Cannot install mbam.exe


Hi SteelBarracuda,

kadah has graciously agreed to allow me to work with you directly. Hope you don't mind :)

You may want to write down or print the following for reference.

Please delete the copy of HelpAsst_Mebroot_fix.exe you currently have and replace it with this one

Close out all other open programs and windows.

Double click the file to run it and follow any prompts.

When the tool completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.

Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.

Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !

When it completes, a log will open.

Please post the contents of that log.

C:\Documents and Settings\Owner\Desktop\HelpAsst_mebroot_fix.exe

Sun 02/28/2010 at 12:44:43.00

HelpAssistant account was found to be Inactive

termsrv32.dll found ~ attempting to remove

Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

HelpAssistant profile not found in registry

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sun 02/28/2010 at 14:05:27.09

Full Name Remote Desktop Help Assistant Account

Account active No

Local Group Memberships

The command completed successfully.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS

kernel: MBR read successfully

user & kernel MBR OK

copy of MBR has been found in sector 0x0BA50E41

malicious code @ sector 0x0BA50E44 !

PE file found in sector at 0x0BA50E5A !

~~ EOF ~~

Looks good. I can only assume you are no longer getting the alert since the log doesn't show any HelpAssistant folders present. The mbr is OK as well.

I've just a couple of things to add then kadah will be back with you.

First, please click Start>Run and type (or copy and paste) the following bolded command then hit Enter.

helpasst -cleanup

You can then delete HelpAsst_Mebroot_fix.exe when it finishes.

Next, click Start>Run and type cmd then hit Enter to open a command window.

Highlight and copy the contents of the code box below, then right click in the command window and select Paste.

reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List >>%temp%\temp.txt
start notepad %temp%\temp.txt
exit
cls

The pasted commands will execute quickly, a log will open in Notepad and the command window will close on its own.

Please post the contents of that log here.

Note - if instead of a log opening you're asked if you want to create temp.txt, click no and inform us.

Finally, did you knowingly configure your computer to use a proxy?

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

1900:UDP REG_SZ 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

2869:TCP REG_SZ 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

10243:TCP REG_SZ 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

10280:UDP REG_SZ 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

10281:UDP REG_SZ 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

10282:UDP REG_SZ 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

10283:UDP REG_SZ 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

10284:UDP REG_SZ 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

65533:TCP REG_SZ 65533:TCP:*:Enabled:Services

52344:TCP REG_SZ 52344:TCP:*:Enabled:Services

3246:TCP REG_SZ 3246:TCP:*:Enabled:Services

2479:TCP REG_SZ 2479:TCP:*:Enabled:Services

3389:TCP REG_SZ 3389:TCP:*:Enabled:Remote Desktop

And no, I did not knowingly configure my computer to use a proxy... I don't even know what that means.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "65533:TCP"=-
    "52344:TCP"=-
    "3246:TCP"=-
    "2479:TCP"=-
    "3389:TCP"=-


  • Then click the Run Fix button at the top
  • Let the program run unhindered; when it is done it will say "Fix Complete press ok to open log"
  • Please post that log in your next reply.

===========

After that let me know of any remaining issues and we will wrap it up.

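The two posts above show the triage by eye: the `reg query` output lists every firewall exception, the helper picks out the ones scoped to `*` (any remote address, as opposed to `LocalSubNet`) and writes an OTL `:Reg` fix that deletes exactly those values, and separately asks about a `ProxyServer` value pointing at 127.0.0.1. The script below is an added example, not code from the thread, from OTL or from HelpAsst_Mebroot_fix; it is meant to be run offline in Python against pasted `reg query` text, not on the infected XP machine. It assumes the Windows XP SP2 exception format `port:proto:scope:state:description` (the `*` scope meaning any address) and uses a constructed, trimmed copy of the reg output posted above as its sample input.

```python
"""Triage of the XP firewall GloballyOpenPorts list and the IE ProxyServer value.

Parses the text that `reg query` prints, flags the exceptions a malware-removal
helper would remove (open to any remote address), writes the matching OTL :Reg
fix, and checks whether a ProxyServer value routes browser traffic to loopback.
Added example; the sample input is constructed from the thread's own output."""

import ipaddress
import re
from typing import Dict, List

LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
            r"\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")

# Constructed sample: a trimmed copy of the reg query output posted in the thread.
SAMPLE_REG_OUTPUT = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

    1900:UDP    REG_SZ  1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    10243:TCP   REG_SZ  10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    65533:TCP   REG_SZ  65533:TCP:*:Enabled:Services
    52344:TCP   REG_SZ  52344:TCP:*:Enabled:Services
    3389:TCP    REG_SZ  3389:TCP:*:Enabled:Remote Desktop
"""

# One REG_SZ value per exception: "<port>:<proto>    REG_SZ    <data>".
VALUE_RE = re.compile(r"^\s*(\d+:(?:TCP|UDP))\s+REG_SZ\s+(.*)$")


def parse_open_ports(reg_output: str) -> List[Dict[str, object]]:
    """Turn reg query output into one dict per firewall exception.

    Data format assumed (XP SP2): port:proto:scope:state:description, where
    scope is "LocalSubNet" or "*" (reachable from any remote address)."""
    entries = []
    for line in reg_output.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue  # banner, blank line or the key path itself
        name, data = m.group(1), m.group(2).rstrip()
        fields = data.split(":", 4)  # the description may itself contain ':'
        if len(fields) != 5:
            continue  # not in the expected format; skip rather than guess
        port, proto, scope, state, desc = fields
        entries.append({"name": name, "port": int(port), "proto": proto,
                        "scope": scope, "state": state, "desc": desc})
    return entries


def suspicious_exceptions(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag enabled exceptions open to any remote address ('*' scope).

    All five values the helper removed (four random high ports labelled
    'Services' plus 3389) match this rule; the LocalSubNet UPnP and Windows
    Media Player entries do not."""
    return [e for e in entries if e["scope"] == "*" and e["state"] == "Enabled"]


def otl_reg_fix(flagged: List[Dict[str, object]]) -> str:
    """Write the :Reg section of an OTL custom fix deleting the flagged values.

    '"name"=-' is the delete-value syntax used in the helper's fix above."""
    lines = [":Reg", f"[{LIST_KEY}]"]
    lines += [f'"{e["name"]}"=-' for e in flagged]
    return "\n".join(lines)


def proxy_points_to_loopback(proxy_server: str) -> bool:
    """True if an IE ProxyServer value (e.g. 'http=127.0.0.1:5555', or several
    'scheme=host:port' pairs separated by ';') sends traffic back to this host,
    which is what a locally installed interception proxy looks like."""
    for part in proxy_server.split(";"):
        if not part.strip():
            continue
        hostport = part.split("=", 1)[-1].strip()   # drop an optional 'scheme='
        host = hostport.rsplit(":", 1)[0].strip("[]")  # drop the port, IPv6 brackets
        if host.lower() == "localhost":
            return True
        try:
            if ipaddress.ip_address(host).is_loopback:
                return True
        except ValueError:
            pass  # a hostname rather than a literal address; not loopback
    return False


if __name__ == "__main__":
    flagged = suspicious_exceptions(parse_open_ports(SAMPLE_REG_OUTPUT))
    for e in flagged:
        print(f"open to any address: {e['name']:<10} {e['desc']}")
    print(otl_reg_fix(flagged))
    print("proxy is loopback:", proxy_points_to_loopback("http=127.0.0.1:5555"))
```

The rule deliberately keys on scope rather than on the label: the "Services" entries are suspicious because nothing legitimate on a home XP box listens on four random high ports for the whole Internet, and 3389 was removed for the same reason, not because Remote Desktop is malicious in itself.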
========== OTL ==========

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!

========== REGISTRY ==========

Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\65533:TCP deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\52344:TCP deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\3246:TCP deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2479:TCP deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\3389:TCP deleted successfully.

OTL by OldTimer - Version 3.1.30.1 log created on 02282010_184953

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.

======Next======

  • Double click on OTL to run it.
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
  • This will remove itself and other tools we may have used.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 18...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

======================Clear out infected System Restore points======================

Then we need to reset your System Restore points.

The link below shows how to do this.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete/uninstall anything else that we have used that is leftover.

=====================================

After that you're all set.

The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.

File sharing program dangers - Reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc.
