
Mbam cannot remove "Trojan.PWS"


Re: Mbam cannot remove "Trojan.PWS"

Post by Katana » March 29th, 2010, 6:24 am

----------------------------------------------------------------------------------------
Step 1

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    MBR::
    File::
    C:\WINDOWS\system32\termsrv32.dll
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
    "65533:TCP"=-
    "52344:TCP"=-
    "2479:TCP"=-
    "3246:TCP"=-
    "3389:TCP"=-
    "9416:TCP"=-
    "9417:TCP"=-
    "2618:TCP"=-
    "3736:TCP"=-
    "7435:TCP"=-
    "7436:TCP"=-
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9416:TCP"=-
    "9417:TCP"=-
    "3736:TCP"=-
    "2618:TCP"=-
    "65533:TCP"=-
    "52344:TCP"=-
    "7435:TCP"=-
    "7436:TCP"=-
    ADS::

  • Save this as CFScript.txt and place it on your desktop.


    [Screenshot: dragging CFScript.txt onto ComboFix.exe]


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.



----------------------------------------------------------------------------------------
Step 2

Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/information in your reply.
Some of the logs I request will be quite large; you may need to split them over a couple of replies.
  • ComboFix log
  • Malwarebytes log
  • How are things running now?
Katana
MRU Teacher Emeritus
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Mbam cannot remove "Trojan.PWS"

Post by av8r » March 29th, 2010, 11:44 pm

Well, there’s some good news and there’s some bad news. First the good news: This time Malwarebytes did not detect the “Trojan.PWS” infections that I started this topic with. Also, it looks like Combofix was able to successfully delete the termsrv32.dll file this time and also apparently did not detect rootkit activity as before.

Now the bad news: my computer froze during the Malwarebytes scan and I had to re-run it. My computer has been freezing with regularity since this all started and I won’t know until I’ve used it for a while whether this last effort solved that problem. Also, to test the outcome of this last run, I shut down and restarted my computer with an internet connection in place and the HelpAssistant problem resurfaced once again. It is definitely related to whether or not there is an internet connection during startup. So that problem persists. It occurred to me that maybe it also needed one of the startup programs running too, so I deleted the HelpAssistant folder and then restarted in Safe Mode (presumably without all the startup programs running), but left the internet connection in place. Again, even in safe mode, the HelpAssistant folder was recreated. Pesky little bugger...

Here are the logs:

COMBOFIX

ComboFix 10-03-28.03 - Steve 03/29/2010 10:22:38.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.553 [GMT -7:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steve\Desktop\CFScript 2.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\termsrv32.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\termsrv32.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-29 )))))))))))))))))))))))))))))))
.

2010-03-26 22:26 . 2010-03-26 22:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-20 20:05 . 2010-03-20 20:05 -------- d-----w- C:\HelpAsst_backup
2010-03-06 02:51 . 2010-03-06 02:51 311888 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-06 02:36 . 2010-03-06 02:38 -------- d-----w- c:\program files\DWG TrueView 2010
2010-03-06 02:35 . 2008-03-05 23:56 1420824 ----a-w- c:\windows\system32\D3DCompiler_37.dll
2010-03-06 02:35 . 2008-02-06 07:07 462864 ----a-w- c:\windows\system32\d3dx10_37.dll
2010-03-06 02:35 . 2008-03-05 23:56 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2010-03-06 02:35 . 2010-03-06 02:35 -------- d-----w- c:\windows\Logs
2010-03-06 02:26 . 2010-03-06 02:26 -------- d-----w- C:\AutoCAD DWG converter
2010-03-02 22:31 . 2010-03-02 22:31 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2010-03-02 22:31 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-02 22:31 . 2010-03-02 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-02 22:31 . 2010-03-02 22:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-02 22:31 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-28 08:45 . 2010-02-28 08:46 -------- d-----w- C:\603644d01eabe75474
2010-02-28 04:21 . 2010-02-28 04:34 -------- d-----w- c:\windows\system32\NtmsData
2010-02-28 03:27 . 2010-02-28 03:27 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-28 03:26 . 2010-02-28 03:26 -------- d-----w- c:\program files\MSXML 6.0
2010-02-28 02:34 . 2009-11-21 16:36 470528 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-29 17:33 . 2009-09-27 04:15 -------- d-----w- c:\documents and settings\Steve\Application Data\IM
2010-03-26 22:26 . 2005-06-04 23:02 -------- d-----w- c:\program files\Common Files\Java
2010-03-26 22:25 . 2005-06-04 23:02 -------- d-----w- c:\program files\Java
2010-03-17 16:01 . 2009-08-17 02:56 -------- d-----w- c:\program files\Verizon
2010-03-16 16:14 . 2009-09-21 03:07 -------- d-----w- c:\program files\McAfee
2010-03-13 05:11 . 2007-09-09 21:42 -------- d-----w- c:\documents and settings\Steve\Application Data\SolidWorks
2010-03-07 08:40 . 2005-06-27 02:04 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000005-00000000-00000002-00001102-00000004-20061102}.dat
2010-03-07 08:40 . 2005-06-27 02:04 384 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000002-00001102-00000004-20061102}.dat
2010-03-06 05:35 . 2005-06-25 18:33 180608 ----a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-06 02:38 . 2008-03-21 22:54 -------- d-----w- c:\documents and settings\Steve\Application Data\Autodesk
2010-03-06 02:38 . 2008-03-21 22:47 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-03-06 02:36 . 2008-03-21 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2010-02-28 03:31 . 2007-04-06 03:10 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-02-25 01:09 . 2010-02-25 01:09 -------- d-----w- c:\documents and settings\Steve\Application Data\SolidWorks 2009
2010-02-25 00:36 . 2010-02-24 23:35 -------- d-----w- c:\program files\SolidWorks Corp
2010-02-25 00:35 . 2010-02-24 23:36 -------- d-----w- c:\program files\Common Files\SolidWorks Shared
2010-02-24 23:35 . 2008-03-21 22:54 -------- d-----w- c:\program files\AutoCAD 2007
2010-02-24 23:35 . 2010-02-24 23:35 -------- d-----w- c:\program files\AGEIA Technologies
2010-02-24 23:35 . 2010-02-24 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SolidWorks
2010-02-24 23:30 . 2009-09-27 04:17 -------- d-----w- c:\program files\Common Files\SolidWorks Installation Manager
2010-02-11 04:44 . 2009-07-09 20:51 -------- d-----w- c:\documents and settings\Steve\Application Data\ZoomBrowser EX
2010-02-11 04:43 . 2009-07-09 20:50 -------- d-----w- c:\documents and settings\Steve\Application Data\CameraWindowDC
2009-12-31 16:14 . 2004-08-04 10:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-03-12 2303216]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-10 198160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SolidWorks_CheckForUpdates"="c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" [2009-06-30 7218472]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-06-04 98304]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-05-10 110592]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-05-10 11776]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 113136]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"D-Link AirPlus Xtreme G"="c:\program files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe" [2003-11-05 2502656]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"BuildBU"="c:\dell\bldbubg.exe" [2004-02-19 61440]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"ANIWZCSService"="c:\program files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-22 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

c:\documents and settings\Steve\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks Corp\SolidWorks\swScheduler\swBOEngine.exe [2008-9-9 841000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-6-4 156784]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-4 11000]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-3-26 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"6434:TCP"= 6434:TCP:Services
"6435:TCP"= 6435:TCP:Services

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/20/2009 8:09 PM 93320]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 4:53 PM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 4:52 PM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 4:52 PM 166384]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\SYSTEM32\DRIVERS\A3AB.sys [6/26/2005 9:33 AM 344800]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [9/9/2008 7:01 AM 79144]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 4:53 PM 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 4:52 PM 1083888]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
.
Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-21 19:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-21 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-29 10:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4204)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\system32\CTsvcCDA.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\windows\system32\CTHELPER.EXE
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\program files\Microsoft ActiveSync\WCESCOMM.EXE
c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
c:\program files\Windows Desktop Search\WindowsSearchIndexer.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\docume~1\Steve\LOCALS~1\Temp\SolidWorksLicTemp.0001
c:\program files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
c:\program files\Windows Desktop Search\WindowsSearchFilter.exe
.
**************************************************************************
.
Completion time: 2010-03-29 10:43:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-29 17:43
ComboFix2.txt 2010-03-26 18:15
ComboFix3.txt 2010-03-22 02:14

Pre-Run: 79,454,703,616 bytes free
Post-Run: 79,541,551,104 bytes free

- - End Of File - - 8CA363940FCB5831A8E1FF7D4672DCF9

MALWAREBYTES LOG:

Malwarebytes' Anti-Malware 1.44
Database version: 3927
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/29/2010 3:03:03 PM
mbam-log-2010-03-29 (15-03-03).txt

Scan type: Full Scan (C:\|)
Objects scanned: 295219
Time elapsed: 1 hour(s), 5 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
av8r
Regular Member
 
Posts: 35
Joined: March 13th, 2010, 8:30 pm

Re: Mbam cannot remove "Trojan.PWS"

Post by Katana » March 30th, 2010, 2:05 pm

I'm consulting a colleague that knows more about this infection, I will be back ASAP.

Re: Mbam cannot remove "Trojan.PWS"

Post by av8r » March 31st, 2010, 2:49 am

OK. Thanks for your continuing efforts. By the way, do you know what the objective of this "HelpAssistant" infection is?

Re: Mbam cannot remove "Trojan.PWS"

Post by Katana » March 31st, 2010, 11:47 am

av8r wrote: By the way, do you know what the objective of this "HelpAssistant" infection is?

It depends on who packaged the particular "strain" that you have; they can use it to do different things.


----------------------------------------------------------------------------------------

Combofix installed Recovery Console on your machine, we will now need to use this.

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start ( It won't display for long, so you need to be quick)
3. Use the up and down arrow keys to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

fixmbr

6. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.

----------------------------------------------------------------------------------------

Close out all other open programs and windows.
Double click HelpAsst_mebroot_fix.exe to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt!
When it completes, a log will open.
Please post the contents of that log.

Re: Mbam cannot remove "Trojan.PWS"

Post by av8r » March 31st, 2010, 1:04 pm

I attempted to boot to the recovery console twice. Both times I got the BSOD with stop code: 0X0000007B (0XF7CAF524, OXC00000034, OX00000000, OX00000000) and a message to check for viruses. Gee whiz, why didn’t I think of that…

Well, anyway, I do have access to a Dell Windows XP reinstallation CD, but it is for someone else’s computer, not this one. I think I might be able to boot to the recovery console using that disk? Let me know if you think it is safe to do that and I’ll give it a try.

Re: Mbam cannot remove "Trojan.PWS"

Post by Katana » March 31st, 2010, 5:30 pm

av8r wrote: I think I might be able to boot to the recovery console using that disk?

According to the Dell site you should be able to.

When you boot from the disc, you should see a welcome screen that has three options: Setup, Repair, Quit.
You should press R to enter the recovery console.

Re: Mbam cannot remove "Trojan.PWS"

Post by av8r » April 1st, 2010, 12:26 am

OK. Booted to the Recovery Console using Windows CD. Executed "fixmbr" command. If it did anything, it did it instantaneously. No user feedback or messages or anything. Rebooted normally and executed commands per your instructions. Here is the log:

C:\Documents and Settings\Steve\Desktop\HelpAsst_mebroot_fix.exe
Wed 03/31/2010 at 21:04:59.45

HelpAssistant account was found to be Active ~ attempting to de-activate

Full Name Remote Desktop Help Assistant Account
Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"6434:TCP"=-
"6435:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"5326:TCP"=-
"9152:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"6434:TCP"=-
"6435:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"5326:TCP"=-
"9152:TCP"=-

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-2033143763-3021469003-3136413673-1005
~ No profile directory exists for S-1-5-21-2033143763-3021469003-3136413673-1005 ~

~ All HelpAssistant profiles removed from registry ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Wed 03/31/2010 at 21:14:08.10

Full Name Remote Desktop Help Assistant Account
Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8698A6B8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\iaStor -> 0x8698a6b8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x85fb8330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in List

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"9152:TCP"=9152:TCP:*:Enabled:Services
"5326:TCP"=5326:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"5326:TCP"=5326:TCP:*:Enabled:Services
"9152:TCP"=9152:TCP:*:Enabled:Services


~~ EOF ~~
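The HelpAsst_mebroot_fix report above (and the GloballyOpenPorts entries that Katana's Step 1 CFScript deletes) is plain text a helper reads by eye; the parser below turns such a report into triage findings, as an added example that is not part of the thread or of the HelpAsst tool. The sample report is constructed from the page's log format, and BASELINE_PORTS is an assumption for a stand-alone XP workstation.

```python
"""Triage parser for a HelpAsst_mebroot_fix-style status report (added example,
not the tool's own code). It reads the sections the log above shows and turns
them into findings. The sample report is constructed from the page's format;
BASELINE_PORTS is an assumption for a stand-alone XP workstation."""
import re
from dataclasses import dataclass, field
from typing import Optional

# GloballyOpenPorts entries a workstation with file/print sharing might carry
# legitimately (assumption; adjust to the environment).
BASELINE_PORTS = {"139:TCP", "445:TCP", "137:UDP", "138:UDP"}

# Key lines appear both bare (tool output) and bracketed (reg-file style).
KEY_RE = re.compile(
    r"^\[?HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\"
    r"(\w+)\\globallyopenports\\list\]?$", re.I)
# "65533:TCP"=65533:TCP:*:Enabled:Services   or   "65533:TCP"=-
VALUE_RE = re.compile(r'^"(\d{1,5}:(?:TCP|UDP))"=(.*)$', re.I)


@dataclass
class Findings:
    account_states: list = field(default_factory=list)  # "Account active" values, in order
    admin_member: bool = False                           # *Administrators seen in a status block
    termsrv32_present: Optional[bool] = None
    open_ports: dict = field(default_factory=dict)       # profile -> {value name: data}

    def rogue_ports(self, baseline=BASELINE_PORTS):
        """(profile, name, scope) for enabled entries that are not in the baseline."""
        rogue = []
        for profile, entries in self.open_ports.items():
            for name, data in entries.items():
                if name.upper() in baseline:
                    continue
                fields = data.split(":")  # port:proto:scope:Enabled|Disabled:display name
                if len(fields) >= 4 and fields[3].lower() == "enabled":
                    rogue.append((profile, name.upper(), fields[2]))
        return rogue

    def verdicts(self):
        out = []
        if self.account_states and self.account_states[-1]:
            out.append("HelpAssistant account is still enabled")
        elif True in self.account_states:
            # The tool disabled it, but the thread shows it coming back on the
            # next networked boot, so the state needs re-checking after reboot.
            out.append("HelpAssistant account was enabled at scan start")
        if self.admin_member:
            out.append("HelpAssistant was a member of Administrators")
        if self.termsrv32_present:
            out.append("termsrv32.dll present in System32")
        for profile, name, scope in self.rogue_ports():
            out.append(f"{profile}: port {name} open to {scope}, not in baseline")
        return out


def parse_report(text):
    f = Findings()
    profile = None  # GloballyOpenPorts key whose values are being read
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            profile = m.group(1).lower()
            f.open_ports.setdefault(profile, {})
            continue
        m = VALUE_RE.match(line)
        if m and profile:
            name, data = m.group(1), m.group(2)
            if data == "-":  # reg-file deletion marker: the tool removed this value
                f.open_ports[profile].pop(name, None)
            else:
                f.open_ports[profile][name] = data
            continue
        if line.startswith("Account active"):
            f.account_states.append(line.split()[-1].lower() == "yes")
            profile = None
        elif line.startswith("Local Group Memberships"):
            f.admin_member = f.admin_member or "administrators" in line.lower()
        elif "termsrv32.dll" in line.lower() and not line.startswith("~~"):
            f.termsrv32_present = "not found" not in line.lower()
    return f


# Constructed sample modelled on the HelpAsst_mebroot_fix output quoted above.
SAMPLE_REPORT = r"""
Account active Yes
Local Group Memberships *Administrators
~~ Checking for termsrv32.dll ~~
termsrv32.dll not found
closing rogue ports
HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
Account active No
Local Group Memberships
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"139:TCP"=139:TCP:LocalSubNet:Enabled:File and Printer Sharing
"""
```

Running `parse_report(SAMPLE_REPORT).verdicts()` reports the account that was enabled at scan start, its Administrators membership, and the two any-scope ports that are still listed after the tool tried to close them.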

Re: Mbam cannot remove "Trojan.PWS"

Post by Katana » April 1st, 2010, 2:01 pm

Please run Combofix again and post the new log.

Re: Mbam cannot remove "Trojan.PWS"

Post by av8r » April 1st, 2010, 5:31 pm

Done. Combofix Log follows. I don’t know if this is significant or not, but thought I’d report it to you just in case it is relevant. While Combofix was in its final phase of generating the log report, an error dialog box popped up, which read:

PEV.exe – Application error.
The instruction at “0x003892e8” referenced memory at “0x92184708”. The memory could not be “written.” Click on OK to terminate the program. Click on CANCEL to debug the program.

-----------------------

ComboFix 10-03-29.04 - Steve 04/01/2010 13:50:17.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.573 [GMT -7:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-03-01 to 2010-04-01 )))))))))))))))))))))))))))))))
.

2010-03-26 22:26 . 2010-03-26 22:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-20 20:05 . 2010-03-20 20:05 -------- d-----w- C:\HelpAsst_backup
2010-03-06 02:51 . 2010-03-06 02:51 311888 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-06 02:36 . 2010-03-06 02:38 -------- d-----w- c:\program files\DWG TrueView 2010
2010-03-06 02:35 . 2008-03-05 23:56 1420824 ----a-w- c:\windows\system32\D3DCompiler_37.dll
2010-03-06 02:35 . 2008-02-06 07:07 462864 ----a-w- c:\windows\system32\d3dx10_37.dll
2010-03-06 02:35 . 2008-03-05 23:56 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2010-03-06 02:35 . 2010-03-06 02:35 -------- d-----w- c:\windows\Logs
2010-03-06 02:26 . 2010-03-06 02:26 -------- d-----w- C:\AutoCAD DWG converter
2010-03-02 22:31 . 2010-03-02 22:31 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2010-03-02 22:31 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-02 22:31 . 2010-03-02 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-02 22:31 . 2010-03-02 22:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-02 22:31 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-01 21:00 . 2009-09-27 04:15 -------- d-----w- c:\documents and settings\Steve\Application Data\IM
2010-03-31 21:37 . 2009-09-21 03:07 -------- d-----w- c:\program files\McAfee
2010-03-31 06:22 . 2009-08-17 03:12 -------- d-----w- c:\program files\Common Files\Motive
2010-03-30 05:14 . 2009-08-17 02:56 -------- d-----w- c:\program files\Verizon
2010-03-26 23:46 . 2010-03-12 07:46 439816 ----a-w- c:\documents and settings\Steve\Application Data\Real\Update\setup3.10\setup.exe
2010-03-26 22:26 . 2005-06-04 23:02 -------- d-----w- c:\program files\Common Files\Java
2010-03-26 22:26 . 2010-03-26 22:26 503808 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6014ee1b-n\msvcp71.dll
2010-03-26 22:26 . 2010-03-26 22:26 348160 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6014ee1b-n\msvcr71.dll
2010-03-26 22:26 . 2010-03-26 22:26 499712 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6014ee1b-n\jmc.dll
2010-03-26 22:26 . 2010-03-26 22:26 61440 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-14b6677d-n\decora-sse.dll
2010-03-26 22:26 . 2010-03-26 22:26 12800 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-14b6677d-n\decora-d3d.dll
2010-03-26 22:25 . 2005-06-04 23:02 -------- d-----w- c:\program files\Java
2010-03-13 05:11 . 2007-09-09 21:42 -------- d-----w- c:\documents and settings\Steve\Application Data\SolidWorks
2010-03-07 08:40 . 2005-06-27 02:04 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000005-00000000-00000002-00001102-00000004-20061102}.dat
2010-03-07 08:40 . 2005-06-27 02:04 384 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000002-00001102-00000004-20061102}.dat
2010-03-06 05:35 . 2005-06-25 18:33 180608 ----a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-06 03:46 . 2010-03-06 03:46 36864 ----a-w- c:\documents and settings\Steve\Application Data\Autodesk\DWG TrueView 2010\R7\enu\ContextualTabSelectorRules.dll
2010-03-06 02:38 . 2008-03-21 22:54 -------- d-----w- c:\documents and settings\Steve\Application Data\Autodesk
2010-03-06 02:38 . 2008-03-21 22:47 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-03-06 02:36 . 2008-03-21 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2010-02-28 03:31 . 2007-04-06 03:10 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-02-28 03:27 . 2010-02-28 03:27 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-28 03:26 . 2010-02-28 03:26 -------- d-----w- c:\program files\MSXML 6.0
2010-02-25 01:09 . 2010-02-25 01:09 -------- d-----w- c:\documents and settings\Steve\Application Data\SolidWorks 2009
2010-02-25 00:36 . 2010-02-24 23:35 -------- d-----w- c:\program files\SolidWorks Corp
2010-02-25 00:35 . 2010-02-24 23:36 -------- d-----w- c:\program files\Common Files\SolidWorks Shared
2010-02-25 00:34 . 2010-02-25 00:34 335872 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{06379784-4648-46BF-9426-0B10817F0AF5}\NewShortcut2_5135BE5531E34696827B50FE43E48CC2_1.exe
2010-02-25 00:34 . 2010-02-25 00:34 335872 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{06379784-4648-46BF-9426-0B10817F0AF5}\NewShortcut1_5135BE5531E34696827B50FE43E48CC2_1.exe
2010-02-25 00:34 . 2010-02-25 00:34 335872 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{06379784-4648-46BF-9426-0B10817F0AF5}\ARPPRODUCTICON.exe
2010-02-24 23:35 . 2008-03-21 22:54 -------- d-----w- c:\program files\AutoCAD 2007
2010-02-24 23:35 . 2010-02-24 23:35 -------- d-----w- c:\program files\AGEIA Technologies
2010-02-24 23:35 . 2010-02-24 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SolidWorks
2010-02-24 23:30 . 2009-09-27 04:17 -------- d-----w- c:\program files\Common Files\SolidWorks Installation Manager
2010-02-11 04:44 . 2009-07-09 20:51 -------- d-----w- c:\documents and settings\Steve\Application Data\ZoomBrowser EX
2010-02-11 04:43 . 2009-07-09 20:50 -------- d-----w- c:\documents and settings\Steve\Application Data\CameraWindowDC
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]
"UpdateFlow.Verizon"="c:\program files\Verizon\McciBrowser.exe" [2010-03-17 1048576]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-03-12 2303216]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-10 198160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SolidWorks_CheckForUpdates"="c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" [2009-06-30 7218472]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-06-04 98304]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-05-10 110592]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-05-10 11776]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 113136]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"D-Link AirPlus Xtreme G"="c:\program files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe" [2003-11-05 2502656]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"BuildBU"="c:\dell\bldbubg.exe" [2004-02-19 61440]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"ANIWZCSService"="c:\program files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-22 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

c:\documents and settings\Steve\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks Corp\SolidWorks\swScheduler\swBOEngine.exe [2008-9-9 841000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-6-4 156784]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-4 11000]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-3-26 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"5326:TCP"= 5326:TCP:Services
"9152:TCP"= 9152:TCP:Services
"5731:TCP"= 5731:TCP:Services
"9962:TCP"= 9962:TCP:Services

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/20/2009 8:09 PM 93320]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 4:53 PM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 4:52 PM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 4:52 PM 166384]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\SYSTEM32\DRIVERS\A3AB.sys [6/26/2005 9:33 AM 344800]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [9/9/2008 7:01 AM 79144]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 4:53 PM 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 4:52 PM 1083888]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
.
Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-21 19:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-21 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-01 14:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\sqlite_OfTH6UW0ySau5RK-journal 512 bytes

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8654DB98]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7696fc3
\Driver\ACPI -> ACPI.sys @ 0xf74a9cb8
\Driver\atapi -> atapi.sys @ 0xf73d47b4
\Driver\iaStor -> 0x8654db98
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x85fec330
PacketIndicateHandler -> NDIS.sys @ 0xf7275a0b
SendHandler -> NDIS.sys @ 0xf7289b31
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4576)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\system32\CTsvcCDA.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\CTHELPER.EXE
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\program files\Microsoft ActiveSync\WCESCOMM.EXE
c:\program files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
c:\program files\Windows Desktop Search\WindowsSearchIndexer.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\docume~1\Steve\LOCALS~1\Temp\SolidWorksLicTemp.0001
c:\program files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
.
**************************************************************************
.
Completion time: 2010-04-01 14:11:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-01 21:11
ComboFix2.txt 2010-03-29 17:43
ComboFix3.txt 2010-03-26 18:15
ComboFix4.txt 2010-03-22 02:14

Pre-Run: 84,149,608,448 bytes free
Post-Run: 84,114,022,400 bytes free

- - End Of File - - EA0B24743F675602AA5FB475157BA3E9
av8r
Regular Member
Posts: 35
Joined: March 13th, 2010, 8:30 pm

Re: Mbam cannot remove "Trojan.PWS"

Unread postby Katana » April 2nd, 2010, 4:51 pm

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"=-
    "52344:TCP"=-
    "5326:TCP"=-
    "9152:TCP"=-
    "5731:TCP"=-
    "9962:TCP"=-
    ADS::

  • Save this as CFScript.txt and place it on your desktop.


    Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper



Please see if the problem still occurs when you restart with the internet connected.
Katana
MRU Teacher Emeritus
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Mbam cannot remove "Trojan.PWS"

Unread postby av8r » April 2nd, 2010, 8:31 pm

Some interesting developments. Bear with me while I work through this. First of all, I got another error dialog box while Combofix was running, but different from the last one. This time the message read:

PEV.CFXXE-Application error
The exception unknown software exception (0x40000015) occurred in the application at location 0x0044fe8e.
Click OK to terminate program.
Click CANCEL to debug the program.

The funky wording is not a mistake. That’s what it said.

Other than that, it seemed to run and complete OK. After Combofix completed, I rebooted with an internet connection and no HelpAssistant profile was created. I did both a cold boot and a warm boot with no HelpAssistant folder being created and thought we had made progress. Then I decided to start checking to see if some of the other problems I was having had been cured. First I noticed that my browser had become more peppy, which was a good sign.

When this all started I noticed that both Windows Media Player and RealPlayer would go into an endless loop when I attempted to play MP3 files on them, usually on the second song. However, MusicMatch did not have this problem. So I decided to try playing some music. I started with Windows Media Player and that is as far as I got. It played about 5 songs before going into a loop. More importantly, whenever it goes into a loop, the computer freezes and nothing works, requiring me to do a hard shut down and reboot, which I did. When I rebooted this time, the HelpAssistant profile was again created. So now I’m wondering if Media Player is somehow infected and launching the virus when I use it to play music. What do you think? Should I uninstall it and reinstall a newer version? And when I fired up my browser to come here to post my results, I noticed that my browser had slowed way down again.

Here’s the Combofix log:

------------------------------------------
ComboFix 10-03-29.04 - Steve 04/02/2010 16:05:40.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.574 [GMT -7:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-03-02 to 2010-04-02 )))))))))))))))))))))))))))))))
.

2010-03-26 22:26 . 2010-03-26 22:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-20 20:05 . 2010-03-20 20:05 -------- d-----w- C:\HelpAsst_backup
2010-03-06 02:51 . 2010-03-06 02:51 311888 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-06 02:36 . 2010-03-06 02:38 -------- d-----w- c:\program files\DWG TrueView 2010
2010-03-06 02:35 . 2008-03-05 23:56 1420824 ----a-w- c:\windows\system32\D3DCompiler_37.dll
2010-03-06 02:35 . 2008-02-06 07:07 462864 ----a-w- c:\windows\system32\d3dx10_37.dll
2010-03-06 02:35 . 2008-03-05 23:56 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2010-03-06 02:35 . 2010-03-06 02:35 -------- d-----w- c:\windows\Logs
2010-03-06 02:26 . 2010-03-06 02:26 -------- d-----w- C:\AutoCAD DWG converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-02 23:16 . 2009-09-27 04:15 -------- d-----w- c:\documents and settings\Steve\Application Data\IM
2010-03-31 21:37 . 2009-09-21 03:07 -------- d-----w- c:\program files\McAfee
2010-03-31 06:22 . 2009-08-17 03:12 -------- d-----w- c:\program files\Common Files\Motive
2010-03-30 05:14 . 2009-08-17 02:56 -------- d-----w- c:\program files\Verizon
2010-03-26 22:26 . 2005-06-04 23:02 -------- d-----w- c:\program files\Common Files\Java
2010-03-26 22:25 . 2005-06-04 23:02 -------- d-----w- c:\program files\Java
2010-03-13 05:11 . 2007-09-09 21:42 -------- d-----w- c:\documents and settings\Steve\Application Data\SolidWorks
2010-03-07 08:40 . 2005-06-27 02:04 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000005-00000000-00000002-00001102-00000004-20061102}.dat
2010-03-07 08:40 . 2005-06-27 02:04 384 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000002-00001102-00000004-20061102}.dat
2010-03-06 05:35 . 2005-06-25 18:33 180608 ----a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-06 02:38 . 2008-03-21 22:54 -------- d-----w- c:\documents and settings\Steve\Application Data\Autodesk
2010-03-06 02:38 . 2008-03-21 22:47 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-03-06 02:36 . 2008-03-21 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2010-03-02 22:31 . 2010-03-02 22:31 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2010-03-02 22:31 . 2010-03-02 22:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-02 22:31 . 2010-03-02 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-28 03:31 . 2007-04-06 03:10 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-02-28 03:27 . 2010-02-28 03:27 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-28 03:26 . 2010-02-28 03:26 -------- d-----w- c:\program files\MSXML 6.0
2010-02-25 01:09 . 2010-02-25 01:09 -------- d-----w- c:\documents and settings\Steve\Application Data\SolidWorks 2009
2010-02-25 00:36 . 2010-02-24 23:35 -------- d-----w- c:\program files\SolidWorks Corp
2010-02-25 00:35 . 2010-02-24 23:36 -------- d-----w- c:\program files\Common Files\SolidWorks Shared
2010-02-24 23:35 . 2008-03-21 22:54 -------- d-----w- c:\program files\AutoCAD 2007
2010-02-24 23:35 . 2010-02-24 23:35 -------- d-----w- c:\program files\AGEIA Technologies
2010-02-24 23:35 . 2010-02-24 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SolidWorks
2010-02-24 23:30 . 2009-09-27 04:17 -------- d-----w- c:\program files\Common Files\SolidWorks Installation Manager
2010-02-11 04:44 . 2009-07-09 20:51 -------- d-----w- c:\documents and settings\Steve\Application Data\ZoomBrowser EX
2010-02-11 04:43 . 2009-07-09 20:50 -------- d-----w- c:\documents and settings\Steve\Application Data\CameraWindowDC
2010-01-08 00:07 . 2010-03-02 22:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07 . 2010-03-02 22:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]
"UpdateFlow.Verizon"="c:\program files\Verizon\McciBrowser.exe" [2010-03-17 1048576]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-03-12 2303216]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-10 198160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SolidWorks_CheckForUpdates"="c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" [2009-06-30 7218472]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-06-04 98304]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-05-10 110592]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-05-10 11776]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 113136]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"D-Link AirPlus Xtreme G"="c:\program files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe" [2003-11-05 2502656]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"BuildBU"="c:\dell\bldbubg.exe" [2004-02-19 61440]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"ANIWZCSService"="c:\program files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-22 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

c:\documents and settings\Steve\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks Corp\SolidWorks\swScheduler\swBOEngine.exe [2008-9-9 841000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-6-4 156784]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-4 11000]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-3-26 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8682:TCP"= 8682:TCP:Services
"8683:TCP"= 8683:TCP:Services
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"5263:TCP"= 5263:TCP:Services
"9026:TCP"= 9026:TCP:Services

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/20/2009 8:09 PM 93320]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 4:53 PM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 4:52 PM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 4:52 PM 166384]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\SYSTEM32\DRIVERS\A3AB.sys [6/26/2005 9:33 AM 344800]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [9/9/2008 7:01 AM 79144]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 4:53 PM 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 4:52 PM 1083888]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
.
Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-21 19:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-21 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-02 16:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4140)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\system32\CTsvcCDA.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\rundll32.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\CTHELPER.EXE
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\program files\Microsoft ActiveSync\WCESCOMM.EXE
c:\program files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
c:\program files\Windows Desktop Search\WindowsSearchIndexer.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\docume~1\Steve\LOCALS~1\Temp\SolidWorksLicTemp.0001
c:\program files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
.
**************************************************************************
.
Completion time: 2010-04-02 16:26:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-02 23:26
ComboFix2.txt 2010-04-01 21:11
ComboFix3.txt 2010-03-29 17:43
ComboFix4.txt 2010-03-26 18:15
ComboFix5.txt 2010-04-02 22:59

Pre-Run: 84,089,438,208 bytes free
Post-Run: 84,047,237,120 bytes free

- - End Of File - - 9A62C54C9818BD139E7904FFE8890D5A
av8r
Regular Member
 
Posts: 35
Joined: March 13th, 2010, 8:30 pm

Re: Mbam cannot remove "Trojan.PWS"

Unread postby Katana » April 4th, 2010, 5:34 pm

Two options ......

1) The MP3 files are infected and that is causing the problem.
2) A Windows Media Player file has been infected and is causing the problem.

Which of the above it is, I have no idea, as they should both have been picked up by the scans we have performed :(

Please do the following, but don't try playing any more music files for the moment.


1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start (It won't display for long, so you need to be quick)
3. Use the up and down arrow keys to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press Enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

fixmbr

6. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.

----------------------------------------------------------------------------------------

Close out all other open programs and windows.
Double click HelpAsst_mebroot_fix.exe to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.


----------------------------------------------------------------------------------------
Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    KillAll::
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8682:TCP"=-
    "8683:TCP"=-
    "65533:TCP"=-
    "52344:TCP"=-
    "5263:TCP"=-
    "9026:TCP"=-
    ADS::

  • Save this as CFScript.txt and place it on your desktop.


    Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper




----------------------------------------------------------------------------------------
Eset Online AntiVirus

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.
(You may need to disable your resident Anti-Virus.)

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large; you may need to split them over a couple of replies.
  • HelpAssist Log
  • Combofix Log
  • ESET log
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Mbam cannot remove "Trojan.PWS"

Unread postby av8r » April 5th, 2010, 12:09 pm

I was not able to run the ESET online scan to completion. My system froze after it had run for quite some time. It had detected two “threats” but gave no meaningful information about them and no log was generated that I am aware of. My virus scanner was disabled and I did not touch the mouse or keyboard while it ran. I tried to re-run it, but it would not run. It gave me the following message: Can not get update. Is proxy configured? So I tried uninstalling ESET and tried to start it fresh. It would not run and gave me the same message. The logs from the other two steps follow.

HELPASST LOG:

C:\Documents and Settings\Steve\Desktop\MalWare Tools\HelpAsst_mebroot_fix.exe
Sun 04/04/2010 at 22:16:09.34

HelpAssistant account was found to be Active ~ attempting to de-activate

Full Name Remote Desktop Help Assistant Account
Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"9152:TCP"=-
"5326:TCP"=-
"5731:TCP"=-
"9962:TCP"=-
"8682:TCP"=-
"8683:TCP"=-
"5263:TCP"=-
"9026:TCP"=-
"7921:TCP"=-
"7922:TCP"=-
"3389:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"8682:TCP"=-
"8683:TCP"=-
"5263:TCP"=-
"9026:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"7921:TCP"=-
"7922:TCP"=-
"3389:TCP"=-

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-2033143763-3021469003-3136413673-1005
~ No profile directory exists for S-1-5-21-2033143763-3021469003-3136413673-1005 ~

~ All HelpAssistant profiles removed from registry ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sun 04/04/2010 at 22:17:13.54

Full Name Remote Desktop Help Assistant Account
Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86465EB8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\iaStor -> 0x86465eb8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x85fde330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in List

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

COMBOFIX LOG:

ComboFix 10-03-29.04 - Steve 04/04/2010 22:25:11.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.563 [GMT -7:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-03-05 to 2010-04-05 )))))))))))))))))))))))))))))))
.

2010-03-26 22:26 . 2010-03-26 22:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-20 20:05 . 2010-03-20 20:05 -------- d-----w- C:\HelpAsst_backup

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-05 05:36 . 2009-09-27 04:15 -------- d-----w- c:\documents and settings\Steve\Application Data\IM
2010-04-04 16:57 . 2010-03-12 07:46 439816 ----a-w- c:\documents and settings\Steve\Application Data\Real\Update\setup3.10\setup.exe
2010-04-03 00:05 . 2009-08-17 02:56 -------- d-----w- c:\program files\Verizon
2010-03-31 21:37 . 2009-09-21 03:07 -------- d-----w- c:\program files\McAfee
2010-03-31 06:22 . 2009-08-17 03:12 -------- d-----w- c:\program files\Common Files\Motive
2010-03-26 22:26 . 2005-06-04 23:02 -------- d-----w- c:\program files\Common Files\Java
2010-03-26 22:26 . 2010-03-26 22:26 503808 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6014ee1b-n\msvcp71.dll
2010-03-26 22:26 . 2010-03-26 22:26 348160 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6014ee1b-n\msvcr71.dll
2010-03-26 22:26 . 2010-03-26 22:26 499712 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6014ee1b-n\jmc.dll
2010-03-26 22:26 . 2010-03-26 22:26 61440 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-14b6677d-n\decora-sse.dll
2010-03-26 22:26 . 2010-03-26 22:26 12800 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-14b6677d-n\decora-d3d.dll
2010-03-26 22:25 . 2005-06-04 23:02 -------- d-----w- c:\program files\Java
2010-03-13 05:11 . 2007-09-09 21:42 -------- d-----w- c:\documents and settings\Steve\Application Data\SolidWorks
2010-03-07 08:40 . 2005-06-27 02:04 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000005-00000000-00000002-00001102-00000004-20061102}.dat
2010-03-07 08:40 . 2005-06-27 02:04 384 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000002-00001102-00000004-20061102}.dat
2010-03-06 05:35 . 2005-06-25 18:33 180608 ----a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-06 03:46 . 2010-03-06 03:46 36864 ----a-w- c:\documents and settings\Steve\Application Data\Autodesk\DWG TrueView 2010\R7\enu\ContextualTabSelectorRules.dll
2010-03-06 02:51 . 2010-03-06 02:51 311888 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-06 02:38 . 2010-03-06 02:36 -------- d-----w- c:\program files\DWG TrueView 2010
2010-03-06 02:38 . 2008-03-21 22:54 -------- d-----w- c:\documents and settings\Steve\Application Data\Autodesk
2010-03-06 02:38 . 2008-03-21 22:47 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-03-06 02:36 . 2008-03-21 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2010-03-02 22:31 . 2010-03-02 22:31 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2010-03-02 22:31 . 2010-03-02 22:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-02 22:31 . 2010-03-02 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-28 03:31 . 2007-04-06 03:10 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-02-28 03:27 . 2010-02-28 03:27 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-28 03:26 . 2010-02-28 03:26 -------- d-----w- c:\program files\MSXML 6.0
2010-02-25 01:09 . 2010-02-25 01:09 -------- d-----w- c:\documents and settings\Steve\Application Data\SolidWorks 2009
2010-02-25 00:36 . 2010-02-24 23:35 -------- d-----w- c:\program files\SolidWorks Corp
2010-02-25 00:35 . 2010-02-24 23:36 -------- d-----w- c:\program files\Common Files\SolidWorks Shared
2010-02-25 00:34 . 2010-02-25 00:34 335872 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{06379784-4648-46BF-9426-0B10817F0AF5}\NewShortcut2_5135BE5531E34696827B50FE43E48CC2_1.exe
2010-02-25 00:34 . 2010-02-25 00:34 335872 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{06379784-4648-46BF-9426-0B10817F0AF5}\NewShortcut1_5135BE5531E34696827B50FE43E48CC2_1.exe
2010-02-25 00:34 . 2010-02-25 00:34 335872 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{06379784-4648-46BF-9426-0B10817F0AF5}\ARPPRODUCTICON.exe
2010-02-24 23:35 . 2008-03-21 22:54 -------- d-----w- c:\program files\AutoCAD 2007
2010-02-24 23:35 . 2010-02-24 23:35 -------- d-----w- c:\program files\AGEIA Technologies
2010-02-24 23:35 . 2010-02-24 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SolidWorks
2010-02-24 23:30 . 2009-09-27 04:17 -------- d-----w- c:\program files\Common Files\SolidWorks Installation Manager
2010-02-11 04:44 . 2009-07-09 20:51 -------- d-----w- c:\documents and settings\Steve\Application Data\ZoomBrowser EX
2010-02-11 04:43 . 2009-07-09 20:50 -------- d-----w- c:\documents and settings\Steve\Application Data\CameraWindowDC
2010-01-08 00:07 . 2010-03-02 22:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07 . 2010-03-02 22:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]
"UpdateFlow.Verizon"="c:\program files\Verizon\McciBrowser.exe" [2010-03-17 1048576]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-10 198160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SolidWorks_CheckForUpdates"="c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" [2009-06-30 7218472]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-06-04 98304]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-05-10 110592]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-05-10 11776]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 113136]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"D-Link AirPlus Xtreme G"="c:\program files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe" [2003-11-05 2502656]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"BuildBU"="c:\dell\bldbubg.exe" [2004-02-19 61440]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"ANIWZCSService"="c:\program files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-22 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-03-12 2303216]

c:\documents and settings\Steve\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks Corp\SolidWorks\swScheduler\swBOEngine.exe [2008-9-9 841000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-6-4 156784]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-4 11000]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-3-26 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7921:TCP"= 7921:TCP:Services
"7922:TCP"= 7922:TCP:Services
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"4528:TCP"= 4528:TCP:Services
"7556:TCP"= 7556:TCP:Services

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/20/2009 8:09 PM 93320]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 4:53 PM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 4:52 PM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 4:52 PM 166384]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\SYSTEM32\DRIVERS\A3AB.sys [6/26/2005 9:33 AM 344800]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [9/9/2008 7:01 AM 79144]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 4:53 PM 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 4:52 PM 1083888]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
.
Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-21 19:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-21 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-04 22:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\sqlite_EXuXx5H3NfhX3MF 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86654DF0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7696fc3
\Driver\ACPI -> ACPI.sys @ 0xf74a9cb8
\Driver\atapi -> atapi.sys @ 0xf73d47b4
\Driver\iaStor -> 0x86654df0
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x85fed330
PacketIndicateHandler -> NDIS.sys @ 0xf7275a0b
SendHandler -> NDIS.sys @ 0xf7289b31
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4256)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\system32\CTsvcCDA.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\rundll32.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\windows\system32\CTHELPER.EXE
c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
c:\program files\Microsoft ActiveSync\WCESCOMM.EXE
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\Windows Desktop Search\WindowsSearchIndexer.exe
c:\docume~1\Steve\LOCALS~1\Temp\SolidWorksLicTemp.0001
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
c:\program files\Windows Desktop Search\WindowsSearchFilter.exe
.
**************************************************************************
.
Completion time: 2010-04-04 22:46:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-05 05:46
ComboFix2.txt 2010-04-02 23:26
ComboFix3.txt 2010-04-01 21:11
ComboFix4.txt 2010-03-29 17:43
ComboFix5.txt 2010-04-05 05:20

Pre-Run: 84,002,107,392 bytes free
Post-Run: 83,963,183,104 bytes free

- - End Of File - - EF7907625AE9FA67792682ED4FE13E07
av8r
Regular Member
 
Posts: 35
Joined: March 13th, 2010, 8:30 pm

Re: Mbam cannot remove "Trojan.PWS"

Unread postby Katana » April 6th, 2010, 5:13 pm

It looks like termsrv32.dll has been replaced :(

Let's try a different attack
Make sure you read all the steps before starting, as step #2 requires you to boot to Recovery Console

----------------------------------------------------------------------------------------
Step 1

OTL Script:
  • Download OTL.exe to your desktop.
  • Double-click OTL.exe to start the program.
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Reg
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "7921:TCP"=-
    "7922:TCP"=-
    "65533:TCP"=-
    "52344:TCP"=-
    "4528:TCP"=-
    "7556:TCP"=-
    :Files
    C:\WINDOWS\system32\termsrv32.dll
    :Commands
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top.
  • OTL will ask you to reboot your computer, allow it to do so.


----------------------------------------------------------------------------------------
Step 2

1. Restart your computer (OTL should do this for you)
2. Before Windows loads, you will be prompted to choose which Operating System to start (It won't display for long, so you need to be quick)
3. Use the up and down arrow keys to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press Enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

fixmbr

6. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.

----------------------------------------------------------------------------------------
Step 3

Close out all other open programs and windows.
Double click HelpAsst_mebroot_fix.exe to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.


----------------------------------------------------------------------------------------
Step 4

OTL

  • Double click on the OTL.exe icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.exe.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.
  • Post both logs individually please.


----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large; you may need to split them over a couple of replies.
  • HelpAssist Log
  • OTL Log
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
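The fix scripts in this thread are written by hand from the GloballyOpenPorts entries in the ComboFix log. As an added example (not code from the thread, ComboFix, OTL or HelpAsst), the Python below pulls those entries out of a ComboFix log, flags any not on an expected list, and emits the same `"port"=-` removal lines in both CFScript and OTL syntax; the log excerpt and its 139:TCP entry are constructed.

```python
"""Pull the firewall GloballyOpenPorts entries out of a ComboFix log, flag the
ones that are not expected, and emit the matching removal lines in CFScript
("Registry::") and OTL (":Reg") syntax.

Added example for this thread; it is not ComboFix, OTL or HelpAsst code.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample: a trimmed "Reg Loading Points" section in ComboFix's
# log format. The 139:TCP line stands in for a legitimate entry and is made up.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7921:TCP"= 7921:TCP:Services
"7922:TCP"= 7922:TCP:Services
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"139:TCP"= 139:TCP:File and Printer Sharing (constructed)

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/20/2009 8:09 PM 93320]
"""

# Key header as ComboFix prints it; group 1 is the profile (domain/standard).
KEY_RE = re.compile(
    r"^\[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\"
    r"(\w+)\\GloballyOpenPorts\\List\]$",
    re.IGNORECASE,
)
# Value name of one open-port entry, e.g. "7921:TCP"= 7921:TCP:Services
ENTRY_RE = re.compile(r'^"(\d{1,5}:(?:TCP|UDP))"=', re.IGNORECASE)

KEY_FMT = (r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
           r"\{profile}\GloballyOpenPorts\List]")


def parse_open_ports(log_text: str) -> Dict[str, List[str]]:
    """Return {profile: [port entries]} for every GloballyOpenPorts\\List key.

    A section ends at the first blank line or at the next '[...]' key header,
    which is how ComboFix lays the Reg Loading Points section out.
    """
    found: Dict[str, List[str]] = {}
    profile = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            profile = key.group(1).lower()
            found.setdefault(profile, [])
            continue
        if not line or line.startswith("["):
            profile = None  # left the section
            continue
        if profile is not None:
            entry = ENTRY_RE.match(line)
            if entry:
                found[profile].append(entry.group(1).upper())
    return found


def flag_rogue(ports: Dict[str, List[str]],
               expected: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Drop entries the owner expects to see; everything else is flagged.

    The thread's helper treated every listed port as rogue (empty expected
    list); pass the ports you know are legitimately opened to keep them.
    """
    keep = {p.upper() for p in expected}
    return {prof: [p for p in entries if p not in keep]
            for prof, entries in ports.items()}


def removal_block(rogue: Dict[str, List[str]], header: str) -> str:
    """Build a removal block. header is "Registry::" for a ComboFix CFScript
    or ":Reg" for an OTL fix; both use .reg syntax, where '"name"=-' deletes
    the value, exactly as in the scripts posted in this thread."""
    lines = [header]
    for prof, entries in rogue.items():
        if not entries:
            continue
        lines.append(KEY_FMT.format(profile=prof))
        lines.extend(f'"{p}"=-' for p in entries)
        lines.append("")
    return "\n".join(lines).rstrip("\n") + "\n"


if __name__ == "__main__":
    rogue = flag_rogue(parse_open_ports(SAMPLE_LOG), expected={"139:TCP"})
    print(removal_block(rogue, "Registry::"))
    print(removal_block(rogue, ":Reg"))
```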