
Solved Virus cripples CPU and redirects Ebay Login to phishing site

Discussion in 'Malware and Virus Removal Archive' started by macoons, 2010/04/03.

  1. 2010/04/06
    macoons

    macoons Inactive Thread Starter

    Joined:
    2010/03/31
    Messages:
    44
    Likes Received:
    0
    I was able to restart in safe mode and it appears to be stable. I have open and closed 6 different programs and did some minor word processing and Powerpoint tasks.
     
  2. 2010/04/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download Profiles by noahdfear.

    * Save it to your desktop.
    * Double-click profiles.exe and post its log when you reply.
     

  4. 2010/04/06
    macoons

    macoons Inactive Thread Starter

    Joined:
    2010/03/31
    Messages:
    44
    Likes Received:
    0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    DefaultUserProfile REG_SZ Default User
    AllUsersProfile REG_SZ All Users

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4033994130-1639493683-3125362582-1005
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant.MOMSDELL.001

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4033994130-1639493683-3125362582-1006
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Carolyn Coons

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4033994130-1639493683-3125362582-1007
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Mark Coons

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4033994130-1639493683-3125362582-1008
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Aspen Coons

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4033994130-1639493683-3125362582-1009
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Jonathan Coons

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4033994130-1639493683-3125362582-501
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Guest

    SystemRoot REG_SZ C:\WINDOWS
     
  5. 2010/04/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please repeat all steps listed in my reply #19, but this time in safe mode.
     
  6. 2010/04/07
    macoons

    macoons Inactive Thread Starter

    Joined:
    2010/03/31
    Messages:
    44
    Likes Received:
    0
    C:\Documents and Settings\Carolyn Coons\Desktop\HelpAsst_mebroot_fix.exe
    Tue 04/06/2010 at 21:36:36.06

    HelpAssistant account was found to be Inactive


    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found

    ~~ Checking firewall ports ~~

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list


    HelpAssistant profile not found in registry

    ~~ Checking mbr ~~

    user & kernel MBR OK

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Tue 04/06/2010 at 21:57:18.43

    Full Name Remote Desktop Help Assistant Account
    Account active Yes
    Local Group Memberships *Administrators

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys atapi.sys hal.dll pciide.sys
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x04A7D57E
    malicious code @ sector 0x04A7D581 !
    PE file found in sector at 0x04A7D597 !

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll present!


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
    ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

    ~~ Checking profile list ~~

    No HelpAssistant profile in List

    ~~ Checking for HelpAssistant directories ~~

    HelpAssistant
    HelpAssistant.MOMSDELL
    HelpAssistant.MOMSDELL.000
    HelpAssistant.MOMSDELL.001
    HelpAssistant.MOMSDELL.002

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
    "65533:TCP"=65533:TCP:*:Enabled:Services
    "52344:TCP"=52344:TCP:*:Enabled:Services
    "8386:TCP"=8386:TCP:*:Enabled:Services
    "4943:TCP"=4943:TCP:*:Enabled:Services
    "3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"=65533:TCP:*:Enabled:Services
    "52344:TCP"=52344:TCP:*:Enabled:Services
    "8386:TCP"=8386:TCP:*:Enabled:Services
    "4943:TCP"=4943:TCP:*:Enabled:Services
    "3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


    ~~ EOF ~~
     
  7. 2010/04/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Delete your Combofix file, download a fresh one, run it and post a fresh log.
    You can run Combofix in Safe Mode.
     
  8. 2010/04/07
    macoons

    macoons Inactive Thread Starter

    Joined:
    2010/03/31
    Messages:
    44
    Likes Received:
    0
    After the last reboot (before your last post) the machine is running in standard mode and not freezing. Still painfully slow :) Here is the CF log:

    ComboFix 10-04-06.01 - Carolyn Coons 04/06/2010 23:43:54.4.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.753 [GMT -7:00]
    Running from: c:\documents and settings\Carolyn Coons\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Carolyn Coons\Local Settings\Temporary Internet Files\0FV3LVU55.jpg
    c:\documents and settings\Carolyn Coons\Local Settings\Temporary Internet Files\3dKo8S5J4.jpg
    c:\documents and settings\Carolyn Coons\Local Settings\Temporary Internet Files\iqWs00.jpg
    c:\documents and settings\Carolyn Coons\Local Settings\Temporary Internet Files\rfFpS.jpg

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))
    .

    2010-04-07 05:15 . 2010-04-07 05:15 -------- d-----w- c:\documents and settings\HelpAssistant.MOMSDELL.003\UserData
    2010-04-07 05:15 . 2010-04-07 05:15 -------- d-----w- c:\documents and settings\HelpAssistant.MOMSDELL.003\PrivacIE
    2010-04-07 05:10 . 2010-04-07 05:10 -------- d-----w- c:\documents and settings\HelpAssistant.MOMSDELL.003\IETldCache
    2010-04-07 05:10 . 2009-11-18 02:19 38 ----a-w- c:\documents and settings\HelpAssistant.MOMSDELL.003\jagex_runescape_preferences.dat
    2010-04-07 05:10 . 2009-11-18 01:59 63 ----a-w- c:\documents and settings\HelpAssistant.MOMSDELL.003\jagex_runescape_preferences2.dat
    2010-04-07 04:47 . 2010-04-07 04:47 -------- d-----w- c:\documents and settings\HelpAssistant.MOMSDELL.002\IETldCache
    2010-04-07 02:11 . 2010-04-07 02:11 -------- d-----w- c:\documents and settings\HelpAssistant.MOMSDELL.001\UserData
    2010-04-07 02:11 . 2010-04-07 02:11 -------- d-----w- c:\documents and settings\HelpAssistant.MOMSDELL.001\PrivacIE
    2010-04-07 02:06 . 2010-04-07 02:06 -------- d-----w- c:\documents and settings\HelpAssistant.MOMSDELL.001\IETldCache
    2010-04-07 02:06 . 2009-11-18 02:19 38 ----a-w- c:\documents and settings\HelpAssistant.MOMSDELL.001\jagex_runescape_preferences.dat
    2010-04-07 02:06 . 2009-11-18 01:59 63 ----a-w- c:\documents and settings\HelpAssistant.MOMSDELL.001\jagex_runescape_preferences2.dat
    2010-04-05 15:09 . 2010-04-05 15:09 -------- d-----w- c:\documents and settings\HelpAssistant.MOMSDELL.000\UserData
    2010-04-05 15:09 . 2010-04-05 15:09 -------- d-----w- c:\documents and settings\HelpAssistant.MOMSDELL.000\PrivacIE
    2010-04-05 15:04 . 2010-04-05 15:04 -------- d-----w- c:\documents and settings\HelpAssistant.MOMSDELL.000\IETldCache
    2010-04-05 15:04 . 2009-11-18 02:19 38 ----a-w- c:\documents and settings\HelpAssistant.MOMSDELL.000\jagex_runescape_preferences.dat
    2010-04-05 15:04 . 2009-11-18 01:59 63 ----a-w- c:\documents and settings\HelpAssistant.MOMSDELL.000\jagex_runescape_preferences2.dat
    2010-04-05 14:48 . 2010-04-05 14:48 -------- d-----w- C:\_OTM
    2010-04-04 06:05 . 2010-04-05 08:22 -------- d-----w- c:\documents and settings\HelpAssistant.MOMSDELL
    2010-04-04 05:49 . 2010-04-06 07:24 -------- d-----w- C:\HelpAsst_backup
    2010-04-03 19:08 . 2010-04-03 19:08 -------- d-----w- c:\windows\system32\LogFiles
    2010-03-31 04:30 . 2010-04-03 17:29 -------- d-----w- c:\program files\Panda Security
    2010-03-31 03:36 . 2010-03-31 03:36 -------- d-----w- c:\program files\Trend Micro
    2010-03-31 01:25 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
    2010-03-31 01:25 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
    2010-03-31 01:24 . 2010-03-31 01:24 -------- d-sh--w- c:\documents and settings\Aspen Coons\IETldCache
    2010-03-28 20:44 . 2010-03-28 20:44 -------- d-----w- c:\documents and settings\Carolyn Coons\Local Settings\Application Data\Threat Expert
    2010-03-28 20:39 . 2010-02-05 16:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2010-03-28 20:39 . 2010-03-10 18:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2010-03-28 20:39 . 2009-11-23 20:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2010-03-28 20:39 . 2010-02-05 16:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2010-03-28 20:38 . 2010-03-28 20:43 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-03-28 20:38 . 2010-03-28 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2010-03-28 20:03 . 2008-02-01 19:55 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
    2010-03-28 20:03 . 2007-12-10 21:53 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
    2010-03-28 20:03 . 2007-12-10 21:53 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
    2010-03-28 20:03 . 2007-12-10 21:53 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
    2010-03-28 20:02 . 2010-04-03 23:35 -------- d-----w- c:\program files\Spyware Doctor
    2010-03-28 20:02 . 2010-03-28 20:02 -------- d-----w- c:\documents and settings\Carolyn Coons\Application Data\PC Tools
    2010-03-23 00:24 . 2010-03-23 00:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2010-03-22 05:33 . 2010-03-22 05:33 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2010-03-22 00:24 . 2010-03-22 00:24 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-05 05:40 . 2009-09-23 02:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-03 17:36 . 2007-12-01 22:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-03-29 22:24 . 2009-09-23 02:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-29 22:24 . 2009-09-23 02:07 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-27 20:42 . 2006-03-22 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-03-22 03:20 . 2006-03-22 22:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-22 00:25 . 2006-03-22 22:38 -------- d-----w- c:\program files\Lavasoft
    2010-03-22 00:20 . 2008-03-18 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-03-22 00:20 . 2010-03-22 00:20 6944624 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aaw2008_upd.exe
    2010-03-21 20:58 . 2010-03-21 20:58 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-02-28 03:01 . 2008-02-10 22:02 -------- d-----w- c:\program files\McAfee
    2010-02-25 06:24 . 2004-08-04 11:00 916480 ------w- c:\windows\system32\wininet.dll
    2010-02-10 15:38 . 2006-10-27 19:13 -------- d-----w- c:\program files\Google
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-04-03_19.25.56 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-04-07 05:01 . 2010-04-07 05:01 16384 c:\windows\Temp\Perflib_Perfdata_30c.dat
    + 2010-04-04 00:34 . 2010-04-07 04:05 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2005-03-19 03:58 . 2010-04-07 04:05 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2005-03-19 03:58 . 2010-04-03 16:12 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2010-03-22 05:33 . 2010-04-07 04:05 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
    - 2010-03-22 05:33 . 2010-04-03 16:12 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
    + 2010-04-04 00:34 . 2010-04-07 04:05 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
    - 2009-10-14 05:23 . 2010-04-03 16:12 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-11 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-11 68856]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "8386:TCP"= 8386:TCP:Services
    "4943:TCP"= 4943:TCP:Services
    "3389:TCP"= 3389:TCP:Remote Desktop

    R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [3/28/2010 1:39 PM 217032]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/3/2008 10:18 AM 93320]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2010 8:38 AM 135664]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [3/28/2010 1:02 PM 366840]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 15:38]

    2010-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 15:38]

    2010-03-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2008-02-10 19:22]

    2010-04-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2008-02-10 19:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-06 23:56
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8926F208]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf76bbfc3
    \Driver\ACPI -> ACPI.sys @ 0xf75aecb8
    \Driver\atapi -> atapi.sys @ 0xf748e7b4
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
    NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x88ef8330
    PacketIndicateHandler -> NDIS.sys @ 0xf7b47b21
    SendHandler -> NDIS.sys @ 0xf7b2587b
    user & kernel MBR OK

    **************************************************************************
    .
    Completion time: 2010-04-07 00:03:06
    ComboFix-quarantined-files.txt 2010-04-07 07:03
    ComboFix2.txt 2010-04-04 00:13
    ComboFix3.txt 2010-04-03 19:29
    ComboFix4.txt 2009-10-14 01:19

    Pre-Run: 10,513,076,224 bytes free
    Post-Run: 10,475,864,064 bytes free

    - - End Of File - - 4D4A24735DBEFE094F1F5605466A1E02
     
  9. 2010/04/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Delete your HelpAsst_mebroot_fix.exe file.
    Download a fresh one from the link listed below, but do NOT run it yet.
    Physically disconnect from the internet and then run the tool.


    Download and save HelpAsst_mebroot_fix.exe to your desktop.
    • Close all open programs.
    • Double click HelpAsst_mebroot_fix.exe to run it.
    • Pay attention to the running tool.
    • If the tool detects mbr infection, please allow it to run mbr -f and shutdown your computer. To do so, type Y and press Enter.
    • After restart, wait 5 minutes, then go Start>Run, copy and paste the following command in the run box then hit Enter:

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    IMPORTANT!
    If the tool does NOT detect any mbr infection and completes, proceed with the following...

    • Click Start>Run and copy and paste the following command, then hit Enter:

      • mbr -f
    • Repeat the above step one more time
    • Now shut down the computer (do not restart, but shut it down), wait 5 minutes then start it back up.
    • Wait another 5 minutes, then click Start>Run and copy and paste the following command, then hit Enter.

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    **Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
     
  10. 2010/04/07
    macoons

    macoons Inactive Thread Starter

    Joined:
    2010/03/31
    Messages:
    44
    Likes Received:
    0
    Ok... It opened its blue box and said please wait. Flashed up three or four short lines of identical text then went back to please wait. Stayed on please wait for about 10 minutes, then said it found something (clueless as to why I did not write down what that something was?!?!). It did NOT say MBR anything. It did say "attempting to remove. Please be patient this may take awhile". After about 3 minutes it said complete, press any key to continue. I pressed the space bar. It went back to the please wait screen, said something about kernel, then said press any key. I pressed the space bar. It closed. I waited about 5 minutes and nothing happened, so I followed the bottom portion of your post. Here is the log: (Thanks some more)

    C:\Documents and Settings\Carolyn Coons\Desktop\HelpAsst_mebroot_fix.exe
    Wed 04/07/2010 at 21:07:03.76

    HelpAssistant account was found to be Inactive


    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll present! ~ attempting to remove
    termsrv32.dll successfully removed

    ~~ Checking firewall ports ~~

    backing up DomainProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
    "65533:TCP"=-
    "52344:TCP"=-
    "8386:TCP"=-
    "4943:TCP"=-
    "3389:TCP"=-
    "5146:TCP"=-
    "8792:TCP"=-

    backing up StandardProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
    "65533:TCP"=-
    "52344:TCP"=-
    "8386:TCP"=-
    "4943:TCP"=-
    "3389:TCP"=-
    "5146:TCP"=-
    "8792:TCP"=-

    HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-4033994130-1639493683-3125362582-1005
    HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant.MOMSDELL.003 ~ attempting to remove
    ~ All C:\Documents and Settings\HelpAssistant.MOMSDELL.003 files successfully removed ~

    ~~ Checking mbr ~~

    user & kernel MBR OK

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Wed 04/07/2010 at 21:31:13.45

    Full Name Remote Desktop Help Assistant Account
    Account active Yes
    Local Group Memberships *Administrators

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x895DAD30]<<
    kernel: MBR read successfully
    user & kernel MBR OK

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
    ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

    ~~ Checking profile list ~~

    No HelpAssistant profile in List

    ~~ Checking for HelpAssistant directories ~~

    HelpAssistant
    HelpAssistant.MOMSDELL
    HelpAssistant.MOMSDELL.000
    HelpAssistant.MOMSDELL.001
    HelpAssistant.MOMSDELL.002

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
    "65533:TCP"=65533:TCP:*:Enabled:Services
    "52344:TCP"=52344:TCP:*:Enabled:Services
    "8792:TCP"=8792:TCP:*:Enabled:Services
    "5146:TCP"=5146:TCP:*:Enabled:Services

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"=65533:TCP:*:Enabled:Services
    "52344:TCP"=52344:TCP:*:Enabled:Services
    "8792:TCP"=8792:TCP:*:Enabled:Services
    "5146:TCP"=5146:TCP:*:Enabled:Services


    ~~ EOF ~~
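The two HelpAsst_mebroot_fix logs in this thread (post #6 and post #10) show the two things a defender keeps an eye on after this kind of infection: the termservice ServiceDll being redirected from termsrv.dll to a drop-in termsrv32.dll, and a set of high-numbered TCP ports silently added to both firewall profiles' GloballyOpenPorts lists under the generic name "Services". The script below is an added example, not code from the thread or from noahdfear's tool: it parses log text in the format quoted above and reports both conditions. The sample log text is constructed to mirror the values shown in the thread, and the allowlist of expected open ports (only 3389/TCP for Remote Desktop) is an assumption that a real audit would replace with the machine's own baseline.

```python
import re

# Constructed sample, modelled on the HelpAsst_mebroot_fix.exe output quoted in this
# thread. The values copy what the thread shows; this is not a live capture.
INFECTED_LOG = r"""
~~ Checking for termsrv32.dll ~~

termsrv32.dll present!

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"""

# Constructed clean sample, matching the post-fix status check in the thread.
CLEAN_LOG = r"""
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"""

# Section header of a GloballyOpenPorts list; group 1 is the profile name.
PROFILE_RE = re.compile(
    r"^\[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\(\w+)"
    r"\\GloballyOpenPorts\\List\]$", re.I)
# One port entry: "port:proto"=port:proto:scope:state:display name
PORT_RE = re.compile(
    r'^"(\d+):(TCP|UDP)"=(\d+):(TCP|UDP):([^:]*):(Enabled|Disabled):(.*)$', re.I)
# The termservice ServiceDll value as the tool prints it.
DLL_RE = re.compile(r"^ServiceDll\s+REG_EXPAND_SZ\s+(\S.*)$", re.I)

# Assumption: on a stock Windows XP box the only globally open port that should be
# present for Terminal Services is Remote Desktop on 3389/TCP. Replace with the
# machine's own baseline when auditing a real host.
DEFAULT_ALLOWED = {(3389, "TCP")}
EXPECTED_TERMSRV_DLL = "termsrv.dll"


def parse_open_ports(log):
    """Return {profile: [(port, proto, scope, state, name), ...]} for every
    GloballyOpenPorts section found in the log text."""
    ports = {}
    profile = None
    for raw in log.splitlines():
        line = raw.strip()
        m = PROFILE_RE.match(line)
        if m:
            profile = m.group(1).lower()
            ports.setdefault(profile, [])
            continue
        m = PORT_RE.match(line)
        if m and profile is not None:
            port, proto = int(m.group(3)), m.group(4).upper()
            ports[profile].append((port, proto, m.group(5), m.group(6), m.group(7).strip()))
        elif not line:
            profile = None  # a blank line closes the current section
    return ports


def parse_service_dll(log):
    """Return the termservice ServiceDll value from the log, or None if absent."""
    for raw in log.splitlines():
        m = DLL_RE.match(raw.strip())
        if m:
            return m.group(1).strip()
    return None


def audit_log(log, allowed=DEFAULT_ALLOWED, expected_dll=EXPECTED_TERMSRV_DLL):
    """Return a list of (kind, detail) findings: a hijacked ServiceDll and any
    enabled open port that is not on the allowlist."""
    findings = []
    dll = parse_service_dll(log)
    if dll is not None:
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename != expected_dll:
            findings.append(("service_dll",
                             f"termservice ServiceDll is {dll}, expected {expected_dll}"))
    for profile, entries in parse_open_ports(log).items():
        for port, proto, scope, state, name in entries:
            if state.lower() == "enabled" and (port, proto) not in allowed:
                findings.append(("rogue_port",
                                 f"{profile}: {port}/{proto} open to {scope} as '{name}'"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_log(INFECTED_LOG):
        print(kind, detail)
    print("clean log findings:", audit_log(CLEAN_LOG))
```

Run against the infected sample it reports the redirected ServiceDll plus the three "Services" ports (65533 in both profiles and 52344 in the standard profile); the clean sample, which matches the thread's post-fix status check, yields nothing. Note that the thread's later log shows fresh ports (5146, 8792) reappearing after the first cleanup, which is why a check like this belongs in a repeat status check rather than a one-off.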
     
  11. 2010/04/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It looks much better :)

    After running the tool listed below, it'll produce a rather large log. Instead of pasting it here...
    ...Upload the file(s) here: http://uploadmb.com/
    Post download link (Direct Link).

    Please download OTM

    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    C:\Documents and Settings\HelpAssistant
    C:\Documents and Settings\HelpAssistant.MOMSDELL
    C:\Documents and Settings\HelpAssistant.MOMSDELL.000
    C:\Documents and Settings\HelpAssistant.MOMSDELL.001
    C:\Documents and Settings\HelpAssistant.MOMSDELL.002
          
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
    
    • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
     
  12. 2010/04/08
    macoons

    macoons Inactive Thread Starter

    Joined:
    2010/03/31
    Messages:
    44
    Likes Received:
    0
    Ok. It was running much faster, but after running OTM it is really erratic. After it rebooted, it was slow to respond to commands and when I was navigating here it rebooted seemingly out of the blue. Anyway the performance isn't nearly as stable and quick as before it ran (for whatever all that's worth). Here is the link to the log:

    http://www.uploadmb.com/dw.php?id=1270705961
     
  13. 2010/04/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    That's fine. We still have work to do.

    Delete your Combofix file, download a fresh one, run it and post a fresh log.
     
  14. 2010/04/08
    macoons

    macoons Inactive Thread Starter

    Joined:
    2010/03/31
    Messages:
    44
    Likes Received:
    0
    Had significant difficulties in downloading combofix. Download would work fine but then would give me an error saying it couldn't copy it from some temp directory to the desktop. Computer locked up and gave me the blue error screen. I rebooted in Safe Mode and was able to download it and run it from there. Here is the log:


    ComboFix 10-04-07.04 - Carolyn Coons 04/08/2010 17:03:07.5.1 - x86 NETWORK
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.939 [GMT -7:00]
    Running from: c:\documents and settings\Carolyn Coons\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((( Files Created from 2010-03-09 to 2010-04-09 )))))))))))))))))))))))))))))))
    .

    2010-04-08 05:51 . 2010-04-08 05:51 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
    2010-04-08 05:50 . 2010-04-08 05:50 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
    2010-04-08 05:46 . 2010-04-08 05:46 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
    2010-04-08 05:46 . 2009-11-18 02:19 38 ----a-w- c:\documents and settings\HelpAssistant\jagex_runescape_preferences.dat
    2010-04-08 05:46 . 2009-11-18 01:59 63 ----a-w- c:\documents and settings\HelpAssistant\jagex_runescape_preferences2.dat
    2010-04-07 04:47 . 2010-04-07 04:47 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-04-05 14:48 . 2010-04-05 14:48 -------- d-----w- C:\_OTM
    2010-04-04 05:49 . 2010-04-06 07:24 -------- d-----w- C:\HelpAsst_backup
    2010-04-03 19:08 . 2010-04-03 19:08 -------- d-----w- c:\windows\system32\LogFiles
    2010-03-31 04:30 . 2010-04-03 17:29 -------- d-----w- c:\program files\Panda Security
    2010-03-31 03:36 . 2010-03-31 03:36 -------- d-----w- c:\program files\Trend Micro
    2010-03-31 01:25 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
    2010-03-31 01:25 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
    2010-03-31 01:24 . 2010-03-31 01:24 -------- d-sh--w- c:\documents and settings\Aspen Coons\IETldCache
    2010-03-28 20:44 . 2010-03-28 20:44 -------- d-----w- c:\documents and settings\Carolyn Coons\Local Settings\Application Data\Threat Expert
    2010-03-28 20:39 . 2010-02-05 16:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2010-03-28 20:39 . 2010-03-10 18:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2010-03-28 20:39 . 2009-11-23 20:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2010-03-28 20:39 . 2010-02-05 16:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2010-03-28 20:38 . 2010-03-28 20:43 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-03-28 20:38 . 2010-03-28 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2010-03-28 20:03 . 2008-02-01 19:55 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
    2010-03-28 20:03 . 2007-12-10 21:53 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
    2010-03-28 20:03 . 2007-12-10 21:53 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
    2010-03-28 20:03 . 2007-12-10 21:53 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
    2010-03-28 20:02 . 2010-04-03 23:35 -------- d-----w- c:\program files\Spyware Doctor
    2010-03-28 20:02 . 2010-03-28 20:02 -------- d-----w- c:\documents and settings\Carolyn Coons\Application Data\PC Tools
    2010-03-23 00:24 . 2010-03-23 00:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2010-03-22 05:33 . 2010-03-22 05:33 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2010-03-22 00:24 . 2010-03-22 00:24 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-03-22 00:20 . 2010-03-22 00:20 6944624 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aaw2008_upd.exe
    2010-03-21 20:58 . 2010-03-21 20:58 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-05 05:40 . 2009-09-23 02:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-03 17:36 . 2007-12-01 22:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-03-29 22:24 . 2009-09-23 02:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-29 22:24 . 2009-09-23 02:07 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-27 20:42 . 2006-03-22 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-03-22 03:20 . 2006-03-22 22:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-22 00:25 . 2006-03-22 22:38 -------- d-----w- c:\program files\Lavasoft
    2010-03-22 00:20 . 2008-03-18 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-02-28 03:01 . 2008-02-10 22:02 -------- d-----w- c:\program files\McAfee
    2010-02-25 06:24 . 2004-08-04 11:00 916480 ------w- c:\windows\system32\wininet.dll
    2010-02-10 15:38 . 2006-10-27 19:13 -------- d-----w- c:\program files\Google
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-04-03_19.25.56 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-04-08 07:38 . 2010-04-08 20:37 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2005-03-19 03:58 . 2010-04-08 20:37 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2005-03-19 03:58 . 2010-04-03 16:12 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2010-03-22 05:33 . 2010-04-08 20:37 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
    - 2010-03-22 05:33 . 2010-04-03 16:12 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
    + 2010-04-07 08:59 . 2010-04-08 20:37 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
    - 2009-10-14 05:23 . 2010-04-03 16:12 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-11 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "mcagent_exe "= "c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-11 68856]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=" "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001
    "FirewallOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)
    "DisableNotifications "= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=
    "c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP "= 65533:TCP:Services
    "52344:TCP "= 52344:TCP:Services
    "8792:TCP "= 8792:TCP:Services
    "5146:TCP "= 5146:TCP:Services
    "7709:TCP "= 7709:TCP:Services
    "7710:TCP "= 7710:TCP:Services
    "3389:TCP "= 3389:TCP:Remote Desktop

    R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [3/28/2010 1:39 PM 217032]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2010 8:38 AM 135664]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/3/2008 10:18 AM 93320]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [3/28/2010 1:02 PM 366840]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 15:38]

    2010-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 15:38]

    2010-03-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2008-02-10 19:22]

    2010-04-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2008-02-10 19:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-08 17:10
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x894BC250]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf76bbfc3
    \Driver\ACPI -> ACPI.sys @ 0xf75aecb8
    \Driver\atapi -> atapi.sys @ 0xf748e7b4
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
    NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x89436330
    PacketIndicateHandler -> NDIS.sys @ 0xf7b47b21
    SendHandler -> NDIS.sys @ 0xf7b2587b
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2128)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-04-08 17:13:48
    ComboFix-quarantined-files.txt 2010-04-09 00:13
    ComboFix2.txt 2010-04-07 07:03
    ComboFix3.txt 2010-04-04 00:13
    ComboFix4.txt 2010-04-03 19:29
    ComboFix5.txt 2010-04-09 00:01

    Pre-Run: 9,971,662,848 bytes free
    Post-Run: 9,937,481,728 bytes free

    - - End Of File - - 176B72208C24E63AE78788C36C594C3B
     
  15. 2010/04/08
    macoons

    macoons Inactive Thread Starter

    Joined:
    2010/03/31
    Messages:
    44
    Likes Received:
    0
    Also rebooted and running in standard mode.
     
  16. 2010/04/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Delete your HelpAsst_mebroot_fix.exe file. Download a fresh one.

    Physically disconnect from the internet. Do NOT reconnect until I say so.

    Download and save HelpAsst_mebroot_fix.exe to your desktop.
    • Close all open programs.
    • Double click HelpAsst_mebroot_fix.exe to run it.
    • Pay attention to the running tool.
    • If the tool detects mbr infection, please allow it to run mbr -f and shutdown your computer. To do so, type Y and press Enter.
    • After restart, wait 5 minutes, then go Start>Run, copy and paste the following command in the run box then hit Enter:

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    IMPORTANT!
    If the tool does NOT detect any mbr infection and completes, proceed with the following...

    • Click Start>Run and copy and paste the following command, then hit Enter:

      • mbr -f
    • Repeat the above step one more time
    • Now shut down the computer (do not restart, but shut it down), wait 5 minutes then start it back up.
    • Wait another 5 minutes, then click Start>Run and copy and paste the following command, then hit Enter.

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    **Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
     
  17. 2010/04/08
    macoons

    macoons Inactive Thread Starter

    Joined:
    2010/03/31
    Messages:
    44
    Likes Received:
    0
    C:\Documents and Settings\Carolyn Coons\Desktop\HelpAsst_mebroot_fix.exe
    Thu 04/08/2010 at 17:57:31.59

    HelpAssistant account was found to be Inactive


    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll present! ~ attempting to remove
    termsrv32.dll successfully removed

    ~~ Checking firewall ports ~~

    backing up DomainProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
    "65533:TCP "=-
    "52344:TCP "=-
    "8792:TCP "=-
    "5146:TCP "=-
    "7709:TCP "=-
    "7710:TCP "=-
    "3389:TCP "=-
    "4631:TCP "=-
    "7762:TCP "=-

    backing up StandardProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
    "65533:TCP "=-
    "52344:TCP "=-
    "8792:TCP "=-
    "5146:TCP "=-
    "7709:TCP "=-
    "7710:TCP "=-
    "3389:TCP "=-
    "4631:TCP "=-
    "7762:TCP "=-

    HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-4033994130-1639493683-3125362582-1005
    HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
    ~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

    ~~ Checking mbr ~~

    user & kernel MBR OK

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Thu 04/08/2010 at 18:24:05.07

    Full Name Remote Desktop Help Assistant Account
    Account active Yes
    Local Group Memberships *Administrators

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x890E10C8]<<
    kernel: MBR read successfully
    user & kernel MBR OK

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
    ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

    ~~ Checking profile list ~~

    No HelpAssistant profile in List

    ~~ Checking for HelpAssistant directories ~~

    none found

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
    "65533:TCP "=65533:TCP:*:Enabled:Services
    "52344:TCP "=52344:TCP:*:Enabled:Services
    "4631:TCP "=4631:TCP:*:Enabled:Services
    "7762:TCP "=7762:TCP:*:Enabled:Services

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP "=65533:TCP:*:Enabled:Services
    "52344:TCP "=52344:TCP:*:Enabled:Services
    "4631:TCP "=4631:TCP:*:Enabled:Services
    "7762:TCP "=7762:TCP:*:Enabled:Services


    ~~ EOF ~~
     
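As an added example (not code from this thread, and not part of ComboFix or of noahdfear's HelpAsst_mebroot_fix), the following Python script audits log excerpts of the kind posted above. From a ComboFix "Reg Loading Points" section it flags the Security Center override values, the disabled Standard Profile firewall and any GloballyOpenPorts entries that are not on an allowlist; from a HelpAsst_mebroot_fix log it flags a HelpAssistant account that reports "Account active Yes" with Administrators membership, and ports that the fix closed ("=-") but that are present again in the status check. The allowlist (3389/TCP only) and the two sample excerpts are constructed for this example from the indicators in the thread's logs; the registry key and value names are the ones that appear in those logs.

```python
import re

# Constructed allowlist for this example: ports the machine is expected to
# have open. Keep 3389/TCP only where Remote Desktop is intentionally used.
EXPECTED_PORTS = {(3389, "TCP")}

VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')   # "name"=value lines
PORT_NAME_RE = re.compile(r'^(\d+):(TCP|UDP)$')      # GloballyOpenPorts value names
NUM_RE = re.compile(r'^(?:dword:)?([0-9a-f]+)')      # dword:00000001 or "0 (0x0)"
HELPASST_RE = re.compile(r"Full Name\s+Remote Desktop Help Assistant Account.*?"
                         r"Account active\s+(Yes|No).*?Local Group Memberships\s+([^\n]*)", re.S)

# (key substring, value name, value that indicates tampering, description)
TAMPER_RULES = [
    ("security center", "AntiVirusOverride", 1, "Security Center AV alerting overridden"),
    ("security center", "FirewallOverride", 1, "Security Center firewall alerting overridden"),
    ("security center\\monitoring", "DisableMonitoring", 1, "Security Center monitoring of that product disabled"),
    ("firewallpolicy", "EnableFirewall", 0, "Windows Firewall off for this profile"),
    ("firewallpolicy", "DisableNotifications", 1, "firewall notifications suppressed"),
]

# Constructed excerpts modelled on the thread's ComboFix and HelpAsst logs.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"""
HELPASST_SAMPLE = r"""
HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"4631:TCP"=-
Full Name                    Remote Desktop Help Assistant Account
Account active               Yes
Local Group Memberships      *Administrators
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"4631:TCP"=4631:TCP:*:Enabled:Services
"""

def parse_registry_lines(text):
    """(key, name, value) for each "name"=value line under the [key] or bare HKLM header above it."""
    entries, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        if (line.startswith("[") and line.endswith("]")) or line.upper().startswith(("HKLM\\", "HKEY_")):
            key = line.strip("[]").lower()      # lower-case: ComboFix and HelpAsst spell keys differently
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group(1).strip(), m.group(2).strip()))
    return entries

def open_ports(entries):
    """Firewall profile -> {(port, proto)} present; '-' is the fix tool's deletion marker, not an open port."""
    ports = {}
    for key, name, value in entries:
        m = PORT_NAME_RE.match(name)
        if "globallyopenports\\list" not in key or not m or value == "-":
            continue
        profile = "domainprofile" if "domainprofile" in key else "standardprofile"
        ports.setdefault(profile, set()).add((int(m.group(1)), m.group(2)))
    return ports

def rogue_ports(entries, expected=EXPECTED_PORTS):
    """Open ports that are not on the allowlist, per profile."""
    return {p: sorted(s - expected) for p, s in open_ports(entries).items() if s - expected}

def hardening_findings(entries):
    """Values that silence Security Center or switch the firewall off."""
    findings = []
    for key, name, value in entries:
        m = NUM_RE.match(value.lower())
        num = int(m.group(1), 16) if m else None
        for key_part, rule_name, bad, why in TAMPER_RULES:
            if key_part in key and name == rule_name and num == bad:
                findings.append(f"{name}={bad}: {why}")
    return findings

def helpassistant_status(text):
    """(active, in_administrators) from a HelpAsst status check, else None; stock XP has it disabled, non-admin."""
    m = HELPASST_RE.search(text)
    return None if not m else (m.group(1) == "Yes", "Administrators" in m.group(2))

def reopened_ports(text):
    """Ports the fix deleted ('=-') that a later status check in the same log shows present again."""
    entries = parse_registry_lines(text)
    closed = {(int(m.group(1)), m.group(2)) for _k, name, value in entries
              for m in [PORT_NAME_RE.match(name)] if m and value == "-"}
    present = set().union(*open_ports(entries).values())
    return sorted(closed & present)
```

To use it on a real log, read the file into `parse_registry_lines` in place of the constructed samples. A non-empty result from `reopened_ports`, or an active HelpAssistant account in Administrators after the fix has run, is the pattern visible in the HelpAsst log above: entries that come back after removal are the ones to keep watching rather than treat as a one-off.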
  18. 2010/04/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    This looks really good :)

    Do NOT connect to the internet yet (bad computer, let's call it "Computer 1"). The rootkit you had, HelpAssistant, is a really nasty piece, so we have to make sure nothing is lurking there.

    Using the computer you're posting from, let's call it "Computer 2" (plus a USB flash drive to move files)....

    Download, and run Flash Disinfector, and save it to your desktop. Install it on Computer 2

    *Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process*

    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
    • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.
    Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

    ==============================================================

    On Computer 2, download fresh Malwarebytes definitions from here: http://mbam.malwarebytes.org/database/mbam-rules.exe
    It's a self-installing file. Using USB stick, move it to Computer 1 and double click on the file, which will update your Malwarebytes on Computer 1.
    Run Malwarebytes on Computer 1, copy the log to Computer 2 and post it back here.

    Next....
    On Computer 2, download following program, move it to Computer 1, run it there, copy the log and post it back here from the Computer 2.

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and click Scan to run the express scan. Click OK in the pop-up window to allow the scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list.
    • Save the report to your desktop. The report will be called DrWeb.csv.
    • Close Dr.Web CureIt.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in the upper right corner.


    Let me know, if something is unclear.
     
  19. 2010/04/08
    macoons

    macoons Inactive Thread Starter

    Joined:
    2010/03/31
    Messages:
    44
    Likes Received:
    0
    The Malwarebytes is giving me the following message: "The current database is not supported by this version of Anti-Malware. Please download the latest version of the program." I downloaded and transferred the 1.45 version released Mar 29th and still get the same message...
     
  20. 2010/04/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK. Your version should be just a couple of days old, so you can run it as is.
    Dr.Web will be rather fresh.
     
  21. 2010/04/10
    macoons

    macoons Inactive Thread Starter

    Joined:
    2010/03/31
    Messages:
    44
    Likes Received:
    0
    Well THAT took forever :) The Dr Web complete scan took over 24 hours. Here are the two logs:

    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 3930

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    4/8/2010 9:48:22 PM
    mbam-log-2010-04-08 (21-48-22).txt

    Scan type: Quick scan
    Objects scanned: 140649
    Time elapsed: 11 minute(s), 23 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    DR Web


    7d991e16142a34b0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d991e16142a34b0.bup;Trojan.Packed.682;;
    7d991e16142a34b0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a11192a2af0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a11192a2af0.bup;Trojan.Virtumod.1798;;
    7d9a11192a2af0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a11192a2de0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a11192a2de0.bup;Trojan.Virtumod.1798;;
    7d9a11192a2de0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1121f37bb0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1121f37bb0.bup;Trojan.Virtumod.1798;;
    7d9a1121f37bb0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1121f37da0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1121f37da0.bup;Trojan.Virtumod.1798;;
    7d9a1121f37da0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a11220191190.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a11220191190.bup;Trojan.Virtumod.1798;;
    7d9a11220191190.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1122019ea0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1122019ea0.bup;Trojan.Virtumod.1798;;
    7d9a1122019ea0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a11339192900.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a11339192900.bup;Probably Trojan.Packed.829;;
    7d9a11339192900.bup\stream001;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a11339192900.bup;Probably Trojan.Packed.829;;
    7d9a11339192900.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1133a162130.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1133a162130.bup;Trojan.Siggen.3283;;
    7d9a1133a162130.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1133a322e0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1133a322e0.bup;Trojan.Siggen.3283;;
    7d9a1133a322e0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1133a33c80.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1133a33c80.bup;Trojan.Siggen.3283;;
    7d9a1133a33c80.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1133a42e0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1133a42e0.bup;Probably Trojan.Packed.829;;
    7d9a1133a42e0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1133a48c0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1133a48c0.bup;Probably Trojan.Packed.829;;
    7d9a1133a48c0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a116143b2420.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a116143b2420.bup;Probably Trojan.Virtumod;;
    7d9a116143b2420.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1161502fd0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1161502fd0.bup;Probably Trojan.Virtumod;;
    7d9a1161502fd0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a11616f3d80.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a11616f3d80.bup;Trojan.Packed.682;;
    7d9a11616f3d80.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1a15201d40.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1a15201d40.bup;Trojan.Packed.682;;
    7d9a1a15201d40.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1c1c236d0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1c1c236d0.bup;Trojan.Virtumod.1798;;
    7d9a1c1c236d0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1c1c238c0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1c1c238c0.bup;Trojan.Virtumod.1798;;
    7d9a1c1c238c0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1c1c92ee0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1c1c92ee0.bup;Probably Trojan.Virtumod;;
    7d9a1c1c92ee0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1c1f362af0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1c1f362af0.bup;Trojan.Virtumod.1798;;
    7d9a1c1f362af0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1c1f372610.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1c1f372610.bup;Trojan.Virtumod.1798;;
    7d9a1c1f372610.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1c1f372800.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1c1f372800.bup;Trojan.Virtumod.1798;;
    7d9a1c1f372800.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1c201a3a90.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1c201a3a90.bup;Trojan.Virtumod.1798;;
    7d9a1c201a3a90.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1c201b4e0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1c201b4e0.bup;Trojan.Virtumod.1798;;
    7d9a1c201b4e0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1f1f362de0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1f1f362de0.bup;Trojan.Virtumod.1798;;
    7d9a1f1f362de0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1f1f3632c0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1f1f3632c0.bup;Trojan.Virtumod.1798;;
    7d9a1f1f3632c0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1f201830d0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1f201830d0.bup;Trojan.Virtumod.1798;;
    7d9a1f201830d0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a1f201833c0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a1f201833c0.bup;Trojan.Virtumod.1798;;
    7d9a1f201833c0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a21615b2ce0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a21615b2ce0.bup;Trojan.Packed.682;;
    7d9a21615b2ce0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a2a1511380.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a2a1511380.bup;Probably Trojan.Virtumod;;
    7d9a2a1511380.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a2a15633c0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a2a15633c0.bup;Trojan.Fakealert.5338;;
    7d9a2a15633c0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a316152137a0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a316152137a0.bup;Trojan.Packed.682;;
    7d9a316152137a0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a41616c2420.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a41616c2420.bup;Trojan.Packed.682;;
    7d9a41616c2420.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a4a15351f0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a4a15351f0.bup;Trojan.Packed.682;;
    7d9a4a15351f0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a516162033c0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a516162033c0.bup;Trojan.Packed.682;;
    7d9a516162033c0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a5a16291380.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a5a16291380.bup;Trojan.Packed.682;;
    7d9a5a16291380.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a61114141d40.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a61114141d40.bup;Probably Trojan.Virtumod;;
    7d9a61114141d40.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a61114322ee0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a61114322ee0.bup;Probably Trojan.Virtumod;;
    7d9a61114322ee0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a61114322fd0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a61114322fd0.bup;Probably Trojan.Virtumod;;
    7d9a61114322fd0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a611143232c0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a611143232c0.bup;Probably Trojan.Virtumod;;
    7d9a611143232c0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a611143234b0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a611143234b0.bup;Probably Trojan.Virtumod;;
    7d9a611143234b0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a611143235b0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a611143235b0.bup;Probably Trojan.Virtumod;;
    7d9a611143235b0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a61114323990.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a61114323990.bup;Probably Trojan.Virtumod;;
    7d9a61114323990.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a61115222fd0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a61115222fd0.bup;Probably Trojan.Virtumod;;
    7d9a61115222fd0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a6111543d80.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a6111543d80.bup;Probably Trojan.Virtumod;;
    7d9a6111543d80.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a61115f1e40.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a61115f1e40.bup;Probably Trojan.Virtumod;;
    7d9a61115f1e40.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a61116143e0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a61116143e0.bup;Probably Trojan.Virtumod;;
    7d9a61116143e0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a611162700.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a611162700.bup;Probably Trojan.Virtumod;;
    7d9a611162700.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a61116272e0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a61116272e0.bup;Probably Trojan.Virtumod;;
    7d9a61116272e0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a61116274e0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a61116274e0.bup;Probably Trojan.Virtumod;;
    7d9a61116274e0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a61116276d0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a61116276d0.bup;Probably Trojan.Virtumod;;
    7d9a61116276d0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a61116277d0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a61116277d0.bup;Probably Trojan.Virtumod;;
    7d9a61116277d0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a61263b2fd0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a61263b2fd0.bup;Probably Trojan.Virtumod;;
    7d9a61263b2fd0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9a612a3b2e0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9a612a3b2e0.bup;Probably Trojan.Virtumod;;
    7d9a612a3b2e0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9cb434233de0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9cb434233de0.bup;Trojan.Packed.683;;
    7d9cb434233de0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7d9cb4342b11f0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d9cb4342b11f0.bup;Trojan.Packed.683;;
    7d9cb4342b11f0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7da21b122c2f1a80.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da21b122c2f1a80.bup;Trojan.Siggen.64289;;
    7da21b122c2f1a80.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7da32171519cb0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da32171519cb0.bup;Trojan.Siggen.64289;;
    7da32171519cb0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7da35421272420.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da35421272420.bup;Trojan.Siggen.64289;;
    7da35421272420.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    7da3542401860.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da3542401860.bup;Trojan.Siggen.64289;;
    7da3542401860.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Archive contains infected objects;Moved.;
    InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably MULDROP.Trojan;Incurable.Deleted.;
    posodilo.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.DownLoad.49158;Deleted.;
    A0014379.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP175;Trojan.Fakealert.14113;Deleted.;
    A0014849.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP178;Trojan.DownLoad.49158;Deleted.;
    n002106201r0409X54993239Y1f2a5606Z0100f080316P000001070[1];C:\_OTM\MovedFiles\04052010_074828\c_documents and settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\B;Trojan.Fakealert.14113;Deleted.;
     
