
Sinowal rootkit / Zeus trojan virus infection?


This topic is locked
25 replies to this topic

#1 notb4coffee


Posted 03 April 2010 - 03:47 PM

Thanks in advance to everyone who volunteers their time to help us poor souls out when we get into these messes!

Here's what's going on with my system:
After attempting to sign in to eBay a few days ago, I was redirected to an OBVIOUSLY bogus "security" page asking for a plethora of personal and financial information. I contacted eBay's Trust and Safety Team immediately with my concern of possible password theft (even though I didn't enter any personal information on the pseudo-page, I had just come from the main sign-in page so I figured that my username & password had already been compromised). They emailed a response that included a diagnosis of the aforementioned infection along with a very abbreviated set of detection and removal instructions. I know that certain detection programs can sometimes give false positives and that COMPLETE removal can occasionally be a bit tricky, so I'm appealing to the more (IMHO) experienced and reputable individuals here on BC to direct me appropriately.

Along with the browser redirection issue I've also noticed that my machine will not restart or shut down completely anymore. It halts on the "saving your settings" screen until I manually press the reset button on the front of the case. I'm not sure if it's related, but I've never had problems with this in the past, so I'm thinking it very well may be related. I have Windows XP Pro w/SP 3 and use IE 7.

I've worked my way through all the steps in the Preparation Guide and have included the requested files.

Mary
------


DDS (Ver_10-03-17.01) - NTFSx86
Run by BinkzFam at 19:23:33.45 on Thu 04/01/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1345 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
svchost.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\GetRight\GETRIGHT.EXE
C:\Program Files\GetRight\GETRIGHT.EXE
C:\Downloads\Security Prog\Defogger.exe
C:\Documents and Settings\admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://192.168.30.1/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: bho2gr Class: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Encarta Web Companion Helper Object: {955be0b8-bc85-4caf-856e-8e0d8b610560} - c:\program files\common files\microsoft shared\encarta web companion\ENCWCBAR.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Encarta Web Companion: {147d6308-0614-4112-89b1-31402f9b82c4} - c:\program files\common files\microsoft shared\encarta web companion\ENCWCBAR.DLL
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: MasterCook Bar: {c92041c1-6d22-4069-ba0e-66246aa752b0} - c:\windows\system32\shdocvw.dll
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
uRun: [TaskSwitchXP] c:\program files\taskswitchxp\TaskSwitchXP.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [SBCSTray] c:\program files\sunbelt software\counterspy\SBCSTray.exe
mRun: [LTMSG] LTMSG.exe 7
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ImageDrive-{0CFE4D98-44D7-4542-9842-B924978C2A4F}] "c:\program files\nero\nero 7\nero imagedrive\ImageDrive.exe"
dRun: [TaskSwitchXP] c:\program files\taskswitchxp\TaskSwitchXP.exe
StartupFolder: c:\docume~1\admin\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\admin\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\admin\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\outloo~1.lnk - c:\program files\paypal payment request wizard\outlook wizard\OEHook.exe
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {E6EF5071-7647-4E85-9785-87B6CF5CB561} - {C92041C1-6D22-4069-BA0E-66246AA752B0} - c:\windows\system32\shdocvw.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233371204218
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233371181078
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxps://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://hslda.webex.com/client/T26L10NSP49EP26/event/ieatgpc.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://plugin.driveragent.com/files/driveragent.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 relog_ap

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-31 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-3-5 27784]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-4-18 353672]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-31 297752]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S1 SpyEmrg;Spy Emergency Driver;c:\windows\system32\drivers\spyemrg.sys --> c:\windows\system32\drivers\spyemrg.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]

============== File Associations ===============

inffile=c:\windows\system32\NOTEPAD2.EXE %1
inifile=c:\windows\system32\NOTEPAD2.EXE %1
txtfile=c:\windows\system32\NOTEPAD2.EXE %1

=============== Created Last 30 ================

2010-04-02 00:09:55 149040 ----a-w- c:\windows\system32\ImageDrive.cpl
2010-04-02 00:01:15 0 ----a-w- c:\documents and settings\admin\defogger_reenable
2010-03-29 01:44:55 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

==================== Find3M ====================

2008-03-08 20:46:41 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008030820080309\index.dat

============= FINISH: 19:23:53.56 ===============



~Adequately caffeinated for your safety~



#2 notb4coffee

Posted 05 April 2010 - 01:17 PM

Quoting my first post (notb4coffee, Apr 3 2010, 03:47 PM):
"[eBay] emailed a response that included a diagnosis of the aforementioned infection along with a very abbreviated set of detection and removal instructions."

Thought it might help to include the following update since my first post:

eBay directed me to this link:
http://www2.gmer.net/mbr/mbr.exe

I downloaded and ran it, with the following results:

-------------
malicious code @ sector 0x0950E4C4
PE file found in sector at 0x0950E4DA
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

-----------------

The email instructions had this to offer in the way of a fix for XP users:
--------------------
"If it is the older version of the virus, it will tell you to type "mbr.exe f" to remove it. Type in the command to remove it and once it is done it will say "original mbr restored successfully!". If this is the case, you can follow the instructions on how to clear the cache and cookies and restart your computer."
--------------------

I'm more than a little hesitant to follow those instructions. What if I do NOT receive the "original mbr restored successfully" message??? Will my machine even boot afterwards if not?
Any help with this would be appreciated.

Thank you in advance!
Mary

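Reading the two logs above by hand is what the helpers on this board do; as an added example (my own code, not part of this thread, of DDS or of GMER's mbr.exe), the Python below triages the Pseudo HJT lines from post #1 and the mbr.exe output from post #2. It flags the ProxyServer entry that sends all IE traffic to a loopback listener (which fits the redirected eBay sign-in), orphaned toolbar CLSIDs and non-default LSA authentication packages, and it takes the fix command from the tool's own output rather than from a retyped e-mail. The finding categories and the "verify" heuristics are assumptions of this example, not anything the tools define.

```python
"""Triage helpers for the DDS "Pseudo HJT Report" and GMER mbr.exe output
quoted in this thread.  Added example; not part of the thread or of either tool."""
import ipaddress
import re

# Subset of the DDS Pseudo HJT lines from post #1 (constructed from the posted log).
DDS_LINES = [
    "uStart Page = hxxp://192.168.30.1/",
    "uInternet Settings,ProxyServer = http=127.0.0.1:5555",
    "uInternet Settings,ProxyOverride = <local>",
    "BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\\program files\\avg\\avg8\\avgssie.dll",
    "TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File",
    "LSA: Authentication Packages = msv1_0 relog_ap",
]

# mbr.exe output from post #2 (constructed from the posted text).
MBR_LINES = [
    "malicious code @ sector 0x0950E4C4",
    "PE file found in sector at 0x0950E4DA",
    'MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.',
]

SECTOR_BYTES = 512                 # MBR-era disks: one LBA sector is 512 bytes
DEFAULT_LSA_PACKAGES = {"msv1_0"}  # Windows XP default; anything extra is worth a look (assumption)


def parse_proxy_server(value):
    """Parse IE's ProxyServer value.  Accepts 'host:port' (applies to every
    scheme, recorded under '*') or 'scheme=host:port;scheme=host:port'."""
    proxies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        proxies[scheme or "*"] = (host, int(port) if port.isdigit() else None)
    return proxies


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or 'localhost': a proxy running on this very machine."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def triage_dds(lines):
    """Return (category, detail) findings for the report lines a helper would
    want to look at first.  The heuristics are this example's own."""
    findings = []
    for line in lines:
        key, sep, value = line.partition(" = ")
        if sep and key.endswith("Internet Settings,ProxyServer"):
            # Every IE request goes through this proxy; a loopback listener on a
            # home PC with no proxy software installed explains redirected pages.
            for scheme, (host, port) in parse_proxy_server(value).items():
                if is_loopback(host):
                    findings.append(("proxy", f"{scheme} traffic sent to local listener {host}:{port}"))
        elif sep and key == "LSA: Authentication Packages":
            for pkg in value.split():
                if pkg not in DEFAULT_LSA_PACKAGES:
                    findings.append(("lsa", f"non-default LSA authentication package {pkg}: verify"))
        elif line.endswith(" - No File"):
            # Registered CLSID whose DLL is gone: leftover to clean up, rarely active code.
            findings.append(("orphan", line.rsplit(" - ", 1)[0]))
    return findings


SECTOR_RE = re.compile(r"sector(?: at)? (0x[0-9A-Fa-f]+)")
FIX_RE = re.compile(r'Use: "([^"]+)" to fix')


def parse_mbr(lines):
    """Extract the verdict, the reported sectors and the tool's own fix command
    from mbr.exe output, so the command comes from the tool and is not retyped."""
    result = {"detected": False, "sectors": [], "fix_command": None}
    for line in lines:
        if "MBR rootkit infection detected" in line:
            result["detected"] = True
        m = SECTOR_RE.search(line)
        if m:
            result["sectors"].append(int(m.group(1), 16))
        f = FIX_RE.search(line)
        if f:
            result["fix_command"] = f.group(1)
    return result


def sector_offset_bytes(sector):
    """Byte offset of an LBA sector, handy when imaging the disk for evidence."""
    return sector * SECTOR_BYTES


if __name__ == "__main__":
    for category, detail in triage_dds(DDS_LINES):
        print(f"[{category}] {detail}")
    mbr = parse_mbr(MBR_LINES)
    print(mbr, [hex(sector_offset_bytes(s)) for s in mbr["sectors"]])
```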


#3 Blade


Posted 07 April 2010 - 09:38 PM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.

***************************************************

We'll be assaulting this infection in a different manner than eBay suggested.

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade

In your next reply, please include the following:
ComboFix Log



#4 notb4coffee


Posted 08 April 2010 - 01:27 AM

Hi, Blade! I can't tell you how happy I was to see your reply earlier this evening. Wow, this board is busy! You malware guys really have your work cut out for you.

Nothing has changed with my system since my last post. However, I've noticed that Defogger is no longer enabled. I'm guessing that ComboFix had something to do with it stopping, because the Defogger info box is no longer on my desktop and I'm positive it was still there before I ran ComboFix.
Also, though the instructions in your post didn't mention it, I re-enabled my antivirus and firewall once ComboFix was finished.

Below is the log/text file you requested. (NOTE: I downloaded the executable from LINK 2 in your post. I ran the program but was still prompted to download an available UPDATE, which took a bit longer. Thought you might want to know.)

Thank you!!!
Mary
----------------

ComboFix 10-04-07.01 - BinkzFam 04/08/2010 0:39.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1404 [GMT -5:00]
Running from: c:\documents and settings\admin\Desktop\renamed.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\admin\Local Settings\Temporary Internet Files\CSC2.5U-EN-785-F.sbr.sgn
c:\documents and settings\admin\Local Settings\Temporary Internet Files\CSC2.5U-EN-805-F.sbr.sgn
c:\documents and settings\admin\Local Settings\Temporary Internet Files\CSC2.5U-EN-807-F.sbr.sgn
c:\documents and settings\admin\Local Settings\Temporary Internet Files\CSC2.5U-EN-807-F.sbr.sgn.unsgn
c:\documents and settings\admin\Local Settings\Temporary Internet Files\CSC2.5U-EN-825-F.sbr.sgn.unsgn
c:\documents and settings\admin\Local Settings\Temporary Internet Files\CSC2.5U-EN-832-F.sbr.sgn.unsgn
c:\documents and settings\admin\Local Settings\Temporary Internet Files\CSC2.5U-EN-849-F.sbr.sgn
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\encapi32.dll
c:\windows\system32\Thumbs.db

.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-03-08 to 2010-04-08 )))))))))))))))))))))))))))))))
.

2010-04-08 05:39 . 2006-11-08 19:23 102912 ----a-r- c:\windows\system32\drivers\viamraid_2.sys
2010-04-07 01:00 . 2010-04-07 01:00 -------- d-----w- c:\windows\LastGood
2010-03-29 01:44 . 2010-03-29 01:44 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2010-03-24 01:09 . 2010-03-24 01:48 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-08 03:20 . 2008-05-27 01:14 -------- d-----w- c:\program files\GetRight
2010-04-07 18:10 . 2008-05-12 22:17 -------- d-----w- c:\documents and settings\admin\Application Data\MailWasher
2010-04-07 01:00 . 2008-07-08 09:49 1410730 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-07 00:58 . 2010-02-24 17:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 00:57 . 2008-05-27 00:13 12 ----a-w- c:\windows\bthservsdp.dat
2010-04-07 00:53 . 2010-04-07 00:53 699904 ----a-w- c:\windows\isRS-000.tmp
2010-04-07 00:52 . 2010-02-24 20:46 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 05:46 . 2010-02-24 17:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2010-02-24 17:35 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-24 17:35 . 2010-02-24 17:35 -------- d-----w- c:\documents and settings\admin\Application Data\Malwarebytes
2010-02-24 17:35 . 2010-02-24 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-23 02:19 . 2007-10-22 20:36 -------- d-----w- c:\program files\Bible
2010-01-27 01:49 . 2010-01-27 01:49 503808 ----a-w- c:\documents and settings\admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6ea41697-n\msvcp71.dll
2010-01-27 01:49 . 2010-01-27 01:49 499712 ----a-w- c:\documents and settings\admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6ea41697-n\jmc.dll
2010-01-27 01:49 . 2010-01-27 01:49 348160 ----a-w- c:\documents and settings\admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6ea41697-n\msvcr71.dll
2010-01-27 01:44 . 2010-01-27 01:44 61440 ----a-w- c:\documents and settings\admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4d7813b4-n\decora-sse.dll
2010-01-27 01:44 . 2010-01-27 01:44 12800 ----a-w- c:\documents and settings\admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4d7813b4-n\decora-d3d.dll
2010-01-20 01:51 . 2010-01-20 01:51 423464 ----a-w- c:\documents and settings\admin\Application Data\E-centives\BSTIEPrintCtl1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-05 62976]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-23 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe 7" [X]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-28 2046816]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-05 62976]

c:\documents and settings\admin\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-30 805392]
Outlook Plugin.lnk - c:\program files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe [2009-5-31 888987]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-22 06:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 08:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2007-01-31 18:01 140832 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-01-31 18:03 1862112 ----a-w- c:\program files\Acronis\TrueImageWorkstation\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 07:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-03-04 20:01 88209 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2006-05-03 16:45 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-02-12 21:00 110592 ----a-w- c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
2002-10-15 23:00 1818624 ----a-w- c:\windows\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
2003-05-21 20:35 4608 ----a-w- c:\windows\system32\carpserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2007-08-24 13:00 33648 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 20:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerTweak Menu]
2005-07-05 19:34 828416 ----a-w- c:\windows\system32\mmm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-29 11:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 20:28 577536 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-10-23 01:04 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2007-01-31 17:59 1129232 ----a-w- c:\program files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"odserv"=3 (0x3)
"NBService"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"gusvc"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"ZuneNetworkSvc"=3 (0x3)
"AcrSch2Svc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Acronis\\TrueImageWorkstation\\TrueImage.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3795:TCP"= 3795:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"1515:TCP"= 1515:TCP:Services
"1530:TCP"= 1530:TCP:Services

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/31/2008 11:42 AM 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/31/2008 11:41 AM 297752]
S1 SpyEmrg;Spy Emergency Driver;c:\windows\system32\Drivers\spyemrg.sys --> c:\windows\system32\Drivers\spyemrg.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 10:30 AM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 15:30]

2010-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 15:30]

2010-04-07 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 16:20]

2010-04-01 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 16:20]

2010-04-07 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-03-08 15:46]

2008-03-08 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-03-08 15:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://192.168.30.1/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
.
.
------- File Associations -------
.
inifile=c:\windows\system32\NOTEPAD2.EXE %1
txtfile=c:\windows\system32\NOTEPAD2.EXE %1
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SBCSTray - c:\program files\Sunbelt Software\CounterSpy\SBCSTray.exe
SafeBoot-SBCSSvc



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-08 00:44
Windows 5.1.2600 Service Pack 3, v.3311 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x89896C88]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> 0x89896c88
\Driver\atapi -> atapi.sys @ 0xb9ecf850
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578fa2
ParseProcedure -> ntkrnlpa.exe @ 0x80577c04
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578fa2
ParseProcedure -> ntkrnlpa.exe @ 0x80577c04
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(916)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-04-08 00:46:03
ComboFix-quarantined-files.txt 2010-04-08 05:45

Pre-Run: 44,139,634,688 bytes free
Post-Run: 44,448,292,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XXCLONE: (Cloned Volume) [d:0,p:1] \WINDOWS" /fastdetect /NoExecute=OptIn

- - End Of File - - 8FE2032FDC821C272652150CC4E3E9AE

~Adequately caffeinated for your safety~


#5 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US
  • Local time:06:05 AM

Posted 08 April 2010 - 04:11 PM

Hello Mary.

You've got a pretty nasty bug; it's one of the newer variants of the Sinowal infection. Special thanks to my colleague noahdfear for developing a tool which will help us remove it.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

~Blade


In your next reply, please include the following:
HelpAsst_mebroot_fix Log

Edited by Blade Zephon, 08 April 2010 - 04:13 PM.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#6 notb4coffee

notb4coffee
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Female
  • Location:Gateway to the West
  • Local time:04:05 AM

Posted 08 April 2010 - 08:10 PM

Hi, Blade:
Well, it took 2 attempts to download and successfully run the fix, but it finally worked. Also, my machine shut down successfully for the first time in weeks. I hope that's a good sign.
Here's the log:

C:\Documents and Settings\admin\Desktop\HelpAsst_mebroot_fix.exe
Thu 04/08/2010 at 19:07:54.00

HelpAssistant account was found to be Inactive


~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"3795:TCP"=-
"3389:TCP"=-
"1515:TCP"=-
"1530:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"3795:TCP"=-
"3389:TCP"=-
"1515:TCP"=-
"1530:TCP"=-

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1085031214-854245398-1801674531-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Thu 04/08/2010 at 20:06:28.39

Full Name Remote Desktop Help Assistant Account
Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys videX32.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in List

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

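The HelpAsst log above shows what the tool checked and undid: globally open firewall ports labelled only "Services", the termsrv32.dll swap, the HelpAssistant profile, and the MBR. The following triage script is an added example for this thread, not part of ComboFix, mbr.exe or noahdfear's HelpAsst tool; it reads a ComboFix/HelpAsst-style text report and flags the same indicators. The baseline port set and the sample report are constructed for the example, and the termsrv32.dll ServiceDll value in the sample is an assumed infected-state value that the thread's logs do not show.

```python
import re
# Globally open ports a stock XP box registers itself; assumed baseline for this example.
BASELINE_PORTS = {"67:UDP", "137:UDP", "138:UDP", "139:TCP", "445:TCP"}

PORT_LINE = re.compile(r'^"(\d+:(?:TCP|UDP))"=\s*\d+:(?:TCP|UDP):(.*)$')   # "65533:TCP"= 65533:TCP:Services
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b', re.M)
SERVICEDLL_LINE = re.compile(r'^ServiceDll\s+REG_EXPAND_SZ\s+(\S+)', re.I | re.M)
MBR_WARNING = re.compile(r"MBR rootkit infection detected|possible MBR rootkit infection|malicious code @ sector", re.I)

def sections(report):
    """Group the report into {lower-cased [bracketed header]: [lines that follow it]}."""
    out, current = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            out.setdefault(current, [])
        elif line and current is not None:
            out[current].append(line)
    return out

def rogue_ports(report):
    """(port, label) pairs under any GloballyOpenPorts\\List that are not in the baseline."""
    found = []
    for header, lines in sections(report).items():
        if not header.endswith("globallyopenports\\list"):
            continue
        for line in lines:
            m = PORT_LINE.match(line)
            if m and m.group(1) not in BASELINE_PORTS:
                found.append((m.group(1), m.group(2).strip()))
    return found

def firewall_disabled(report):
    """True when any profile's EnableFirewall value is dumped as 0."""
    return bool(FIREWALL_OFF.search(report))

def termservice_redirected(report):
    """True if the termservice ServiceDll is not termsrv.dll, False if it is, None if absent."""
    m = SERVICEDLL_LINE.search(report)
    if not m:
        return None
    return not m.group(1).lower().endswith("\\termsrv.dll")

def mbr_flagged(report):
    """True when embedded mbr.exe output carries a rootkit warning."""
    return bool(MBR_WARNING.search(report))

def triage(report):
    """Collect the findings a responder would want to see first."""
    findings = [f"non-baseline global firewall exception {p} ({label})"
                for p, label in rogue_ports(report)]
    if firewall_disabled(report):
        findings.append("Windows Firewall is disabled for a profile")
    if termservice_redirected(report):
        findings.append("termservice ServiceDll does not point at termsrv.dll")
    if mbr_flagged(report):
        findings.append("mbr.exe reports MBR rootkit indicators")
    return findings

# Constructed sample in the layout of the thread's logs; the termsrv32.dll
# ServiceDll value is an assumed infected-state value, not taken from the thread.
SAMPLE_REPORT = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"65533:TCP"= 65533:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"1515:TCP"= 1515:TCP:Services
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv32.dll
Warning: possible MBR rootkit infection !
"""
```

Running `triage(SAMPLE_REPORT)` on the constructed sample yields six findings; a clean post-fix report like the status check above yields none.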


#7 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US
  • Local time:06:05 AM

Posted 09 April 2010 - 09:00 PM

Hello Mary.

Excellent. . . things appear to have gone smoothly.

Let's run a comprehensive check for any remaining malware on the machine. Please be aware that this will take some time to run.

Please go to the Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

~Blade


In your next reply, please include the following:
Kaspersky Online Scan



#8 notb4coffee

notb4coffee
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Female
  • Location:Gateway to the West
  • Local time:04:05 AM

Posted 10 April 2010 - 09:59 PM

Blade:
Started downloading the files/updates last night and finished scanning my computer earlier today.
Here's the text file.
Thank you!
Mary

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, April 10, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3, v.3311 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, April 10, 2010 10:25:09
Records in database: 3931058
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan statistics:
Objects scanned: 205762
Threats found: 5
Infected objects found: 6
Suspicious objects found: 0
Scan duration: 04:43:21


File name / Threat / Threats count
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Local Settings\Temporary Internet Files\Content.IE5\SSWKHYLO\oHce85a965V0100f070006Rd239c6e1102T8500fd81201l0409K28603c01317[1].pdf Infected: Exploit.JS.Pdfka.bqo 1
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Local Settings\Temporary Internet Files\Content.IE5\SSWKHYLO\oHce85a965V0100f070006Rd239c6e1102T8500fd81201l0409K28603c01320[1] Infected: Exploit.Win32.DirektShow.a 1
C:\WINDOWS\system32\efg.exe Infected: Trojan.Win32.Genome.lcg 1
G:\PBell\Edrive\My edrive Documents\Computer and Hardware\Downloaded Programs\Desktop Wallpaper\whatchildisthisv2.exe Infected: not-a-virus:AdWare.Win32.Gator.1050 1
G:\PBell\Edrive\Restored Files\WINDOWS\Application Data\Microsoft\Outlook Express\Inbox.dbx Infected: Email-Worm.Win32.Magistr.a 1
G:\RecovMay08\#Root\WINDOWS\Application Data\Identities\{E9C23420-020D-11DA-B8D1-C00999F4DD75}\Microsoft\Outlook Express\Inbox.dbx Infected: Email-Worm.Win32.Magistr.a 1

Selected area has been scanned.



#9 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US
  • Local time:06:05 AM

Posted 11 April 2010 - 06:07 PM

Hello Mary:

Before we continue. . . I'd like to clarify something. On your machine, is the G:\ drive a backup drive only? If this is not the case, what is its purpose? The reason I ask is because you've some infected files on it, but depending on whether they are backups or not will alter how they should be dealt with.

~Blade



#10 notb4coffee

notb4coffee
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Female
  • Location:Gateway to the West
  • Local time:04:05 AM

Posted 11 April 2010 - 06:43 PM

Hi, Blade:
I totally understand why you're asking. I only hope my explanation makes the rest of the clean-up easier instead of more difficult for you!
:-)
The G drive is my second hard drive, taken off my last computer and installed on this one so that I'd have some extra space and still be able to easily access all my old files.
I saw that it had infected files, and it looks like the path to my old Outlook Express files was where it was found.

Just in case it would help, C drive has my OS; D is the DVD Burner, and E is a CD Burner.
Mary



#11 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US
  • Local time:06:05 AM

Posted 12 April 2010 - 10:50 AM

Hello Mary.

Alright, that makes sense.

So would it be okay to just delete those files? Or do you have some old emails that you absolutely cannot live without?

~Blade



#12 notb4coffee

notb4coffee
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Female
  • Location:Gateway to the West
  • Local time:04:05 AM

Posted 12 April 2010 - 11:04 AM

Blade:
I prefer to NOT delete the files, but I will if I have to.....
I'd like to be able to at least go into the Inbox and save a few select emails if possible.
Or maybe it would be okay for me to scan the directory with Kaspersky and just delete the infected one or two items rather than the whole folder?
Mary



#13 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US
  • Local time:06:05 AM

Posted 12 April 2010 - 11:50 AM

QUOTE
Or maybe it would be okay for me to scan the directory with Kaspersky and just delete the infected one or two items rather than the whole folder?


Unfortunately, due to the way Outlook Express stores emails that isn't possible.

Honestly it would just be best to delete those files. . . attempting to recover emails from them could release another infection into the system. . . and there's no real way of telling how dangerous that infection might be. We can try to recover those emails if you really need to, but I'd advise against it. If you wish to delete the files, stop here and let me know, otherwise, read on.

***************************************************

If you do not wish to delete those files, you'll need to first load that old inbox into Outlook Express while keeping it separate from your current inbox. This is done through several steps.

First

Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK

Second, you need to locate your current inbox. From Outlook Express: click Tools>Options. On the Maintenance tab click the button labeled Store Folder. That should give you the location of your current Inbox file.

Next you need to close Outlook Express and navigate to that location using Windows Explorer, and rename your inbox.dbx file to inbox.new.dbx by right clicking the file and choosing rename.

Next you'll need to navigate here G:\PBell\Edrive\Restored Files\WINDOWS\Application Data\Microsoft\Outlook Express and copy the inbox.dbx file there to the location of your current inbox. Now try to start Outlook Express. Hopefully it will start without errors and you'll have access to your old inbox.

Now, delete the emails in your Inbox folder - keep only the emails that are of extreme importance. After you finish deleting the emails, please right click on the Deleted Items folder and click Empty 'Deleted Items' Folder.

At this point I would also recommend printing off hard copies of each of the emails you choose to keep; if our attempt at disinfecting the folder fails we will have no choice but to delete it.

Now, we need to Compact all your remaining Emails. Compacting makes the size of the folders smaller by compacting the files contained within them. All the Emails are still readable and still intact just smaller.

To do this click from the top toolbar File / Folder / Compact All Folders

Finally, we need to restore your current Inbox. Close Outlook Express, then use Windows Explorer to navigate to the location of your current Inbox. Rename inbox.dbx to inbox.old.dbx then rename inbox.new.dbx to inbox.dbx.

Try starting Outlook Express again, and hopefully you should see your current Inbox.

Finally, run another Kaspersky Scan, just as directed above. However, you only need to scan the C:\ drive this time.

Let me know how that goes.

~Blade

In your next reply, please include the following:
Kaspersky Online Scan Log

Edited by Blade Zephon, 12 April 2010 - 11:52 AM.



#14 notb4coffee

notb4coffee
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Female
  • Location:Gateway to the West
  • Local time:04:05 AM

Posted 12 April 2010 - 12:36 PM

Blade:
Outlook Express is not my current email client.
I've been using Outlook 2007 for the past few years.
I only use OE when I need to access those old emails. It's not very often, but I'm always glad I have them saved when I need to refer to them.

I'll go ahead and just save the most important ones, compact the folders, run the scan and (hopefully) post the results later tonight.
Unfortunately the rest of my day is already filled with other obligations so I won't have any more time to spend on this until after 7 P.M. CST.

Thank you again!
I'm so grateful you've been able to help me with this, and that you've been patient with me too. Sorry if I've made you crazy with this old email stuff.

I'll post again as soon as I'm finished with the scan and patiently await your reply.
Hope the rest of your day is great!
Mary






#15 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US
  • Local time:06:05 AM

Posted 12 April 2010 - 06:23 PM

Okay. . . take your time

~Blade


