C:\Documents and Settings\Francine Fua\Desktop\HelpAsst_mebroot_fix.exe
Wed 03/17/2010 at 14:16:49.54
HelpAssistant account was found to be Inactive
~~ Checking for termsrv32.dll ~~
termsrv32.dll not found
~~ Checking firewall ports ~~
HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
HelpAssistant profile not found in registry
~~ Checking mbr ~~
user & kernel MBR OK
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Status check on Wed 03/17/2010 at 14:17:31.09
Full Name Remote Desktop Help Assistant Account
Account active No
Local Group Memberships
~~ Checking mbr ~~
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys >>UNKNOWN [0x8A94373C]<<
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0923CA09
malicious code @ sector 0x0923CA0C !
PE file found in sector at 0x0923CA22 !
~~ Checking for termsrv32.dll ~~
termsrv32.dll not found
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll
~~ Checking profile list ~~
No HelpAssistant profile in List
~~ Checking for HelpAssistant directories ~~
HelpAssistant
HelpAssistant.FRANCINE
~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
~~ EOF ~~