
24/12/2007 19:06:16 (DIR) 0 byte 796 days old -- Anna-Marie.JERRYS-GAME-RIG
24/12/2007 21:41:38 (DIR) 0 byte 796 days old -- LocalService.NT AUTHORITY
06/01/2008 17:34:42 (DIR) 0 byte 783 days old -- Default User.WINDOWS
19/08/2009 01:25:11 (DIR) 0 byte 192 days old -- All Users
20/11/2009 22:21:24 (DIR) 0 byte 99 days old -- Christine.JERRYS-GAME-RIG
23/02/2010 02:48:51 (DIR) 0 byte 4 days old -- All Users.WINDOWS
23/02/2010 02:54:59 (DIR) 0 byte 4 days old -- NetworkService
23/02/2010 02:54:59 (DIR) 0 byte 4 days old -- LocalService
23/02/2010 02:54:59 (DIR) 0 byte 4 days old -- Default User
24/02/2010 22:46:09 (DIR) 0 byte 3 days old -- LocalService.NT AUTHORITY.000
24/02/2010 22:46:10 (DIR) 0 byte 3 days old -- NetworkService.NT AUTHORITY.000
26/02/2010 19:24:27 (DIR) 0 byte 1 days old -- Jerry.JERRYS-GAME-RIG
27/02/2010 06:12:45 (DIR) 0 byte 0 days old -- Jerry.JERRYSGAMERIG

### startup files in users folders

C:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\All Users\Start Menu\Programs\Startup\Dr.Speed.lnk
C:\documents and settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
C:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
C:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
C:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Anna-Marie.JERRY-30BA6BBB6\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Anna-Marie.JERRYLEE\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Anna-Marie.JERRYS-GAME-RIG\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Christine\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Christine\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
C:\documents and settings\Christine.JERRY-30BA6BBB6\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Christine.JERRYS-GAME-RIG\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Default User\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Default User.WINDOWS\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Jerry Williams\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Jerry.JERRYS-GAME-RIG\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Jerry.JERRYSGAMERIG\Start Menu\Programs\Startup\desktop.ini

==========================================
Scan completed in 0 minutes
End of report


~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~
SystemScan uses some freeware tools that remain property of their authors:

* SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts "
* dumphive (Markus Stephany)--> "Registry scan"
* Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"
* Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"
---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

Thanks to all of them for their hard work

Edited by dw_17fan, 27 February 2010 - 04:18 PM.


#8 m0le



  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 27 February 2010 - 06:30 PM

Okay, we need to deal with one at a time or this will get a bit complex. The main hard drive is the problem so let's start there.

Please download ComboFix from one of these locations:
  • IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks
m0le is a proud member of UNITE

#9 dw_17fan

  • Topic Starter

  • Members
  • 31 posts

Posted 28 February 2010 - 12:51 AM

I'm sorry if this is too long of a post. I didn't know if you wanted it like this or zipped. After I ran Combofix and the log file was generated, I tried to get on the internet and post this. The PC went to a blue screen while I was deleting the help assistant folder. I was doing that because the hard drive space was getting low, or so I thought. There was no official error message, other than the 0's and x's at the bottom. I didn't have time to write it down as the memory dump took only a second before reboot. So I loaded the other XP drive to post this. I see that it was able to delete the whole helpassistant folder from the main drive. I hope to hear from you soon! THANKS SO MUCH FOR YOUR HELP!!

ComboFix 10-02-27.04 - Jerry 02/27/2010 23:44:08.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1586 [GMT -5:00]
Running from: c:\documents and settings\Jerry.JERRYSGAMINGRIG\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Anna-Marie\Application Data\.#
c:\documents and settings\Jerry.JERRYSGAMINGRIG\Application Data\inst.exe
c:\documents and settings\Jerry.JERRYSGAMINGRIG\Application Data\My Security Wall
c:\documents and settings\Jerry.JERRYSGAMINGRIG\Application Data\SystemProc
c:\documents and settings\Jerry.JERRYSGAMINGRIG\Start Menu\Programs\Security Tool.lnk
c:\documents and settings\Jerry\Application Data\inst.exe
c:\program files\INSTALL.LOG
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\recycler\S-1-5-21-1645522239-1677128483-839522115-1004
c:\recycler\S-1-5-21-1645522239-1677128483-839522115-1005
c:\recycler\S-1-5-21-1645522239-1677128483-839522115-1006
c:\recycler\S-1-5-21-448539723-839522115-962910248-1002
c:\recycler\S-1-5-21-507921405-606747145-725345543-1004
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\system32\_004046_.tmp.dll
c:\windows\system32\_004047_.tmp.dll
c:\windows\system32\_004048_.tmp.dll
c:\windows\system32\_004049_.tmp.dll
c:\windows\system32\_004056_.tmp.dll
c:\windows\system32\_004057_.tmp.dll
c:\windows\system32\_004058_.tmp.dll
c:\windows\system32\_004059_.tmp.dll
c:\windows\system32\_004061_.tmp.dll
c:\windows\system32\_004062_.tmp.dll
c:\windows\system32\_004065_.tmp.dll
c:\windows\system32\_004066_.tmp.dll
c:\windows\system32\_004068_.tmp.dll
c:\windows\system32\_004069_.tmp.dll
c:\windows\system32\_004070_.tmp.dll
c:\windows\system32\_004072_.tmp.dll
c:\windows\system32\_004075_.tmp.dll
c:\windows\system32\_004076_.tmp.dll
c:\windows\system32\_004080_.tmp.dll
c:\windows\system32\_004081_.tmp.dll
c:\windows\system32\_004083_.tmp.dll
c:\windows\system32\_004086_.tmp.dll
c:\windows\system32\_004088_.tmp.dll
c:\windows\system32\_004089_.tmp.dll
c:\windows\system32\_004090_.tmp.dll
c:\windows\system32\_004091_.tmp.dll
c:\windows\system32\_004092_.tmp.dll
c:\windows\system32\_004095_.tmp.dll
c:\windows\system32\_004096_.tmp.dll
c:\windows\system32\_004097_.tmp.dll
c:\windows\system32\_004098_.tmp.dll
c:\windows\system32\_004099_.tmp.dll
c:\windows\system32\_004104_.tmp.dll
c:\windows\system32\_004106_.tmp.dll
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

.
((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))
.

2010-02-28 04:45 . 2010-02-28 04:45 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2010-02-28 04:45 . 2010-02-28 04:45 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-02-28 04:45 . 2010-02-28 04:45 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-02-28 04:26 . 2010-02-28 04:26 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2010-02-28 04:26 . 2010-02-28 04:26 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2010-02-27 12:51 . 2010-02-27 12:51 -------- d-----w- c:\program files\Panda Security
2010-02-27 12:51 . 2009-09-09 15:29 199432 ----a-w- c:\windows\system32\drivers\neti1639.sys
2010-02-27 12:38 . 2010-02-27 12:49 -------- d-----w- c:\program files\Common Files\Panda Security
2010-02-27 06:34 . 2005-08-18 08:52 93568 ----a-r- c:\windows\system32\drivers\nvata.sys
2010-02-24 21:02 . 2010-02-24 21:02 -------- d-----w- c:\documents and settings\Jerry.JERRYSGAMINGRIG\Local Settings\Application Data\Panda Security
2010-02-24 20:02 . 2003-10-22 23:23 446464 ----a-w- c:\windows\system32\HHActiveX.dll
2010-02-24 20:02 . 2010-02-25 11:27 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Panda Security
2010-02-23 09:49 . 2010-02-23 09:49 -------- d-----w- c:\documents and settings\Jerry.JERRYSGAMINGRIG\Application Data\Malwarebytes
2010-02-23 09:49 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-23 09:49 . 2010-02-23 09:49 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-02-23 09:49 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-23 08:31 . 2010-02-25 08:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-23 07:24 . 2010-02-23 07:24 -------- d-sh--w- c:\documents and settings\All Users.WINDOWS\Application Data\MSZUPW
2010-02-22 22:55 . 2010-02-22 22:55 -------- d-----w- c:\documents and settings\Jerry.JERRYSGAMINGRIG\Local Settings\Application Data\OLYMPUS
2010-02-22 22:54 . 2010-02-22 22:54 -------- d-----w- c:\program files\OLYMPUS
2010-02-04 14:06 . 2010-02-04 14:06 -------- d-----w- c:\documents and settings\Christine.JERRYSGAMINGRIG\Application Data\Temp
2010-02-04 14:06 . 2010-02-04 14:06 -------- d-----w- c:\documents and settings\Christine.JERRYSGAMINGRIG\Local Settings\Application Data\Eastman_Kodak_Company
2010-02-04 14:06 . 2010-02-04 14:06 17672 ----a-w- c:\documents and settings\Christine.JERRYSGAMINGRIG\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-30 10:17 . 2010-01-30 10:17 -------- d-----w- c:\program files\DVDFab 6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-27 13:10 . 2008-01-27 08:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-27 12:51 . 2009-12-18 04:35 -------- d-----w- c:\documents and settings\Jerry.JERRYSGAMINGRIG\Application Data\Panda Security
2010-02-12 06:09 . 2009-10-16 01:20 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\DVD Shrink
2010-02-01 10:40 . 2009-10-15 17:04 -------- d-----w- c:\documents and settings\Jerry.JERRYSGAMINGRIG\Application Data\Temp
2010-01-30 10:17 . 2009-10-28 02:43 -------- d-----w- c:\documents and settings\Jerry.JERRYSGAMINGRIG\Application Data\Vso
2010-01-30 10:17 . 2009-10-28 02:43 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-01-30 10:17 . 2009-10-28 02:43 47360 ----a-w- c:\documents and settings\Jerry.JERRYSGAMINGRIG\Application Data\pcouffin.sys
2010-01-29 02:04 . 2010-01-29 02:04 -------- d-----w- c:\program files\Pcsx2
2010-01-26 02:29 . 2010-01-25 20:07 -------- d-----w- c:\program files\Project64 1.6
2010-01-24 04:01 . 2009-11-25 11:06 -------- d-----w- c:\documents and settings\Anna-Marie.JERRYSGAMINGRIG\Application Data\IMVU
2010-01-24 04:00 . 2010-01-24 04:00 -------- d-----w- c:\documents and settings\Anna-Marie.JERRYSGAMINGRIG\Application Data\Vivox
2010-01-23 14:22 . 2008-04-01 23:55 -------- d-----w- c:\program files\InterActual
2010-01-22 12:33 . 2010-01-22 12:33 -------- d-----w- c:\program files\Recuva
2010-01-22 06:31 . 2010-01-22 06:31 -------- d-----w- c:\documents and settings\Christine.JERRYSGAMINGRIG\Application Data\Panda Security
2010-01-19 02:01 . 2008-01-28 07:53 -------- d-----w- c:\program files\exPressit S.E. 2.2
2010-01-18 20:43 . 2009-12-28 17:25 -------- d-----w- c:\program files\Dragon Age
2010-01-15 07:03 . 2008-01-28 00:45 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-15 06:44 . 2009-08-12 01:15 -------- d-----w- c:\program files\AVIConverter
2010-01-15 06:16 . 2009-10-17 19:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Nero
2010-01-14 06:29 . 2009-10-16 02:20 -------- d-----w- c:\documents and settings\Jerry.JERRYSGAMINGRIG\Application Data\Nero
2010-01-14 06:23 . 2010-01-14 06:12 -------- d-----w- c:\program files\Common Files\Nero
2010-01-14 06:22 . 2008-01-28 00:47 -------- d-----w- c:\program files\Nero
2010-01-08 07:04 . 2010-01-08 07:04 -------- d-----w- c:\program files\7-Zip
2010-01-03 02:19 . 2008-08-07 21:32 -------- d-----w- c:\program files\iWin Games
2010-01-02 15:53 . 2010-01-02 15:53 227 ----a-w- c:\windows\PowerReg.dat
2010-01-02 06:39 . 2008-08-20 04:48 -------- d-----w- c:\program files\GameSpy Arcade
2010-01-02 06:29 . 2010-01-02 06:29 -------- d-----w- c:\program files\Black Isle
2009-12-31 16:50 . 2009-10-14 20:52 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 00:07 . 2009-10-14 04:21 17672 ----a-w- c:\documents and settings\Jerry.JERRYSGAMINGRIG\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 19:14 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2009-10-14 04:13 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2009-10-14 20:52 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2009-10-14 20:52 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2009-10-14 20:52 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2009-10-14 20:52 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-08-13 23:19 . 2009-08-13 23:19 1508 ----a-w- c:\program files\uninstal.log
2008-05-13 04:28 . 2008-05-13 04:28 774144 ----a-w- c:\program files\RngInterstitial.dll
2008-02-21 18:46 . 2008-10-24 06:12 169192 ----a-w- c:\program files\UBSoftUpdate.exe
2002-07-26 21:02 . 2008-10-24 06:12 153088 ----a-w- c:\program files\UNWISE.EXE
2002-05-21 14:00 . 2002-05-21 14:00 1362 ----a-r- c:\program files\ReadMe.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
"Nero PhotoShow Media Manager"="c:\progra~1\Nero\NEROPH~1\data\xtras\mssysmgr.exe" [2006-05-10 249856]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2009-11-26 95632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C6501Sound"="c6501.cpl" [BU]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-04-07 1511424]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-27 734264]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-11-26 54672]

c:\documents and settings\Christine.JERRYSGAMINGRIG\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\Jerry.JERRYSGAMINGRIG\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2009-11-12 16:35 221488 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-11-21 01:32 110184 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Eidos\\Batman Arkham Asylum\\Binaries\\ShippingPC-BmGame.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Hasbro Interactive\\RollerCoaster Tycoon\\rct.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Documents and Settings\\Anna-Marie.JERRYSGAMINGRIG\\Application Data\\IMVUClient\\1VivoxVoice.exe"=
"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"53:UDP"= 53:UDP:Promo
"9323:TCP"= 9323:TCP:EKDiscovery

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe [5/4/2009 11:15 AM 279960]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\Center\KodakSvc.exe [4/17/2009 11:08 AM 32768]
R3 NETIMFLT01060039;PANDA NDIS IM Filter Miniport v1.6.0.39;c:\windows\system32\drivers\neti1639.sys [2/27/2010 7:51 AM 199432]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [12/28/2009 12:37 PM 25832]
.
Contents of the 'Scheduled Tasks' folder

2010-02-24 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\AiO\Center\Kodak.Statistics.exe [2009-05-04 16:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Anna-Marie.JERRYSGAMINGRIG\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\documents and settings\Jerry.JERRYSGAMINGRIG\Application Data\Mozilla\Firefox\Profiles\s3q7xhe4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)
HKLM-Run-nwiz - nwiz.exe
HKLM-Explorer_Run-RTHDBPL - c:\documents and settings\Jerry.JERRYSGAMINGRIG\Application Data\SystemProc\lsass.exe
MSConfigStartUp-TOY5KNQ8OC - c:\docume~2\JERRY~2.JER\LOCALS~1\Temp\Yqh.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-28 00:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RTHDBPL = c:\documents and settings\Jerry.JERRYSGAMINGRIG\Application Data\SystemProc\lsass.exe???????????????????????????????????????????

scanning hidden files ...


c:\windows\TEMP\Perflib_Perfdata_f20.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A235218]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb810cf28
\Driver\ACPI -> 0x8a235218
\Driver\atapi -> atapi.sys @ 0xb7f0f852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> 0x8966c330
PacketIndicateHandler -> NDIS.sys @ 0xb7e11a21
SendHandler -> NDIS.sys @ 0xb7def87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

- - - - - - - > 'explorer.exe'(1924)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\RunDll32.exe
c:\windows\system32\devldr32.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2010-02-28 00:15:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-28 05:15
ComboFix2.txt 2010-02-24 09:17
ComboFix3.txt 2010-02-23 07:54

Pre-Run: 5,989,732,352 bytes free
Post-Run: 13,250,265,088 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 0257B7C1600D1FEBDFB1C69979D33B7C

Edited by dw_17fan, 28 February 2010 - 12:53 AM.


#10 m0le



  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 28 February 2010 - 06:10 AM

Please copy the contents of the code box below, open notepad and paste it there. On the top toolbar in notepad select file, then save as. In the box that opens type in remservice.bat for the file name. Right below that click the down arrow in the line for save as and select all files. Save this to your desktop and close notepad.

CODE
@echo off
rem Run this from the folder that holds mbr.exe; the "mbr -f" line below relies on it.
reg add HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr /v Start /t REG_DWORD /d 0x0 /f
net stop RDSessMgr
rem Disable the HelpAssistant account and take it out of Administrators.
net user HelpAssistant /active:no >nul 2>&1
net localgroup Administrators HelpAssistant /delete >nul 2>&1
rem Strip the hidden/system/read-only attributes, then remove the profile folder.
rem The full, quoted path replaces the short-name form, which cmd does not resolve.
rem The del/rmdir pair is repeated on purpose, as in the original recipe, in case
rem the first pass leaves entries behind.
attrib -s -h -r "C:\Documents and Settings\HelpAssistant\*" /s /d
del /s /q "C:\Documents and Settings\HelpAssistant\*.*"
rmdir /s /q "C:\Documents and Settings\HelpAssistant"
del /s /q "C:\Documents and Settings\HelpAssistant\*.*"
rmdir /s /q "C:\Documents and Settings\HelpAssistant"
mbr -f
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-651377827-725345543-1000" /f
rem Restore the default Terminal Services ServiceDll. In a batch file a literal
rem percent sign is written doubled; the caret does not escape it.
reg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d %%SystemRoot%%\System32\termsrv.dll /f
exit


Locate the remservice icon on your desktop and double click it. A box will pop up briefly on your screen and disappear; this is normal.

Now reboot the PC and delete the folder if it is still present:

c:\documents and settings\HelpAssistant

Now reboot again and run SystemScan and post the log so we can check that the HelpAssistant has stayed disabled.
m0le is a proud member of UNITE

#11 dw_17fan

dw_17fan
  • Topic Starter

  • Members
  • 31 posts

Posted 28 February 2010 - 07:59 PM

Hello Mr. Mole,

I did as you instructed. Helpassistant is disabled. My Panda Antivirus software is not working on the main hard drive. I'm unprotected when I try to post here from that HD. I tried to re-install the setup file, but every time it runs it almost finishes, then it freezes up and Firefox and/or Internet Explorer can no longer access the web. The Antivirus is installed, but I can't update virus definitions or enable the protection from the console menu. It keeps saying to restart the PC to enable protection, but every time I restart it says the same thing. This is the only thing I have done to deviate from our sessions. I'm sorry for that, but I was worried about new infections that could complicate our cleansing process. I can try and uninstall it and wait until you think it would be okay to try again. I am enthusiastic that we can eradicate this infection very soon!

Thank You for your patience!!!
Jerry

Here is the Log File.

SystemScan - www.suspectfile.com - ver. 3.6.7 (code: holifay & bReAkdOWn)

Running on: Windows XP HOME Edition, Service Pack 3 (2600.5.1)
System directory: C:\WINDOWS
SystemScan file: C:\Documents and Settings\Jerry.JERRYSGAMINGRIG\Desktop\sys31133.exe
Running in: User mode
Date: 2/28/2010
Time: 7:04:18 PM

Output limited to:
-PC accounts

===================== ACCOUNTS ON THIS PC =====================


Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
Yes | Anna-Marie
Yes | Christine
| Guest (Disabled)
| HelpAssistant (Disabled)
Yes | Jerry
| SUPPORT_388945a0 (Disabled)

### users folders

03/10/2008 00:54:14 (DIR) 0 byte 513 days old -- All Users
17/09/2009 16:35:04 (DIR) 0 byte 164 days old -- Anna-Marie
30/09/2009 00:37:45 (DIR) 0 byte 151 days old -- NetworkService.NT AUTHORITY
30/09/2009 00:38:18 (DIR) 0 byte 151 days old -- LocalService.NT AUTHORITY
30/09/2009 01:03:05 (DIR) 0 byte 151 days old -- Christine
30/09/2009 01:27:23 (DIR) 0 byte 151 days old -- NetworkService
30/09/2009 01:27:25 (DIR) 0 byte 151 days old -- LocalService
30/09/2009 01:27:27 (DIR) 0 byte 151 days old -- Default User
13/10/2009 23:19:34 (DIR) 0 byte 138 days old -- NetworkService.NT AUTHORITY.000
13/10/2009 23:19:53 (DIR) 0 byte 138 days old -- LocalService.NT AUTHORITY.000
14/10/2009 15:01:34 (DIR) 0 byte 137 days old -- Jerry
17/10/2009 16:00:52 (DIR) 0 byte 134 days old -- Default User.WINDOWS
14/01/2010 21:05:16 (DIR) 0 byte 45 days old -- All Users.WINDOWS
27/02/2010 23:53:27 (DIR) 0 byte 1 days old -- Jerry.JERRYSGAMINGRIG
04/02/2010 11:04:27 (DIR) 0 byte 24 days old -- Christine.JERRYSGAMINGRIG
11/02/2010 02:10:08 (DIR) 0 byte 17 days old -- Anna-Marie.JERRYSGAMINGRIG

### startup files in users folders

C:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\All Users\Start Menu\Programs\Startup\eBay Countdown.url
C:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\McAfee Security Scan.lnk
C:\documents and settings\Anna-Marie\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Anna-Marie\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
C:\documents and settings\Anna-Marie\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
C:\documents and settings\Anna-Marie.JERRYSGAMINGRIG\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Anna-Marie.JERRYSGAMINGRIG\Start Menu\Programs\Startup\IMVU.lnk
C:\documents and settings\Christine\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Christine.JERRYSGAMINGRIG\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Christine.JERRYSGAMINGRIG\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
C:\documents and settings\Default User\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Default User.WINDOWS\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Jerry.JERRYSGAMINGRIG\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Jerry.JERRYSGAMINGRIG\Start Menu\Programs\Startup\Yahoo! Widgets.lnk

==========================================
Scan completed in 0 minutes
End of report


~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~
SystemScan uses some freeware tools that remain property of their authors:

* SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts "
* dumphive (Markus Stephany)--> "Registry scan"
* Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"
* Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"
---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

Thanks to all of them for their hard work



#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 28 February 2010 - 08:19 PM

Now that Help Assistant has been disabled we should rerun Combofix to search for anything else.

Please do that in the same way as before.
m0le is a proud member of UNITE

#13 dw_17fan

dw_17fan
  • Topic Starter

  • Members
  • 31 posts

Posted 28 February 2010 - 09:30 PM

Combofix had me write down some file names of rootkit activity before reboot, but I see that it deleted them all. Looks like things are progressing greatly!!

ComboFix 10-02-27.04 - Jerry 02/28/2010 20:35:32.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1685 [GMT -5:00]
Running from: c:\documents and settings\Jerry.JERRYSGAMINGRIG\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jerry.JERRYSGAMERIG\Application Data\intel64.exe
c:\documents and settings\Jerry.JERRYSGAMERIG\Application Data\ntos.exe
c:\documents and settings\Jerry.JERRYSGAMERIG\Application Data\oembios.exe
c:\documents and settings\Jerry.JERRYSGAMERIG\Application Data\sdra64.exe
c:\documents and settings\Jerry.JERRYSGAMERIG\Application Data\twex.exe
c:\documents and settings\Jerry.JERRYSGAMERIG\Application Data\twext.exe
c:\documents and settings\Jerry.JERRYSGAMERIG\Application Data\wsnpoema.exe

.
((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
.

2010-03-01 00:26 . 2010-03-01 00:26 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2010-03-01 00:26 . 2010-03-01 00:26 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-03-01 00:25 . 2010-03-01 00:25 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-03-01 00:22 . 2010-03-01 00:22 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2010-03-01 00:22 . 2010-03-01 00:22 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2010-02-28 23:40 . 2009-03-30 23:23 193792 ----a-w- c:\windows\system32\TpUtil.dll
2010-02-28 23:40 . 2009-03-30 23:22 87296 ----a-w- c:\windows\system32\PavLspHook.dll
2010-02-28 23:40 . 2009-03-30 23:22 55552 ----a-w- c:\windows\system32\pavipc.dll
2010-02-28 23:40 . 2007-02-08 15:53 107568 ----a-w- c:\windows\system32\SYSTOOLS.DLL
2010-02-28 23:40 . 2009-03-30 23:22 518400 ----a-w- c:\windows\system32\PavSHook.dll
2010-02-28 23:40 . 2010-02-28 23:40 -------- d-----w- c:\windows\system32\PAV
2010-02-28 23:40 . 2008-03-18 21:58 58672 ----a-w- c:\windows\system32\avldr.dll
2010-02-28 23:38 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-27 12:51 . 2010-02-27 12:51 -------- d-----w- c:\program files\Panda Security
2010-02-27 12:51 . 2009-09-09 15:29 199432 ----a-w- c:\windows\system32\drivers\neti1639.sys
2010-02-27 06:34 . 2005-08-18 08:52 93568 ----a-r- c:\windows\system32\drivers\nvata.sys
2010-02-24 20:02 . 2003-10-22 23:23 446464 ----a-w- c:\windows\system32\HHActiveX.dll
2010-02-24 20:02 . 2010-02-25 11:27 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Panda Security
2010-02-23 09:49 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-23 09:49 . 2010-02-23 09:49 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-02-23 09:49 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-23 08:31 . 2010-02-25 08:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-23 07:24 . 2010-02-23 07:24 -------- d-sh--w- c:\documents and settings\All Users.WINDOWS\Application Data\MSZUPW
2010-02-22 22:54 . 2010-02-22 22:54 -------- d-----w- c:\program files\OLYMPUS
2010-01-30 10:17 . 2010-01-30 10:17 -------- d-----w- c:\program files\DVDFab 6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-28 23:40 . 2008-01-27 08:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-12 06:09 . 2009-10-16 01:20 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\DVD Shrink
2010-01-30 10:17 . 2009-10-28 02:43 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-01-29 02:04 . 2010-01-29 02:04 -------- d-----w- c:\program files\Pcsx2
2010-01-26 02:29 . 2010-01-25 20:07 -------- d-----w- c:\program files\Project64 1.6
2010-01-23 14:22 . 2008-04-01 23:55 -------- d-----w- c:\program files\InterActual
2010-01-22 12:33 . 2010-01-22 12:33 -------- d-----w- c:\program files\Recuva
2010-01-19 02:01 . 2008-01-28 07:53 -------- d-----w- c:\program files\exPressit S.E. 2.2
2010-01-18 20:43 . 2009-12-28 17:25 -------- d-----w- c:\program files\Dragon Age
2010-01-15 07:03 . 2008-01-28 00:45 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-15 06:44 . 2009-08-12 01:15 -------- d-----w- c:\program files\AVIConverter
2010-01-15 06:16 . 2009-10-17 19:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Nero
2010-01-14 06:23 . 2010-01-14 06:12 -------- d-----w- c:\program files\Common Files\Nero
2010-01-14 06:22 . 2008-01-28 00:47 -------- d-----w- c:\program files\Nero
2010-01-08 07:04 . 2010-01-08 07:04 -------- d-----w- c:\program files\7-Zip
2010-01-03 02:19 . 2008-08-07 21:32 -------- d-----w- c:\program files\iWin Games
2010-01-02 15:53 . 2010-01-02 15:53 227 ----a-w- c:\windows\PowerReg.dat
2010-01-02 06:39 . 2008-08-20 04:48 -------- d-----w- c:\program files\GameSpy Arcade
2010-01-02 06:29 . 2010-01-02 06:29 -------- d-----w- c:\program files\Black Isle
2009-12-31 16:50 . 2009-10-14 20:52 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2009-10-14 04:13 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2009-10-14 20:52 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2009-10-14 20:52 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2009-10-14 20:52 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2009-10-14 20:52 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-08-13 23:19 . 2009-08-13 23:19 1508 ----a-w- c:\program files\uninstal.log
2008-05-13 04:28 . 2008-05-13 04:28 774144 ----a-w- c:\program files\RngInterstitial.dll
2008-02-21 18:46 . 2008-10-24 06:12 169192 ----a-w- c:\program files\UBSoftUpdate.exe
2002-07-26 21:02 . 2008-10-24 06:12 153088 ----a-w- c:\program files\UNWISE.EXE
2002-05-21 14:00 . 2002-05-21 14:00 1362 ----a-r- c:\program files\ReadMe.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
"Nero PhotoShow Media Manager"="c:\progra~1\Nero\NEROPH~1\data\xtras\mssysmgr.exe" [2006-05-10 249856]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2009-11-26 95632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C6501Sound"="c6501.cpl" [BU]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-04-07 1511424]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-27 734264]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-11-26 54672]
"APVXDWIN"="c:\program files\Panda Security\Panda Global Protection 2010\APVXDWIN.EXE" [2009-09-25 906496]
"SCANINICIO"="c:\program files\Panda Security\Panda Global Protection 2010\Inicio.exe" [2009-08-12 56064]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2008-03-18 21:58 58672 ----a-w- c:\windows\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2009-11-12 16:35 221488 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-11-21 01:32 110184 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Eidos\\Batman Arkham Asylum\\Binaries\\ShippingPC-BmGame.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Hasbro Interactive\\RollerCoaster Tycoon\\rct.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Documents and Settings\\Anna-Marie.JERRYSGAMINGRIG\\Application Data\\IMVUClient\\1VivoxVoice.exe"=
"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"53:UDP"= 53:UDP:Promo
"9323:TCP"= 9323:TCP:EKDiscovery
"7834:TCP"= 7834:TCP:Services

R0 pavboot;Panda boot driver;c:\windows\system32\drivers\pavboot.sys [2/28/2010 6:38 PM 28552]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe [5/4/2009 11:15 AM 279960]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\Center\KodakSvc.exe [4/17/2009 11:08 AM 32768]
R3 NETIMFLT01060039;PANDA NDIS IM Filter Miniport v1.6.0.39;c:\windows\system32\drivers\neti1639.sys [2/27/2010 7:51 AM 199432]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [12/28/2009 12:37 PM 25832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
panda REG_MULTI_SZ Gwmsrv
.
Contents of the 'Scheduled Tasks' folder

2010-02-28 c:\windows\Tasks\Basic clean-up.job
- c:\program files\Panda Security\Panda Global Protection 2010\PlaTasks.exe [2010-02-28 18:46]

2010-03-01 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\AiO\Center\Kodak.Statistics.exe [2009-05-04 16:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Anna-Marie.JERRYSGAMINGRIG\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
.
------- File Associations -------
.
JSEFile=c:\progra~1\PANDAS~1\PANDAG~1\PavScrip.exe "%1" %*
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-28 20:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A4AE640]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb810cf28
\Driver\ACPI -> 0x8a4ae640
\Driver\atapi -> atapi.sys @ 0xb7f0f852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> 0x8964b330
PacketIndicateHandler -> NDIS.sys @ 0xb7e11a21
SendHandler -> NDIS.sys @ 0xb7def87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(492)
c:\windows\SYSTEM32\avldr.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
Completion time: 2010-02-28 20:45:41
ComboFix-quarantined-files.txt 2010-03-01 01:45
ComboFix2.txt 2010-02-28 05:15
ComboFix3.txt 2010-02-24 09:17
ComboFix4.txt 2010-02-23 07:54

Pre-Run: 13,517,017,088 bytes free
Post-Run: 13,639,397,376 bytes free

- - End Of File - - 9E782964FE0D493AC772F69E28BDF810


#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 March 2010 - 07:45 AM

Something is wrong. You may be clean from malware but something has regenerated the Help Assistant folder and we need to check that it is still disabled.

Please run SystemScan again so I can be sure before we delete the folder manually.
m0le is a proud member of UNITE
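The check m0le asks for here and in #10 (is HelpAssistant still disabled and out of Administrators, and has something regenerated its profile folder) can be automated over the logs posted in this thread. This is an added example, not code from the thread or from SystemScan or ComboFix; it parses the SystemScan "ACCOUNTS ON THIS PC" table and the ComboFix "Files Created" section, with sample input constructed from the logs above. The row layouts it assumes are those of the posted logs, and the function names are my own.

```python
# Added example, not code from this thread or from SystemScan/ComboFix.
# It automates the check m0le asks for: is the HelpAssistant account still
# disabled and out of Administrators (SystemScan "ACCOUNTS ON THIS PC"), and
# has anything recreated its profile folder (ComboFix "Files Created")?
import re
from dataclasses import dataclass

# Account rows look like "Yes | Jerry" or "| Guest (Disabled)".
ACCOUNT_RE = re.compile(
    r"^\s*(?P<admin>Yes)?\s*\|\s*(?P<name>.+?)\s*(?P<disabled>\(Disabled\))?\s*$")
# ComboFix rows: "<created> . <modified> <size or --------> <attrs> <path>".
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$")
HELPASSISTANT_PROFILE = r"c:\documents and settings\helpassistant"

@dataclass
class AccountState:
    present: bool = False
    enabled: bool = False
    admin: bool = False

def parse_accounts(systemscan_text: str) -> dict:
    """Map username -> AccountState from SystemScan's 'Users on this computer' table."""
    accounts, in_table = {}, False
    for line in systemscan_text.splitlines():
        if line.startswith("Is Admin?"):   # header row opens the table
            in_table = True
            continue
        if not in_table:
            continue
        if not line.strip():               # first blank line closes it
            break
        m = ACCOUNT_RE.match(line)         # the "------" rule line does not match
        if m:
            accounts[m["name"]] = AccountState(
                present=True, enabled=m["disabled"] is None, admin=m["admin"] is not None)
    return accounts

def helpassistant_status(systemscan_text: str) -> AccountState:
    """State of the HelpAssistant account; present=False if the table lacks it."""
    return parse_accounts(systemscan_text).get("HelpAssistant", AccountState())

def profile_recreations(combofix_text: str) -> list:
    """Paths under the HelpAssistant profile listed in ComboFix's 'Files Created' section."""
    hits, in_section = [], False
    for line in combofix_text.splitlines():
        if "Files Created from" in line:
            in_section = True
            continue
        if in_section and line.startswith("(((("):   # next banner (Find3M) ends the section
            break
        m = CREATED_RE.match(line) if in_section else None
        if m and m["path"].lower().startswith(HELPASSISTANT_PROFILE + "\\"):
            hits.append(m["path"])
    return hits

def verdict(systemscan_text: str, combofix_text: str) -> list:
    """Findings that mean the removal did not stick; an empty list means the check passes."""
    findings, state = [], helpassistant_status(systemscan_text)
    if state.enabled:
        findings.append("HelpAssistant account is enabled (expected Disabled)")
    if state.admin:
        findings.append("HelpAssistant is in the Administrators group")
    paths = profile_recreations(combofix_text)
    if paths:
        findings.append(f"HelpAssistant profile recreated: {len(paths)} entries, first {paths[0]}")
    return findings

# Constructed excerpts of the SystemScan logs (28 Feb, 1 Mar) and the ComboFix log posted above.
SYSTEMSCAN_BEFORE = """Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
| Guest (Disabled)
| HelpAssistant (Disabled)
Yes | Jerry

### users folders
"""
SYSTEMSCAN_AFTER = SYSTEMSCAN_BEFORE.replace("| HelpAssistant (Disabled)", "Yes | HelpAssistant")
COMBOFIX_EXCERPT = r"""((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
2010-03-01 00:26 . 2010-03-01 00:26 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2010-03-01 00:26 . 2010-03-01 00:26 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-03-01 00:25 . 2010-03-01 00:25 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-02-28 23:40 . 2009-03-30 23:23 193792 ----a-w- c:\windows\system32\TpUtil.dll
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))
2010-01-30 10:17 . 2009-10-28 02:43 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
"""

if __name__ == "__main__":
    for label, scan in (("28 Feb scan", SYSTEMSCAN_BEFORE), ("1 Mar scan", SYSTEMSCAN_AFTER)):
        print(label, verdict(scan, COMBOFIX_EXCERPT) or ["HelpAssistant check passed"])
```

On the 28 Feb excerpt the check passes; on the 1 Mar excerpt it reports the account re-enabled, back in Administrators, and the profile folder recreated, which is exactly what m0le spots in the logs above.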

#15 dw_17fan

dw_17fan
  • Topic Starter

  • Members
  • 31 posts

Posted 01 March 2010 - 02:37 PM

You are right. Here is the log. Maybe I shouldn't have run the setup file for the antivirus. Do you want me to run the batch file again? I'm sorry, I've already deleted the helpassistant folder after scanning as per your instructions. I didn't know it was re-enabled. It is not there right now, I just checked. I see that the rootkit, or kits, are still present in the mbr. What can we do to fix this?

SystemScan - www.suspectfile.com - ver. 3.6.7 (code: holifay & bReAkdOWn)

Running on: Windows XP HOME Edition, Service Pack 3 (2600.5.1)
System directory: C:\WINDOWS
SystemScan file: C:\Documents and Settings\Jerry.JERRYSGAMINGRIG\Desktop\sys31133.exe
Running in: User mode
Date: 3/1/2010
Time: 2:15:51 PM

Output limited to:
-PC accounts

===================== ACCOUNTS ON THIS PC =====================


Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
Yes | Anna-Marie
Yes | Christine
| Guest (Disabled)
Yes | HelpAssistant
Yes | Jerry
| SUPPORT_388945a0 (Disabled)

### users folders

03/10/2008 00:54:14 (DIR) 0 byte 514 days old -- All Users
17/09/2009 16:35:04 (DIR) 0 byte 165 days old -- Anna-Marie
30/09/2009 00:37:45 (DIR) 0 byte 152 days old -- NetworkService.NT AUTHORITY
30/09/2009 00:38:18 (DIR) 0 byte 152 days old -- LocalService.NT AUTHORITY
30/09/2009 01:03:05 (DIR) 0 byte 152 days old -- Christine
30/09/2009 01:27:23 (DIR) 0 byte 152 days old -- NetworkService
30/09/2009 01:27:25 (DIR) 0 byte 152 days old -- LocalService
30/09/2009 01:27:27 (DIR) 0 byte 152 days old -- Default User
13/10/2009 23:19:34 (DIR) 0 byte 139 days old -- NetworkService.NT AUTHORITY.000
13/10/2009 23:19:53 (DIR) 0 byte 139 days old -- LocalService.NT AUTHORITY.000
14/10/2009 15:01:34 (DIR) 0 byte 138 days old -- Jerry
17/10/2009 16:00:52 (DIR) 0 byte 135 days old -- Default User.WINDOWS
14/01/2010 21:05:16 (DIR) 0 byte 46 days old -- All Users.WINDOWS
28/02/2010 19:32:09 (DIR) 0 byte 1 days old -- Jerry.JERRYSGAMINGRIG
28/02/2010 20:45:43 (DIR) 0 byte 1 days old -- Anna-Marie.JERRYS-GAME-RIG
28/02/2010 20:45:43 (DIR) 0 byte 1 days old -- Jerry.JERRYS-GAME-RIG
04/02/2010 11:04:27 (DIR) 0 byte 25 days old -- Christine.JERRYSGAMINGRIG
11/02/2010 02:10:08 (DIR) 0 byte 18 days old -- Anna-Marie.JERRYSGAMINGRIG

### startup files in users folders

C:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\All Users\Start Menu\Programs\Startup\eBay Countdown.url
C:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\McAfee Security Scan.lnk
C:\documents and settings\Anna-Marie\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Anna-Marie\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
C:\documents and settings\Anna-Marie\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
C:\documents and settings\Anna-Marie.JERRYSGAMINGRIG\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Anna-Marie.JERRYSGAMINGRIG\Start Menu\Programs\Startup\IMVU.lnk
C:\documents and settings\Christine\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Christine.JERRYSGAMINGRIG\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Christine.JERRYSGAMINGRIG\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
C:\documents and settings\Default User\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Default User.WINDOWS\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Jerry.JERRYSGAMINGRIG\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Jerry.JERRYSGAMINGRIG\Start Menu\Programs\Startup\Yahoo! Widgets.lnk

==========================================
Scan completed in 0 minutes
End of report


~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~
SystemScan uses some freeware tools that remain property of their authors:

* SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts "
* dumphive (Markus Stephany)--> "Registry scan"
* Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"
* Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"
---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

Thanks to all of them for their hard work
