Virtumonde...and other problems!

Next step

Ok, I will download and run the tool when I get home from work. Out of curiosity, are all these logs simply used to identify the problem or do they actually fix anything at the same time?

Another quick question: wouldn't it have been simpler to do a Windows Repair or is the problem more complex and that is why we're going through all these steps?
 
Still going..

Well, Mebroot is still running after...two hours! I hope this is normal. It now tells me "HelpAssistant directory found~attempting to remove" and that it could take a while. Looks like we're on the right track, doesn't it?!!
Well, I hope it doesn't take all night, because if it does, it will be left unattended!!
 
Here's the log!

Ok, it's not too late, so I am posting my log before going to bed!!


C:\Documents and Settings\Christian.CATSEYE2\Desktop\HelpAsst_mebroot_fix.exe
04/05/2010 at 19:05:22.50

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
"3389:TCP"=-
"7957:TCP"=-
"7958:TCP"=-
"3071:TCP"=-
"4642:TCP"=-
"2338:TCP"=-
"3176:TCP"=-
"1666:TCP"=-
"1832:TCP"=-
"2898:TCP"=-
"4296:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
"3389:TCP"=-
"7957:TCP"=-
"7958:TCP"=-
"3071:TCP"=-
"4642:TCP"=-
"2338:TCP"=-
"3176:TCP"=-
"1666:TCP"=-
"1832:TCP"=-
"2898:TCP"=-
"4296:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-57989841-1592454029-725345543-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 04/05/2010 at 21:32:16.17

Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82B66AE0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x82b66ae0
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x828a18f0
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

S-1-5-21-57989841-1592454029-725345543-1000
%SystemDrive%\Documents and Settings\HelpAssistant.CATSEYE2

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.CATSEYE2

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"2898:TCP"=2898:TCP:*:Enabled:Services
"4296:TCP"=4296:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"2898:TCP"=2898:TCP:*:Enabled:Services
"4296:TCP"=4296:TCP:*:Enabled:Services


~~ EOF ~~
 
Oh one last thing I forgot to mention

In your instructions, it said "If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer". I should mention here that during the process, all there was in the window were the words "checking MBR". It stayed like that for 10-15 minutes and then I realized that the computer had frozen. So I had to reboot.
I still got the log, but does this mean that the fix didn't work?
 
Out of curiosity, are all these logs simply used to identify the problem or do they actually fix anything at the same time?

Some like HaMebCheck and DDS and GMER are used to identify problems and others like ComboFix and HelpAsst_mebroot_fix.exe are fixing things. :)


wouldn't it have been simpler to do a Windows Repair or is the problem more complex and that is why we're going through all these steps?

I don't know if a Windows Repair would fix your problem; a full reformat and reinstall of Windows would. It's taking some time, but I'm sticking with you till we fix your computer. :)


In your instructions, it said "If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer". I should mention here that during the process, all there was in the window were the words "checking MBR". It stayed like that for 10-15 minutes and then I realized that the computer had frozen. So I had to reboot.
I still got the log, but does this mean that the fix didn't work?

Based on the first log, it looks like HelpAsst_mebroot_fix.exe was working: it was fixing what needed to be fixed and deleting what needed to be deleted. On the 2nd log, it looked like it didn't fully complete, perhaps due to the "Checking MBR" step freezing and your rebooting of the computer.

Go ahead and run HelpAsst_mebroot_fix.exe one more time and let it run to completion. I'll repost the instructions below: :)

Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.
 
If it looks like it has frozen, go ahead and leave it alone, it may still be working. If it stays frozen for 5 hours or more, then go ahead and stop it. We'll then work on a different approach regarding HelpAsst_mebroot_fix.exe.
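An added example, not part of the thread or of the HelpAsst_mebroot_fix tool: a small Python parser that reads a log in the format posted above, splits it into the initial run and each later status check, and lists which indicators (HelpAssistant account active or in Administrators, termsrv32.dll present, firewall exceptions still open, MBR hooks still reported) are outstanding in each section, which is the comparison the reply above makes by eye. The log excerpt is constructed in the tool's format; the port numbers and sector value are the ones that appear in the thread.

```python
import re

# Constructed excerpt in the format of the HelpAsst_mebroot_fix.exe logs posted in this
# thread (not a real capture): an initial run, then one status check with leftovers.
SAMPLE_LOG = r"""
HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"3389:TCP"=-

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 04/05/2010 at 21:32:16.17

Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Warning: possible MBR rootkit infection !
malicious code @ sector 0x094FE9C0 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Services

~~ EOF ~~
"""

# A long run of tildes separates the initial fix run from each later status check.
SECTION_SPLIT = re.compile(r"^~{20,}\s*$", re.MULTILINE)
# The tool writes closed exceptions as "port:proto"=- (registry delete syntax) and
# still-open ones in the firewall's own "port:proto"=port:proto:*:Enabled:... form.
PORT_CLOSED = re.compile(r'^"(\d+):(TCP|UDP)"=-\s*$', re.MULTILINE)
PORT_OPEN = re.compile(r'^"(\d+):(TCP|UDP)"=\1:\2:', re.MULTILINE)
SECTOR = re.compile(r"malicious code @ sector (0x[0-9A-Fa-f]+)")
STATUS_TIME = re.compile(r"^Status check on (.+)$", re.MULTILINE)


def parse_section(text):
    """Extract the indicators one run or status check reports into a plain dict."""
    when = STATUS_TIME.search(text)
    sector = SECTOR.search(text)
    return {
        "status_time": when.group(1).strip() if when else "initial run",
        "account_active": "Account active Yes" in text,
        "in_administrators": "*Administrators" in text,
        "termsrv32_present": "termsrv32.dll present" in text,
        "mbr_warning": "possible MBR rootkit infection" in text,
        "mbr_ok": "user & kernel MBR OK" in text,
        "malicious_sector": sector.group(1) if sector else None,
        "ports_closed": sorted({f"{p}/{q}" for p, q in PORT_CLOSED.findall(text)}),
        "ports_open": sorted({f"{p}/{q}" for p, q in PORT_OPEN.findall(text)}),
    }


def parse_log(log):
    """Split a whole log into its sections, in order, and parse each."""
    return [parse_section(s) for s in SECTION_SPLIT.split(log) if s.strip()]


def remaining_issues(section):
    """Indicators that mean the fix has not completed; an empty list means the check passed."""
    issues = []
    if section["account_active"]:
        issues.append("HelpAssistant account still active")
    if section["in_administrators"]:
        issues.append("HelpAssistant still a member of Administrators")
    if section["termsrv32_present"]:
        issues.append("termsrv32.dll still present")
    if section["mbr_warning"] and not section["mbr_ok"]:
        issues.append("MBR rootkit hooks still reported")
    if section["ports_open"]:
        issues.append("firewall exceptions still open: " + ", ".join(section["ports_open"]))
    return issues


if __name__ == "__main__":
    for sec in parse_log(SAMPLE_LOG):
        print(sec["status_time"], "->", remaining_issues(sec) or "no outstanding indicators")
```

The leftover "copy of MBR has been found in sector" line that the later logs in this thread still show is reported in the `malicious_sector` field but does not by itself count as an outstanding issue once the tool reports the MBR itself as OK.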
 
New log

Hi, well it worked smoothly, this time. I hope the new log is helpful! Here it is:


device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x82d4be00
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x828b38f0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
Use "Recovery Console" command "fixmbr" to clear infection !

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 05/05/2010 at 17:47:04.23

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~
 
The new log looks great. :) HelpAsst_mebroot_fix did its job. :bigthumb:

From this point on till the end of the fix, you'll be using your computer as you'll need to go online with it in the upcoming steps.

First, I'd like for you to delete the following folder from your computer, if found:

C:\Documents and Settings\HelpAssistant


Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u20.
  • Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Remove the following old versions of Java:
      • Java(TM) 6 Update 18
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • From your desktop double-click on the download to install the newest version.


Step # 2 Run CCleaner

CCleaner will remove everything from the temp/temporary folders but please note that it will not make backups!

  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 24 hours
  • Then select the items you wish to clean up.
  • In the Windows Tab:
      • Clean all entries in the Internet Explorer section except Cookies
      • Clean all the entries in the Windows Explorer section
      • Clean all entries in the System section
      • Clean all entries in the Advanced section
      • Clean any others that you choose
  • In the Applications Tab:
      • Clean all except cookies in the Firefox/Mozilla section if you use it
      • Clean all in the Opera section if you use it
      • Clean Sun Java in the Internet Section
      • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO


Step # 3 Run Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware.
  • Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
  • Next click the Scanner tab and select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
      • Click on the Malwarebytes' Anti-Malware icon to launch the program.
      • Click on the Logs tab.
      • Click on the log at the bottom of those listed to highlight it.
      • Click Open.


In your next post/reply, I need to see the following:

1. The MalwareBytes' Log
2. A fresh DDS Log
 
Logs

Hi,
I got two logs from DDS. One is called "Attach" and it says to zip it and post it "only if requested". Please let me know what you want me to do, but note I don't have Winzip so I would not be able to zip it unless I download it first! I hope that's ok. If you really need it, I could also zip it at work.

Right now, I must say that the computer seems to be running faster. One thing I notice is that it still takes a few seconds too many for the browser to launch and the homepage to open.

I could be wrong, but I suspect that I might have to update certain things, such as Windows update and my antivirus (which should be upgraded anyway - I tried about a month ago when it prompted me to do so and got an error message telling me the upgrade had failed). I will not do it until you instruct me to. I must say I'm happy this is working nicely and I find your instructions easy to follow! Thank you for that; I know fixing a computer problem can be intimidating and scary!

Here are the 2 logs:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

06/05/2010 8:48:54 PM
mbam-log-2010-05-06 (20-48-54).txt

Scan type: Quick scan
Objects scanned: 196723
Time elapsed: 16 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------------------------------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86
Run by Christian at 21:02:23.10 on 06/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.229 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Christian.CATSEYE2\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Zinio DLM] c:\program files\zinio\ZinioReader.exe /autostart
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-8-9 12552]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-20 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-9 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-9 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-9 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-10 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-10 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-8-9 1370488]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1285864]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-8-9 29208]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-27 135664]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-8-9 29208]

=============== Created Last 30 ================

2010-05-06 23:59:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-06 23:59:24 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-05 00:05:24 0 d-----w- C:\HelpAsst_backup
2010-05-04 00:41:40 220024 ----a-w- c:\windows\sigcheck.exe
2010-05-04 00:23:39 12377 ----a-w- c:\windows\look.bat
2010-05-04 00:23:27 0 d-----w- c:\windows\maxdriver
2010-04-29 21:12:01 0 d-sha-r- C:\cmdcons
2010-04-29 21:03:44 77312 ----a-w- c:\windows\MBR.exe
2010-04-29 21:03:44 256512 ----a-w- c:\windows\PEV.exe
2010-04-29 21:03:44 161792 ----a-w- c:\windows\SWREG.exe
2010-04-29 21:03:43 98816 ----a-w- c:\windows\sed.exe
2010-04-24 21:21:19 0 d-----w- c:\docume~1\christ~1.cat\applic~1\Malwarebytes
2010-04-24 21:18:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-24 21:16:49 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-04-24 21:16:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-21 00:31:54 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-21 00:30:50 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-21 00:24:55 0 dc-h--w- c:\docume~1\alluse~1.win\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-15 22:14:14 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2010-04-10 01:39:18 527 ----a-w- c:\windows\wininit.ini
2010-04-09 17:34:31 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-04-09 17:34:31 16128 ----a-w- c:\windows\system32\drivers\MODEMCSA.sys

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 23:22:35 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-04 23:22:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 21:03:43.60 ===============
 
I got two logs from DDS. One is called "Attach" and it says to zip it and post it "only if requested". Please let me know what you want me to do, but note I don't have Winzip so I would not be able to zip it unless I download it first! I hope that's ok. If you really need it, I could also zip it at work.

No need to post the Attach Log. All I needed to see was the main DDS Log which you posted and it looks good. :)


Right now, I must say that the computer seems to be running faster. One thing I notice is that it still takes a few seconds too many for the browser to launch and the homepage to open.

Try the following tips at the website below to see if they help any:

http://www.malwareremoval.com/tutorials/runningslowly.php


I could be wrong, but I suspect that I might have to update certain things, such as Windows update and my antivirus (which should be upgraded anyway - I tried about a month ago when it prompted me to do so and got an error message telling me the upgrade had failed). I will not do it until you instruct me to.

Go ahead and update your AntiVirus and run Windows Update as well, if you can.


Your version of MalwareBytes' has an out-of-date database version (4052). The latest Database version is in the 4070's. Go ahead and update MalwareBytes' (click the Update tab, next click Check for Updates to download any updates, if available), do another Quick Scan and post the Log in your next post/reply.


Step # 1: Run Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. MalwareBytes' Log
2. Kaspersky Log
3. How is your computer doing, any problems?
 
follow up

hi,

Before i run Kaspersky, I need to know: I have a full (legal and purchased!) version of AVG 9.0. Will this interfere with it? It's asking me to turn it off or something. I'm always a bit nervous when doing something with my antivirus!!

I have updated MalwareBytes and am posting the new log now. The computer seems to be running fine, but loading the browser is still slow. Even if I was to close it right now and re-open it, it would take a minute to open. Do you think there might be a problem with IE and it needs to be reinstalled? Should I switch to Firefox?

Also, at the beginning of this thread, I mentioned that I suspected I had XP installed twice (by accident!) on my computer. Is there a way to find out? And if it's the case, wouldn't it eat up some of the HD space unnecessarily?

Here's the MalwareBytes log, for now:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4076

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

07/05/2010 5:12:01 PM
mbam-log-2010-05-07 (17-12-01).txt

Scan type: Quick scan
Objects scanned: 202558
Time elapsed: 15 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Looks pretty good, eh? :bigthumb:
 
Looks pretty good, eh?

A clean MalwareBytes' Log does indeed look good. :)

Before i run Kaspersky, I need to know: I have a full (legal and purchased!) version of AVG 9.0. Will this interfere with it? It's asking me to turn it off or something. I'm always a bit nervous when doing something with my antivirus!!

I believe Kaspersky should run ok with AVG enabled. It may take a longer time to do a Kaspersky scan with AVG enabled than with it disabled. Kaspersky scans usually take 2-4 hours depending on how much stuff is on the Hard Drive. The more space taken up on the Hard Drive, the longer the scan.


The computer seems to be running fine, but loading the browser is still slow. Even if I was to close it right now and re-open it, it would take a minute to open. Do you think there might be a problem with IE and it needs to be reinstalled? Should I switch to Firefox?

You can try uninstalling and reinstalling IE to see if that helps. You can also try another browser: Firefox, Opera or Google Chrome.


Also, at the beginning of this thread, I mentioned that I suspected I had XP installed twice (by accident!) on my computer. Is there a way to find out? And if it's the case, wouldn't it eat up some of the HD space unnecessarily?

When you boot up the computer, does it give you the option to choose between two Windows XP's? If it does, then you have two XP installations. If it just shows a selection between the Recovery Console and Windows XP, then you just have one XP installation. :)
 
Kaspersky

Hi,

I tried to run Kaspersky, but it froze at 34 minutes - 2% scanned. I even went out for a couple of hours and came back and it was still showing 34 minutes! Nothing of what it scanned was infected. Why are we running this one anyway? Isn't it just another anti-virus? Isn't AVG enough?

I haven't done anything with IE yet. I don't know if it needs to be fixed (somehow) or uninstalled-reinstalled. Or if it's even necessary! Any thoughts?
 
I tried to run Kaspersky, but it froze at 34 minutes - 2% scanned. I even went out for a couple of hours and came back and it was still showing 34 minutes! Nothing of what it scanned was infected. Why are we running this one anyway? Isn't it just another anti-virus? Isn't AVG enough?

Kaspersky is an online scanner, it doesn't remove anything like AVG does. Malware fighters/removal helpers like myself have our users run online scans to see if there is anything left over that we need to get rid of. Online scanners can sometimes show files/folders that an antivirus like AVG can miss. It is usually the last thing/one of the last things we have people do for us. Since Kaspersky froze up on you, I'll have you try another online scanner in this post.


I haven't done anything with IE yet. I don't know if it needs to be fixed (somehow) or uninstalled-reinstalled. Or if it's even necessary! Any thoughts?

Earlier in this thread (and in your last post), you mention IE being slow/loading up slowly. Is it still doing this? If it is, you can try uninstalling-reinstalling it to see if it goes back to normal. If IE is back to normal, then no need to do anything to it.

----------

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  2. Click the [image: esetOnline.png] button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on [image: esetExport.png] to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the [image: esetSmartInstallDesktopIcon.png] icon on your desktop.
  4. Check [image: esetAcceptTerms.png]
  5. Click the [image: esetStart.png] button.
  6. Accept any security warnings from your browser.
  7. Check [image: esetScanArchives.png]
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push [image: esetListThreats.png]
  11. Make sure that Remove found threats is unchecked
  12. Push [image: esetExport.png], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  13. Push the [image: esetBack.png] button.
  14. Push [image: esetFinish.png]
 
ESET scan

Hi,
Here's my ESET scan:

C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Local Settings\Temporary Internet Files\Content.IE5\0A4ZLG35\data[1].html JS/Exploit.Pdfka.NXM trojan
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Local Settings\Temporary Internet Files\Content.IE5\8TX4AQQE\data[1].html JS/Exploit.Pdfka.NXM trojan
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Local Settings\Temporary Internet Files\Content.IE5\IH5K32A4\data[1].htm JS/Exploit.Agent.NBC trojan
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Local Settings\Temporary Internet Files\Content.IE5\JJZZTKD0\data[1].htm JS/Exploit.Agent.NBC trojan
C:\I386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent application


Looks like there are still a few little bugs!
 
The files in the C:\HelpAsst_backup folder are files that HelpAsst_mebroot_fix.exe removed/quarantined when we ran it. They are harmless where they are. We'll be removing them in an upcoming post. :)

As for the C:\I386\GTDownDE_87.ocx file, that is a false positive related to Dell Support. So nothing to worry about there. :)

We are just about done. How is the computer doing, and how is the other account on the computer doing as well?
 
Getting there!

Hi,
The computer is running much faster! We still have to go through our files and delete stuff we no longer use. Also, I think too many apps load at startup, don't you? Unfortunately, we use most of them regularly.
The other user says that his side is running faster as well. We both use pretty well the same programs. The one thing we both notice is that startup is slow and Windows still takes a while to open, but once it is, surfing is a breeze compared to a month ago!
I still haven't uninstalled/reinstalled IE8 because I wanted to see what your comments on the ESET log would be.

When we're done, I would be grateful if you could give me some advice as to how to avoid this happening again! :thanks:
 
Great to hear that the computer is running much faster and that the other account is running faster as well! :bigthumb:

As for the startup programs, since you mentioned using them regularly, disabling them wouldn't be worthwhile since you use them so much that disabling them would be a hassle/waste of time. Overall, it looks like your startup list is ok, but if you want to disable some things let me know and I'll let you know what you can disable.

Regarding the slow startup, clearing up some HD space will help, also getting more RAM (if your computer has low RAM) will help speed up your computer as well.


If there are no more malware-related problems, then you are good to go. :)


Let's do some cleanup.


You can delete the following off of your computer:

DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
SysProt.zip
SysProt.exe
The SysProt Log
TDSSKiller.exe
The TDSSKiller Log
SystemLook.exe
The SystemLook Log
The HAMeb_check Log



To remove Maxlook, do the following:

Go to Start > Run - type in maxlook -cleanup & click OK


To remove HelpAsst_mebroot_fix (and clear its quarantine), do the following:

Go to Start > Run - type in helpasst -cleanup & click OK


To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /Uninstall & click OK


Empty your Recycle Bin.


You can reenable Teatimer.


Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.
  • This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure. This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it asks you if you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK
  • Use Antivirus Software and Keep It Updated - It is very important that your computer has antivirus software running on it. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Update Site Frequently - It is important that you visit Microsoft Updates regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line Anti Malware
  • Use the hosts file: Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download the mvps hosts file. Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE. If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    • Click the start button on the task bar at the bottom of your screen
    • Click run
    • In the dialog box, type services.msc
    • hit enter, then locate dns client
    • Highlight it, then doubleclick it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK.
  • Use an alternative instant messenger program. Trillian and Miranda IM are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Please read Tony Klein's excellent article: How I got Infected in the First Place
  • Please read Understanding Spyware, Browser Hijackers, and Dialers
  • Please read Simple and easy ways to keep your computer safe and secure on the Internet
  • If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or Opera.
    If you decide to use either Firefox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
Follow these steps and your potential for being infected again will reduce dramatically.
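As an added example, not part of the helper's post or of any of the tools named in this thread, the following PowerShell script verifies the Internet Explorer zone settings, the Explorer hidden-file options and the DNS Client start mode from the steps above. It is read-only: it queries the registry and the service configuration and reports which recommended settings are in place. It assumes PowerShell 3 or later, the HKCU registry locations Microsoft documents for the IE "Internet" zone (zone 3) and Explorer folder options, and the usual numeric URL action IDs for those zone settings; if a check looks wrong on your IE version, compare the IDs against Microsoft's documentation.

```powershell
# Added example (not from the original thread): read-only audit of the "All Clean"
# hardening steps. Reads registry and service settings, changes nothing.
# Assumes PowerShell 3+ (for [pscustomobject]); action IDs / value names follow
# Microsoft's documentation for IE security zones and Explorer folder options.

# --- Internet Explorer, "Internet" zone (zone 3). Action values: 0 = Enable, 1 = Prompt, 3 = Disable ---
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$zoneChecks = @(
    @('1001', 'Download signed ActiveX controls',                          1),
    @('1004', 'Download unsigned ActiveX controls',                        3),
    @('1201', 'Initialize and script ActiveX controls not marked as safe', 3),
    @('1800', 'Installation of desktop items',                             1),
    @('1804', 'Launching programs and files in an IFRAME',                 1),
    @('1607', 'Navigate sub-frames across different domains',              1)
)
$actionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# --- Explorer folder options. Hidden 2 = do not show hidden files; ShowSuperHidden 0 = hide
# protected OS files; HideFileExt 0 = show extensions for known file types ---
$advPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$advChecks = @(
    @('Hidden',          'Do not show hidden files and folders',      2),
    @('ShowSuperHidden', 'Hide protected operating system files',     0),
    @('HideFileExt',     'Show file extensions for known file types', 0)
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent, i.e. the built-in default applies.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Describe-Action($value) {
    # Turn a raw zone action value into the name IE shows in the Custom Level dialog.
    if ($null -eq $value) { return 'not set (default)' }
    if ($actionNames.ContainsKey([int]$value)) { return $actionNames[[int]$value] }
    return "value $value"
}

$results = @()

foreach ($c in $zoneChecks) {
    $id, $desc, $want = $c
    $have = Get-RegValue $zonePath $id
    $results += [pscustomobject]@{
        Check    = "IE Internet zone: $desc"
        Expected = $actionNames[$want]
        Current  = Describe-Action $have
        OK       = ($have -eq $want)
    }
}

foreach ($c in $advChecks) {
    $name, $desc, $want = $c
    $have = Get-RegValue $advPath $name
    $current = if ($null -eq $have) { 'not set (default)' } else { $have }
    $results += [pscustomobject]@{
        Check    = "Explorer: $desc"
        Expected = $want
        Current  = $current
        OK       = ($have -eq $want)
    }
}

# DNS Client start mode: the hosts-file step only asks for Manual if the MVPS hosts file is installed.
$dns  = Get-WmiObject -Class Win32_Service -Filter "Name='Dnscache'"
$mode = if ($dns) { $dns.StartMode } else { 'service not found' }
$results += [pscustomobject]@{
    Check    = 'DNS Client (Dnscache) start mode, only relevant with the MVPS hosts file'
    Expected = 'Manual'
    Current  = $mode
    OK       = ($mode -eq 'Manual')
}

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.OK }).Count
Write-Host "$failed of $($results.Count) recommended settings are not in place."
```

Run it in a normal (non-elevated) PowerShell window under the account you hardened, since the IE zone and Explorer settings live under HKCU and differ per user; repeat it under the second account mentioned in this thread. A "not set (default)" entry means the value has never been changed from IE's built-in default, which is not the same as the recommended value.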

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.


If you want to work on disabling some programs at startup, let me know and I'll keep the thread open a little while longer.
 
Almost done!

When you say I can reenable Teatimer, is it a recommendation or an option? In your opinion, SHOULD it be reenabled?

I have printed your instructions and will work through them when I get home!
 