
Redirect Virus / ave.exe / XP Antimalware 2010 Virus


  • This topic is locked
38 replies to this topic

#1 Spey

Posted 04 May 2010 - 04:32 PM

Redirect Virus is the current problem.

A couple of days ago problems began with the XP Antimalware Virus. Was able to resolve this problem by renaming Malwarebytes.exe and running Malwarebytes.
AVE.exe problem after that (resolved also I believe, through various steps).
Redirect Virus remains; redirecting internet searches (I think this may actually be where the problem began …). I have run various programs (w/ updated definitions) attempting to rid the Redirect Virus (Malwarebytes, AVG 8.5, HitmanPro 3.5, CCleaner - all report back a clean system).

Computer O/S: XP/Pro/TabletPCEdition/SP-3
Browser: IE-7.x, Google Chrome, FireFox
Virus Scanner: AVG 8.5
Firewall: On
CD Emulation Software: Disabled via DeFogger


DDS.txt below:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris at 13:43:39.66 on Mon 05/03/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2031.1285 [GMT -7:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\Chris\Desktop\Redirect Virus\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [TPSMain] TPSMain.exe
mRun: [Snippet] "c:\program files\microsoft experience pack\snipping tool\SnippingTool.exe" /i
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [CrossMenu] c:\program files\toshiba\crossmenu\CrossMenu.exe
mRun: [ThpSrv] c:\windows\system32\thpsrv /logon
mRun: [TAcelMgr] c:\program files\toshiba\acceleration utilities\tacelmgr\TAcelMgr.exe
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [TFNF5] TFNF5.exe
mRun: [TosRotation] "c:\program files\toshiba\toshiba rotation utility\TRot.exe"
mRun: [TSkrMain] c:\program files\toshiba\acceleration utilities\shaker\TSkrMain.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
uPolicies-explorer: NoStrCmpLogical = 00000000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: microsoft.com\office
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0BCADE60-1E93-11D8-ABDA-0004759647B3} - hxxp://www.bxwa.com/fastbid/fastbidx1.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {32322460-3E7D-11D7-ABD8-0001029A9BA6} - hxxp://www.bxwa.com/fastbid/fastbidx2.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/48.13/uploader2.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231735756068
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231735741667
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/AbacastClient2.1.20.2.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 192.168.0.103 HP000D9D129060

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\e9j1cugk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-1-31 12552]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2004-12-28 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2005-1-7 6528]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-31 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-31 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-31 108552]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2005-1-26 5888]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-31 297752]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-4-27 304464]
R2 Tmesbs;Tmesbs32;c:\program files\toshiba\tme3\tmesbs32.exe [2005-1-26 86016]
R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2005-1-26 126976]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-8-30 20952]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;c:\windows\system32\drivers\TBtnKey.sys [2005-1-7 8832]
R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2005-1-7 14208]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-27 135664]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;c:\windows\system32\drivers\NSDriver.sys [2008-4-29 15648]
S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2005-1-21 409984]
S3 TMicAry;Toshiba Audio Effect with MicArray;c:\windows\system32\drivers\TMicAry.sys [2005-1-21 138240]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2004-3-3 666624]

=============== Created Last 30 ================

2010-05-03 20:40:44 0 ----a-w- c:\documents and settings\chris\defogger_reenable
2010-05-03 20:16:16 711168 ----a-w- c:\windows\isRS-000.tmp
2010-05-03 19:19:43 0 d-sha-r- C:\cmdcons
2010-05-03 19:15:54 98816 ----a-w- c:\windows\sed.exe
2010-05-03 19:15:54 77312 ----a-w- c:\windows\MBR.exe
2010-05-03 19:15:54 256512 ----a-w- c:\windows\PEV.exe
2010-05-03 19:15:54 161792 ----a-w- c:\windows\SWREG.exe
2010-05-03 18:42:03 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-05-03 18:29:40 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-03 18:29:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-05-03 18:29:22 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-28 21:10:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-28 21:10:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-27 19:40:47 54156 ---ha-w- c:\windows\QTFont.qfn
2010-04-27 19:40:47 1409 ----a-w- c:\windows\QTFont.for

==================== Find3M ====================

2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-17 16:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-03 16:45:42 79379 ----a-w- c:\windows\hpfins05.dat
1996-12-15 17:07:00 27 -csh--w- c:\windows\system\_NSI_.DAT
2008-12-19 01:53:20 1004 --sha-w- c:\windows\system32\sys_drv.dat

============= FINISH: 13:45:50.14 ===============

Edited by Spey, 05 May 2010 - 09:39 AM.



#2 syler
  • Malware Response Team

Posted 06 May 2010 - 05:52 PM

Hello and Welcome to BleepingComputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since
resolved your issues I would appreciate it if you would let me know so I can close this topic.


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    drivers32
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Thanks



#3 Spey
  • Topic Starter

Posted 06 May 2010 - 09:56 PM

Syler,
Thank you for your reply.
Requested reports attached.


#4 syler
  • Malware Response Team

Posted 07 May 2010 - 08:59 AM

Hi Spey,

When replying with the log, please copy and paste them into the thread instead of attaching them, thanks.

  • Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
  • Close out all other open programs and windows.
  • Double click the file to run it and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  • Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.
helpasst -mbrt
  • Make sure you leave a space between helpasst and -mbrt !
  • When it completes, a log called HelpAsst.log will open, Please post the contents of that log.



#5 Spey
  • Topic Starter

Posted 07 May 2010 - 01:14 PM

AVG Resident Shield was disabled prior to running HelpAsst -mbrt
1st run of tool did not appear to detect mbr infection (did not give option to run mbr -f)
Here's the HelpAsst.log from after the reboot:


C:\Documents and Settings\Chris\Desktop\Redirect Virus\HelpAsst_mebroot_fix.exe
Fri 05/07/2010 at 10:46:47.04

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Fri 05/07/2010 at 11:04:48.21

Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: TUKERNEL.EXE CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AB11E18]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

S-1-5-21-1059290884-3304166017-1552487277-1004
%SystemDrive%\Documents and Settings\HelpAssistant.CHRIS-TOSHIBA

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.CHRIS-TOSHIBA

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"8909:TCP"=8909:TCP:*:Enabled:Services
"8910:TCP"=8910:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"8909:TCP"=8909:TCP:*:Enabled:Services
"8910:TCP"=8910:TCP:*:Enabled:Services


~~ EOF ~~

Edited by Spey, 07 May 2010 - 01:15 PM.
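The status check syler reads off the HelpAsst.log above (HelpAssistant account state and Administrators membership, termsrv32.dll, MBR compare, stray HelpAssistant profile directories, GloballyOpenPorts entries) can be pulled out of such a log mechanically. The Python below is an added example, not a tool from this thread or from BleepingComputer; the embedded log, its SID and the computer name are constructed placeholders modelled on the format posted above.

```python
"""Parse a HelpAsst.log status check and flag HelpAssistant-abuse indicators."""
import re

# Constructed sample modelled on the log format posted in this thread;
# the SID and computer name are placeholders, not values from a real machine.
SAMPLE_LOG = """\
Status check on Fri 05/07/2010 at 11:04:48.21
Account active Yes
Local Group Memberships *Administrators
~~ Checking mbr ~~
user & kernel MBR OK
~~ Checking for termsrv32.dll ~~
termsrv32.dll not found
~~ Checking profile list ~~
S-1-5-21-1111111111-2222222222-3333333333-1004
%SystemDrive%\\Documents and Settings\\HelpAssistant.EXAMPLE-PC
~~ Checking for HelpAssistant directories ~~
HelpAssistant
HelpAssistant.EXAMPLE-PC
~~ Checking firewall ports ~~
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\domainprofile\\GloballyOpenPorts\\List]
"8909:TCP"=8909:TCP:*:Enabled:Services
"65533:TCP"=65533:TCP:*:Enabled:Services
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"8909:TCP"=8909:TCP:*:Enabled:Services
"65533:TCP"=65533:TCP:*:Enabled:Services
~~ EOF ~~
"""

SECTION_RE = re.compile(r"^~~ (.+?) ~~$")
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\d+:(?:TCP|UDP):\*:Enabled', re.I)


def parse_helpasst_log(text):
    """Return the fields a helper reads from the status-check section."""
    report = {
        "account_active": None,     # True/False, None if the line is absent
        "admin_member": False,      # HelpAssistant listed in *Administrators
        "termsrv32_present": None,  # True if the tool reported the DLL present
        "mbr_ok": None,             # result of the user & kernel MBR compare
        "profile_dirs": [],         # names under "Checking for HelpAssistant directories"
        "open_ports": {},           # firewall profile -> ["port/PROTO", ...]
    }
    section = None
    profile = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if line.startswith("Account active"):
            report["account_active"] = line.split()[-1].lower() == "yes"
        elif line.startswith("Local Group Memberships"):
            report["admin_member"] = "*Administrators" in line
        elif line.startswith("termsrv32.dll"):
            report["termsrv32_present"] = "present" in line.lower()
        elif line.startswith("user & kernel MBR"):
            report["mbr_ok"] = line.endswith("OK")
        elif section == "checking for helpassistant directories":
            report["profile_dirs"].append(line)
        elif section == "checking firewall ports":
            if line.startswith("[") and line.endswith("]"):
                # the firewall profile is the path component before GloballyOpenPorts
                profile = line.strip("[]").split("\\")[-3].lower()
                report["open_ports"].setdefault(profile, [])
            else:
                pm = PORT_RE.match(line)
                if pm and profile is not None:
                    report["open_ports"][profile].append(
                        f"{pm.group(1)}/{pm.group(2).upper()}")
    return report


def findings(report):
    """Turn parsed fields into the indicators a helper would act on."""
    out = []
    if report["account_active"]:
        out.append("HelpAssistant account is active (expected: inactive)")
    if report["admin_member"]:
        out.append("HelpAssistant is a member of Administrators")
    if report["termsrv32_present"]:
        out.append("termsrv32.dll present in System32")
    if report["mbr_ok"] is False:
        out.append("user and kernel MBR reads disagree")
    extra = [d for d in report["profile_dirs"] if d.lower() != "helpassistant"]
    if extra:
        out.append("extra HelpAssistant profile directories: " + ", ".join(extra))
    for profile, ports in report["open_ports"].items():
        if ports:
            out.append(f"{profile}: globally open inbound ports {', '.join(ports)}")
    return out


if __name__ == "__main__":
    print("\n".join(findings(parse_helpasst_log(SAMPLE_LOG))))
```

Run it against a saved HelpAsst.log by passing the file's text to parse_helpasst_log; a clean log (account inactive, no Administrators membership, no open ports) yields an empty findings list.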


#6 syler
  • Malware Response Team

Posted 07 May 2010 - 06:45 PM

Can you tell me if you have any other partitions on your drive, including recovery partitions?

  • Go to Start >> Run, and type Notepad into the run box, then click Ok.
  • Copy and paste the following code into Notepad. (Do not include the word "CODE")
CODE
net user HelpAssistant /active:no
net localgroup Administrators HelpAssistant /delete
net user HelpAssistant>log.txt&START log.txt
  • Click on the File tab, and select Save.
  • In the box that opens type help.bat for the File name.
  • Change the Save as type to All Files, then save it to your Desktop. (It should look like this )
  • Double click help.bat, a box will pop up briefly on your screen and disappear, this is normal.
  • It will produce a file on your desktop called log.txt, please copy and paste this in your next reply.



Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



Once you have done those steps, please run HelpAsst_mebroot_fix.exe again.

Then please post back here with the following logs:
  • log.txt
  • Combofix.txt
  • HelpAsst.log

Thanks



#7 Spey
  • Topic Starter

Posted 10 May 2010 - 05:19 PM

One partition.

Below is the log.txt

User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Comment Account for Providing Remote Assistance
User's comment
Country code 000 (System Default)
Account active No
Account expires Never

Password last set 5/10/2010 1:13 PM
Password expires Never
Password changeable 5/10/2010 1:13 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/10/2010 1:13 PM

Logon hours allowed All

Local Group Memberships
Global Group memberships *None
The command completed successfully.


Below is the Combofix.txt

ComboFix 10-05-07.05 - Chris 05/10/2010 14:41:36.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2031.1489 [GMT -7:00]
Running from: c:\documents and settings\Chris\Desktop\Redirect Virus\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Chris\g2mdlhlpx.exe
c:\documents and settings\HelpAssistant.CHRIS-TOSHIBA\g2mdlhlpx.exe
c:\documents and settings\HelpAssistant\g2mdlhlpx.exe

.
((((((((((((((((((((((((( Files Created from 2010-04-10 to 2010-05-10 )))))))))))))))))))))))))))))))
.

2010-05-07 19:00 . 2010-05-08 01:33 -------- d-----w- c:\documents and settings\HelpAssistant.CHRIS-TOSHIBA\UserData
2010-05-07 18:12 . 2010-05-07 18:12 -------- d-----w- c:\documents and settings\HelpAssistant.CHRIS-TOSHIBA\Contacts
2010-05-07 16:58 . 2010-05-07 16:58 -------- d-----w- C:\HelpAsst_backup
2010-05-05 19:06 . 2010-05-05 19:07 -------- d-----w- c:\program files\Apoint2K
2010-05-05 19:06 . 2004-05-09 03:38 101833 ----a-w- c:\windows\system32\drivers\Apfiltr.sys
2010-05-05 19:06 . 2003-08-30 01:37 87865 ----a-w- c:\windows\system32\Vxdif.dll
2010-05-03 18:42 . 2010-05-03 18:42 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-05-03 18:29 . 2010-05-03 18:45 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-03 18:29 . 2010-05-03 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-03 18:29 . 2010-05-03 18:29 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-28 23:15 . 2010-04-28 23:15 -------- d-----w- c:\program files\Common Files\Java
2010-04-28 21:10 . 2010-04-28 21:09 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-28 21:09 . 2010-04-28 21:09 -------- d-----w- c:\program files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-10 20:11 . 2008-05-26 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-06 21:12 . 2006-09-29 05:43 -------- d-----w- c:\program files\CCleaner
2010-05-05 19:06 . 2005-01-07 21:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-03 20:19 . 2009-08-30 20:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-03 20:15 . 2009-10-08 21:02 6153352 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-05-02 06:46 . 2010-02-17 06:27 0 ----a-w- c:\documents and settings\HelpAssistant\ntuser.tmp
2010-05-01 02:41 . 2008-07-09 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Corporation
2010-05-01 02:39 . 2005-08-18 18:23 -------- d-----w- c:\program files\Yahoo!
2010-04-29 22:39 . 2009-08-30 20:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-08-30 20:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 18:40 . 2010-04-29 18:40 61440 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-625ea053-n\decora-sse.dll
2010-04-29 18:40 . 2010-04-29 18:40 503808 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1bae3867-n\msvcp71.dll
2010-04-29 18:40 . 2010-04-29 18:40 499712 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1bae3867-n\jmc.dll
2010-04-29 18:40 . 2010-04-29 18:40 12800 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-625ea053-n\decora-d3d.dll
2010-04-29 18:40 . 2010-04-29 18:40 348160 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1bae3867-n\msvcr71.dll
2010-04-27 04:57 . 2009-12-25 11:05 -------- d-----w- c:\documents and settings\Chris\Application Data\vlc
2010-04-08 02:25 . 2005-01-26 23:09 -------- d-----w- c:\program files\Google
2010-04-02 09:01 . 2010-04-02 04:20 -------- d-----w- c:\program files\Flickr Uploadr
2010-04-02 04:21 . 2010-04-02 04:21 -------- d-----w- c:\documents and settings\Chris\Application Data\Flickr
2010-03-25 05:38 . 2006-09-01 08:57 -------- d-----w- c:\documents and settings\Chris\Application Data\GARMIN
2010-03-25 05:38 . 2010-03-25 05:38 -------- d-----w- c:\documents and settings\All Users\Application Data\GARMIN
2010-03-25 05:38 . 2010-03-25 05:36 -------- d-----w- c:\program files\Garmin
2010-03-25 05:36 . 2010-03-25 05:36 -------- d-----w- c:\program files\DIFX
2010-03-24 18:44 . 2010-03-24 18:43 -------- d-----w- c:\program files\NW_Topos
2010-03-23 05:04 . 2010-03-23 05:04 -------- d-----w- c:\program files\AMR Player
2010-03-19 07:33 . 2010-03-19 07:33 -------- d-----w- c:\program files\NaviComputer
2010-03-18 19:53 . 2006-06-06 01:50 -------- d-----w- c:\documents and settings\Chris\Application Data\toshiba
2010-03-15 21:25 . 2010-03-15 21:25 -------- d-----w- c:\documents and settings\Chris\Application Data\HandBrake
2010-03-15 21:24 . 2010-03-15 21:24 -------- d-----w- c:\program files\Handbrake
2010-03-11 12:38 . 2005-01-07 18:03 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2005-01-07 18:03 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2005-01-07 18:02 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2005-01-07 18:03 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2005-01-07 18:03 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 16:10 . 2005-01-07 18:03 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2005-01-07 18:02 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2005-01-07 18:03 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
1996-12-15 17:07 . 2007-03-03 00:24 27 -csh--w- c:\windows\system\_NSI_.DAT
2008-12-19 01:53 . 2008-12-11 02:14 1004 --sha-w- c:\windows\system32\sys_drv.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-05-03_19.52.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-10 21:39 . 2010-05-10 21:39 16384 c:\windows\Temp\Perflib_Perfdata_e50.dat
+ 2010-05-10 21:39 . 2010-05-10 21:39 16384 c:\windows\Temp\Perflib_Perfdata_300.dat
+ 2010-05-05 19:06 . 2008-04-13 18:39 23040 c:\windows\system32\ReinstallBackups\0045\DriverFiles\i386\mouclass.sys
+ 2010-05-05 19:06 . 2008-04-13 19:18 52480 c:\windows\system32\ReinstallBackups\0045\DriverFiles\i386\i8042prt.sys
+ 2004-08-03 22:58 . 2008-04-13 18:39 23040 c:\windows\system32\drivers\mouclass.sys
- 2004-08-03 22:58 . 2008-04-13 18:39 23040 c:\windows\system32\drivers\mouclass.sys
+ 2004-08-03 22:58 . 2008-04-13 18:39 23040 c:\windows\system32\dllcache\mouclass.sys
+ 2004-08-03 23:14 . 2008-04-13 19:18 52480 c:\windows\system32\dllcache\i8042prt.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"000StTHK"="000StTHK.exe" [2001-06-24 24576]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 88361]
"TPSMain"="TPSMain.exe" [2004-12-28 270336]
"Snippet"="c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-25 68296]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-04-14 2046816]
"CrossMenu"="c:\program files\Toshiba\CrossMenu\CrossMenu.exe" [2005-01-07 798720]
"TAcelMgr"="c:\program files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe" [2004-12-16 90112]
"TPSODDCtl"="TPSODDCtl.exe" [2004-12-28 110592]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2004-08-11 258048]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 126976]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-25 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-25 126976]
"TFNF5"="TFNF5.exe" [2004-06-28 73728]
"TosRotation"="c:\program files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe" [2004-12-14 266240]
"TSkrMain"="c:\program files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe" [2004-07-01 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-03-16 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-1-7 155648]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 00000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-30 15:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 00:11 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 11:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 00:12 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TabletWizard]
2008-04-14 00:12 16384 ----a-w- c:\windows\Help\splshwrp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe"
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"igfxtray"=c:\windows\system32\igfxtray.exe
"igfxpers"=c:\windows\system32\igfxpers.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"TMESRV.EXE"=c:\program files\TOSHIBA\TME3\TMESRV31.EXE /Logon
"TMERzCtl.EXE"=c:\program files\TOSHIBA\TME3\TMERzCtl.EXE /Service
"TMESBS.EXE"=c:\program files\TOSHIBA\TME3\TMESBS32.EXE /Client
"Pinger"=c:\toshiba\IVP\ISM\pinger.exe /run
"SmoothView"=c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
"dla"=c:\windows\system32\dla\tfswctrl.exe
"SoundMAX"=c:\program files\Analog Devices\SoundMAX\Smax4.exe /tray
"TSkrMain"=c:\program files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
"Tvs"=c:\program files\Toshiba\Tvs\TvsTray.exe
"TAudEffect"=c:\program files\TOSHIBA\TAudEffect\TAudEff.exe /run
"NDSTray.exe"=NDSTray.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"igfxhkcmd"=c:\windows\system32\hkcmd.exe
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"TFncKy"=TFncKy.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\Need For Speed - Porsche Unleashed\\PORSCHE.ICD"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"<NO NAME>"=
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"8909:TCP"= 8909:TCP:Services
"8910:TCP"= 8910:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"6005:TCP"= 6005:TCP:Services
"6006:TCP"= 6006:TCP:Services
"2260:TCP"= 2260:TCP:Services
"3020:TCP"= 3020:TCP:Services

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/31/2009 12:55 PM 12552]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [12/28/2004 12:31 AM 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [1/7/2005 3:25 PM 6528]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/31/2009 12:55 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/31/2009 12:55 PM 108552]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [1/26/2005 4:06 PM 5888]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/31/2009 12:54 PM 297752]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/27/2010 2:57 PM 304464]
R2 Tmesbs;Tmesbs32;c:\program files\Toshiba\TME3\tmesbs32.exe [1/26/2005 4:06 PM 86016]
R2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [1/26/2005 4:06 PM 126976]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/30/2009 1:58 PM 20952]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;c:\windows\system32\drivers\TBtnKey.sys [1/7/2005 2:47 PM 8832]
R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [1/7/2005 5:30 AM 14208]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/27/2009 7:06 PM 135664]
S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [1/21/2005 12:18 PM 409984]
S3 TMicAry;Toshiba Audio Effect with MicArray;c:\windows\system32\drivers\TMicAry.sys [1/21/2005 12:18 PM 138240]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [3/3/2004 4:27 PM 666624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-05-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-31 13:41]

2010-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-28 02:05]

2010-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-28 02:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: microsoft.com\office
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\e9j1cugk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-10 14:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: TUKERNEL.EXE catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AB034D0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf765bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf7482852
IoDeviceObjectType -> DeleteProcedure -> TUKERNEL.EXE @ 0x805a05a8
ParseProcedure -> TUKERNEL.EXE @ 0x8056c1d6
\Device\Harddisk0\DR0 -> DeleteProcedure -> TUKERNEL.EXE @ 0x805a05a8
ParseProcedure -> TUKERNEL.EXE @ 0x8056c1d6
NDIS: Intel® PRO/Wireless 2200BG Network Connection -> SendCompleteHandler -> 0x89b478f0
PacketIndicateHandler -> NDIS.sys @ 0xf7847a0d
SendHandler -> NDIS.sys @ 0xf785bb40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1348)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2010-05-10 14:59:46
ComboFix-quarantined-files.txt 2010-05-10 21:59
ComboFix2.txt 2010-05-05 17:40
ComboFix3.txt 2010-05-03 19:55

Pre-Run: 674,897,920 bytes free
Post-Run: 625,213,440 bytes free

- - End Of File - - 00E3D083C7E1DDD197A4606A5AFBEABB


Below is the HelpAsst.log

C:\Documents and Settings\Chris\Desktop\Redirect Virus\HelpAsst_mebroot_fix.exe
Tue 05/11/2010 at 8:23:53.36

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Tue 05/11/2010 at 8:38:43.56

Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: TUKERNEL.EXE CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AA1CBE8]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

S-1-5-21-1059290884-3304166017-1552487277-1004
%SystemDrive%\Documents and Settings\HelpAssistant.CHRIS-TOSHIBA.000

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.CHRIS-TOSHIBA
HelpAssistant.CHRIS-TOSHIBA.000

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"9477:TCP"=9477:TCP:*:Enabled:Services
"9478:TCP"=9478:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"9477:TCP"=9477:TCP:*:Enabled:Services
"9478:TCP"=9478:TCP:*:Enabled:Services


~~ EOF ~~

Edited by Spey, 11 May 2010 - 10:46 AM.


#8 syler
  • Malware Response Team
  • Location:Warrington, UK

Posted 11 May 2010 - 09:43 AM

You have posted log.txt twice; can you post the new HelpAsst.log, please?



#9 Spey
  • Topic Starter

Posted 11 May 2010 - 10:51 AM

My apologies; I have corrected post #7 (the earlier post) amending the HelpAsst.log portion.

Edited by Spey, 11 May 2010 - 10:53 AM.


#10 syler
  • Malware Response Team
  • Location:Warrington, UK

Posted 11 May 2010 - 06:05 PM

No problem. It looks like HelpAsst is not detecting the mbr infection; please run it again with the following steps.


Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).



#11 Spey
  • Topic Starter

Posted 12 May 2010 - 12:15 PM

2 Questions:
I keep getting error messages “you are running very low on disk space on SQ003916(C:)”. So I free up over 1GB of HD space on C:Drive, then the empty space is consumed again. Each time I run one of these processes, is System Restore re-consuming the available HD space? If so, is there a way to remove the various Restore Points that have been created since we started this process to free up space on HD, while leaving earlier Restore Points?

Last set of procedures completed:
Ran helpasst -mbrt from Start>Run
Tool did not report detection of mbr
Restart (with 5+ min wait)
Ran helpasst -mbrt from Start>Run
Tool did not report detection of mbr
Start>Run>mbr -f command
Start>Run>mbr -f command a second time
Shut down the computer, wait few minutes
Start computer; wait 5+ minutes (for CPU usage to stabilize)
Start>Run> helpasst -mbrt
Below post log contents HelpAsst.log

C:\Documents and Settings\Chris\Desktop\Redirect Virus\HelpAsst_mebroot_fix.exe
Tue 05/11/2010 at 18:17:27.19

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Wed 05/12/2010 at 9:14:26.34

Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: TUKERNEL.EXE CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A878C38]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking profile list ~~

S-1-5-21-1059290884-3304166017-1552487277-1004
%SystemDrive%\Documents and Settings\HelpAssistant.CHRIS-TOSHIBA.001

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.CHRIS-TOSHIBA
HelpAssistant.CHRIS-TOSHIBA.000
HelpAssistant.CHRIS-TOSHIBA.001

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3311:TCP"=3311:TCP:*:Enabled:Services
"5122:TCP"=5122:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3311:TCP"=3311:TCP:*:Enabled:Services
"5122:TCP"=5122:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Wed 05/12/2010 at 9:38:49.01

Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: TUKERNEL.EXE CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AA04B48]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking profile list ~~

S-1-5-21-1059290884-3304166017-1552487277-1004
%SystemDrive%\Documents and Settings\HelpAssistant.CHRIS-TOSHIBA.001

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.CHRIS-TOSHIBA
HelpAssistant.CHRIS-TOSHIBA.000
HelpAssistant.CHRIS-TOSHIBA.001

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3311:TCP"=3311:TCP:*:Enabled:Services
"5122:TCP"=5122:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3311:TCP"=3311:TCP:*:Enabled:Services
"5122:TCP"=5122:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


~~ EOF ~~




#12 syler
  • Malware Response Team
  • Location:Warrington, UK

Posted 12 May 2010 - 08:12 PM

This infection creates a new folder every time we try and kill it; this can sometimes take up some space, so we will remove them. As for the system restore, it could be taking a bit of space, but if we wanted to remove them we would have to clean them all out, and we don't want to do that yet.


Go to Start>>Run and type helpasst -cleanup


Reboot your computer

On the black screen with the startup menu select Microsoft Windows Recovery Console.

When the recovery console has started there is a menu where you're asked to select which Windows installation you want to log in to; usually there is only one:

1. C:\WINDOWS

select the number and press Enter

If it asks you to type the administrator password, do so, then press Enter.

It should then come up with C:\WINDOWS>

Now type in the following line, then press Enter.

fixmbr

You will get a warning about running fixmbr, type y then press Enter.

Then type EXIT and press Enter to reboot the machine.




Once you have rebooted, go to start then run and enter the following line.

"%userprofile%\desktop\Redirect Virus\HelpAsst_mebroot_fix.exe" -mbrt

Then please post the log it produces.



#13 Spey
  • Topic Starter

Posted 13 May 2010 - 01:43 AM


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Wed 05/12/2010 at 23:41:36.55

Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: TUKERNEL.EXE CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking profile list ~~

S-1-5-21-1059290884-3304166017-1552487277-1004
%SystemDrive%\Documents and Settings\HelpAssistant.CHRIS-TOSHIBA.001

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.CHRIS-TOSHIBA
HelpAssistant.CHRIS-TOSHIBA.000
HelpAssistant.CHRIS-TOSHIBA.001

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3311:TCP"=3311:TCP:*:Enabled:Services
"5122:TCP"=5122:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"7092:TCP"=7092:TCP:*:Enabled:Services
"4296:TCP"=4296:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3311:TCP"=3311:TCP:*:Enabled:Services
"5122:TCP"=5122:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"7092:TCP"=7092:TCP:*:Enabled:Services
"4296:TCP"=4296:TCP:*:Enabled:Services


~~ EOF ~~
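
The HelpAsst logs posted above and in post #11 report the same indicators on every run: the MBR check, termsrv32.dll and the TermService ServiceDll, HelpAssistant profile directories, and the GloballyOpenPorts lists. As an added example (not part of the thread or of the HelpAsst tool), this Python script parses a log in that format into one record per "Status check" block, lists what each block flags, and diffs the open ports between two runs, which is the comparison being made across the logs here; the sample log is constructed from the thread's own log lines, and all function and field names are the example's own.

```python
# Triage a HelpAsst_mebroot_fix log (added example, not the tool's own code).
import re

# Constructed sample modelled on this thread's logs; blank lines and the
# "~~ Checking ... ~~" headings are omitted since the parser keys on data lines.
SAMPLE_LOG = r"""
Status check on Tue 05/11/2010 at 8:38:43.56
called modules: TUKERNEL.EXE CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AA1CBE8]<<
user & kernel MBR OK
termsrv32.dll not found
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll
HelpAssistant
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"9477:TCP"=9477:TCP:*:Enabled:Services
Status check on Wed 05/12/2010 at 23:41:36.55
user & kernel MBR OK
malicious code @ sector 0x0950E4C4 !
termsrv32.dll present!
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll
HelpAssistant
HelpAssistant.CHRIS-TOSHIBA.001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"3311:TCP"=3311:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"""

STATUS_RE = re.compile(r"^Status check on (.+)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
SECTOR_RE = re.compile(r"malicious code @ sector (0x[0-9A-Fa-f]+)")
PROFILE_RE = re.compile(r"firewallpolicy\\(\w+)\\GloballyOpenPorts", re.I)
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=.*:Enabled:(.+)$')
DIR_RE = re.compile(r"^HelpAssistant(?:\.[\w.-]+)?$")

def parse_status_checks(text):
    """Return one dict per "Status check" block, in log order."""
    checks, cur, profile = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = STATUS_RE.match(line)
        if m:  # a new block starts; text before the first block is skipped
            cur = {"time": m.group(1), "mbr_ok": False, "unknown_module": None,
                   "malicious_sector": None, "termsrv32_present": False,
                   "service_dll": None, "helpassistant_dirs": [], "open_ports": {}}
            checks.append(cur)
            profile = None
        elif cur is None or not line:
            continue
        elif line == "user & kernel MBR OK":
            cur["mbr_ok"] = True
        elif UNKNOWN_RE.search(line):
            cur["unknown_module"] = UNKNOWN_RE.search(line).group(1)
        elif SECTOR_RE.search(line):
            cur["malicious_sector"] = SECTOR_RE.search(line).group(1)
        elif line == "termsrv32.dll present!":
            cur["termsrv32_present"] = True
        elif line.startswith("ServiceDll "):
            cur["service_dll"] = line.split()[-1]
        elif DIR_RE.match(line):
            cur["helpassistant_dirs"].append(line)
        elif PROFILE_RE.search(line):
            profile = PROFILE_RE.search(line).group(1).lower()
            cur["open_ports"].setdefault(profile, [])
        elif profile and PORT_RE.match(line):
            port, proto, name = PORT_RE.match(line).groups()
            cur["open_ports"][profile].append((int(port), proto, name))
    return checks

def triage(check):
    """Findings for one block; "MBR OK" can coexist with a reported malicious sector."""
    found = []
    if check["malicious_sector"]:
        found.append("malicious code reported at sector " + check["malicious_sector"])
    if check["unknown_module"]:
        found.append("unknown module %s in the disk call chain" % check["unknown_module"])
    if check["termsrv32_present"]:
        found.append("termsrv32.dll present, ServiceDll = %s" % check["service_dll"])
    if check["helpassistant_dirs"]:
        found.append("HelpAssistant profile dirs: " + ", ".join(check["helpassistant_dirs"]))
    for prof, ports in check["open_ports"].items():
        generic = sorted(p for p, _, name in ports if name == "Services")
        if generic:
            found.append("%s: globally open ports labelled only 'Services': %s" % (prof, generic))
    return found

def ports_added(prev, cur):
    """Globally open ports in `cur` that `prev` did not have (compare consecutive runs)."""
    def flat(c):
        return {(prof, port, proto) for prof, ports in c["open_ports"].items()
                for port, proto, _ in ports}
    return sorted(flat(cur) - flat(prev))
```

Running `parse_status_checks` over a real HelpAsst log and diffing consecutive blocks with `ports_added` shows whether the port list keeps changing between runs, as it does in the logs posted in this thread.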


#14 Spey
  • Topic Starter

Posted 13 May 2010 - 10:30 AM

Status Update since last set of instructions and log posting.

RE: I keep getting error messages “you are running very low on disk space on SQ003916(C:)”.
Over 2GB free disk space consumed again.

Yesterday I moved a little over 2GB of files to ext-HD to free up some more space and confirmed the space was available (to provide working space for your instructions). Then I ran your last set of instructions. fixmbr ran through a cleanup procedure which freed up a little under 1GB of space for a little over 3GB free disk space as of yesterday evening. This morning (after no downloads or additions to HD) low disk space error messages again with only 235MB free disk space as of this morning.

I just ran CCleaner>Cleaner to clean up various cache, etc. After running Cleaner 321MB free disk space.
Interestingly, CCleaner revealed clean-up of software files for software that I had removed some time ago (specifically related to AVG 8.0 – I have been running AVG 8.5 for some time now). Cleaner details of files deleted = Utilities – AVG AntiVirus 8.0 65,989kb 20 files.

A few improvements as follows:
In casual internet browsing IE is:
Loading pages much faster
Experiencing much less redirects (no redirect issues as of this morning)
CPU Usage Idle (as reported by Windows Task Manager):
Now bounces 0% - 7%
Previously 3% - 11%

Anything we can do to reduce the continued consumption of free disk space would be greatly appreciated.
Anything we can do to get some/all of it back would be great.

Requested log is in previous post above.

Thanks for your help and patience

Edited by Spey, 13 May 2010 - 11:10 AM.


#15 syler
  • Malware Response Team
  • Location:Warrington, UK

Posted 13 May 2010 - 02:02 PM

Hi Spey,

I will try to help you free up your space, but first of all I need to try and confirm if we have killed off the infection.

Click Start>Run and type helpasst -folder then hit Enter.
The tool will run and prompt for confirmation to remove any HelpAssistant folders found.
If prompted, restart your computer.
When complete, click Start>Run and type helpasst -mbrt then hit Enter.
Post the new log that opens when it finishes.





