March 30th, 2010 12:00

I had HelpAssistant virus now my memory appears to be full

Hello

This is my original post:

http://en.community.dell.com/forums/t/19329786.aspx

I must have posted in the wrong place. Originally I used Combo (which I downloaded from BleepingComputer); unfortunately I can log on to the forum.

BugBatter was kind enough to direct me to run HAMeb_check.exe.

Here is my report

C:\Documents and Settings\owner\My Documents\Downloads\HAMeb_check.exe
Tue 03/30/2010 at 14:39:06.12

Full Name                    Remote Desktop Help Assistant Account
Account active               No
Local Group Memberships      *Administrators      

 ~~ Checking profile list ~~

No HelpAssistant profile in List

 ~~ Checking for HelpAssistant directories ~~

none found

 ~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x06FC3DBF
malicious code @ sector 0x06FC3DC2 !
PE file found in sector at 0x06FC3DD8 !

 ~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
   ServiceDll    REG_EXPAND_SZ      %SystemRoot%\System32\termsrv.dll

 ~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


 ~~ EOF ~~

Does anyone have any ideas? I am desperate; the memory on my computer is nearly full. I greatly appreciate any help you can give me.
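The HAMeb_check log above is built from a handful of host checks: the HelpAssistant account's state and group membership, a HelpAssistant entry in ProfileList, a HelpAssistant profile directory, a dropped termsrv32.dll and the TermService ServiceDll value, the firewall's GloballyOpenPorts lists, and the MBR. The following PowerShell is an added example, not part of the thread and not the HAMeb_check tool, that reproduces the non-MBR checks with built-in cmdlets so each indicator can be verified by hand. It assumes an elevated prompt, the XP "Documents and Settings" profile layout (adjust $profileRoot on later Windows), and Windows PowerShell with Get-WmiObject available.

```powershell
# Added example (not from the thread or HAMeb_check.exe): re-creates the host checks
# that the tool reports on. Run from an elevated Windows PowerShell prompt.
# Assumptions: XP-era profile root, Windows PowerShell (Get-WmiObject present).

$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$text) {
    [void]$findings.Add($text)
    Write-Host "[!] $text"
}

# 1. HelpAssistant: a built-in Remote Assistance account that should exist,
#    be disabled, and never be a member of Administrators.
$acct = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='HelpAssistant'"
if ($acct) {
    if (-not $acct.Disabled) { Add-Finding "HelpAssistant account is ENABLED" }
    $admins = (net localgroup Administrators) 2>$null
    if ($admins -match '^HelpAssistant\s*$') {
        Add-Finding "HelpAssistant is a member of Administrators"
    }
} else {
    Write-Host "[-] no local HelpAssistant account"
}

# 2. ProfileList: a registered HelpAssistant profile means someone has logged on
#    interactively (or over RDP) as that account.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem $profileList | ForEach-Object {
    $path = (Get-ItemProperty $_.PSPath).ProfileImagePath
    if ($path -match 'HelpAssistant') {
        Add-Finding "profile registered for $path (SID $($_.PSChildName))"
    }
}

# 3. Profile directories on disk (XP layout assumed; C:\Users on later Windows).
$profileRoot = Join-Path $env:SystemDrive 'Documents and Settings'
Get-ChildItem $profileRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'HelpAssistant*' } |
    ForEach-Object { Add-Finding "profile directory present: $($_.FullName)" }

# 4. termsrv32.dll is not a Windows file; the infection drops it and can repoint
#    the Terminal Services service at it. A clean ServiceDll ends in termsrv.dll.
$termsrv32 = Join-Path $env:SystemRoot 'system32\termsrv32.dll'
if (Test-Path $termsrv32) { Add-Finding "termsrv32.dll present: $termsrv32" }

$svcParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$serviceDll = (Get-ItemProperty $svcParams -ErrorAction SilentlyContinue).ServiceDll
if ($serviceDll -and $serviceDll -notmatch '\\termsrv\.dll$') {
    Add-Finding "TermService ServiceDll points to $serviceDll (expected termsrv.dll)"
}

# 5. Firewall: globally opened ports in either profile. The log above shows both
#    lists empty, which is what a workstation normally looks like.
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in 'DomainProfile', 'StandardProfile') {
    $key   = "$fwBase\$profile\GloballyOpenPorts\List"
    $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { Add-Finding "$profile open port: $($_.Name) = $($_.Value)" }
    }
}

if ($findings.Count -eq 0) { Write-Host "[+] no HelpAssistant / termsrv indicators found" }

# The MBR is deliberately not checked here: a user-mode read of sector 0 on a box
# with the rootkit driver loaded can be lied to, which is exactly why mbr.exe
# compares a user-mode read of the MBR against a kernel-mode one.
```

In the log above every one of these checks is clean except the group membership line, "Local Group Memberships *Administrators", which is the same thing the script flags; the remaining findings in that log come from the MBR scan, which this script leaves to mbr.exe.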

3.3K Posts

March 31st, 2010 20:00

Please download Profiles.exe by noahdfear and save it to your desktop.
  • Double-click profiles.exe to run the tool.
  • Profiles.exe will create a log when done.
  • Copy and paste the contents of that log into your next reply.
Please download mbr.exe and save it to your desktop <- (Important!).
  • Double-click on mbr.exe and allow the mbr.sys driver to load if asked.
  • A black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved on your desktop.
  • Copy and paste the results of the mbr.log in your next reply.
Reports/logs to post in your next reply:
  • ProfileList log
  • mbr.log

11 Posts

April 7th, 2010 19:00

Yeah, the REPLY button is working again!!!

1972vet asked me to post these logs.

This is from Profiles.exe:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    DefaultUserProfile  REG_SZ  Default User
    AllUsersProfile  REG_SZ  All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    ProfileImagePath  REG_EXPAND_SZ  %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
    ProfileImagePath  REG_EXPAND_SZ  %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
    ProfileImagePath  REG_EXPAND_SZ  %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-682003330-1979792683-725345543-1003
    ProfileImagePath  REG_EXPAND_SZ  %SystemDrive%\Documents and Settings\owner

    SystemRoot  REG_SZ  C:\WINDOWS

This is from mbr.exe:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x06FC3DBF
malicious code @ sector 0x06FC3DC2 !
PE file found in sector at 0x06FC3DD8 !

THANK YOU!

3.3K Posts

April 8th, 2010 10:00

The logs confirm that you have a master boot record rootkit infection. Please thoroughly read through these instructions before you begin...you just may decide that you do not want to take on this much of a risk.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

11 Posts

April 8th, 2010 18:00

Thank you! Here is my log:

C:\Documents and Settings\owner\Desktop\HelpAsst_mebroot_fix.exe
Thu 04/08/2010 at 20:26:53.31

HelpAssistant account was found to be Inactive


 ~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

 ~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list


HelpAssistant profile not found in registry

 ~~ Checking mbr ~~

user & kernel MBR OK

 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Thu 04/08/2010 at 20:46:36.14

Full Name                    Remote Desktop Help Assistant Account
Account active               No
Local Group Memberships      *Administrators      

 ~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x06FC3DBF
malicious code @ sector 0x06FC3DC2 !
PE file found in sector at 0x06FC3DD8 !

 ~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
   ServiceDll    REG_EXPAND_SZ      %systemroot%\System32\termsrv.dll

 ~~ Checking profile list ~~

No HelpAssistant profile in List

 ~~ Checking for HelpAssistant directories ~~

none found

 ~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


 ~~ EOF ~~

3.3K Posts

April 9th, 2010 06:00

 

Looks to me like you've already had some work done on this infection as I'm not seeing what I expected to see...I had originally thought this may take only a couple more steps to complete but as things look now, it may already have been removed. Regardless, and to be certain, let's see if we can complete this set of instructions, then we'll have ComboFix take another look at things:
Open Windows Explorer and rename C:\mbr.log to C:\mbrold.txt <- if the extension does not show, you need to reconfigure Windows to show file extensions for known file types.


Make sure mbr.exe is still on your desktop or the next set of instructions will not work. <- (Important!)

Click start-->Run...then, in the run box, copy/paste the following command:
"%userprofile%\desktop\mbr.exe" -f

Click OK or press Enter, then reboot the computer.
A new report will be created at C:\mbr.log. Please copy and paste the results in your next reply.

11 Posts

April 11th, 2010 11:00

Okay here is my log.... 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x06FC3DBF
malicious code @ sector 0x06FC3DC2 !
PE file found in sector at 0x06FC3DD8 !

The thing that freaks me out is that the available space on my computer is only 6.72 GB of 60... eek, it makes no sense to me?

Thank you 1972vet, you're a saint!
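The mbr.log posted above says the active MBR is fine ("user & kernel MBR OK", so the user-mode and kernel-mode reads of sector 0 agree) while the rootkit's saved copy of the MBR, its code and a raw PE image are still sitting in high sectors of the disk. The PowerShell below is an added example, not from the thread and not from Gmer's mbr.exe, that reads those flagged sectors directly from the physical disk and reports what they look like, so the finding can be confirmed before and after the mbr -f step. It assumes the system disk is \\.\PhysicalDrive0, 512-byte sectors and an elevated prompt; the sector numbers are the ones in the log above and must be replaced with your own. A user-mode read like this is only trustworthy when the rootkit driver is not active (after the fix, or from a boot CD), for the same reason mbr.exe does a kernel-mode read.

```powershell
# Added example (not from the thread or mbr.exe): read the sectors mbr.exe flagged
# and describe their contents. Assumptions: \\.\PhysicalDrive0 is the system disk,
# 512-byte sectors, elevated prompt. Sector numbers are taken from the log above.

$sectorSize = 512
$flagged = @{
    'copy of MBR'    = 0x06FC3DBF
    'malicious code' = 0x06FC3DC2
    'PE file'        = 0x06FC3DD8
}

function Read-Sector([long]$lba) {
    # FileShare.ReadWrite is required to open a physical drive that Windows has mounted.
    $fs = New-Object System.IO.FileStream('\\.\PhysicalDrive0',
            [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read,
            [System.IO.FileShare]::ReadWrite)
    try {
        [void]$fs.Seek($lba * $sectorSize, [System.IO.SeekOrigin]::Begin)
        $buf = New-Object byte[] $sectorSize
        $n = $fs.Read($buf, 0, $sectorSize)
        if ($n -ne $sectorSize) { throw "short read at LBA $lba" }
        return $buf
    } finally { $fs.Close() }
}

function Get-Sha1Hex([byte[]]$b) {
    $sha = [System.Security.Cryptography.SHA1]::Create()
    return ([System.BitConverter]::ToString($sha.ComputeHash($b)) -replace '-', '')
}

function Describe-Sector([byte[]]$b) {
    $tags = @()
    # 0x55 0xAA in the last two bytes: boot-sector signature, i.e. MBR-shaped data.
    if ($b[510] -eq 0x55 -and $b[511] -eq 0xAA) { $tags += 'boot signature 55AA' }
    # 'MZ' at offset 0: a DOS/PE header, an executable image written raw to disk.
    if ($b[0] -eq 0x4D -and $b[1] -eq 0x5A)     { $tags += 'MZ header' }
    # All zeros: nothing stored there (what the sectors should look like once wiped).
    if (@($b | Where-Object { $_ -ne 0 }).Count -eq 0) { $tags += 'all zeros' }
    if ($tags.Count -eq 0) { $tags += 'opaque data' }
    return ($tags -join ', ')
}

$active = Read-Sector 0
Write-Host ("LBA 0x00000000 (active MBR): {0}, SHA1 {1}" -f (Describe-Sector $active), (Get-Sha1Hex $active))

foreach ($name in $flagged.Keys) {
    $lba = $flagged[$name]
    $b   = Read-Sector $lba
    Write-Host ("LBA 0x{0:X8} ({1}): {2}, SHA1 {3}" -f $lba, $name, (Describe-Sector $b), (Get-Sha1Hex $b))
}

# If the 'copy of MBR' sector hashes the same as sector 0, the saved copy of the
# original MBR that mbr.exe reported is still on disk; after a fix you want to see
# these sectors come back as 'all zeros' or at least without the 55AA / MZ markers.
$copy = Read-Sector $flagged['copy of MBR']
if ((Get-Sha1Hex $copy) -eq (Get-Sha1Hex $active)) {
    Write-Host "[!] saved copy of the MBR matches the active MBR byte for byte"
}
```

Running this before and after the mbr -f step gives a concrete before/after record of the three sectors, which is more useful for deciding whether the cleanup actually took than re-reading the same three lines of mbr.log.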

3.3K Posts

April 11th, 2010 18:00

OK, that log doesn't look like it should either. The problem I believe is from having done things on your own, here and there, half-way willy nilly...in other words, I really have no idea what else or in what order you may have done things before I took on your log.

We may just have to deal with what cf can do for you...Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouse-click ComboFix's window while it's running....that may cause the scan to stall.

11 Posts

April 11th, 2010 21:00

I appreciate your help, thanks!

ComboFix 10-04-11.01 - owner 04/11/2010  22:53:50.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.482 [GMT -4:00]
Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2010-03-12 to 2010-04-12  )))))))))))))))))))))))))))))))
.

2010-04-11 18:33 . 2010-04-11 18:33    --------    d-----w-    c:\program files\Common Files\Global Graphics
2010-04-11 18:32 . 2010-04-11 18:32    --------    dc----w-    c:\documents and settings\All Users\Application Data\Global Graphics
2010-04-11 18:32 . 2009-11-24 14:54    17304    ----a-w-    c:\windows\system32\ShutdownDCClients.exe
2010-04-11 18:32 . 2009-11-24 14:54    103824    ----a-w-    c:\windows\system32\EventHelper.dll
2010-04-11 18:32 . 2009-11-24 14:53    165264    ----a-w-    c:\windows\system32\doccreatorpm.dll
2010-04-11 18:32 . 2009-11-24 14:53    15760    ----a-w-    c:\windows\system32\DCMessagesPS.dll
2010-04-11 18:32 . 2009-11-24 14:53    99720    ----a-w-    c:\windows\system32\DCMessages.exe
2010-04-11 18:31 . 2010-04-11 18:31    --------    d-----w-    c:\program files\Global Graphics
2010-04-09 00:26 . 2010-04-09 00:26    --------    dc----w-    C:\HelpAsst_backup
2010-04-09 00:21 . 2010-04-09 00:21    --------    d-sh--w-    c:\documents and settings\NetworkService\IETldCache
2010-04-06 15:27 . 2010-04-06 15:27    --------    d-----w-    c:\program files\Citrix
2010-04-06 15:25 . 2010-04-06 15:25    72080    ----a-w-    c:\documents and settings\owner\g2mdlhlpx.exe
2010-03-30 15:39 . 2010-03-30 16:03    --------    dc----w-    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-30 15:39 . 2010-03-30 15:43    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2010-03-30 13:50 . 2008-07-06 12:06    89088    ----a-w-    c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-03-30 13:50 . 2010-03-30 13:50    --------    dc----w-    C:\***
2010-03-30 13:50 . 2008-07-06 12:06    89088    -c----w-    c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-30 13:50 . 2008-07-06 12:06    575488    -c----w-    c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-30 13:50 . 2008-07-06 12:06    575488    ------w-    c:\windows\system32\xpsshhdr.dll
2010-03-30 13:50 . 2008-07-06 12:06    1676288    -c----w-    c:\windows\system32\dllcache\xpssvcs.dll
2010-03-30 13:50 . 2008-07-06 12:06    1676288    ------w-    c:\windows\system32\xpssvcs.dll
2010-03-30 13:50 . 2008-07-06 12:06    117760    ------w-    c:\windows\system32\prntvpt.dll
2010-03-30 13:50 . 2008-07-06 10:50    597504    -c----w-    c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-30 13:50 . 2008-07-06 10:50    597504    ------w-    c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-03-30 01:53 . 2010-03-30 01:53    --------    d-----w-    c:\program files\ESET
2010-03-30 01:30 . 2010-03-30 01:30    --------    d-----w-    c:\program files\NOS
2010-03-30 01:29 . 2010-03-22 19:53    32576    ----a-w-    c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\43yyfhah.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-03-30 01:29 . 2010-03-22 19:53    29984    ----a-w-    c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\43yyfhah.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-03-30 00:52 . 2010-03-30 00:52    152576    ----a-w-    c:\documents and settings\owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-30 00:51 . 2010-03-30 00:51    79488    ----a-w-    c:\documents and settings\owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-30 00:09 . 2009-10-23 15:28    3558912    -c----w-    c:\windows\system32\dllcache\moviemk.exe
2010-03-30 00:02 . 2010-03-30 00:02    --------    d-----w-    c:\windows\system32\wbem\Repository
2010-03-29 23:57 . 2010-03-29 23:58    --------    d-----w-    c:\program files\QuickTime
2010-03-29 23:56 . 2010-03-29 23:57    --------    d-----w-    c:\program files\iTunes
2010-03-29 23:56 . 2010-03-29 23:56    --------    d-----w-    c:\program files\iPod
2010-03-29 23:45 . 2010-03-29 23:45    --------    d-----w-    c:\program files\Bonjour
2010-03-29 23:45 . 2010-03-29 23:45    --------    d-----w-    c:\program files\Digital Line Detect
2010-03-29 23:45 . 2010-03-29 23:45    --------    d-----w-    c:\program files\Modem Helper
2010-03-29 23:45 . 2010-03-29 23:45    --------    d-----w-    c:\program files\ATI Technologies
2010-03-29 23:43 . 2010-03-29 23:43    --------    d-----w-    c:\program files\Lavasoft
2010-03-29 23:43 . 2010-03-29 23:43    --------    dc-h--w-    c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-03-29 23:42 . 2010-03-29 23:42    --------    d-----w-    c:\program files\Common Files\Adobe AIR
2010-03-29 23:41 . 2010-03-29 23:41    --------    d-----w-    c:\windows\tiinst
2010-03-29 23:41 . 2010-03-29 23:41    --------    d-----w-    c:\program files\Common Files\supportsoft
2010-03-29 23:30 . 2010-03-29 23:30    --------    d-----w-    c:\windows\SHELLNEW
2010-03-29 23:30 . 2010-03-29 23:30    --------    d-----w-    c:\program files\Microsoft ActiveSync
2010-03-29 23:30 . 2010-03-29 23:30    --------    d-----w-    c:\program files\Common Files\L&H
2010-03-29 23:30 . 2010-03-29 23:30    --------    d-----w-    c:\program files\Microsoft Works
2010-03-26 21:52 . 2010-03-29 23:13    --------    d-----w-    c:\documents and settings\owner\Local Settings\Application Data\AskToolbar
2010-03-26 21:46 . 2010-03-29 23:29    --------    d-----w-    c:\program files\Foxit Software
2010-03-25 21:28 . 2010-03-25 21:28    --------    d-----w-    c:\documents and settings\owner\Application Data\Malwarebytes
2010-03-25 21:28 . 2010-03-25 21:28    --------    dc----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-25 21:28 . 2010-03-29 23:32    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-03-21 15:12 . 2010-03-21 15:12    --------    dc----w-    c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-03-21 15:10 . 2010-03-29 23:37    --------    d-----w-    c:\program files\Common Files\Adobe AIR(2)

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 18:32 . 2007-07-24 21:55    --------    d--h--w-    c:\program files\InstallShield Installation Information
2010-04-06 00:27 . 2010-01-22 21:44    211720    -c--a-w-    c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2010-04-06 00:27 . 2010-01-22 21:44    1352968    -c--a-w-    c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2010-03-30 18:57 . 2007-07-25 17:59    72520    ----a-w-    c:\documents and settings\owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-30 01:34 . 2009-09-18 18:16    --------    dc----w-    c:\documents and settings\All Users\Application Data\NOS
2010-03-29 23:57 . 2010-02-12 01:31    --------    d-----w-    c:\program files\QuickTime(2)
2010-03-29 23:56 . 2010-02-12 01:36    --------    d-----w-    c:\program files\iTunes(2)
2010-03-29 23:56 . 2010-02-12 01:37    --------    d-----w-    c:\program files\iPod(2)
2010-03-29 23:56 . 2009-09-26 22:27    --------    d-----w-    c:\program files\Common Files\Apple
2010-03-29 23:51 . 2007-07-24 21:54    --------    d-----w-    c:\documents and settings\owner\Application Data\U3
2010-03-29 23:42 . 2010-03-11 04:18    --------    d-----w-    c:\program files\Safari
2010-03-29 23:41 . 2009-09-18 18:26    --------    d-----w-    c:\program files\Yahoo SiteBuilder
2010-03-25 23:55 . 2009-09-26 23:12    56556    ---ha-w-    c:\windows\system32\mlfcache.dat
2010-03-11 04:27 . 2009-09-16 19:51    --------    d-----w-    c:\program files\Google
2010-03-10 04:42 . 2010-01-23 02:19    --------    dc----w-    c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-25 06:24 . 2004-08-04 12:00    916480    ----a-w-    c:\windows\system32\wininet.dll
2010-01-23 23:04 . 2010-01-23 23:03    1706    -c--a-w-    c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2010-01-23 03:25 . 2010-01-23 03:24    862040    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-23 03:24 . 2010-01-23 03:24    206944    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-23 03:24 . 2010-01-23 03:24    390288    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-23 03:24 . 2010-01-23 03:24    537576    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-23 03:24 . 2010-01-23 03:24    372280    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-23 03:24 . 2010-01-23 03:24    194104    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-23 03:21 . 2010-01-23 03:20    6296864    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-23 03:20 . 2010-01-23 03:20    933120    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-23 03:20 . 2010-01-23 03:19    3803208    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-23 03:19 . 2010-01-23 03:19    816272    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-23 03:19 . 2010-01-23 03:19    823928    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-23 03:19 . 2010-01-23 03:19    1643272    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-23 03:19 . 2010-01-23 03:19    788880    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-23 03:19 . 2010-01-23 03:18    1181328    -c--a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-22 21:53 . 2010-01-22 21:53    0    -c--a-w-    c:\windows\nsreg.dat
2010-01-22 21:43 . 2010-01-22 21:43    869664    -c--a-w-    c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\qbpatch.exe
2010-01-22 21:43 . 2010-01-22 21:43    499712    -c--a-w-    c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\msvcp71.dll
2010-01-22 21:43 . 2010-01-22 21:43    348160    -c--a-w-    c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\msvcr71.dll
2010-01-14 16:12 . 2010-01-23 14:27    181120    ------w-    c:\windows\system32\MpSigStub.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-16 39408]
"wben"="c:\program files\Starfield\Desktop Notifier\wben.exe" [2009-06-25 338456]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-07 344064]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-19 149280]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-10-28 1085704]
"DocCreatorClient"="c:\program files\Global Graphics\gDoc\DocCreatorClient.exe" [2009-11-24 292248]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-7-24 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-12-11 984352]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/22/2010 10:40 PM 64288]
R3 DCMessages;DCMessages;c:\windows\system32\DCMessages.exe [4/11/2010 2:32 PM 99720]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [7/25/2007 2:27 PM 87936]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 9:19 AM 1181328]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - DCMESSAGES

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper    REG_MULTI_SZ       getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-12 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 03:19]

2010-03-29 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 03:19]

2010-04-04 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 03:19]

2010-04-11 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 03:19]

2010-04-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 03:19]

2010-04-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-11 c:\windows\Tasks\User_Feed_Synchronization-{E6E15640-2B44-453C-BF38-C02EE205FB7B}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\43yyfhah.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\43yyfhah.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 22:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3280)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-04-11  23:01:01
ComboFix-quarantined-files.txt  2010-04-12 03:00

Pre-Run: 6,718,951,424 bytes free
Post-Run: 6,803,050,496 bytes free

- - End Of File - - 416A75B7AFC58DD3C7550028779E255B

3.3K Posts

April 12th, 2010 07:00

Uninstall Java.

Please Disable these:
Windows Defender
Spybot Search and Destroy's TeaTimer


Tell me what you use the program "Global Graphics Software" for...and did you install and do you use a Texas Instruments Smart Card?

The following procedure will clear the backups created by the HelperAsst tool:

Click Start>Run and copy/paste the following bolded command into the Run box and press Enter.

helpasst -cleanup

Next, the path below is to a directory on your system. Locate and right-click on that folder and select "Properties". In your next post, tell me what it shows as the creation date:
C:\***
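The helper's two requests above (clear the tool's backups, then report a folder's creation date) are what you would verify by hand on the box. As an added example, not code from the thread or from the helpasst tool, the following PowerShell script gathers the same evidence in one run: the creation and last-write times of a folder you name, whether the HelpAssistant account is disabled and whether it sits in the local Administrators group, which DLL the Terminal Services service is configured to load and whether a termsrv32.dll exists beside it, and any globally opened Windows Firewall ports. The folder path in the parameter is a placeholder to replace; the "expected" ServiceDll path is an assumption about a stock XP install. It uses only the WinNT ADSI provider and the registry provider, so it runs on XP's PowerShell without extra modules.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# $FolderToCheck is a placeholder; pass the directory the helper asked about.
param(
    [string]$FolderToCheck = 'C:\Documents and Settings\HelpAssistant'   # assumed path, replace it
)

function Get-FolderCreationInfo {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return "$Path : not present" }
    # -Force so hidden/system directories are still returned
    $item = Get-Item -LiteralPath $Path -Force
    return ("{0} : created {1}, last written {2}" -f $item.FullName, $item.CreationTime, $item.LastWriteTime)
}

function Get-HelpAssistantState {
    # The built-in Remote Desktop Help Assistant account should be disabled and
    # should not be a member of Administrators; either condition is a red flag.
    try {
        $user   = [ADSI]"WinNT://$env:COMPUTERNAME/HelpAssistant,user"
        $admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
        $members = @($admins.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        })
        New-Object PSObject -Property @{
            AccountDisabled  = [bool]$user.AccountDisabled
            InAdministrators = ($members -contains 'HelpAssistant')
        }
    } catch {
        "HelpAssistant lookup failed: $($_.Exception.Message)"
    }
}

function Get-TermServiceDll {
    # Terminal Services loads whatever ServiceDll names; a hijacked value or a
    # stray termsrv32.dll in System32 is what the cleanup tool was looking for.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
    $dll = (Get-ItemProperty -Path $key -Name ServiceDll).ServiceDll   # REG_EXPAND_SZ, returned expanded
    $expected = Join-Path $env:SystemRoot 'System32\termsrv.dll'     # assumed stock location
    New-Object PSObject -Property @{
        ServiceDll       = $dll
        IsStockPath      = ($dll -ieq $expected)
        Termsrv32Present = (Test-Path (Join-Path $env:SystemRoot 'System32\termsrv32.dll'))
    }
}

function Get-GloballyOpenPorts {
    # Values under ...\GloballyOpenPorts\List are named like "3389:TCP".
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        $key = "$base\$profile\GloballyOpenPorts\List"
        if (Test-Path $key) {
            (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+:(TCP|UDP)$' } |
                ForEach-Object { "$profile : $($_.Name) = $($_.Value)" }
        }
    }
}

Write-Output '--- folder ---';          Get-FolderCreationInfo -Path $FolderToCheck
Write-Output '--- HelpAssistant ---';   Get-HelpAssistantState | Format-List
Write-Output '--- TermService ---';     Get-TermServiceDll | Format-List
Write-Output '--- open ports ---';      Get-GloballyOpenPorts
```

Run it once before `helpasst -cleanup` and once after so the two outputs can be compared; the folder's CreationTime is what the helper asked for, and anything other than AccountDisabled = True, InAdministrators = False, IsStockPath = True, Termsrv32Present = False and an empty open-ports list is worth posting back.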

11 Posts

April 12th, 2010 19:00

Hmmmm, I could not get to that path. The last few days Windows Installer has been opening like crazy. Internet Explorer hasn't been working ever since IE8 came out. I do not know if these things are related. I'm not sure if I use a Texas Instruments smart card; would that be internal? I bought this machine refurbished, so I'm really not sure. However, Intel PROSet/Wireless is my wireless; I'm not sure what the Texas Instruments smart card would be for. Global Graphics is a PDF reader/writer.

3.3K Posts

April 12th, 2010 20:00

Read this:

http://support.microsoft.com/kb/949220

...and click the "Fixit" link. Post back and let us know how IE works for you now. Thanks!

11 Posts

April 14th, 2010 15:00

Hi!

I don't know exactly when it happened, but you fixed my memory full problem! Woooohooo! I ran defrag today and voila! The memory problem vanished! Internet Explorer is working now, but it takes 10 minutes to load because the Windows Installer box pops up??? I can get through life with IE8; I am just so darn happy that my memory is cleaned up! Thank you thank you thank you!

Heather

3.3K Posts

April 14th, 2010 16:00

Please click start-->run...then copy and paste the Bold text below into the run box and click "OK":

ComboFix /Uninstall

Performing this function will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again for you automatically.

To assist in the prevention of spyware infections:

Immunize your browser by installing Spywareblaster. What does it do?
  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially unwanted sites in Internet Explorer.
Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Web of Trust, ( WOT,) warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an add-on available for both Firefox and IE.

Install the WinPatrol security monitor utility. WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. What I hear most from users is how much they like the startup control feature and its ease of use. Need help understanding something about WinPatrol? Here it is.

Below you can choose from several of the freeware firewalls available in the public domain. Even though you may have a firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

You should always have at least (but not more than) one of these types of third-party firewalls running on board:

Sunbelt Personal Firewall

Zone Alarm. Beware: this download includes the Ask Toolbar. The ZoneAlarm Spy Blocker toolbar is powered by "Ask.com". The "Ask" search engine will cause "targeted" ads to be presented to you based upon the content of the web pages you visit, any personally identifiable information you have provided to "Ask.com", or keywords appearing in your search queries. Many security experts consider this type of behavior offensive. Windows 2k/XP/Vista.

Outpost Free

Comodo. Beware: this download includes the HopSurf toolbar. If YOU DON'T WANT THIS TOOLBAR, be sure to remove the check from the box when presented during the installation. By installing the HopSurf toolbar, you grant Comodo permission to collect information about your Internet usage. Read the HopSurf EULA. Don't be too alarmed by this caveat; I highly recommend this firewall, but it may just be best suited for advanced users.

Keep your software updated. Make it easier on yourself and install the free security tool "Secunia PSI".

It helps in the background to protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one-button "Download Solution" feature that updates the exploited software that it finds AND provides other related information/patching if warranted.

Stay updated with the most recent Windows patches as well, using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. I recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. The Yahoo Toolbar is included by default during the installation. If you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup, or else just download the Slim version (no toolbar; last download link at the bottom of that page).

Or, if you just want to run your on-board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup"), just open the utility and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files. Don't forget to defrag the system.

So how did I get infected in the first place?
Regards, and Happy Surfing!

11 Posts

April 14th, 2010 17:00

THANK YOU!