Language EN
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
hmtklein
hmtklein
1 Copper
‎03-30-2010 12:50 PM

I had HelpAssistant virus now my memory appears to be full

Hello

This my original post

http://en.community.dell.com/forums/t/19329786.aspx

I must have posted in the wrong place.  Originally I use Combo (which I downloaded from Bleepingcomputer) unfortunately I can log on the forum.

BugBatter was kind enough to direct me to run HAMeb check.exe

Here is my report

C:\Documents and Settings\owner\My Documents\Downloads\HAMeb_check.exe
Tue 03/30/2010 at 14:39:06.12

Full Name                    Remote Desktop Help Assistant Account
Account active               No
Local Group Memberships      *Administrators      

 ~~ Checking profile list ~~

No HelpAssistant profile in List

 ~~ Checking for HelpAssistant directories ~~

none found

 ~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x06FC3DBF
malicious code @ sector 0x06FC3DC2 !
PE file found in sector at 0x06FC3DD8 !

 ~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
   ServiceDll    REG_EXPAND_SZ      %SystemRoot%\System32\termsrv.dll

 ~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


 ~~ EOF ~~

 

Does anyone have any ideas? I am desperate my the memory on my computer is nearly Full.  I greatly appreciate any help you can give me.

0 Kudos
Reply
14 Replies
Highlighted
1972vet
1972vet
5 Tungsten
‎03-31-2010 08:49 PM

Re: I had HelpAssistant virus now my memory appears to be full

Please download Profiles.exe by noahdfear and save it to your desktop.
  • Double-click profiles.exe to run the tool.
  • Profiles.exe will create a log when done.
  • Copy and paste the contents of that log into your next reply.
Please download mbr.exe and save it to your desktop <- (Important!).
  • Double-click on mbr.exe and allow the mbr.sys driver to load if asked.
  • A black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved on your desktop.
  • Copy and paste the results of the mbr.log in your next reply.
Reports/logs to post in your next reply:
  • ProfileList log
  • mbr.log

Disabled Veteran, U.S.C.G. 1972 - 1978
[IMG]http://i72.photobucket.com/albums/i183/1972vet/mvpsigpic.jpg[/IMG]
Member: [url=http://www.uniteagainstmalware.com/]U.N.I.T.E.[/url], [url=http://asap.maddoktor2.com/]A.S.A.P.[/url]

[url=http://www.microsoft.com/windowsxp/using/setup/maintain/improveperf.mspx]Windows XP Performance and Maintenance[/url]
[url=http://windowshelp.microsoft.com/Windows/en-US/maintenance.mspx]Windows Vista Performance and Maintenance[/url]
[url=http://www.microsoft.com/atwork/maintenance/speed.aspx]Windows 7 Performance and Maintenance[/url]

0 Kudos
Reply
hmtklein
hmtklein
1 Copper
‎04-07-2010 07:26 PM

Re: I had HelpAssistant virus now my memory appears to be full

Yeah the REPLY button is working again!!!

 asked me to post this logs

This is from profile.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    DefaultUserProfile  REG_SZ  Default User
    AllUsersProfile  REG_SZ  All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    ProfileImagePath  REG_EXPAND_SZ  %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
    ProfileImagePath  REG_EXPAND_SZ  %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
    ProfileImagePath  REG_EXPAND_SZ  %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-682003330-1979792683-725345543-1003
    ProfileImagePath  REG_EXPAND_SZ  %SystemDrive%\Documents and Settings\owner

    SystemRoot  REG_SZ  C:\WINDOWS

This is from mbr.exe

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x06FC3DBF
malicious code @ sector 0x06FC3DC2 !
PE file found in sector at 0x06FC3DD8 !

THANK YOU!

0 Kudos
Reply
1972vet
1972vet
5 Tungsten
‎04-08-2010 10:16 AM

Re: I had HelpAssistant virus now my memory appears to be full

The logs confirm that you have a master boot record rootkit infection. Please thoroughly read through these instructions before you begin...you just may decide that you do not want to take on this much of a risk.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

Disabled Veteran, U.S.C.G. 1972 - 1978
[IMG]http://i72.photobucket.com/albums/i183/1972vet/mvpsigpic.jpg[/IMG]
Member: [url=http://www.uniteagainstmalware.com/]U.N.I.T.E.[/url], [url=http://asap.maddoktor2.com/]A.S.A.P.[/url]

[url=http://www.microsoft.com/windowsxp/using/setup/maintain/improveperf.mspx]Windows XP Performance and Maintenance[/url]
[url=http://windowshelp.microsoft.com/Windows/en-US/maintenance.mspx]Windows Vista Performance and Maintenance[/url]
[url=http://www.microsoft.com/atwork/maintenance/speed.aspx]Windows 7 Performance and Maintenance[/url]

0 Kudos
Reply
hmtklein
hmtklein
1 Copper
‎04-08-2010 06:56 PM

Re: I had HelpAssistant virus now my memory appears to be full

Thank you! here is my log

 

C:\Documents and Settings\owner\Desktop\HelpAsst_mebroot_fix.exe
Thu 04/08/2010 at 20:26:53.31

HelpAssistant account was found to be Inactive


 ~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

 ~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list


HelpAssistant profile not found in registry

 ~~ Checking mbr ~~

user & kernel MBR OK

 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Thu 04/08/2010 at 20:46:36.14

Full Name                    Remote Desktop Help Assistant Account
Account active               No
Local Group Memberships      *Administrators      

 ~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x06FC3DBF
malicious code @ sector 0x06FC3DC2 !
PE file found in sector at 0x06FC3DD8 !

 ~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
   ServiceDll    REG_EXPAND_SZ      %systemroot%\System32\termsrv.dll

 ~~ Checking profile list ~~

No HelpAssistant profile in List

 ~~ Checking for HelpAssistant directories ~~

none found

 ~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


 ~~ EOF ~~

0 Kudos
Reply
1972vet
1972vet
5 Tungsten
‎04-09-2010 06:42 AM

Re: I had HelpAssistant virus now my memory appears to be full

 

Looks to me like you've already had some work done on this infection as I'm not seeing what I expected to see...I had originally thought this may take only a couple more steps to complete but as things look now, it may already have been removed. Regardless and to be certain, let's see if we can complete these set of instructions, then we'll have combofix take another look at things:
Open Windows Explorer and rename the C:\mbr.log to C:\mbrold.txt <- if the extension does not show, you need to Reconfigure Windows to show hidden file extensions for known file types.


Make sure mbr.exe is still on your desktop or the next set of instructions will not work. <- (Important!)

Click start-->Run...then, in the run box, copy/paste the following command:
"%userprofile%\desktop\mbr.exe" -f

Click OK or press Enter, then reboot the comuter.
A new report will be created at C:\mbr.log. Please copy and paste the results in your next reply.

Disabled Veteran, U.S.C.G. 1972 - 1978
[IMG]http://i72.photobucket.com/albums/i183/1972vet/mvpsigpic.jpg[/IMG]
Member: [url=http://www.uniteagainstmalware.com/]U.N.I.T.E.[/url], [url=http://asap.maddoktor2.com/]A.S.A.P.[/url]

[url=http://www.microsoft.com/windowsxp/using/setup/maintain/improveperf.mspx]Windows XP Performance and Maintenance[/url]
[url=http://windowshelp.microsoft.com/Windows/en-US/maintenance.mspx]Windows Vista Performance and Maintenance[/url]
[url=http://www.microsoft.com/atwork/maintenance/speed.aspx]Windows 7 Performance and Maintenance[/url]

0 Kudos
Reply
hmtklein
hmtklein
1 Copper
‎04-11-2010 11:37 AM

Re: I had HelpAssistant virus now my memory appears to be full

Okay here is my log.... 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x06FC3DBF
malicious code @ sector 0x06FC3DC2 !
PE file found in sector at 0x06FC3DD8 !

 

The thing that freaks me out is that the available space on my computer is on 6.72 GB of  60... eeke it makes not sense to me?

 

Thank  you 1972vet you're a saint!

0 Kudos
Reply
1972vet
1972vet
5 Tungsten
‎04-11-2010 06:58 PM

Re: I had HelpAssistant virus now my memory appears to be full

OK, that log doesn't look like it should either. The problem I believe is from having done things on your own, here and there, half-way willy nilly...in other words, I really have no idea what else or in what order you may have done things before I took on your log.

We may just have to deal with what cf can do for you...Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouseclick combofix's window while it's running....that may cause the scan to stall

Disabled Veteran, U.S.C.G. 1972 - 1978
[IMG]http://i72.photobucket.com/albums/i183/1972vet/mvpsigpic.jpg[/IMG]
Member: [url=http://www.uniteagainstmalware.com/]U.N.I.T.E.[/url], [url=http://asap.maddoktor2.com/]A.S.A.P.[/url]

[url=http://www.microsoft.com/windowsxp/using/setup/maintain/improveperf.mspx]Windows XP Performance and Maintenance[/url]
[url=http://windowshelp.microsoft.com/Windows/en-US/maintenance.mspx]Windows Vista Performance and Maintenance[/url]
[url=http://www.microsoft.com/atwork/maintenance/speed.aspx]Windows 7 Performance and Maintenance[/url]

0 Kudos
Reply
hmtklein
hmtklein
1 Copper
‎04-11-2010 09:07 PM

Re: I had HelpAssistant virus now my memory appears to be full

I appreciate your help thanks!

 

ComboFix 10-04-11.01 - owner 04/11/2010  22:53:50.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.482 [GMT -4:00]
Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2010-03-12 to 2010-04-12  )))))))))))))))))))))))))))))))
.

2010-04-11 18:33 . 2010-04-11 18:33    --------    d-----w-    c:\program files\Common Files\Global Graphics
2010-04-11 18:32 . 2010-04-11 18:32    --------    dc----w-    c:\documents and settings\All Users\Application Data\Global Graphics
2010-04-11 18:32 . 2009-11-24 14:54    17304    ----a-w-    c:\windows\system32\ShutdownDCClients.exe
2010-04-11 18:32 . 2009-11-24 14:54    103824    ----a-w-    c:\windows\system32\EventHelper.dll
2010-04-11 18:32 . 2009-11-24 14:53    165264    ----a-w-    c:\windows\system32\doccreatorpm.dll
2010-04-11 18:32 . 2009-11-24 14:53    15760    ----a-w-    c:\windows\system32\DCMessagesPS.dll
2010-04-11 18:32 . 2009-11-24 14:53    99720    ----a-w-    c:\windows\system32\DCMessages.exe
2010-04-11 18:31 . 2010-04-11 18:31    --------    d-----w-    c:\program files\Global Graphics
2010-04-09 00:26 . 2010-04-09 00:26    --------    dc----w-    C:\HelpAsst_backup
2010-04-09 00:21 . 2010-04-09 00:21    --------    d-sh--w-    c:\documents and settings\NetworkService\IETldCache
2010-04-06 15:27 . 2010-04-06 15:27    --------    d-----w-    c:\program files\Citrix
2010-04-06 15:25 . 2010-04-06 15:25    72080    ----a-w-    c:\documents and settings\owner\g2mdlhlpx.exe
2010-03-30 15:39 . 2010-03-30 16:03    --------    dc----w-    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-30 15:39 . 2010-03-30 15:43    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2010-03-30 13:50 . 2008-07-06 12:06    89088    ----a-w-    c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-03-30 13:50 . 2010-03-30 13:50    --------    dc----w-    C:\***
2010-03-30 13:50 . 2008-07-06 12:06    89088    -c----w-    c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-30 13:50 . 2008-07-06 12:06    575488    -c----w-    c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-30 13:50 . 2008-07-06 12:06    575488    ------w-    c:\windows\system32\xpsshhdr.dll
2010-03-30 13:50 . 2008-07-06 12:06    1676288    -c----w-    c:\windows\system32\dllcache\xpssvcs.dll
2010-03-30 13:50 . 2008-07-06 12:06    1676288    ------w-    c:\windows\system32\xpssvcs.dll
2010-03-30 13:50 . 2008-07-06 12:06    117760    ------w-    c:\windows\system32\prntvpt.dll
2010-03-30 13:50 . 2008-07-06 10:50    597504    -c----w-    c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-30 13:50 . 2008-07-06 10:50    597504    ------w-    c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-03-30 01:53 . 2010-03-30 01:53    --------    d-----w-    c:\program files\ESET
2010-03-30 01:30 . 2010-03-30 01:30    --------    d-----w-    c:\program files\NOS
2010-03-30 01:29 . 2010-03-22 19:53    32576    ----a-w-    c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\43yyfhah.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-03-30 01:29 . 2010-03-22 19:53    29984    ----a-w-    c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\43yyfhah.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-03-30 00:52 . 2010-03-30 00:52    152576    ----a-w-    c:\documents and settings\owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-30 00:51 . 2010-03-30 00:51    79488    ----a-w-    c:\documents and settings\owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-30 00:09 . 2009-10-23 15:28    3558912    -c----w-    c:\windows\system32\dllcache\moviemk.exe
2010-03-30 00:02 . 2010-03-30 00:02    --------    d-----w-    c:\windows\system32\wbem\Repository
2010-03-29 23:57 . 2010-03-29 23:58    --------    d-----w-    c:\program files\QuickTime
2010-03-29 23:56 . 2010-03-29 23:57    --------    d-----w-    c:\program files\iTunes
2010-03-29 23:56 . 2010-03-29 23:56    --------    d-----w-    c:\program files\iPod
2010-03-29 23:45 . 2010-03-29 23:45    --------    d-----w-    c:\program files\Bonjour
2010-03-29 23:45 . 2010-03-29 23:45    --------    d-----w-    c:\program files\Digital Line Detect
2010-03-29 23:45 . 2010-03-29 23:45    --------    d-----w-    c:\program files\Modem Helper
2010-03-29 23:45 . 2010-03-29 23:45    --------    d-----w-    c:\program files\ATI Technologies
2010-03-29 23:43 . 2010-03-29 23:43    --------    d-----w-    c:\program files\Lavasoft
2010-03-29 23:43 . 2010-03-29 23:43    --------    dc-h--w-    c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-03-29 23:42 . 2010-03-29 23:42    --------    d-----w-    c:\program files\Common Files\Adobe AIR
2010-03-29 23:41 . 2010-03-29 23:41    --------    d-----w-    c:\windows\tiinst
2010-03-29 23:41 . 2010-03-29 23:41    --------    d-----w-    c:\program files\Common Files\supportsoft
2010-03-29 23:30 . 2010-03-29 23:30    --------    d-----w-    c:\windows\SHELLNEW
2010-03-29 23:30 . 2010-03-29 23:30    --------    d-----w-    c:\program files\Microsoft ActiveSync
2010-03-29 23:30 . 2010-03-29 23:30    --------    d-----w-    c:\program files\Common Files\L&H
2010-03-29 23:30 . 2010-03-29 23:30    --------    d-----w-    c:\program files\Microsoft Works
2010-03-26 21:52 . 2010-03-29 23:13    --------    d-----w-    c:\documents and settings\owner\Local Settings\Application Data\AskToolbar
2010-03-26 21:46 . 2010-03-29 23:29    --------    d-----w-    c:\program files\Foxit Software
2010-03-25 21:28 . 2010-03-25 21:28    --------    d-----w-    c:\documents and settings\owner\Application Data\Malwarebytes
2010-03-25 21:28 . 2010-03-25 21:28    --------    dc----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-25 21:28 . 2010-03-29 23:32    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-03-21 15:12 . 2010-03-21 15:12    --------    dc----w-    c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-03-21 15:10 . 2010-03-29 23:37    --------    d-----w-    c:\program files\Common Files\Adobe AIR(2)

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 18:32 . 2007-07-24 21:55    --------    d--h--w-    c:\program files\InstallShield Installation Information
2010-04-06 00:27 . 2010-01-22 21:44    211720    -c--a-w-    c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2010-04-06 00:27 . 2010-01-22 21:44    1352968    -c--a-w-    c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2010-03-30 18:57 . 2007-07-25 17:59    72520    ----a-w-    c:\documents and settings\owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-30 01:34 . 2009-09-18 18:16    --------    dc----w-    c:\documents and settings\All Users\Application Data\NOS
2010-03-29 23:57 . 2010-02-12 01:31    --------    d-----w-    c:\program files\QuickTime(2)
2010-03-29 23:56 . 2010-02-12 01:36    --------    d-----w-    c:\program files\iTunes(2)
2010-03-29 23:56 . 2010-02-12 01:37    --------    d-----w-    c:\program files\iPod(2)
2010-03-29 23:56 . 2009-09-26 22:27    --------    d-----w-    c:\program files\Common Files\Apple
2010-03-29 23:51 . 2007-07-24 21:54    --------    d-----w-    c:\documents and settings\owner\Application Data\U3
2010-03-29 23:42 . 2010-03-11 04:18    --------    d-----w-    c:\program files\Safari
2010-03-29 23:41 . 2009-09-18 18:26    --------    d-----w-    c:\program files\Yahoo SiteBuilder
2010-03-25 23:55 . 2009-09-26 23:12    56556    ---ha-w-    c:\windows\system32\mlfcache.dat
2010-03-11 04:27 . 2009-09-16 19:51    --------    d-----w-    c:\program files\Google
2010-03-10 04:42 . 2010-01-23 02:19    --------    dc----w-    c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-25 06:24 . 2004-08-04 12:00    916480    ----a-w-    c:\windows\system32\wininet.dll
2010-01-23 23:04 . 2010-01-23 23:03    1706    -c--a-w-    c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2010-01-23 03:25 . 2010-01-23 03:24    862040    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-23 03:24 . 2010-01-23 03:24    206944    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-23 03:24 . 2010-01-23 03:24    390288    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-23 03:24 . 2010-01-23 03:24    537576    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-23 03:24 . 2010-01-23 03:24    372280    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-23 03:24 . 2010-01-23 03:24    194104    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-23 03:21 . 2010-01-23 03:20    6296864    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-23 03:20 . 2010-01-23 03:20    933120    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-23 03:20 . 2010-01-23 03:19    3803208    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-23 03:19 . 2010-01-23 03:19    816272    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-23 03:19 . 2010-01-23 03:19    823928    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-23 03:19 . 2010-01-23 03:19    1643272    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-23 03:19 . 2010-01-23 03:19    788880    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-23 03:19 . 2010-01-23 03:18    1181328    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-22 21:53 . 2010-01-22 21:53    0    -c--a-w-    c:\windows\nsreg.dat
2010-01-22 21:43 . 2010-01-22 21:43    869664    -c--a-w-    c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\qbpatch.exe
2010-01-22 21:43 . 2010-01-22 21:43    499712    -c--a-w-    c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\msvcp71.dll
2010-01-22 21:43 . 2010-01-22 21:43    348160    -c--a-w-    c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\msvcr71.dll
2010-01-14 16:12 . 2010-01-23 14:27    181120    ------w-    c:\windows\system32\MpSigStub.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-16 39408]
"wben"="c:\program files\Starfield\Desktop Notifier\wben.exe" [2009-06-25 338456]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-07 344064]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-19 149280]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-10-28 1085704]
"DocCreatorClient"="c:\program files\Global Graphics\gDoc\DocCreatorClient.exe" [2009-11-24 292248]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-7-24 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-12-11 984352]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/22/2010 10:40 PM 64288]
R3 DCMessages;DCMessages;c:\windows\system32\DCMessages.exe [4/11/2010 2:32 PM 99720]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [7/25/2007 2:27 PM 87936]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 9:19 AM 1181328]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - DCMESSAGES

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper    REG_MULTI_SZ       getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-12 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 03:19]

2010-03-29 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 03:19]

2010-04-04 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 03:19]

2010-04-11 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 03:19]

2010-04-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 03:19]

2010-04-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-11 c:\windows\Tasks\User_Feed_Synchronization-{E6E15640-2B44-453C-BF38-C02EE205FB7B}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\43yyfhah.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\43yyfhah.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 22:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3280)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-04-11  23:01:01
ComboFix-quarantined-files.txt  2010-04-12 03:00

Pre-Run: 6,718,951,424 bytes free
Post-Run: 6,803,050,496 bytes free

- - End Of File - - 416A75B7AFC58DD3C7550028779E255B

0 Kudos
Reply
1972vet
1972vet
5 Tungsten
‎04-12-2010 07:53 AM

Re: I had HelpAssistant virus now my memory appears to be full

Uninstall Java.

Please Disable these:
Windows Defender
Spybot Search and Destroy's TeaTimer

Tell me what you use the program "Global Graphics Software" for...and did you install and do you use a Texas Instruments Smart Card?

The following procedure will clear the backups created by the HelperAsst tool:

Click Start>Run and copy/paste the following bolded command into the Run box and press Enter.

helpasst -cleanup

Next, the path below is to a directory on your system. Locate and right-click on that folder and select "Properties". On your next post, tell me what does it show as the creation date:
C:\***

Disabled Veteran, U.S.C.G. 1972 - 1978
[IMG]http://i72.photobucket.com/albums/i183/1972vet/mvpsigpic.jpg[/IMG]
Member: [url=http://www.uniteagainstmalware.com/]U.N.I.T.E.[/url], [url=http://asap.maddoktor2.com/]A.S.A.P.[/url]

[url=http://www.microsoft.com/windowsxp/using/setup/maintain/improveperf.mspx]Windows XP Performance and Maintenance[/url]
[url=http://windowshelp.microsoft.com/Windows/en-US/maintenance.mspx]Windows Vista Performance and Maintenance[/url]
[url=http://www.microsoft.com/atwork/maintenance/speed.aspx]Windows 7 Performance and Maintenance[/url]

0 Kudos
Reply