
Thread: Malware Denies Access to Administrator

  1. #51
    Member
    Join Date
    Feb 2008
    Posts
    60

    I am not able to determine the process; nothing unusual shows, just Outlook, MS services, etc.

    Outlook error message:
    "A data file did not close properly the last time it was used and is being checked for problems. Performance might be affected while the check is in progress."

  2. #52
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Delete c:\documents and settings\HelpAssistant folder.

    When done, please reboot into the recovery console as you did earlier and give the fixmbr command there. Answer yes if asked for confirmation. When done, use exit to reboot the system back into normal mode. Post a fresh dds.txt log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the corresponding user's case only.

  3. #53
    Member
    Join Date
    Feb 2008
    Posts
    60

    Blade,

    Good news: Internet Explorer now works and I didn't get the Microsoft Outlook error message.

    Here is the dds.txt log.
    You did not ask for the attach.txt log, so I didn't include it. Should I have?


    DDS (Ver_09-12-01.01) - NTFSx86
    Run by Andy at 17:31:33.00 on Thu 01/21/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1519.1102 [GMT -5:00]


    ============== Running Processes ===============

    C:\WINNT\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINNT\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\taskswitch.exe
    C:\WINNT\System32\fast.exe
    C:\WINNT\System32\igfxpers.exe
    C:\Program Files\Wireless Laser Mouse\MOffice.exe
    C:\WINNT\SM1BG.EXE
    C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
    C:\Program Files\Wireless Laser Mouse\MOUSE32A.EXE
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE
    C:\WINNT\system32\ctfmon.exe
    svchost.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\WINNT\System32\Fast.exe
    C:\WINNT\system32\wscntfy.exe
    C:\WINNT\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    C:\Documents and Settings\Administrator\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.gatewaybiz.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    uRun: [EPSON Stylus Photo R1800] c:\winnt\system32\spool\drivers\w32x86\3\E_FATI9LA.EXE /P24 "EPSON Stylus Photo R1800" /M "Stylus Photo R1800" /EF "HKCU"
    uRun: [QuickGammaLoader] c:\program files\quickgamma\QuickGammaLoader.exe
    uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe
    mRun: [IgfxTray] c:\winnt\system32\igfxtray.exe
    mRun: [CoolSwitch] c:\winnt\system32\taskswitch.exe
    mRun: [FastUser] c:\winnt\system32\fast.exe
    mRun: [PinnacleDriverCheck] c:\winnt\system32\PSDrvCheck.exe -CheckReg
    mRun: [Persistence] c:\winnt\system32\igfxpers.exe
    mRun: [FLMOFFICE4DMOUSE] c:\program files\wireless laser mouse\MOffice.exe
    mRun: [SM1BG] c:\winnt\SM1BG.EXE
    mRun: [Gateway Ink Monitor] "c:\program files\gateway\gateway ink monitor\GWInkMonitor.exe"
    StartupFolder: c:\documents and settings\administrator\start menu\programs\startup\Adobe Gamma.lnk.disabled
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim\aim.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
    DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://support.gateway.com/support/profiler/PCPitStop.CAB
    DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
    DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} - hxxps://quicken.ehosts.net/netagent/objects/custappx3.cab
    DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
    DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
    DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
    DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261999558031
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
    DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
    DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://www.pandasoftware.com/activescan/as5/asinst.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
    DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {D44C75D8-C827-473E-8F68-A77E42500782} - hxxp://www.ritzpix.com/upload/WebUploadClient.cab
    DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab41227.cab
    DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
    DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} - hxxp://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://www.ritzpix.com/upload/XUpload.ocx
    DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab40641.cab
    DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winnt\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\jaalnrss.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    S3 MBAMSwissArmy;MBAMSwissArmy;c:\winnt\system32\drivers\mbamswissarmy.sys [2010-1-8 38224]
    S3 NUVision;Pinnacle DVC 80 Video;c:\winnt\system32\drivers\nuvvid2.sys [2005-10-29 155264]
    S3 Pronto2G;Philips Pronto NG USB Driver;c:\winnt\system32\drivers\Pronto2G.sys [2003-9-19 16384]
    S3 vsdatant;vsdatant;c:\winnt\system32\vsdatant.sys [2004-5-8 279264]
    S4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
    S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]

    =============== Created Last 30 ================

    2010-01-13 11:24:55 664 ----a-w- c:\winnt\system32\d3d9caps.dat
    2010-01-12 23:38:36 0 d-----w- C:\!KillBox
    2010-01-08 11:53:46 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
    2010-01-08 11:53:44 19160 ----a-w- c:\winnt\system32\drivers\mbam.sys
    2010-01-08 11:53:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-08 03:01:33 0 d-----w- c:\program files\Sun
    2010-01-08 03:00:57 73728 ----a-w- c:\winnt\system32\javacpl.cpl
    2010-01-04 22:08:17 18930 ----a-w- C:\ComboFix Results.zip
    2010-01-02 21:01:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Western Digital
    2010-01-02 19:56:26 11520 ----a-r- c:\winnt\system32\drivers\wdcsam.sys
    2010-01-02 15:40:00 0 dc-h--w- c:\winnt\ie8
    2010-01-01 12:32:55 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
    2010-01-01 12:32:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-12-31 22:31:24 0 d-sha-r- C:\cmdcons
    2009-12-31 12:00:32 77312 ----a-w- c:\winnt\MBR.exe
    2009-12-31 12:00:31 98816 ----a-w- c:\winnt\sed.exe
    2009-12-31 12:00:31 261632 ----a-w- c:\winnt\PEV.exe
    2009-12-31 12:00:31 161792 ----a-w- c:\winnt\SWREG.exe
    2009-12-30 22:10:40 2048 ------w- C:\Backup Dec30 09.bkf
    2009-12-28 11:19:55 0 d-sh--w- c:\documents and settings\administrator\IECompatCache
    2009-12-28 11:19:22 0 d-sh--w- c:\documents and settings\administrator\PrivacIE
    2009-12-28 11:14:12 0 d-sh--w- c:\documents and settings\administrator\IETldCache
    2009-12-28 10:15:16 0 d-----w- C:\71b0243af85fe0aa81e9
    2009-12-27 17:27:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
    2009-12-27 12:46:04 0 d-----w- c:\winnt\system32\wbem\Repository

    ==================== Find3M ====================

    2010-01-08 03:00:16 411368 ----a-w- c:\winnt\system32\deploytk.dll
    2003-11-13 20:44:00 319488 ----a-w- c:\program files\PolarZIPLight.dll
    2003-08-27 20:19:18 36963 -c----w- c:\program files\common files\SM1updtr.dll
    2009-01-03 17:14:01 32768 -csha-w- c:\winnt\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010320090104\index.dat

    ============= FINISH: 17:32:14.71 ===============

  4. #54
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    You did not ask for the attach.txt log so I didn't include it. Should I have?
    No need for attach.txt now.

    Click start->run and copy-paste this in the run box:
    mbr >"%userprofile%\desktop\mbrlog.txt"

    The mbrlog.txt file should appear on your desktop. Please post back its contents.

  5. #55
    Member
    Join Date
    Feb 2008
    Posts
    60

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x0DF937C1
    malicious code @ sector 0x0DF937C4 !
    PE file found in sector at 0x0DF937DA !

  6. #56
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Does the HelpAssistant folder still exist under the c:\documents and settings folder?

    Click start->run and copy-paste this in the run box:
    mbr -f

    Do a reboot immediately after that.

    After reboot, click start->run and copy-paste this in the run box:
    mbr >"%userprofile%\desktop\mbrlog.txt"

    Post back the mbrlog.txt file.

  7. #57
    Member
    Join Date
    Feb 2008
    Posts
    60

    Hi,

    The HelpAssistant folder was deleted per your instructions.
    However, there is another folder called HelpAssistant.Gateway that I did not delete.


    Here is the log:

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x0DF937C1
    malicious code @ sector 0x0DF937C4 !
    PE file found in sector at 0x0DF937DA !

  8. #58
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Delete that folder too and then repeat the steps in my previous post.

  9. #59
    Member
    Join Date
    Feb 2008
    Posts
    60

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x0DF937C1
    malicious code @ sector 0x0DF937C4 !
    PE file found in sector at 0x0DF937DA !

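Added example, not code from the thread or from Gmer: a small Python triage helper that parses the mbr.exe 0.3.7 output posted above and compares two runs to tell whether the reported sectors changed after the `mbr -f` step (in this thread the log after the fix is identical to the one before). The sample log is constructed from the thread's posted output; the 512-byte sector size and the shape of a clean run are assumptions.

```python
import re

# Constructed sample built from the mbr.exe 0.3.7 output posted in this thread.
LOG_POSTED = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF937C1
malicious code @ sector 0x0DF937C4 !
PE file found in sector at 0x0DF937DA !
"""
# Constructed, assumed shape of a clean run: same header lines, no finding lines.
LOG_CLEAN = "\n".join(LOG_POSTED.splitlines()[:5]) + "\n"

SECTOR_BYTES = 512  # assumed sector size for turning LBA numbers into byte offsets

# The three finding lines, exactly as they appear in the posted log.
FINDING_PATTERNS = {
    "mbr_copy": re.compile(r"copy of MBR has been found in sector 0x([0-9A-Fa-f]+)"),
    "malicious_code": re.compile(r"malicious code @ sector 0x([0-9A-Fa-f]+)"),
    "pe_file": re.compile(r"PE file found in sector at 0x([0-9A-Fa-f]+)"),
}

def parse_mbr_log(text):
    """Return read status plus each finding as (sector, byte_offset)."""
    parsed = {
        "user_ok": "user: MBR read successfully" in text,
        "kernel_ok": "kernel: MBR read successfully" in text,
        "findings": {},
    }
    for name, pattern in FINDING_PATTERNS.items():
        match = pattern.search(text)
        if match:
            sector = int(match.group(1), 16)
            parsed["findings"][name] = (sector, sector * SECTOR_BYTES)
    return parsed

def is_infected(parsed):
    # "user & kernel MBR OK" alone is not a clean bill of health: the posted log
    # carries that line together with a hidden MBR copy and code behind it.
    return bool(parsed["findings"])

def same_findings(log_a, log_b):
    """True when both runs report the same sectors, i.e. the fix changed nothing."""
    return parse_mbr_log(log_a)["findings"] == parse_mbr_log(log_b)["findings"]

def remediation_succeeded(before, after):
    """Infected before, clean after, with both MBR reads still succeeding."""
    after_parsed = parse_mbr_log(after)
    return (is_infected(parse_mbr_log(before)) and not is_infected(after_parsed)
            and after_parsed["user_ok"] and after_parsed["kernel_ok"])
```

Run it on the mbrlog.txt captured before and after `mbr -f`: `same_findings` returning True, as it does for the logs in this thread, means the MBR fix did not take and the remaining persistence (the HelpAssistant folders and account) still needs handling.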
  10. #60
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Click start->run and copy-paste this into the run box:
    control userpasswords2

    Does the HelpAssistant account appear on the list there? If it does, remove it.

    Please see if you're able to run Kaspersky online scanner now. Post back its log and let me know if there are still symptoms left.
