Malwarebytes found Trojan.Banker located in c:/windows/system32/acroiehelpe.dll. I deleted it and it keeps coming back - there is also a file c:/windows/system32/acroiehelpe.txt that comes back with it. Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:48 PM, on 9/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
c:\windows\system32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\program files\synaptics\syntp\syntpenh.exe
c:\windows\stsystra.exe
c:\program files\dell\mediadirect\pcmservice.exe
c:\program files\hp\hp software update\hpwuschd2.exe
c:\windows\system32\wltray.exe
c:\program files\roxio\drag-to-disc\drgtodsc.exe
c:\program files\common files\installshield\updateservice\issch.exe
c:\windows\system32\ctfmon.exe
c:\program files\digital line detect\dlg.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\microsoft office\office12\outlook.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\trend micro\hijackthis\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080108
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080108
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {050C8642-C1A9-480b-95A1-55FECB2B8C9A} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dscactivate] "%ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: printer.bat
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{78983312-7C79-417F-A22D-D0448F12B210}: NameServer = 4.2.2.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - c:\progra~1\symantec\liveup~1\lucoms~1.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Sprint RcAppSvc (SprintRcAppSvc) - SmithMicro Inc. - C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 6032 bytes
Malwarebytes log:
Malwarebytes' Anti-Malware 1.41
Database version: 2837
Windows 5.1.2600 Service Pack 2
9/22/2009 1:53:24 PM
mbam-log-2009-09-22 (13-53-20).txt
Scan type: Quick Scan
Objects scanned: 102117
Time elapsed: 1 minute(s), 49 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\AcroIEHelpe.dll (Trojan.Banker) -> No action taken.
While this says no action taken, I have run Malwarebytes several times and deleted this file - it keeps coming back.
Thanks!
#1
Posted 22 September 2009 - 05:55 PM
#2
Posted 22 September 2009 - 09:48 PM
Hi and Welcome to the Malwarebytes' forum,
I can see this in your HJT log:
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
First, you need to disable Ad-Watch and keep it off until you are clean, because it can reverse changes we make to remove malicious startups. You can re-enable it once we are completely done.
For Ad-Aware --- Not Ad-Aware 2007 versions:
Open Ad-Aware
Go to AdWatch User Interface
Go to Tools and Preferences
At the bottom of the screen you will see 2 options Active and Automatic:
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both options. You can enable these after resolving your problem.
For Ad-Aware 2007:
On the Real-time protection status screen --> Go to Settings --> Uncheck "Load Ad-Watch at startup"
Reboot.
---
Please download [url="http://www.atribune.org/ccount/click.php?id=1"]ATF Cleaner[/url] by Atribune
- Close Internet Explorer and any other open browsers
- Double-click ATF-Cleaner.exe to run the program.
- Under Main choose: Select All
- Click the Empty Selected button.
- Click Firefox at the top and choose: Select All
- Click the Empty Selected button.
- NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- Click Opera at the top and choose: Select All
- Click the Empty Selected button.
- NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Reboot
Next, download this [url="http://www2.gmer.net/download.php"]Antirootkit Program[/url] to a folder that you create such as C:\ARK.
Normally, I would ask you to disable the active protection component of your antivirus by following the directions that apply here:
[url="http://www.bleepingcomputer.com/forums/topic114351.html"]http://www.bleepingcomputer.com/forums/topic114351.html[/url]
However, I don't see an AV running in your log. After you follow all the directions in my reply you must install one.
Next, please perform a rootkit scan:
- Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
- When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
- When the "quick" scan is finished (a few seconds), copy the quick scan report to the windows clipboard and paste it in a reply back here
- Now, relaunch the ARK program, and click the Rootkit/Malware tab,and then select the Scan button.
- Leave your system completely idle while this longer scan is in progress.
- When the scan is done, save the scan log to the Windows clipboard
- Open Notepad or a similar text editor
- Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
- Exit the Program
- Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.
Please download Combofix from one of these locations:
[url="http://download.bleepingcomputer.com/sUBs/ComboFix.exe"]HERE[/url] or [url="http://www.forospyware.com/sUBs/ComboFix.exe"]HERE[/url]
I want you to rename Combofix.exe as you download it to a name of your choice such as stewarteli.exe
Notes:
- It is very important that you save the newly renamed EXE file to your desktop.
- You must rename Combofixe.exe as you download it and not after it is on your computer.
You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
- For Firefox:
- Open Firefox and click Tools -> Options -> Main
- Under the downloads section check the button that says "Always ask me where to save files".
- Click OK
- For Internet Explorer:
- Choose to save, not open the file
- When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.
Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already:
[url="http://www.bleepingcomputer.com/combofix/how-to-use-combofix"]http://www.bleepingcomputer.com/combofix/how-to-use-combofix[/url]
Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:
[url="http://www.bleepingcomputer.com/forums/topic114351.html"]http://www.bleepingcomputer.com/forums/topic114351.html[/url]
Also, disable your firewall!
You can enable the Windows firewall in the interim, until the scan is complete.
Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.
Running Combofix
In the event you already have Combofix, please delete it as this is a new version.
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
1. Double click on the renamed combofix.exe (stewarteli.exe) & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt
3. Post the contents of that log in your next reply with a new hijackthis log.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run combofix.
Please post C:\ComboFix.txt, the ARK quick scan results, and ARK.txt in your next reply.
Now, since you need an antivirus - please download, install and run this highly rated antivirus called Antivir by Avira:
[url="http://www.free-av.com/en/trialpay_download/1/avira_antivir_personal__free_antivirus.html"]http://www.free-av.com/en/trialpay_downloa..._antivirus.html[/url]
#3
Posted 23 September 2009 - 01:13 PM
Negster22, thank you for replying. I disabled Ad-Watch from running at startup and then downloaded the Antirootkit Program. When I attempted to run it, I got the following error message:
c:\ARK\8ruruzyw.exe is not a valid Win32 application.
Then I downloaded Combofix and when I attempted to run it got these messages:
Windows cannot find 132788R22FWJFW/iexplorer.exe'. Make sure you typed the name correctly and then try again. To search for a file, click the start button and then click search.
I got the same error messages with /hidec.exe' and n.pif' and nircmd.cfxxe
Any idea what I should do next?
#4
Posted 23 September 2009 - 02:19 PM
I forgot to add that I downloaded and successfully ran the ATF Cleaner before I downloaded the Antirootkit Program.
#5
Posted 23 September 2009 - 03:09 PM
Please save this file to your desktop.
Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.
"%userprofile%\desktop\win32kdiag.exe" -f -r
When it's finished, there will be a log called Win32kDiag.txt on your desktop. It will take a while to generate.
Please open it with notepad and post the contents here. If the log generated OK then ignore the rest of the directions.
_______________
Only if win32kdiag.exe doesn't run, then download the program to a clean PC and transfer it to removable media (USB drive, CDROM) as follows:
- I want you to rename win32kdiag.exe as you download it to suze.pif
- Then copy it to removable media and copy that file (suze.pif) to the desktop of the infected PC.
- It is very important that you save the newly renamed PIF file to your desktop.
- You must rename win32kdiag.exe as you download it and not after it is on your computer.
You may have to modify your browser settings if you use Firefox, so you can rename it as you download it. To do that:
- For Firefox:
- Open Firefox and click Tools -> Options -> Main
- Under the downloads section check the button that says "Always ask me where to save files".
- Click OK
- For Internet Explorer:
- When downloading, choose to save, not open the file
- When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.
Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.
"%userprofile%\desktop\suze.pif" -f -r
When it's finished, there will be a log called Win32kDiag.txt on your desktop. It will take a while to generate - be sure to let it finish.
Please open it with notepad and post the contents here.
If this is not clear tell me and I will expand upon it.
#6
Posted 23 September 2009 - 04:00 PM
negster22, on Sep 23 2009, 03:09 PM, said: (post #5, quoted in full)
#7
Posted 23 September 2009 - 04:05 PM
ok - here is the result of that:
Running from: C:\Documents and Settings\Beth Stewart\desktop\win32kdiag.exe
Log file at : C:\Documents and Settings\Beth Stewart\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Finished!
thanks for responding to my post so quickly this morning
#8
Posted 24 September 2009 - 12:43 PM
stewarteli, on Sep 23 2009, 04:05 PM, said:
ok - here is the result of that:
Running from: C:\Documents and Settings\Beth Stewart\desktop\win32kdiag.exe
Log file at : C:\Documents and Settings\Beth Stewart\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Finished!
thanks for responding to my post so quickly this morning
I also ran Spybot S&D and found virtumonde.zip
23.09.2009 17:33:11 - ##### check started #####
23.09.2009 17:33:11 - ### Version: 1.5.2
23.09.2009 17:33:11 - ### Date: 9/23/2009 5:33:11 PM
23.09.2009 17:33:15 - ##### checking bots #####
23.09.2009 17:44:09 - found: Microsoft.WindowsSecurityCenter_disabled Settings
23.09.2009 17:53:25 - found: Virtumonde Library
23.09.2009 18:48:15 - ##### check finished #####
#9
Posted 24 September 2009 - 06:01 PM
I ran a Kaspersky scan from the internet and it found no threats or infections. Malwarebytes is the only program finding this trojan.banker file and it only shows up during the heuristics and extra part of the scan at the end. But - the file acroiehelpe.dll and acroiehelpe.txt are still there, and if I delete them, they come back.
#10
Posted 24 September 2009 - 09:55 PM
If AcroIEHelpe.dll is located in TEMP then it's a threat but yours is in system32:
http://www.threatexp...ehelpe.dll.html
Make sure you can view hidden files and folders
Please upload these files to the VirusTotal scanner by browsing to each file's folder location, and then click "Send":
C:\WINDOWS\system32\AcroIEHelpe.dll
C:\WINDOWS\system32\AcroIEHelpe.txt
Please post back the URLs to the scan report results.
Next, open a command prompt by doing the following :
- Click start -> run, type cmd and hit Enter
- Copy/paste the following command in bold at the command prompt exactly as written
- Type C:\WINDOWS\system32\AcroIEHelpe.txt > C:\results.txt && notepad C:\results.txt
- A TXT file called results.txt will open in Notepad
- Please copy/paste the content of that file in your next reply
#11
Posted 25 September 2009 - 01:01 PM
negster22, on Sep 24 2009, 09:55 PM, said:
If AcroIEHelpe.dll is located in TEMP then it's a threat but yours is in system32:
http://www.threatexp...ehelpe.dll.html
Make sure you can view hidden files and folders
Please upload these files to the VirusTotal scanner by browsing to each file's folder location, and then click "Send":
C:\WINDOWS\system32\AcroIEHelpe.dll
C:\WINDOWS\system32\AcroIEHelpe.txt
Please post back the URLs to the scan report results.
Next, open a command prompt by doing the following :
- Click start -> run, type cmd and hit Enter
- Copy/paste the following command in bold at the command prompt exactly as written
- Type C:\WINDOWS\system32\AcroIEHelpe.txt > C:\results.txt && notepad C:\results.txt
- A TXT file called results.txt will open in Notepad
- Please copy/paste the content of that file in your next reply
Hi Negster22 -
Thanks for replying -
OK - I can view hidden files and folders
I uploaded the two files to VirusTotal and here are the URLs -
the url for the .txt file is: http://www.virustotal.com/reanalisis.html?...7181-1253882996
the url for the .dll file is: http://www.virustotal.com/reanalisis.html?...7181-1253883408
Below are the results from running the cmd on acroiehelpe.txt
{050C8642-C1A9-480b-95A1-55FECB2B8C9A}
dl/AcroIEHelpe16.dll
006
Thanks again for your help -
#12
Posted 25 September 2009 - 03:34 PM
OK - let me try those URLs again
http://www.virustotal.com/analisis/e2d8554...7181-1253173369
http://www.virustotal.com/analisis/1ea5766...2e90-1253884032
stewarteli, on Sep 25 2009, 01:01 PM, said:
Hi Negster22 -
Thanks for replying -
OK - I can view hidden files and folders
I uploaded the two files to VirusTotal and here are the URLs -
the url for the .txt file is: http://www.virustotal.com/reanalisis.html?...7181-1253882996
the url for the .dll file is: http://www.virustotal.com/reanalisis.html?...7181-1253883408
Below are the results from running the cmd on acroiehelpe.txt
{050C8642-C1A9-480b-95A1-55FECB2B8C9A}
dl/AcroIEHelpe16.dll
006
Thanks again for your help -
#13
Posted 25 September 2009 - 03:42 PM
I believe this is a false positive. I'll get back to you later - I've got to go to work.
#14
Posted 25 September 2009 - 04:12 PM
negster22, on Sep 25 2009, 03:42 PM, said:
I believe this is a false positive. I'll get back to you later - I've got to go to work.
I'd love for that to be the case! Is there a reasonable explanation for the acroiehelpe.dll and acroiehelpe.txt returning every time they're deleted if it is a false positive?
Thanks for your help - hope work goes well!
#15
Posted 25 September 2009 - 09:49 PM
Let's try this to capture and submit the file to confirm its status:
Go to the upload page here
http://www.bleepingcomputer.com/submit-mal....php?channel=75
Click Browse to this file
C:\WINDOWS\system32\AcroIEHelpe.dll
Select the file, then click Open
Click Send File
#16
Posted 26 September 2009 - 02:20 PM
negster22, on Sep 25 2009, 09:49 PM, said:
Let's try this to capture and submit the file to confirm its status:
Go to the upload page here
http://www.bleepingcomputer.com/submit-mal....php?channel=75
Click Browse to this file
C:\WINDOWS\system32\AcroIEHelpe.dll
Select the file, then click Open
Click Send File
OK - I have submitted it. Yesterday I wiped the free space and when I turned on the computer this morning, Malwarebytes didn't find it. I looked in C:\WINDOWS\system32 and the files were not there. Then I looked again in a few minutes and they had returned - ran Malwarebytes again and it found it that time.
#17
Posted 26 September 2009 - 03:34 PM
I received sample and it is being researched. Thanks.
#18
Posted 26 September 2009 - 06:14 PM
#19
Posted 26 September 2009 - 09:51 PM
You're welcome!
This is most definitely malware but it has very low detection rates among the antiviruses.
Something is blocking Combofix from downloading or running properly. It could be your security programs or the malware.
I need you to disable all your antimalware applications including your antivirus and firewall plus Ad-Watch.
I need you to delete your current copy of your renamed Combofix on your desktop and redownload it, renaming as you download like before. If it still doesn't work, then delete the renamed Combofix again and download it again as follows. Either:
1. Download it from a clean machine again by renaming it as you download and transfer it to your infected PC's desktop using removable media (CD, floppy or flash drive).
OR
2. You can try downloading it in "safe mode with networking" from the infected PC (this is not the safest configuration, however) - still renaming as you go.
To boot into Safe Mode with Networking:
1. Restart the computer
2. Watch the screen while it is black. After the BIOS memory check is done, start tapping the F8 key. If done right, the Windows Advanced Options Menu will appear.
3. Select Safe Mode with Networking from the menu.
Starting Windows in Safe Mode may take several minutes
Next, open Notepad by hitting Start -> Run, typing notepad into the Open: box, and then click OK.
On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).
Copy/paste the text in the code box below into Notepad.
KillAll::
File::
C:\WINDOWS\system32\AcroIEHelpe.dll
C:\WINDOWS\system32\AcroIEHelpe.txt
Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\Explorer\Browser Helper Objects\{050C8642-C1A9-480b-95A1-55FECB2B8C9A}]
Save this to your desktop as CFScript.txt by selecting File -> Save as.

Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!!
Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. If Windows is in the middle of updating and it needs to reboot to finish the updating process, allow it to complete that first - before attempting to run Combofix.
Referring to the picture above, drag CFScript.txt into your renamed ComboFix.exe
This will cause ComboFix to launch and run. It normally reboots at the end of its cycle.
Please post back the log that opens when it finishes - C:\Combofix.txt.
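An added example, not part of the thread and not a ComboFix or Malwarebytes script: the CFScript above removes the two files and the BHO registration under HKLM, but the poster reports the files coming back within minutes, which means something still running re-drops them. The PowerShell below does the two checks a practitioner would want before and after cleanup: it lists every Browser Helper Object registered in HKLM and HKCU, resolves each CLSID through HKCR\CLSID\...\InprocServer32 to the DLL that Internet Explorer actually loads, checks whether that DLL is on disk and Authenticode-signed, and flags the CLSID and file name quoted in the thread; then it polls the two paths to record when they reappear. Assumptions: PowerShell 2.0 or later is installed (it is not present on a stock XP SP2 and must be added separately), the session is elevated, and the function names and the `$suspect*` variables are mine; the CLSID and paths are the ones posted above.

```powershell
# Added example (not from the thread). Inventory IE Browser Helper Objects and
# watch for the dropped files returning. Assumes PowerShell 2.0+ and admin rights.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# Indicators taken from the thread: the CLSID inside AcroIEHelpe.txt and the DLL name.
$suspectClsid = '{050C8642-C1A9-480b-95A1-55FECB2B8C9A}'
$suspectName  = 'AcroIEHelpe'
$suspectPaths = @(
    "$env:SystemRoot\system32\AcroIEHelpe.dll",
    "$env:SystemRoot\system32\AcroIEHelpe.txt"
)

function Get-BhoInventory {
    # One object per registered BHO, with the DLL it resolves to and whether it exists/is signed.
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $clsid  = $sub.PSChildName
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path $server) {
                # The (default) value of InprocServer32 is the DLL path IE will load.
                $dll = (Get-ItemProperty $server).'(default)'
            }
            $onDisk = $false
            $sig    = 'n/a'
            if ($dll) {
                $expanded = [Environment]::ExpandEnvironmentVariables($dll)
                $onDisk = Test-Path $expanded
                if ($onDisk) { $sig = (Get-AuthenticodeSignature $expanded).Status }
            }
            New-Object PSObject -Property @{
                Hive      = $key.Split(':')[0]
                CLSID     = $clsid
                Dll       = $dll
                OnDisk    = $onDisk
                Signature = $sig
                # A BHO whose CLSID is orphaned (no InprocServer32) or whose DLL is missing
                # is also worth a look: the CFScript deletes the file but leaves IE trying to load it.
                Suspect   = ($clsid -ieq $suspectClsid) -or ($dll -and ($dll -like "*$suspectName*"))
            }
        }
    }
}

function Watch-Reappearance {
    # Poll the given paths and report the first one that comes back, with its timestamp and size.
    # The moment it returns is what you correlate against running processes / scheduled tasks.
    param([string[]]$Paths, [int]$Seconds = 600, [int]$Interval = 5)
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        foreach ($p in $Paths) {
            if (Test-Path $p) {
                $item = Get-Item $p
                return "$(Get-Date -Format s) REAPPEARED $p size=$($item.Length) written=$($item.LastWriteTime)"
            }
        }
        Start-Sleep -Seconds $Interval
    }
    return "No reappearance within $Seconds seconds"
}

Get-BhoInventory | Format-Table Hive, CLSID, Dll, OnDisk, Signature, Suspect -AutoSize
Watch-Reappearance -Paths $suspectPaths -Seconds 600
```

Run the inventory once before the CFScript and once after the reboot: the suspect row should be gone from both hives, not merely pointing at a missing file. If `Watch-Reappearance` fires, note the time and immediately capture the process list (tasklist /v) and the Run keys, because the re-dropper is whatever was active at that moment and is the thing the file deletions alone do not remove.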
#20
Posted 28 September 2009 - 12:50 AM
I turned off my firewall, Ad-Watch, Spybot - then deleted Combofix and downloaded it again and it still will not run. I will have access to a clean computer on Tuesday morning and will download it and try using it from a flash drive. Thanks - will get back to you Tuesday AM with my results.