MalwareRemoval.com provides free support for people with infected computers.


Mbam cannot remove "Trojan.PWS"


Re: Mbam cannot remove "Trojan.PWS"

Post by av8r » April 7th, 2010, 2:35 am

Hi Katana. The OTL tool produced 3 logs, not two. The first was produced during your Step 1 and the other two during Step 4. I posted all 3 and separated them with a line and some bold text to hopefully make it easier for you to find them. Hope this helps...

-------------------- HELPASSIST LOG --------------------------

C:\Documents and Settings\Steve\Desktop\HelpAsst_mebroot_fix.exe
Tue 04/06/2010 at 22:35:42.20

HelpAssistant account was found to be Inactive


~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list


HelpAssistant profile not found in registry

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Tue 04/06/2010 at 22:36:34.57

Full Name Remote Desktop Help Assistant Account
Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x864C5E18]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\iaStor -> 0x864c5e18
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x86009330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in List

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~


-------------------- OTL LOG FROM "RUN FIX" STEP 1 --------------------------

All processes killed
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List not found.
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List not found.
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List not found.
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List not found.
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List not found.
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List not found.
========== FILES ==========
C:\WINDOWS\system32\termsrv32.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Initial Setup
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49286 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Owner

User: Steve
->Temp folder emptied: 2101830 bytes
->Temporary Internet Files folder emptied: 15960645 bytes
->Java cache emptied: 26973901 bytes
->FireFox cache emptied: 30973419 bytes
->Google Chrome cache emptied: 20210039 bytes
->Flash cache emptied: 1568135 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1032 bytes
%systemroot%\System32 .tmp files removed: 328398 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1495775 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 95.00 mb


OTL by OldTimer - Version 3.2.1.0 log created on 04062010_222532

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\$$$dq3e scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\$67we.$ scheduled to be moved on reboot.

Registry entries deleted on Reboot...

-------------------- 1ST OTL LOG FROM "RUN SCAN" STEP 4 --------------------------

OTL logfile created on: 4/6/2010 10:46:45 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Steve\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 506.00 Mb Available Physical Memory | 50.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 145.25 Gb Total Space | 81.56 Gb Free Space | 56.15% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D61JTM71
Current User Name: Steve
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Steve\Local Settings\temp\SolidWorksLicTemp.0001 (Macrovision Europe Ltd.)
PRC - C:\Documents and Settings\Steve\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Verizon\McciTrayApp.exe (Alcatel-Lucent)
PRC - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe (SolidWorks)
PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac (ArcSoft Inc.)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MSK\msksrver.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe (Dassault Systèmes SolidWorks Corp.)
PRC - C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
PRC - C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\swBOEngine.exe (Dassault Systèmes SolidWorks Corp.)
PRC - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
PRC - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE (SEIKO EPSON CORPORATION)
PRC - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe (Sonic Solutions)
PRC - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe (Sonic Solutions)
PRC - C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\SYSTEM32\CtHelper.exe (Creative Technology Ltd)
PRC - C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
PRC - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE (SEIKO EPSON CORPORATION)
PRC - C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe (Microsoft Corporation)
PRC - C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe (Musicmatch, Inc.)
PRC - C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe (Musicmatch, Inc.)
PRC - C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe (Musicmatch, Inc.)
PRC - C:\Program Files\Intel\Intel Application Accelerator\IAAnotif.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe (America Online, Inc.)
PRC - C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe (D-Link)
PRC - C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
PRC - C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe (Alpha Networks Inc.)
PRC - C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe (Creative Technology Ltd)
PRC - C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Steve\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Program Files\Common Files\Motive\McciContextHook_DSR.dll (Alcatel-Lucent)
MOD - c:\Program Files\McAfee\SiteAdvisor\sahook.dll (McAfee, Inc.)
MOD - C:\WINDOWS\SYSTEM32\ctagent.dll (Creative Technology Ltd)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (SolidWorks Licensing Service) -- C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe (SolidWorks)
SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (MBackMonitor) -- C:\Program Files\McAfee\MBK\MBackMonitor.exe (McAfee)
SRV - (MSK80Service) -- C:\Program Files\McAfee\MSK\MskSrver.exe (McAfee, Inc.)
SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McNASvc) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
SRV - (CoordinatorServiceHost) -- C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe (Dassault Systèmes SolidWorks Corp.)
SRV - (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
SRV - (Autodesk Licensing Service) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe (Autodesk)
SRV - (EPSON_EB_RPCV4_01) EPSON V5 Service4(01) -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE (SEIKO EPSON CORPORATION)
SRV - (Roxio Upnp Server 10) -- C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe (Sonic Solutions)
SRV - (Roxio UPnP Renderer 10) -- C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe (Sonic Solutions)
SRV - (RoxLiveShare10) -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (Sonic Solutions)
SRV - (RoxWatch10) -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe (Sonic Solutions)
SRV - (RoxMediaDB10) -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe (Sonic Solutions)
SRV - (DSBrokerService) -- C:\Program Files\DellSupport\brkrsvc.exe ()
SRV - (CCALib8) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
SRV - (EPSON_PM_RPCV4_01) EPSON V3 Service4(01) -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE (SEIKO EPSON CORPORATION)
SRV - (msvsmon80) -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe (Microsoft Corporation)
SRV - (IAANTMon) -- C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe (Intel Corporation)
SRV - (AOL ACS) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe (America Online, Inc.)


========== Driver Services (SafeList) ==========

DRV - (MREMP50) -- C:\Program Files\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (MRESP50) -- C:\Program Files\Common Files\Motive\MRESP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (mfehidk) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys (McAfee, Inc.)
DRV - (mfesmfk) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys (McAfee, Inc.)
DRV - (mferkdk) -- C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys (McAfee, Inc.)
DRV - (MPFP) -- C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys (McAfee, Inc.)
DRV - (RxFilter) -- C:\WINDOWS\SYSTEM32\DRIVERS\RxFilter.sys (Sonic Solutions)
DRV - (Cdralw2k) -- C:\WINDOWS\SYSTEM32\DRIVERS\cdralw2k.sys (Sonic Solutions)
DRV - (Cdr4_xp) -- C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys (Sonic Solutions)
DRV - (COMMONFX.DLL) -- C:\WINDOWS\SYSTEM32\COMMONFX.DLL (Creative Technology Ltd)
DRV - (CT20XUT.DLL) -- C:\WINDOWS\SYSTEM32\CT20XUT.DLL (Creative Technology Ltd.)
DRV - (CTHWIUT.DLL) -- C:\WINDOWS\SYSTEM32\CTHWIUT.DLL (Creative Technology Ltd.)
DRV - (CTEXFIFX.DLL) -- C:\WINDOWS\SYSTEM32\CTEXFIFX.DLL (Creative Technology Ltd.)
DRV - (CTEDSPSY.DLL) -- C:\WINDOWS\SYSTEM32\CTEDSPSY.DLL (Creative Technology Ltd)
DRV - (CTEDSPIO.DLL) -- C:\WINDOWS\SYSTEM32\CTEDSPIO.DLL (Creative Technology Ltd)
DRV - (CTEDSPFX.DLL) -- C:\WINDOWS\SYSTEM32\CTEDSPFX.DLL (Creative Technology Ltd)
DRV - (CTERFXFX.DLL) -- C:\WINDOWS\SYSTEM32\CTERFXFX.DLL (Creative Technology Ltd)
DRV - (CTEAPSFX.DLL) -- C:\WINDOWS\SYSTEM32\CTEAPSFX.DLL (Creative Technology Ltd)
DRV - (CTSBLFX.DLL) -- C:\WINDOWS\SYSTEM32\CTSBLFX.DLL (Creative Technology Ltd)
DRV - (CTAUDFX.DLL) -- C:\WINDOWS\SYSTEM32\CTAUDFX.DLL (Creative Technology Ltd)
DRV - (ctsfm2k) -- C:\WINDOWS\SYSTEM32\DRIVERS\ctsfm2k.sys (Creative Technology Ltd)
DRV - (ossrv) -- C:\WINDOWS\SYSTEM32\DRIVERS\ctoss2k.sys (Creative Technology Ltd.)
DRV - (PfModNT) -- C:\WINDOWS\SYSTEM32\DRIVERS\pfmodnt.sys (Creative Technology Ltd.)
DRV - (hap17v2k) -- C:\WINDOWS\SYSTEM32\DRIVERS\haP17v2k.sys (Creative Technology Ltd)
DRV - (hap16v2k) -- C:\WINDOWS\SYSTEM32\DRIVERS\haP16v2k.sys (Creative Technology Ltd)
DRV - (ha10kx2k) -- C:\WINDOWS\SYSTEM32\DRIVERS\ha10kx2k.sys (Creative Technology Ltd)
DRV - (emupia) -- C:\WINDOWS\SYSTEM32\DRIVERS\emupia2k.sys (Creative Technology Ltd)
DRV - (ctprxy2k) -- C:\WINDOWS\SYSTEM32\DRIVERS\ctprxy2k.sys (Creative Technology Ltd)
DRV - (ctdvda2k) -- C:\WINDOWS\SYSTEM32\DRIVERS\ctdvda2k.sys (Creative Technology Ltd)
DRV - (ctaud2k) Creative Audio Driver (WDM) -- C:\WINDOWS\SYSTEM32\DRIVERS\ctaud2k.sys (Creative Technology Ltd)
DRV - (ctac32k) -- C:\WINDOWS\SYSTEM32\DRIVERS\ctac32k.sys (Creative Technology Ltd)
DRV - (dsunidrv) -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys (Gteko Ltd.)
DRV - (DSproct) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.)
DRV - (tfsnudfa) -- C:\WINDOWS\SYSTEM32\dla\tfsnudfa.sys (Sonic Solutions)
DRV - (tfsnudf) -- C:\WINDOWS\SYSTEM32\dla\tfsnudf.sys (Sonic Solutions)
DRV - (tfsnifs) -- C:\WINDOWS\SYSTEM32\dla\tfsnifs.sys (Sonic Solutions)
DRV - (tfsncofs) -- C:\WINDOWS\SYSTEM32\dla\tfsncofs.sys (Sonic Solutions)
DRV - (tfsnboio) -- C:\WINDOWS\SYSTEM32\dla\tfsnboio.sys (Sonic Solutions)
DRV - (tfsnopio) -- C:\WINDOWS\SYSTEM32\dla\tfsnopio.sys (Sonic Solutions)
DRV - (tfsnpool) -- C:\WINDOWS\SYSTEM32\dla\tfsnpool.sys (Sonic Solutions)
DRV - (tfsndrct) -- C:\WINDOWS\SYSTEM32\dla\tfsndrct.sys (Sonic Solutions)
DRV - (tfsndres) -- C:\WINDOWS\SYSTEM32\dla\tfsndres.sys (Sonic Solutions)
DRV - (drvmcdb) -- C:\WINDOWS\system32\drivers\drvmcdb.sys (Sonic Solutions)
DRV - (drvnddm) -- C:\WINDOWS\SYSTEM32\DRIVERS\drvnddm.sys (Sonic Solutions)
DRV - (ati2mtag) -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (61883) -- C:\WINDOWS\SYSTEM32\DRIVERS\61883.sys (Microsoft Corporation)
DRV - (Avc) -- C:\WINDOWS\SYSTEM32\DRIVERS\avc.sys (Microsoft Corporation)
DRV - (MSDV) -- C:\WINDOWS\SYSTEM32\DRIVERS\msdv.sys (Microsoft Corporation)
DRV - (gameenum) -- C:\WINDOWS\SYSTEM32\DRIVERS\gameenum.sys (Microsoft Corporation)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (nv) -- C:\WINDOWS\SYSTEM32\DRIVERS\NV4_MINI.SYS (NVIDIA Corporation)
DRV - (sscdbhk5) -- C:\WINDOWS\SYSTEM32\DRIVERS\sscdbhk5.sys (Sonic Solutions)
DRV - (ssrtln) -- C:\WINDOWS\SYSTEM32\DRIVERS\ssrtln.sys (Sonic Solutions)
DRV - (iaStor) -- C:\WINDOWS\system32\drivers\iaStor.sys (Intel Corporation)
DRV - (IntelC53) -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC53.sys (Intel Corporation)
DRV - (b57w2k) -- C:\WINDOWS\SYSTEM32\DRIVERS\b57xp32.sys (Broadcom Corporation)
DRV - (IntelC52) -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC52.sys (Intel Corporation)
DRV - (IntelC51) -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC51.sys (Intel Corporation)
DRV - (mohfilt) -- C:\WINDOWS\SYSTEM32\DRIVERS\mohfilt.sys (Intel Corporation)
DRV - (A3AB) D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB) -- C:\WINDOWS\SYSTEM32\DRIVERS\A3AB.sys (D-Link Corporation)
DRV - (ANIO) -- C:\WINDOWS\SYSTEM32\ANIO.sys (Alpha Networks Inc.)
DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\SYSTEM32\DRIVERS\wanatw4.sys (America Online, Inc.)
DRV - (EMATCORE) -- C:\WINDOWS\SYSTEM32\DRIVERS\AtlsVid.sys (Dell Computer Corporation)
DRV - (AtlsAud) -- C:\WINDOWS\SYSTEM32\DRIVERS\AtlsAud.sys (Dell Computer Corporation)
DRV - (omci) -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys (Dell Computer Corporation)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (MODEMCSA) -- C:\WINDOWS\SYSTEM32\DRIVERS\MODEMCSA.sys (Microsoft Corporation)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/02/10 14:13:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/02/17 22:21:25 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2010/04/04 22:35:49 | 000,000,027 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (dsWebAllowBHO Class) - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll (Microsoft Corporation)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe (Alpha Networks Inc.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [BuildBU] c:\DELL\BLDBUBG.EXE ()
O4 - HKLM..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\System32\CtHelper.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe (D-Link)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe ()
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [McENUI] C:\Program Files\McAfee\MHN\McENUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MimBoot] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot.exe (Musicmatch, Inc.)
O4 - HKLM..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe (Musicmatch, Inc.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe (Sonic Solutions)
O4 - HKLM..\Run: [SolidWorks_CheckForUpdates] C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe (Dassault Systèmes SolidWorks Corp.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe (Alcatel-Lucent)
O4 - HKLM..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\VSP\VerizonServicepoint.exe (Verizon)
O4 - HKCU..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - HKCU..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE (Microsoft Corporation)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [UpdateFlow.Verizon] C:\Program Files\Verizon\McciBrowser.exe (Alcatel-Lucent)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe (America Online, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe (Autodesk, Inc)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Steve\Start Menu\Programs\Startup\SolidWorks Task Scheduler Engine.lnk = C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\swBOEngine.exe (Dassault Systèmes SolidWorks Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/share ... insctl.cab (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microso ... 0671407390 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/fl ... rashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_18)
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\mctp {d7b95390-b1c5-11d0-b111-0080c712fe82} - C:\Program Files\Microsoft ActiveSync\AATP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/03/05 19:26:48 | 000,000,000 | ---D | M] - C:\AutoCAD DWG converter -- [ NTFS ]
O32 - AutoRun File - [2004/08/10 11:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...com [@ = ComFile] -- Reg Error: Key error. File not found
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/04/06 22:25:32 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/04/06 16:26:12 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTL.exe
[2010/04/04 23:22:48 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/04/04 23:05:07 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/03/26 15:26:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/03/26 15:26:17 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/03/26 15:26:16 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/03/26 15:26:16 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/03/26 15:26:16 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/03/26 15:26:16 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/03/21 18:34:16 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/03/21 18:32:58 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/21 18:32:58 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/21 18:32:58 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/21 18:32:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/03/21 18:31:53 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/20 13:05:43 | 000,000,000 | ---D | C] -- C:\HelpAsst_backup
[2010/03/20 13:05:40 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\swreg.exe
[2010/03/12 00:46:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Real
[2009/12/01 15:47:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2009/11/24 10:31:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/02/15 15:39:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Roxio
[2008/03/14 13:30:37 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/01/28 13:28:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2007/02/25 17:31:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2005/06/04 16:04:22 | 000,034,816 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2005/06/04 15:35:14 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[1979/12/31 22:00:00 | 000,151,552 | ---- | C] ( ) -- C:\WINDOWS\System32\ATIDEMGR.dll

========== Files - Modified Within 30 Days ==========

[2010/04/06 22:40:18 | 010,485,760 | ---- | M] () -- C:\Documents and Settings\Steve\ntuser.dat
[2010/04/06 22:30:19 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2010/04/06 22:30:01 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/06 22:29:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/04/06 22:29:57 | 1071,812,608 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/06 22:26:58 | 000,031,056 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000005-00000000-00000002-00001102-00000004-20061102}.rfx
[2010/04/06 22:26:58 | 000,031,056 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000005-00000000-00000002-00001102-00000004-20061102}.rfx
[2010/04/06 22:26:58 | 000,030,528 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000005-00000000-00000002-00001102-00000004-20061102}.rfx
[2010/04/06 22:26:58 | 000,030,528 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000005-00000000-00000002-00001102-00000004-20061102}.rfx
[2010/04/06 22:26:58 | 000,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000005-00000000-00000002-00001102-00000004-20061102}.rfx
[2010/04/06 22:26:47 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Steve\NTUSER.INI
[2010/04/06 22:20:15 | 000,022,837 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/04/06 22:13:50 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Microsoft Office Outlook 2003.lnk
[2010/04/06 16:31:15 | 004,958,588 | ---- | M] () -- C:\WINDOWS\{00000005-00000000-00000002-00001102-00000004-20061102}.CDF
[2010/04/06 16:31:15 | 004,958,588 | ---- | M] () -- C:\WINDOWS\{00000005-00000000-00000002-00001102-00000004-20061102}.BAK
[2010/04/06 16:26:28 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTL.exe
[2010/04/05 21:45:23 | 000,002,385 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SolidWorks 2009 SP0.0.lnk
[2010/04/04 22:36:11 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/04 22:35:49 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts
[2010/04/04 14:57:25 | 000,144,896 | ---- | M] () -- C:\Documents and Settings\Steve\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/03 23:29:47 | 000,000,819 | ---- | M] () -- C:\WINDOWS\EntPack.ini
[2010/04/02 17:00:29 | 000,000,987 | ---- | M] () -- C:\WINDOWS\WIN.INI
[2010/04/02 17:00:29 | 000,000,281 | RHS- | M] () -- C:\BOOT.INI
[2010/04/01 13:41:09 | 003,906,159 | R--- | M] () -- C:\Documents and Settings\Steve\Desktop\ComboFix.exe
[2010/03/31 10:09:33 | 000,002,449 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Vz In-Home Agent.lnk
[2010/03/26 15:25:50 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/03/26 15:25:50 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/03/26 15:25:50 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/03/26 15:25:50 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/03/26 15:25:49 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/03/24 15:57:39 | 000,001,786 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Install Jukebox.lnk
[2010/03/21 19:25:46 | 000,001,475 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Windows Explorer.lnk
[2010/03/20 12:07:37 | 000,488,240 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\HelpAsst_mebroot_fix.exe
[2010/03/19 22:23:51 | 000,435,466 | ---- | M] () -- C:\Documents and Settings\Steve\My Documents\USC parking.pdf
[2010/03/17 22:38:32 | 000,202,502 | ---- | M] () -- C:\Documents and Settings\Steve\My Documents\USC 2010 Invite Entries.pdf
[2010/03/14 11:13:52 | 000,445,370 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2010/03/14 11:13:52 | 000,072,576 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2010/03/14 11:13:48 | 000,528,752 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/13 13:05:49 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/03/12 18:02:38 | 000,261,632 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/03/09 12:23:14 | 000,284,260 | ---- | M] () -- C:\Documents and Settings\Steve\My Documents\W9 for Manulife-Steve .pdf
[2010/03/08 16:24:41 | 000,001,519 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Notepad.lnk
[2010/03/08 01:01:24 | 000,002,467 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\ABBYY FineReader 6.0 Sprint.lnk

========== Files Created - No Company Name ==========

[2010/04/02 17:00:27 | 000,002,109 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
[2010/04/02 17:00:27 | 000,000,831 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
[2010/04/01 13:42:50 | 003,906,159 | R--- | C] () -- C:\Documents and Settings\Steve\Desktop\ComboFix.exe
[2010/03/29 15:58:42 | 1071,812,608 | -HS- | C] () -- C:\hiberfil.sys
[2010/03/24 15:57:39 | 000,001,786 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Install Jukebox.lnk
[2010/03/23 23:21:39 | 000,000,446 | ---- | C] () -- C:\Documents and Settings\Steve\mbr.log
[2010/03/23 10:32:31 | 000,488,240 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\HelpAsst_mebroot_fix.exe
[2010/03/21 18:34:24 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/03/21 18:34:19 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/03/21 18:32:58 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/21 18:32:58 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/03/21 18:32:58 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/03/20 13:05:41 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/03/20 13:05:40 | 000,077,312 | ---- | C] () -- C:\WINDOWS\mbr.exe
[2010/03/19 22:23:51 | 000,435,466 | ---- | C] () -- C:\Documents and Settings\Steve\My Documents\USC parking.pdf
[2010/03/18 12:07:09 | 000,000,003 | ---- | C] () -- C:\Documents and Settings\Steve\dxva_sig.txt
[2010/03/17 22:38:32 | 000,202,502 | ---- | C] () -- C:\Documents and Settings\Steve\My Documents\USC 2010 Invite Entries.pdf
[2010/03/13 13:05:46 | 000,002,002 | ---- | C] () -- C:\Documents and Settings\Steve\Start Menu\Programs\Startup\SolidWorks Task Scheduler Engine.lnk
[2010/03/13 13:05:46 | 000,001,949 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
[2010/03/13 13:05:46 | 000,001,781 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
[2010/03/09 12:23:14 | 000,284,260 | ---- | C] () -- C:\Documents and Settings\Steve\My Documents\W9 for Manulife-Steve .pdf
[2010/03/08 16:24:41 | 000,001,519 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Notepad.lnk
[2010/03/08 01:42:04 | 004,958,588 | ---- | C] () -- C:\WINDOWS\{00000005-00000000-00000002-00001102-00000004-20061102}.BAK
[2010/03/05 19:51:52 | 000,311,888 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/08/17 23:34:51 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/08/17 23:33:00 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPWF500.ini
[2009/08/16 20:40:17 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2009/02/15 23:12:45 | 000,021,080 | ---- | C] () -- C:\Documents and Settings\Steve\Local Settings\Application Data\rx_audio.Cache
[2009/02/15 16:58:43 | 003,166,508 | ---- | C] () -- C:\Documents and Settings\Steve\Local Settings\Application Data\rx_image.Cache
[2009/02/15 16:51:00 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\Steve\Application Data\DMX.bmk
[2008/03/05 16:43:34 | 010,485,760 | ---- | C] () -- C:\Documents and Settings\Steve\ntuser.dat
[2007/09/09 14:41:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\eDrawingOfficeAutomator.INI
[2007/08/21 21:46:34 | 000,059,160 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[2007/08/21 12:22:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2007/05/20 12:29:49 | 000,027,240 | ---- | C] () -- C:\Documents and Settings\Steve\Application Data\Personal Address Book.ADR
[2007/04/12 09:10:28 | 000,105,728 | ---- | C] () -- C:\WINDOWS\System32\APOMgrH.dll
[2007/04/09 13:55:14 | 000,097,785 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2007/04/09 13:33:50 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CTBurst.dll
[2007/04/05 21:24:45 | 000,003,650 | ---- | C] () -- C:\Documents and Settings\Steve\temp address book
[2007/04/03 14:21:35 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A5W.INI
[2007/02/13 17:19:10 | 000,000,171 | ---- | C] () -- C:\WINDOWS\CustomPalette.ini
[2006/04/29 19:56:33 | 000,000,819 | ---- | C] () -- C:\WINDOWS\EntPack.ini
[2005/08/03 06:58:01 | 000,000,297 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2005/06/26 19:22:42 | 000,144,896 | ---- | C] () -- C:\Documents and Settings\Steve\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/06/25 11:33:41 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Steve\Local Settings\Application Data\fusioncache.dat
[2005/06/24 13:11:23 | 000,000,737 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/06/24 11:17:29 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Steve\ntuser.dat.LOG
[2005/06/24 11:17:29 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Steve\NTUSER.INI
[2005/06/24 11:16:43 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2005/06/24 11:16:43 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2005/06/16 11:17:16 | 000,071,680 | ---- | C] () -- C:\WINDOWS\System32\ctmmactl.dll
[2005/06/04 16:18:10 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/06/04 16:13:48 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/06/04 16:04:44 | 000,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2005/06/04 16:04:24 | 000,014,424 | ---- | C] () -- C:\WINDOWS\System32\Aud2_Del.ini
[2005/06/04 16:04:24 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2005/06/04 16:04:22 | 000,000,307 | ---- | C] () -- C:\WINDOWS\System32\kill.ini
[2005/06/04 16:04:02 | 000,000,136 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2005/06/04 15:36:52 | 000,000,367 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/10 11:13:12 | 000,000,839 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
[2004/08/04 03:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\FXSPERF.INI
[2004/01/30 16:07:46 | 000,245,408 | ---- | C] () -- C:\WINDOWS\System32\unicows.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1996/12/09 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1996/12/09 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL
[1996/12/04 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1979/12/31 22:00:00 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Steve\My Documents\MCRDVisitorMapSlice3.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Steve\My Documents\MCRDVisitorMapSlice2.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Steve\My Documents\MCRD Visitor Map.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Steve\My Documents\MCRD Map B&W.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Steve\My Documents\Delano 2007.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Steve\My Documents\3D RC Benoit.wmv:Roxio EMC Stream
< End of report >


-------------------- 2ND OTL LOG (EXTRAS) FROM "RUN SCAN" STEP 4 --------------------------

OTL Extras logfile created on: 4/6/2010 10:46:45 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Steve\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 506.00 Mb Available Physical Memory | 50.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 145.25 Gb Total Space | 81.56 Gb Free Space | 56.15% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D61JTM71
Current User Name: Steve
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- Reg Error: Key error. File not found
.cmd [@ = cmdfile] -- Reg Error: Key error. File not found
.com [@ = ComFile] -- Reg Error: Key error. File not found
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = htmlfile] -- Reg Error: Key error. File not found
.url [@ = InternetShortcut] -- Reg Error: Key error. File not found
.vbs [@ = VBSFile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- (America Online, Inc)
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- (America Online, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Disabled:AOL -- (America Online, Inc)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Disabled:AOL -- (America Online, Inc.)
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Disabled:AOL -- (America Online, Inc.)
"C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" = C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE:*:Enabled:Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMGR.EXE" = C:\Program Files\Microsoft ActiveSync\WCESMGR.EXE:*:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01A1A019-E1D8-482A-BE17-5E118D17C0A0}" = ArcSoft Print Creations - Brochure
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player
"{06379784-4648-46BF-9426-0B10817F0AF5}" = PhotoView 360
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Central Data
"{098122AB-C605-4853-B441-C0A4EB359B75}" = DirectXInstallService
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{14374619-0900-4056-BA06-C87C900AF9E6}" = QuickBooks Simple Start Special Edition
"{15D7ECFC-B252-4990-A6BC-1C550A046FE5}" = SolidWorks eDrawings 2009
"{1B683082-8791-4D00-8ADE-6C8986FCCC68}" = Roxio CinePlayer
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Central Tools
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD LE
"{2266312B-3502-41EE-82CD-8DC62276D87B}" = Vz In Home Agent
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
"{2E086814-7392-4E0F-ADB8-54A81E47406C}" = Broadcom Advanced Control Suite 2
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{325CC540-F105-4074-BFC0-B8E26BFFE1D5}" = SolidWorks Explorer 2009 sp0
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{3499A6DB-7D6D-4F17-9AF1-CFB5CAF7BF6E}" = SolidWorks 2009 SP0
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZeroInstallers
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3E67A8DA-FE7B-4160-8465-F5571EA18753}" = Roxio Disc Gallery
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Modem On Hold
"{4192EAC0-6B36-4723-B216-D0E86E7757AC}" = Jasc Paint Shop Photo Album 5
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"{56F3E1FF-54FE-4384-A153-6CCABA097814}" = Creative MediaSource
"{5783F2D7-5001-0409-0002-0060B0CE6BBA}" = AutoCAD 2007 - English
"{5783F2D7-8028-0409-0000-0060B0CE6BBA}" = DWG TrueView 2010
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}" = Roxio BackOnTrack
"{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}" = Roxio File Backup
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{63D0588C-2740-459D-AFB4-6B03461B7891}" = SolidWorks Simulation 2009 SP0
"{65BD9AB2-696E-4598-91E6-C3EE77E64460}" = SolidWorks Motion 2009 SP0
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5
"{6E179C77-7335-458D-9537-4F4EAC0181ED}" = Photo Click
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}" = EarthLink setup files
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Central Audio
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{74FCFEA6-7447-4BDB-BFEC-FF195AA62A13}" = ANIWZCS Service
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}" = Jasc Paint Shop Pro Studio, Dell Editon
"{78D944D7-A97B-4004-AB0A-B5AD06839940}" = My Way Search Assistant
"{79B92240-9C65-4DD7-B1AD-59910D2C1353}" = AirPlus Xtreme G
"{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor
"{7A3F0566-5E05-4919-9C98-456F6B5CF831}" = Get High Speed Internet!
"{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}" = ANIO Service
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Roxio CinePlayer Decoder Pack
"{90120000-00A4-0409-0000-0000000FF1CE}" = Microsoft Office 2003 Web Components
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel Application Accelerator
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A9A1828-31D1-4590-A99F-022B7237AFAE}" = Roxio MediaShare
"{9E2514D9-DC24-4634-B348-61F3EF0F1628}" = Sound Blaster Audigy 2 ZS
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{AF06CAE4-C134-44B1-B699-14FBDB63BD37}" = Dell Picture Studio v3.0
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Central Copy
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BB46245B-CECA-406F-8790-3ABA0D01012F}" = Roxio VideoWave Movie Creator
"{BF83EFE2-C9F0-40D4-841C-2066668C1D7A}" = Roxio Easy Media Creator 10 Suite
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CA9ED5E4-1548-485B-A293-417840060158}" = ArcSoft Print Creations - Photo Calendar
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D481EA96-2313-4A7C-98EE-710D1AF884AC}" = Microsoft Visual Studio 2005 Tools for Applications - ENU
"{E2ADD9C8-8530-477E-AB7C-4E6B7C59CDAE}" = TurboCAD Professional v11.2
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E93E5EF6-D361-481E-849D-F16EF5C78EBC}" = Musicmatch for Windows Media Player
"{EC877639-07AB-495C-BFD1-D63AF9140810}" = Roxio Activation Module
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Central Core
"{EE1671E1-ECB2-446B-A278-E8C56CFC839E}" = DWGeditor
"{EEC2DAFD-5558-40AC-8E9C-5005C8F810E8}" = Microsoft Plus! for Windows XP
"{F626E006-C06C-466A-B133-92C1991385CA}" = ArcSoft Print Creations
"{F9198F2C-7B5E-4ED2-BB76-0F18A9B7FAB6}" = TurboCAD Symbols
"{FDB46DE7-9045-47BB-970A-3E4ED5369E03}" = EMC 10 Content
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"America Online us" = America Online (Choose which version to remove)
"AOL Connectivity Services" = AOL Connectivity Services
"AOLCoach" = AOL Coach Version 1.0(Build:20040229.1 en)
"ATI Display Driver" = ATI Display Driver
"Audacity_is1" = Audacity 1.2.6
"Autodesk DWF Viewer" = Autodesk DWF Viewer
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"Canon MOV Decoder" = Canon MOV Decoder
"CSCLIB" = Canon Camera Support Core Library
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"DWG TrueView 2010" = DWG TrueView 2010
"EOS Utility" = Canon Utilities EOS Utility
"EPSON Scanner" = EPSON Scan
"EPSON WorkForce 500 Series" = EPSON WorkForce 500 Series Printer Uninstall
"ESET Online Scanner" = ESET Online Scanner v3
"HijackThis" = HijackThis 2.0.2
"InstallShield_{2E086814-7392-4E0F-ADB8-54A81E47406C}" = Broadcom Advanced Control Suite 2
"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"InstallShield_{79B92240-9C65-4DD7-B1AD-59910D2C1353}" = AirPlus Xtreme G
"Intel(R) 537EP V9x DF PCI Modem" = Intel(R) 537EP V9x DF PCI Modem
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Visual Studio 2005 Tools for Applications - ENU" = Microsoft Visual Studio 2005 Tools for Applications - ENU
"MPEG4ASF Component" = Canon MPEG4ASF Component
"MSC" = McAfee SecurityCenter
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PhotoStitch" = Canon Utilities PhotoStitch
"QuickTime" = QuickTime
"RadialpointClientGateway_is1" = Verizon Servicepoint 1.5.24
"RealPlayer 6.0" = RealPlayer
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"SolidWorks Installation Manager 20090-40000-1100-200" = SolidWorks 2009 SP0
"StreetPlugin" = Learn2 Player (Uninstall Only)
"TruboCAD112D" = Learning TurboCAD 11 3D Modeling
"Verizon Help and Support" = Verizon Help and Support Tool
"Verizon High Speed Internet_is1" = Verizon High Speed Internet
"Verizon Yahoo! Applications" = Verizon Yahoo! Applications
"WIC" = Windows Imaging Component
"Windows CE Services" = Microsoft ActiveSync 3.7
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/17/2010 7:01:18 PM | Computer Name = D61JTM71 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 3/17/2010 7:03:36 PM | Computer Name = D61JTM71 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 3/17/2010 7:03:36 PM | Computer Name = D61JTM71 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 3/17/2010 7:03:36 PM | Computer Name = D61JTM71 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 3/17/2010 7:03:36 PM | Computer Name = D61JTM71 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 3/21/2010 1:04:24 AM | Computer Name = D61JTM71 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
module mcctxmnu.dll, version 13.15.102.0, fault address 0x00015e22.

Error - 3/24/2010 11:59:32 PM | Computer Name = D61JTM71 | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/26/2010 1:00:29 AM | Computer Name = D61JTM71 | Source = SecurityCenter | ID = 1802
Description = The Windows Security Center Service was unable to establish event
queries with WMI to monitor third party AntiVirus and Firewall.

Error - 3/28/2010 12:01:16 AM | Computer Name = D61JTM71 | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/28/2010 10:10:57 PM | Computer Name = D61JTM71 | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 4/7/2010 1:25:33 AM | Computer Name = D61JTM71 | Source = Service Control Manager | ID = 7034
Description = The McciCMService service terminated unexpectedly. It has done this
1 time(s).

Error - 4/7/2010 1:25:33 AM | Computer Name = D61JTM71 | Source = Service Control Manager | ID = 7031
Description = The McAfee Services service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 4/7/2010 1:25:33 AM | Computer Name = D61JTM71 | Source = Service Control Manager | ID = 7031
Description = The McAfee Network Agent service terminated unexpectedly. It has
done this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 4/7/2010 1:25:33 AM | Computer Name = D61JTM71 | Source = Service Control Manager | ID = 7031
Description = The McAfee Proxy Service service terminated unexpectedly. It has
done this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 4/7/2010 1:25:33 AM | Computer Name = D61JTM71 | Source = Service Control Manager | ID = 7031
Description = The McAfee Real-time Scanner service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Restart the service.

Error - 4/7/2010 1:25:34 AM | Computer Name = D61JTM71 | Source = Service Control Manager | ID = 7031
Description = The McAfee Personal Firewall Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
5000 milliseconds: Run the configured recovery program.

Error - 4/7/2010 1:25:34 AM | Computer Name = D61JTM71 | Source = Service Control Manager | ID = 7034
Description = The SupportSoft Sprocket Service (dellsupportcenter) service terminated
unexpectedly. It has done this 1 time(s).

Error - 4/7/2010 1:25:34 AM | Computer Name = D61JTM71 | Source = Service Control Manager | ID = 7034
Description = The McAfee Anti-Spam Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 4/7/2010 1:25:34 AM | Computer Name = D61JTM71 | Source = Service Control Manager | ID = 7034
Description = The Canon Camera Access Library 8 service terminated unexpectedly.
It has done this 1 time(s).

Error - 4/7/2010 1:25:37 AM | Computer Name = D61JTM71 | Source = Service Control Manager | ID = 7034
Description = The SolidWorks Licensing Service service terminated unexpectedly.
It has done this 1 time(s).


< End of report >
av8r
Regular Member
 
Posts: 35
Joined: March 13th, 2010, 8:30 pm

Re: Mbam cannot remove "Trojan.PWS"

Unread postby Katana » April 7th, 2010, 5:46 pm

OK, that looks like it has stopped the infection.

Right then let's see if we can find out what was causing the re-infection all the time.

What music file were you trying to play, I will need the full file path and name.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Mbam cannot remove "Trojan.PWS"

Unread postby av8r » April 7th, 2010, 7:13 pm

I really hate to be the bearer of bad tidings, but our little “friend” is alive and well. I'm really sorry for all the frustration Katana. Rest assured I do appreciate all your time and effort and I'm sure we'll find and kill this bugger sooner or later. Anyway, after I read your note I decided I better reboot with an internet connection in place to be sure it was gone. When I did, the HelpAssistant profile came right back. It definitely has something to do with the start up sequence and must have an internet connection before it will launch. I have not done anything since I posted the results of the last series of steps and that includes playing music.

And based on what I have observed, I really don’t think it has anything to do with the music files. I play the songs with “shuffle on” so they play randomly. The player always goes into a loop within a few songs of starting it up no matter which file is playing, so I really doubt that the mp3 files are the problem. Both Windows Media Player and RealPlayer started acting funny immediately after the infection began, but Music Match continued to behave normally. So this made me think the sound device driver is OK and that it must have something to do with the players themselves. Interestingly, my printer also stopped printing black ink immediately after the infection. At first I thought it was out of ink, but not so. When I reinstalled the drivers for the printer, it started working properly again. So, I'm thinking that an audio codec or some other driver, perhaps shared by Media Player and Real Player, had been damaged by the infection. Anyway, if you still want to run a special scan just on the music files, the full path to the parent folder that contains all of my music subfolders and files is as follows:

C:\Documents and Settings\Steve\My Documents\My Music
av8r
Regular Member
 
Posts: 35
Joined: March 13th, 2010, 8:30 pm

Re: Mbam cannot remove "Trojan.PWS"

Unread postby Katana » April 10th, 2010, 4:53 pm

I apologise for the delay, I have been ill.

Let's try removing all the programs from startup and see if that helps us.


----------------------------------------------------------------------------------------
Step 1

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    KillAll::
    MBR::
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"=-
    "DellSupport"=-
    "AdobeUpdater"=-
    "ctfmon.exe"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Verizon_McciTrayApp"=-
    "VerizonServicepoint.exe"=-
    "UpdReg"=-
    "TkBellExe"=-
    "SunJavaUpdateSched"=-
    "SolidWorks_CheckForUpdates"=-
    "RoxWatchTray"=-
    "QuickTime Task"=-
    "MMTray"=-
    "MimBoot"=-
    "McENUI"=-
    "mcagent_exe"=-
    "ISUSScheduler"=-
    "IntelMeM"=-
    "IAAnotif"=-
    "DVDLauncher"=-
    "dscactivate"=-
    "DMXLauncher"=-
    "dla"=-
    "DellSupportCenter"=-
    "D-Link AirPlus Xtreme G"=-
    "CTSysVol"=-
    "CTHelper"=-
    "CTDVDDET"=-
    "BuildBU"=-
    "ATIPTA"=-
    "ArcSoft Connection Service"=-
    "ANIWZCSService"=-
    "Adobe Reader Speed Launcher"=-
    File::
    C:\WINDOWS\system32\termsrv32.dll
    

  • Save this as CFScript.txt and place it on your desktop.


    [screenshot: CFScript.txt being dragged onto ComboFix.exe]


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


----------------------------------------------------------------------------------------
Step 2

Boot to Recovery Console and run the Fixmbr command as before.


----------------------------------------------------------------------------------------
Step 3

Close out all other open programs and windows.
Double click HelpAsst_mebroot_fix.exe to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.


----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large; you may need to split them over a couple of replies.
  • Combofix log
  • HelpAssist log
  • How are things running now ?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Mbam cannot remove "Trojan.PWS"

Unread postby av8r » April 11th, 2010, 1:45 pm

Hello Katana. Sorry to hear about your illness. Perhaps my virus was able to spread to you through the keyboard and your fingertips. :roll:

Seriously, thanks for your perseverance. I hope you’re feeling better now. The logs you requested are posted below. The HelpAsst tool did not open a log upon completion, but I found it at C:\helpassit.log. It’s too early to say whether this has fixed the problem as I just finished running the tools and I have to leave now for the rest of the day. I will try to exercise the machine this evening when I return to check its behavior and will post an update.

----------------- COMBOFIX LOG --------------------------

ComboFix 10-04-10.02 - Steve 04/11/2010 9:36.7.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.565 [GMT -7:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point

FILE ::
"c:\windows\system32\termsrv32.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Steve\Recent\??????????????????????
c:\windows\system32\cthelper.exe
c:\windows\system32\termsrv32.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.

2010-04-07 05:25 . 2010-04-07 05:25 -------- d-----w- C:\_OTL
2010-04-05 06:22 . 2010-04-05 06:22 -------- d-----w- c:\program files\ESET
2010-03-26 22:26 . 2010-03-26 22:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-20 20:05 . 2010-03-20 20:05 -------- d-----w- C:\HelpAsst_backup

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 15:46 . 2009-09-27 04:15 -------- d-----w- c:\documents and settings\Steve\Application Data\IM
2010-04-06 04:45 . 2007-09-09 21:42 -------- d-----w- c:\documents and settings\Steve\Application Data\SolidWorks
2010-04-04 16:57 . 2010-03-12 07:46 439816 ----a-w- c:\documents and settings\Steve\Application Data\Real\Update\setup3.10\setup.exe
2010-04-03 00:05 . 2009-08-17 02:56 -------- d-----w- c:\program files\Verizon
2010-03-31 21:37 . 2009-09-21 03:07 -------- d-----w- c:\program files\McAfee
2010-03-31 06:22 . 2009-08-17 03:12 -------- d-----w- c:\program files\Common Files\Motive
2010-03-26 22:26 . 2005-06-04 23:02 -------- d-----w- c:\program files\Common Files\Java
2010-03-26 22:26 . 2010-03-26 22:26 503808 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6014ee1b-n\msvcp71.dll
2010-03-26 22:26 . 2010-03-26 22:26 348160 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6014ee1b-n\msvcr71.dll
2010-03-26 22:26 . 2010-03-26 22:26 499712 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6014ee1b-n\jmc.dll
2010-03-26 22:26 . 2010-03-26 22:26 61440 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-14b6677d-n\decora-sse.dll
2010-03-26 22:26 . 2010-03-26 22:26 12800 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-14b6677d-n\decora-d3d.dll
2010-03-26 22:25 . 2005-06-04 23:02 -------- d-----w- c:\program files\Java
2010-03-07 08:40 . 2005-06-27 02:04 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000005-00000000-00000002-00001102-00000004-20061102}.dat
2010-03-07 08:40 . 2005-06-27 02:04 384 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000002-00001102-00000004-20061102}.dat
2010-03-06 05:35 . 2005-06-25 18:33 180608 ----a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-06 03:46 . 2010-03-06 03:46 36864 ----a-w- c:\documents and settings\Steve\Application Data\Autodesk\DWG TrueView 2010\R7\enu\ContextualTabSelectorRules.dll
2010-03-06 02:51 . 2010-03-06 02:51 311888 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-06 02:38 . 2010-03-06 02:36 -------- d-----w- c:\program files\DWG TrueView 2010
2010-03-06 02:38 . 2008-03-21 22:54 -------- d-----w- c:\documents and settings\Steve\Application Data\Autodesk
2010-03-06 02:38 . 2008-03-21 22:47 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-03-06 02:36 . 2008-03-21 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2010-03-02 22:31 . 2010-03-02 22:31 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2010-03-02 22:31 . 2010-03-02 22:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-02 22:31 . 2010-03-02 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-28 03:31 . 2007-04-06 03:10 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-02-28 03:27 . 2010-02-28 03:27 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-28 03:26 . 2010-02-28 03:26 -------- d-----w- c:\program files\MSXML 6.0
2010-02-25 01:09 . 2010-02-25 01:09 -------- d-----w- c:\documents and settings\Steve\Application Data\SolidWorks 2009
2010-02-25 00:36 . 2010-02-24 23:35 -------- d-----w- c:\program files\SolidWorks Corp
2010-02-25 00:35 . 2010-02-24 23:36 -------- d-----w- c:\program files\Common Files\SolidWorks Shared
2010-02-25 00:34 . 2010-02-25 00:34 335872 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{06379784-4648-46BF-9426-0B10817F0AF5}\NewShortcut2_5135BE5531E34696827B50FE43E48CC2_1.exe
2010-02-25 00:34 . 2010-02-25 00:34 335872 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{06379784-4648-46BF-9426-0B10817F0AF5}\NewShortcut1_5135BE5531E34696827B50FE43E48CC2_1.exe
2010-02-25 00:34 . 2010-02-25 00:34 335872 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{06379784-4648-46BF-9426-0B10817F0AF5}\ARPPRODUCTICON.exe
2010-02-24 23:35 . 2008-03-21 22:54 -------- d-----w- c:\program files\AutoCAD 2007
2010-02-24 23:35 . 2010-02-24 23:35 -------- d-----w- c:\program files\AGEIA Technologies
2010-02-24 23:35 . 2010-02-24 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SolidWorks
2010-02-24 23:30 . 2009-09-27 04:17 -------- d-----w- c:\program files\Common Files\SolidWorks Installation Manager
2010-02-11 04:44 . 2009-07-09 20:51 -------- d-----w- c:\documents and settings\Steve\Application Data\ZoomBrowser EX
2010-02-11 04:43 . 2009-07-09 20:50 -------- d-----w- c:\documents and settings\Steve\Application Data\CameraWindowDC
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateFlow.Verizon"="c:\program files\Verizon\McciBrowser.exe" [2010-03-17 1048576]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\Steve\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks Corp\SolidWorks\swScheduler\swBOEngine.exe [2008-9-9 841000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-6-4 156784]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-4 11000]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-3-26 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"9620:TCP"= 9620:TCP:Services
"5560:TCP"= 5560:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"7699:TCP"= 7699:TCP:Services
"7700:TCP"= 7700:TCP:Services

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/20/2009 8:09 PM 93320]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 4:53 PM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 4:52 PM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 4:52 PM 166384]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\SYSTEM32\DRIVERS\A3AB.sys [6/26/2005 9:33 AM 344800]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [9/9/2008 7:01 AM 79144]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 4:53 PM 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 4:52 PM 1083888]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
.
Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-21 19:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-21 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
.
- - - - ORPHANS REMOVED - - - -

AddRemove-ESET Online Scanner - c:\program files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 09:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8621BCE8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7696fc3
\Driver\ACPI -> ACPI.sys @ 0xf74a9cb8
\Driver\atapi -> atapi.sys @ 0xf73d47b4
\Driver\iaStor -> 0x8621bce8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x85f5a330
PacketIndicateHandler -> NDIS.sys @ 0xf7275a0b
SendHandler -> NDIS.sys @ 0xf7289b31
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3992)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\system32\CTsvcCDA.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\Microsoft ActiveSync\WCESCOMM.EXE
c:\program files\Windows Desktop Search\WindowsSearchIndexer.exe
c:\docume~1\Steve\LOCALS~1\Temp\SolidWorksLicTemp.0001
c:\program files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
.
**************************************************************************
.
Completion time: 2010-04-11 09:55:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-11 16:55
ComboFix2.txt 2010-04-05 05:47
ComboFix3.txt 2010-04-02 23:26
ComboFix4.txt 2010-04-01 21:11
ComboFix5.txt 2010-04-11 16:30

Pre-Run: 87,105,904,640 bytes free
Post-Run: 87,076,831,232 bytes free

- - End Of File - - 9A7628040B182691F047B6E25E7C7420

----------------- HELPASSIST LOG --------------------------

C:\Documents and Settings\Steve\Desktop\HelpAsst_mebroot_fix.exe
Sun 04/11/2010 at 10:15:15.43

HelpAssistant account was found to be Inactive


~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list


HelpAssistant profile not found in registry

~~ Checking mbr ~~

user & kernel MBR OK
av8r
Regular Member
 
Posts: 35
Joined: March 13th, 2010, 8:30 pm

Re: Mbam cannot remove "Trojan.PWS"

Unread postby Katana » April 11th, 2010, 4:53 pm

Please run the following script and let me know if the infection has returned or not.



Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"=-
    "52344:TCP"=-
    "9620:TCP"=-
    "5560:TCP"=-
    "3389:TCP"=-
    "7699:TCP"=-
    "7700:TCP"=-
    ADS::

  • Save this as CFScript.txt and place it on your desktop.


    [screenshot: CFScript.txt being dragged onto ComboFix.exe]


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
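
An added example, not a tool from the forum, from ComboFix or from the helper's CFScripts: the Python script below does the log triage that both of Katana's scripts rest on. It scans ComboFix / HelpAsst_mebroot_fix log text for the three indicators this thread keeps returning to: entries in the Windows Firewall GloballyOpenPorts list (the "Services"-labelled ports the second Registry:: script deletes), the hook list and verdict of the Gmer "Stealth MBR rootkit" block, and the HelpAssistant account state. It assumes ComboFix's bracketed registry-key layout and the Gmer section wording seen in the logs above; the allowlist of expected ports and the sample log are constructed for illustration.

```python
"""Triage helper for ComboFix / HelpAsst_mebroot_fix log excerpts (added example)."""
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

Port = Tuple[int, str]  # (port number, protocol)

# ComboFix prints firewall keys as [HKLM\~\services\sharedaccess\...\GloballyOpenPorts\List]
PORTS_KEY_RE = re.compile(
    r'^\[(HKLM\\~\\services\\sharedaccess\\[^\]]*?GloballyOpenPorts\\List)\]$', re.I)
# entry lines look like  "65533:TCP"= 65533:TCP:Services
PORT_ENTRY_RE = re.compile(r'^"(\d+):(TCP|UDP)"\s*=\s*\d+:(?:TCP|UDP):(.*)$')
HELPASST_RE = re.compile(r'^HelpAssistant account was found to be (Active|Inactive)$', re.I)


@dataclass
class Triage:
    open_ports: List[Tuple[int, str, str, str]] = field(default_factory=list)  # port, proto, label, key
    unexpected_ports: List[Tuple[int, str, str]] = field(default_factory=list)
    mbr_hooks: List[str] = field(default_factory=list)
    mbr_warning: bool = False
    helpassistant_active: Optional[bool] = None


def parse_log(text: str, expected: FrozenSet[Port] = frozenset()) -> Triage:
    """Single pass over the log, tracking which block the current line belongs to."""
    t = Triage()
    ports_key: Optional[str] = None   # set while inside a GloballyOpenPorts\List key
    in_hooks = False                  # set after "detected MBR rootkit hooks:"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('['):      # any registry key header starts a new block
            m = PORTS_KEY_RE.match(line)
            ports_key = m.group(1) if m else None
            continue
        if ports_key is not None:
            m = PORT_ENTRY_RE.match(line)
            if m:
                port, proto, label = int(m.group(1)), m.group(2), m.group(3).strip()
                t.open_ports.append((port, proto, label, ports_key))
                if (port, proto) not in expected:
                    t.unexpected_ports.append((port, proto, label))
                continue
            ports_key = None          # blank line or other text ends the key block
        if line == 'detected MBR rootkit hooks:':
            in_hooks = True
            continue
        if in_hooks:
            if line.startswith('Warning: possible MBR rootkit'):
                t.mbr_warning = True
                in_hooks = False
            elif not line or line.startswith('user & kernel MBR'):
                in_hooks = False
            else:
                t.mbr_hooks.append(line)
            continue
        if line.startswith('Warning: possible MBR rootkit'):
            t.mbr_warning = True
            continue
        m = HELPASST_RE.match(line)
        if m:
            t.helpassistant_active = m.group(1).lower() == 'active'
    return t


def summarize(t: Triage) -> List[str]:
    """Human-readable findings, one per line."""
    findings = [f'firewall: {port}/{proto} globally open ("{label}")'
                for port, proto, label in t.unexpected_ports]
    if t.mbr_hooks:
        findings.append(f'mbr: {len(t.mbr_hooks)} hook(s) reported by the Gmer detector')
    if t.mbr_warning:
        findings.append('mbr: detector printed "possible MBR rootkit infection"')
    if t.helpassistant_active:
        findings.append('account: HelpAssistant is active')
    return findings


# Constructed sample, modelled on the log lines posted in this thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"7700:TCP"= 7700:TCP:Services

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8621BCE8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7696fc3
\Driver\iaStor -> 0x8621bce8
Warning: possible MBR rootkit infection !
user & kernel MBR OK

HelpAssistant account was found to be Inactive
"""

if __name__ == '__main__':
    # Assumption: on a home XP box that never uses Remote Desktop, no port should be globally open.
    for finding in summarize(parse_log(SAMPLE_LOG, expected=frozenset())):
        print(finding)
```

The allowlist is deliberately empty by default: on this machine 3389/TCP is exactly the port the HelpAssistant abuse relies on, so it is reported alongside the generic "Services" entries rather than excused. Pass `expected=frozenset({(3389, 'TCP')})` on a host where Remote Desktop is legitimately in use.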

Re: Mbam cannot remove "Trojan.PWS"

Unread postby av8r » April 11th, 2010, 9:57 pm

Ok, I ran the script as requested. The ComboFix log follows. After Combofix ran, I shut down and rebooted with an internet connection and the HelpAssistant infection came right back.

I’m wondering…in all the Combofix logs there is a section with the following header:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

It seems to always detect rootkit hooks and they seem to be related to several drivers. Is that the problem? Are those drivers infected? Can they be replaced/overlayed? Just wondering…

---------------- COMBOFIX LOG ---------------------------

ComboFix 10-04-10.02 - Steve 04/11/2010 17:29:23.8.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.565 [GMT -7:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.

2010-04-07 05:25 . 2010-04-07 05:25 -------- d-----w- C:\_OTL
2010-04-05 06:22 . 2010-04-05 06:22 -------- d-----w- c:\program files\ESET
2010-03-26 22:26 . 2010-03-26 22:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-20 20:05 . 2010-03-20 20:05 -------- d-----w- C:\HelpAsst_backup

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 15:46 . 2009-09-27 04:15 -------- d-----w- c:\documents and settings\Steve\Application Data\IM
2010-04-06 04:45 . 2007-09-09 21:42 -------- d-----w- c:\documents and settings\Steve\Application Data\SolidWorks
2010-04-04 16:57 . 2010-03-12 07:46 439816 ----a-w- c:\documents and settings\Steve\Application Data\Real\Update\setup3.10\setup.exe
2010-04-03 00:05 . 2009-08-17 02:56 -------- d-----w- c:\program files\Verizon
2010-03-31 21:37 . 2009-09-21 03:07 -------- d-----w- c:\program files\McAfee
2010-03-31 06:22 . 2009-08-17 03:12 -------- d-----w- c:\program files\Common Files\Motive
2010-03-26 22:26 . 2005-06-04 23:02 -------- d-----w- c:\program files\Common Files\Java
2010-03-26 22:26 . 2010-03-26 22:26 503808 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6014ee1b-n\msvcp71.dll
2010-03-26 22:26 . 2010-03-26 22:26 348160 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6014ee1b-n\msvcr71.dll
2010-03-26 22:26 . 2010-03-26 22:26 499712 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6014ee1b-n\jmc.dll
2010-03-26 22:26 . 2010-03-26 22:26 61440 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-14b6677d-n\decora-sse.dll
2010-03-26 22:26 . 2010-03-26 22:26 12800 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-14b6677d-n\decora-d3d.dll
2010-03-26 22:25 . 2005-06-04 23:02 -------- d-----w- c:\program files\Java
2010-03-07 08:40 . 2005-06-27 02:04 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000005-00000000-00000002-00001102-00000004-20061102}.dat
2010-03-07 08:40 . 2005-06-27 02:04 384 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000002-00001102-00000004-20061102}.dat
2010-03-06 05:35 . 2005-06-25 18:33 180608 ----a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-06 03:46 . 2010-03-06 03:46 36864 ----a-w- c:\documents and settings\Steve\Application Data\Autodesk\DWG TrueView 2010\R7\enu\ContextualTabSelectorRules.dll
2010-03-06 02:51 . 2010-03-06 02:51 311888 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-06 02:38 . 2010-03-06 02:36 -------- d-----w- c:\program files\DWG TrueView 2010
2010-03-06 02:38 . 2008-03-21 22:54 -------- d-----w- c:\documents and settings\Steve\Application Data\Autodesk
2010-03-06 02:38 . 2008-03-21 22:47 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-03-06 02:36 . 2008-03-21 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2010-03-02 22:31 . 2010-03-02 22:31 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2010-03-02 22:31 . 2010-03-02 22:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-02 22:31 . 2010-03-02 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-28 03:31 . 2007-04-06 03:10 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-02-28 03:27 . 2010-02-28 03:27 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-28 03:26 . 2010-02-28 03:26 -------- d-----w- c:\program files\MSXML 6.0
2010-02-25 01:09 . 2010-02-25 01:09 -------- d-----w- c:\documents and settings\Steve\Application Data\SolidWorks 2009
2010-02-25 00:36 . 2010-02-24 23:35 -------- d-----w- c:\program files\SolidWorks Corp
2010-02-25 00:35 . 2010-02-24 23:36 -------- d-----w- c:\program files\Common Files\SolidWorks Shared
2010-02-25 00:34 . 2010-02-25 00:34 335872 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{06379784-4648-46BF-9426-0B10817F0AF5}\NewShortcut2_5135BE5531E34696827B50FE43E48CC2_1.exe
2010-02-25 00:34 . 2010-02-25 00:34 335872 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{06379784-4648-46BF-9426-0B10817F0AF5}\NewShortcut1_5135BE5531E34696827B50FE43E48CC2_1.exe
2010-02-25 00:34 . 2010-02-25 00:34 335872 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{06379784-4648-46BF-9426-0B10817F0AF5}\ARPPRODUCTICON.exe
2010-02-24 23:35 . 2008-03-21 22:54 -------- d-----w- c:\program files\AutoCAD 2007
2010-02-24 23:35 . 2010-02-24 23:35 -------- d-----w- c:\program files\AGEIA Technologies
2010-02-24 23:35 . 2010-02-24 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SolidWorks
2010-02-24 23:30 . 2009-09-27 04:17 -------- d-----w- c:\program files\Common Files\SolidWorks Installation Manager
2010-02-11 04:44 . 2009-07-09 20:51 -------- d-----w- c:\documents and settings\Steve\Application Data\ZoomBrowser EX
2010-02-11 04:43 . 2009-07-09 20:50 -------- d-----w- c:\documents and settings\Steve\Application Data\CameraWindowDC
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateFlow.Verizon"="c:\program files\Verizon\McciBrowser.exe" [2010-03-17 1048576]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\Steve\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks Corp\SolidWorks\swScheduler\swBOEngine.exe [2008-9-9 841000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-6-4 156784]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-4 11000]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-3-26 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1653:TCP"= 1653:TCP:Services
"1806:TCP"= 1806:TCP:Services
"2464:TCP"= 2464:TCP:Services
"3428:TCP"= 3428:TCP:Services

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/20/2009 8:09 PM 93320]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 4:53 PM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 4:52 PM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 4:52 PM 166384]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\SYSTEM32\DRIVERS\A3AB.sys [6/26/2005 9:33 AM 344800]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [9/9/2008 7:01 AM 79144]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 4:53 PM 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 4:52 PM 1083888]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
.
Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-21 19:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-21 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 17:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x866EDB58]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7696fc3
\Driver\ACPI -> ACPI.sys @ 0xf74a9cb8
\Driver\atapi -> atapi.sys @ 0xf73d47b4
\Driver\iaStor -> 0x866edb58
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x85fb9330
PacketIndicateHandler -> NDIS.sys @ 0xf7275a0b
SendHandler -> NDIS.sys @ 0xf7289b31
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2004)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\system32\CTsvcCDA.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Microsoft ActiveSync\WCESCOMM.EXE
c:\program files\Windows Desktop Search\WindowsSearchIndexer.exe
c:\docume~1\Steve\LOCALS~1\Temp\SolidWorksLicTemp.0001
c:\program files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
c:\program files\Windows Desktop Search\WindowsSearchFilter.exe
.
**************************************************************************
.
Completion time: 2010-04-11 17:53:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-12 00:53
ComboFix2.txt 2010-04-11 16:55
ComboFix3.txt 2010-04-05 05:47
ComboFix4.txt 2010-04-02 23:26
ComboFix5.txt 2010-04-12 00:23

Pre-Run: 87,077,584,896 bytes free
Post-Run: 87,046,148,096 bytes free

- - End Of File - - B6C6F261DF0AFCC3FF47EF0FF6F6CEF5
av8r
Regular Member
 
Posts: 35
Joined: March 13th, 2010, 8:30 pm

Re: Mbam cannot remove "Trojan.PWS"

Unread postby Katana » April 13th, 2010, 6:27 pm

av8r wrote: I’m wondering… in all the Combofix logs there is a section with the following header:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

It seems to always detect rootkit hooks and they seem to be related to several drivers. Is that the problem? Are those drivers infected? Can they be replaced/overlaid? Just wondering…

I suspect that they are safe to be honest, but it won't hurt to check.

The part that interests me is that Combofix is showing the Microsoft installer file running all the time. ??????

Download TDSSKiller.zip and extract TDSSKiller.exe to your Desktop.

Double-click TDSSKiller.exe and follow the prompts to run it.

When finished, it will prompt you to press any key.

It will produce a log here > C:\TDSSKiller.2.2.7_date_time_log.txt

Please navigate to the file, double-click to open it, and copy/paste the contents in your next reply.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Mbam cannot remove "Trojan.PWS"

Unread postby av8r » April 13th, 2010, 11:53 pm

Ok, done. The TDSS Log follows. What would you like to try next?

20:45:03:617 1412 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
20:45:03:617 1412 ================================================================================
20:45:03:617 1412 SystemInfo:

20:45:03:617 1412 OS Version: 5.1.2600 ServicePack: 2.0
20:45:03:617 1412 Product type: Workstation
20:45:03:617 1412 ComputerName: D61JTM71
20:45:03:617 1412 UserName: Steve
20:45:03:617 1412 Windows directory: C:\WINDOWS
20:45:03:617 1412 Processor architecture: Intel x86
20:45:03:617 1412 Number of processors: 2
20:45:03:617 1412 Page size: 0x1000
20:45:03:617 1412 Boot type: Normal boot
20:45:03:617 1412 ================================================================================
20:45:03:633 1412 UnloadDriverW: NtUnloadDriver error 2
20:45:03:633 1412 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
20:45:03:679 1412 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
20:45:03:679 1412 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:45:03:679 1412 wfopen_ex: Trying to KLMD file open
20:45:03:679 1412 wfopen_ex: File opened ok (Flags 2)
20:45:03:679 1412 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
20:45:03:679 1412 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:45:03:679 1412 wfopen_ex: Trying to KLMD file open
20:45:03:679 1412 wfopen_ex: File opened ok (Flags 2)
20:45:03:695 1412 Initialize success
20:45:03:695 1412
20:45:03:695 1412 Scanning Services ...
20:45:03:789 1412 Raw services enum returned 414 services
20:45:03:804 1412
20:45:03:804 1412 Scanning Kernel memory ...
20:45:03:804 1412 Devices to scan: 6
20:45:03:804 1412
20:45:03:804 1412 Driver Name: Disk
20:45:03:804 1412 IRP_MJ_CREATE : F7698C30
20:45:03:804 1412 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
20:45:03:804 1412 IRP_MJ_CLOSE : F7698C30
20:45:03:804 1412 IRP_MJ_READ : F7692D9B
20:45:03:804 1412 IRP_MJ_WRITE : F7692D9B
20:45:03:804 1412 IRP_MJ_QUERY_INFORMATION : 804F4544
20:45:03:804 1412 IRP_MJ_SET_INFORMATION : 804F4544
20:45:03:804 1412 IRP_MJ_QUERY_EA : 804F4544
20:45:03:804 1412 IRP_MJ_SET_EA : 804F4544
20:45:03:804 1412 IRP_MJ_FLUSH_BUFFERS : F7693366
20:45:03:804 1412 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
20:45:03:804 1412 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
20:45:03:804 1412 IRP_MJ_DIRECTORY_CONTROL : 804F4544
20:45:03:804 1412 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
20:45:03:804 1412 IRP_MJ_DEVICE_CONTROL : F769344D
20:45:03:804 1412 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7696FC3
20:45:03:804 1412 IRP_MJ_SHUTDOWN : F7693366
20:45:03:804 1412 IRP_MJ_LOCK_CONTROL : 804F4544
20:45:03:804 1412 IRP_MJ_CLEANUP : 804F4544
20:45:03:804 1412 IRP_MJ_CREATE_MAILSLOT : 804F4544
20:45:03:804 1412 IRP_MJ_QUERY_SECURITY : 804F4544
20:45:03:804 1412 IRP_MJ_SET_SECURITY : 804F4544
20:45:03:804 1412 IRP_MJ_POWER : F7694EF3
20:45:03:804 1412 IRP_MJ_SYSTEM_CONTROL : F7699A24
20:45:03:804 1412 IRP_MJ_DEVICE_CHANGE : 804F4544
20:45:03:804 1412 IRP_MJ_QUERY_QUOTA : 804F4544
20:45:03:804 1412 IRP_MJ_SET_QUOTA : 804F4544
20:45:03:851 1412 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:45:03:851 1412
20:45:03:851 1412 Driver Name: USBSTOR
20:45:03:867 1412 IRP_MJ_CREATE : EDDD4218
20:45:03:867 1412 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
20:45:03:867 1412 IRP_MJ_CLOSE : EDDD4218
20:45:03:867 1412 IRP_MJ_READ : EDDD423C
20:45:03:867 1412 IRP_MJ_WRITE : EDDD423C
20:45:03:867 1412 IRP_MJ_QUERY_INFORMATION : 804F4544
20:45:03:867 1412 IRP_MJ_SET_INFORMATION : 804F4544
20:45:03:867 1412 IRP_MJ_QUERY_EA : 804F4544
20:45:03:867 1412 IRP_MJ_SET_EA : 804F4544
20:45:03:867 1412 IRP_MJ_FLUSH_BUFFERS : 804F4544
20:45:03:867 1412 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
20:45:03:867 1412 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
20:45:03:867 1412 IRP_MJ_DIRECTORY_CONTROL : 804F4544
20:45:03:867 1412 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
20:45:03:867 1412 IRP_MJ_DEVICE_CONTROL : EDDD4180
20:45:03:867 1412 IRP_MJ_INTERNAL_DEVICE_CONTROL : EDDCF9E6
20:45:03:867 1412 IRP_MJ_SHUTDOWN : 804F4544
20:45:03:867 1412 IRP_MJ_LOCK_CONTROL : 804F4544
20:45:03:867 1412 IRP_MJ_CLEANUP : 804F4544
20:45:03:867 1412 IRP_MJ_CREATE_MAILSLOT : 804F4544
20:45:03:867 1412 IRP_MJ_QUERY_SECURITY : 804F4544
20:45:03:867 1412 IRP_MJ_SET_SECURITY : 804F4544
20:45:03:867 1412 IRP_MJ_POWER : EDDD35F0
20:45:03:867 1412 IRP_MJ_SYSTEM_CONTROL : EDDD1A6E
20:45:03:867 1412 IRP_MJ_DEVICE_CHANGE : 804F4544
20:45:03:867 1412 IRP_MJ_QUERY_QUOTA : 804F4544
20:45:03:867 1412 IRP_MJ_SET_QUOTA : 804F4544
20:45:03:898 1412 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
20:45:03:898 1412
20:45:03:898 1412 Driver Name: Disk
20:45:03:898 1412 IRP_MJ_CREATE : F7698C30
20:45:03:898 1412 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
20:45:03:898 1412 IRP_MJ_CLOSE : F7698C30
20:45:03:898 1412 IRP_MJ_READ : F7692D9B
20:45:03:898 1412 IRP_MJ_WRITE : F7692D9B
20:45:03:898 1412 IRP_MJ_QUERY_INFORMATION : 804F4544
20:45:03:898 1412 IRP_MJ_SET_INFORMATION : 804F4544
20:45:03:898 1412 IRP_MJ_QUERY_EA : 804F4544
20:45:03:898 1412 IRP_MJ_SET_EA : 804F4544
20:45:03:898 1412 IRP_MJ_FLUSH_BUFFERS : F7693366
20:45:03:898 1412 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
20:45:03:898 1412 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
20:45:03:898 1412 IRP_MJ_DIRECTORY_CONTROL : 804F4544
20:45:03:898 1412 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
20:45:03:898 1412 IRP_MJ_DEVICE_CONTROL : F769344D
20:45:03:898 1412 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7696FC3
20:45:03:898 1412 IRP_MJ_SHUTDOWN : F7693366
20:45:03:898 1412 IRP_MJ_LOCK_CONTROL : 804F4544
20:45:03:898 1412 IRP_MJ_CLEANUP : 804F4544
20:45:03:898 1412 IRP_MJ_CREATE_MAILSLOT : 804F4544
20:45:03:898 1412 IRP_MJ_QUERY_SECURITY : 804F4544
20:45:03:898 1412 IRP_MJ_SET_SECURITY : 804F4544
20:45:03:898 1412 IRP_MJ_POWER : F7694EF3
20:45:03:898 1412 IRP_MJ_SYSTEM_CONTROL : F7699A24
20:45:03:898 1412 IRP_MJ_DEVICE_CHANGE : 804F4544
20:45:03:898 1412 IRP_MJ_QUERY_QUOTA : 804F4544
20:45:03:898 1412 IRP_MJ_SET_QUOTA : 804F4544
20:45:03:898 1412 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:45:03:898 1412
20:45:03:898 1412 Driver Name: Disk
20:45:03:898 1412 IRP_MJ_CREATE : F7698C30
20:45:03:898 1412 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
20:45:03:898 1412 IRP_MJ_CLOSE : F7698C30
20:45:03:898 1412 IRP_MJ_READ : F7692D9B
20:45:03:898 1412 IRP_MJ_WRITE : F7692D9B
20:45:03:898 1412 IRP_MJ_QUERY_INFORMATION : 804F4544
20:45:03:898 1412 IRP_MJ_SET_INFORMATION : 804F4544
20:45:03:898 1412 IRP_MJ_QUERY_EA : 804F4544
20:45:03:898 1412 IRP_MJ_SET_EA : 804F4544
20:45:03:898 1412 IRP_MJ_FLUSH_BUFFERS : F7693366
20:45:03:898 1412 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
20:45:03:898 1412 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
20:45:03:898 1412 IRP_MJ_DIRECTORY_CONTROL : 804F4544
20:45:03:898 1412 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
20:45:03:898 1412 IRP_MJ_DEVICE_CONTROL : F769344D
20:45:03:898 1412 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7696FC3
20:45:03:898 1412 IRP_MJ_SHUTDOWN : F7693366
20:45:03:898 1412 IRP_MJ_LOCK_CONTROL : 804F4544
20:45:03:898 1412 IRP_MJ_CLEANUP : 804F4544
20:45:03:898 1412 IRP_MJ_CREATE_MAILSLOT : 804F4544
20:45:03:898 1412 IRP_MJ_QUERY_SECURITY : 804F4544
20:45:03:898 1412 IRP_MJ_SET_SECURITY : 804F4544
20:45:03:898 1412 IRP_MJ_POWER : F7694EF3
20:45:03:898 1412 IRP_MJ_SYSTEM_CONTROL : F7699A24
20:45:03:898 1412 IRP_MJ_DEVICE_CHANGE : 804F4544
20:45:03:898 1412 IRP_MJ_QUERY_QUOTA : 804F4544
20:45:03:898 1412 IRP_MJ_SET_QUOTA : 804F4544
20:45:03:898 1412 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:45:03:898 1412
20:45:03:898 1412 Driver Name: Disk
20:45:03:898 1412 IRP_MJ_CREATE : F7698C30
20:45:03:898 1412 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
20:45:03:898 1412 IRP_MJ_CLOSE : F7698C30
20:45:03:898 1412 IRP_MJ_READ : F7692D9B
20:45:03:898 1412 IRP_MJ_WRITE : F7692D9B
20:45:03:898 1412 IRP_MJ_QUERY_INFORMATION : 804F4544
20:45:03:898 1412 IRP_MJ_SET_INFORMATION : 804F4544
20:45:03:898 1412 IRP_MJ_QUERY_EA : 804F4544
20:45:03:898 1412 IRP_MJ_SET_EA : 804F4544
20:45:03:898 1412 IRP_MJ_FLUSH_BUFFERS : F7693366
20:45:03:898 1412 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
20:45:03:898 1412 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
20:45:03:898 1412 IRP_MJ_DIRECTORY_CONTROL : 804F4544
20:45:03:898 1412 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
20:45:03:898 1412 IRP_MJ_DEVICE_CONTROL : F769344D
20:45:03:898 1412 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7696FC3
20:45:03:898 1412 IRP_MJ_SHUTDOWN : F7693366
20:45:03:898 1412 IRP_MJ_LOCK_CONTROL : 804F4544
20:45:03:898 1412 IRP_MJ_CLEANUP : 804F4544
20:45:03:898 1412 IRP_MJ_CREATE_MAILSLOT : 804F4544
20:45:03:898 1412 IRP_MJ_QUERY_SECURITY : 804F4544
20:45:03:898 1412 IRP_MJ_SET_SECURITY : 804F4544
20:45:03:898 1412 IRP_MJ_POWER : F7694EF3
20:45:03:898 1412 IRP_MJ_SYSTEM_CONTROL : F7699A24
20:45:03:898 1412 IRP_MJ_DEVICE_CHANGE : 804F4544
20:45:03:898 1412 IRP_MJ_QUERY_QUOTA : 804F4544
20:45:03:898 1412 IRP_MJ_SET_QUOTA : 804F4544
20:45:03:898 1412 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:45:03:898 1412
20:45:03:898 1412 Driver Name: iaStor
20:45:03:898 1412 IRP_MJ_CREATE : F73F5094
20:45:03:898 1412 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
20:45:03:898 1412 IRP_MJ_CLOSE : F73F5094
20:45:03:898 1412 IRP_MJ_READ : 804F4544
20:45:03:898 1412 IRP_MJ_WRITE : 804F4544
20:45:03:898 1412 IRP_MJ_QUERY_INFORMATION : 804F4544
20:45:03:898 1412 IRP_MJ_SET_INFORMATION : 804F4544
20:45:03:898 1412 IRP_MJ_QUERY_EA : 804F4544
20:45:03:898 1412 IRP_MJ_SET_EA : 804F4544
20:45:03:898 1412 IRP_MJ_FLUSH_BUFFERS : 804F4544
20:45:03:898 1412 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
20:45:03:898 1412 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
20:45:03:898 1412 IRP_MJ_DIRECTORY_CONTROL : 804F4544
20:45:03:898 1412 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
20:45:03:898 1412 IRP_MJ_DEVICE_CONTROL : F73F87E8
20:45:03:898 1412 IRP_MJ_INTERNAL_DEVICE_CONTROL : 86B36C18
20:45:03:898 1412 IRP_MJ_SHUTDOWN : 804F4544
20:45:03:898 1412 IRP_MJ_LOCK_CONTROL : 804F4544
20:45:03:898 1412 IRP_MJ_CLEANUP : 804F4544
20:45:03:898 1412 IRP_MJ_CREATE_MAILSLOT : 804F4544
20:45:03:898 1412 IRP_MJ_QUERY_SECURITY : 804F4544
20:45:03:898 1412 IRP_MJ_SET_SECURITY : 804F4544
20:45:03:898 1412 IRP_MJ_POWER : F73FD118
20:45:03:898 1412 IRP_MJ_SYSTEM_CONTROL : F73FD1A4
20:45:03:898 1412 IRP_MJ_DEVICE_CHANGE : 804F4544
20:45:03:898 1412 IRP_MJ_QUERY_QUOTA : 804F4544
20:45:03:898 1412 IRP_MJ_SET_QUOTA : 804F4544
20:45:03:914 1412 C:\WINDOWS\system32\drivers\iaStor.sys - Verdict: 1
20:45:03:914 1412
20:45:03:914 1412 Completed
20:45:03:914 1412
20:45:03:914 1412 Results:
20:45:03:914 1412 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
20:45:03:914 1412 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
20:45:03:914 1412 File objects infected / cured / cured on reboot: 0 / 0 / 0
20:45:03:914 1412
20:45:03:914 1412 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
20:45:03:914 1412 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
20:45:03:929 1412 KLMD(ARK) unloaded successfully
av8r
Regular Member
 
Posts: 35
Joined: March 13th, 2010, 8:30 pm

Re: Mbam cannot remove "Trojan.PWS"

Unread postby Katana » April 15th, 2010, 4:57 pm

What would you like to try next?
There is obviously an infected file on your system that keeps respawning the infection, but since we haven't been able to find it there may be no option other than a reformat/reinstall :(

Let's see if we can stop the infection, and then get an online scan whilst it is inactive.
Disconnect from the internet until the step that contains the online scan.


----------------------------------------------------------------------------------------
Step 1

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    MBR::
    File::
    c:\windows\system32\termsrv32.dll
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1653:TCP"=-
    "1806:TCP"=-
    "2464:TCP"=-
    "3428:TCP"=-
    ADS::

  • Save this as CFScript.txt and place it on your desktop.


    [screenshot]


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper



----------------------------------------------------------------------------------------
Step 2

Boot to Recovery Console and run the Fixmbr command


----------------------------------------------------------------------------------------
Step 3

Close out all other open programs and windows.
Double click HelpAsst_mebroot_fix.exe to run it and follow any prompts.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

----------------------------------------------------------------------------------------
Step 4

Eset Online AntiVirus

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.
(You may need to disable your resident Anti-Virus.)

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: [image]
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: [image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: [image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!



----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large; you may need to split them over a couple of replies.
  • Combofix Log
  • Eset Log




If Eset still doesn't run, please try the following scan instead

  1. Download Dr. Web CureIt and save it to your desktop.
  2. Double click on cureit.exe to run it.
  3. Click on Start to start the scan.
  4. Dr Web CureIt will prompt you. Click OK.
  5. This will start an express scan. It shouldn't take too long.
  6. When done, click on Options > Change settings.
  7. Select the Scan tab. Uncheck (untick) Heuristics analysis box.
  8. Select the Log file tab. Uncheck (untick) Maximum log file size box.
  9. Click OK to apply the settings.
  10. Select the Complete scan radio button, then click on the green triangle button on the right hand side.
  11. It will start scanning. Please be patient as this scan can be long.
  12. During the scan, if it finds any infected items, it will prompt you. Click Yes to all to cure the files.
  13. Click on File > Save report list. Save this report to a convenient location.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Mbam cannot remove "Trojan.PWS"

Unread postby av8r » April 17th, 2010, 1:30 am

Hi Katana. I was able to run the ESET scan all the way to completion this time, but it did not detect anything. It ran for a long time and I ended up going to bed while it ran. Interestingly, the HelpAssistant profile was created again. Based on the time stamp on the HelpAssistant folder, it looks like it was created shortly after the scan completed. I’m not surprised since I left the internet connection in place for this online scan.

Since I had already downloaded Dr. Web as a contingency in case ESET didn’t run, I decided to leave the HelpAssistant profile on the computer and run Dr. Web to see if it would detect anything. It did not detect anything on the express scan. So I ran a complete scan and it detected one item related to the NetZero installation stuff that came with my computer, but which I have never used. It was labeled “Trojan.click.487,” and asked me if I wanted to “cure it”. I selected “yes to all” and the scan continued. Since it was clear that the scan was going to run for a LONG time, I left for a while to take care of other obligations. When I came back, the machine had frozen only about an hour into the scan. So I ran it again. This time it ran to completion (5-1/2 hours) and detected the same item, but this time in one of the system restore files. As soon as the scan completed I tried to save the Report List, but it froze during the save operation. A 1KB file called “DrWeb.csv” was saved, but Excel couldn’t open it because it appeared to be damaged. I changed the extension to “.xls” but still couldn’t open it. Changed the extension to “.txt” and opened it with Notepad to see if there was any content. It appears to be an empty file. So I cannot post anything related to the Dr Web scan.

I was thinking maybe I should leave the HelpAssistant profile on my computer and re-run the HelpAssistant tool to see if it behaves any differently. What do you think?

In closing, I’m a little concerned about reformatting my hard drive. My computer came with a lot of software, but no installation disks, and that includes Windows, so I fear I would lose too much. Also, I have heard that reformatting does not affect the boot sector. Is that true? If so, I’m not sure reformatting will cure the problem if that is where it is located. Lastly, I have accumulated 5 years’ worth of very important stuff on this computer, which I have diligently backed up. What if one or more of those files is infected? At this point I think it’s clear that “scanning” them is useless since this infection is so good at hiding itself. It’s almost imperative that I find the infection so that I do not keep re-infecting the computer. I think you see my dilemma.

Well, onward. Here are the logs:

COMBOFIX

ComboFix 10-04-15.02 - Steve 04/15/2010 22:00:05.9.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.571 [GMT -7:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\termsrv32.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\termsrv32.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
.

2010-04-07 05:25 . 2010-04-07 05:25 -------- d-----w- C:\_OTL
2010-03-26 22:26 . 2010-03-26 22:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-20 20:05 . 2010-03-20 20:05 -------- d-----w- C:\HelpAsst_backup

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 17:11 . 2009-09-27 04:15 -------- d-----w- c:\documents and settings\Steve\Application Data\IM
2010-04-12 17:10 . 2007-09-09 21:42 -------- d-----w- c:\documents and settings\Steve\Application Data\SolidWorks
2010-04-12 05:44 . 2005-06-04 23:13 -------- d-----w- c:\program files\Common Files\Intuit
2010-04-12 05:40 . 2005-06-04 23:11 -------- d-----w- c:\program files\Common Files\AOL
2010-04-12 05:40 . 2005-06-04 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-04-12 05:29 . 2005-06-04 23:02 -------- d-----w- c:\program files\Java
2010-04-12 05:29 . 2005-06-04 23:02 -------- d-----w- c:\program files\Common Files\Java
2010-04-04 16:57 . 2010-03-12 07:46 439816 ----a-w- c:\documents and settings\Steve\Application Data\Real\Update\setup3.10\setup.exe
2010-04-03 00:05 . 2009-08-17 02:56 -------- d-----w- c:\program files\Verizon
2010-03-31 21:37 . 2009-09-21 03:07 -------- d-----w- c:\program files\McAfee
2010-03-31 06:22 . 2009-08-17 03:12 -------- d-----w- c:\program files\Common Files\Motive
2010-03-26 22:26 . 2010-03-26 22:26 503808 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6014ee1b-n\msvcp71.dll
2010-03-26 22:26 . 2010-03-26 22:26 348160 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6014ee1b-n\msvcr71.dll
2010-03-26 22:26 . 2010-03-26 22:26 499712 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6014ee1b-n\jmc.dll
2010-03-26 22:26 . 2010-03-26 22:26 61440 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-14b6677d-n\decora-sse.dll
2010-03-26 22:26 . 2010-03-26 22:26 12800 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-14b6677d-n\decora-d3d.dll
2010-03-07 08:40 . 2005-06-27 02:04 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000005-00000000-00000002-00001102-00000004-20061102}.dat
2010-03-07 08:40 . 2005-06-27 02:04 384 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000002-00001102-00000004-20061102}.dat
2010-03-06 05:35 . 2005-06-25 18:33 180608 ----a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-06 03:46 . 2010-03-06 03:46 36864 ----a-w- c:\documents and settings\Steve\Application Data\Autodesk\DWG TrueView 2010\R7\enu\ContextualTabSelectorRules.dll
2010-03-06 02:51 . 2010-03-06 02:51 311888 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-06 02:38 . 2010-03-06 02:36 -------- d-----w- c:\program files\DWG TrueView 2010
2010-03-06 02:38 . 2008-03-21 22:54 -------- d-----w- c:\documents and settings\Steve\Application Data\Autodesk
2010-03-06 02:38 . 2008-03-21 22:47 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-03-06 02:36 . 2008-03-21 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2010-03-02 22:31 . 2010-03-02 22:31 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2010-03-02 22:31 . 2010-03-02 22:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-02 22:31 . 2010-03-02 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-28 03:31 . 2007-04-06 03:10 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-02-28 03:27 . 2010-02-28 03:27 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-28 03:26 . 2010-02-28 03:26 -------- d-----w- c:\program files\MSXML 6.0
2010-02-25 01:09 . 2010-02-25 01:09 -------- d-----w- c:\documents and settings\Steve\Application Data\SolidWorks 2009
2010-02-25 00:36 . 2010-02-24 23:35 -------- d-----w- c:\program files\SolidWorks Corp
2010-02-25 00:35 . 2010-02-24 23:36 -------- d-----w- c:\program files\Common Files\SolidWorks Shared
2010-02-25 00:34 . 2010-02-25 00:34 335872 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{06379784-4648-46BF-9426-0B10817F0AF5}\NewShortcut2_5135BE5531E34696827B50FE43E48CC2_1.exe
2010-02-25 00:34 . 2010-02-25 00:34 335872 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{06379784-4648-46BF-9426-0B10817F0AF5}\NewShortcut1_5135BE5531E34696827B50FE43E48CC2_1.exe
2010-02-25 00:34 . 2010-02-25 00:34 335872 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{06379784-4648-46BF-9426-0B10817F0AF5}\ARPPRODUCTICON.exe
2010-02-24 23:35 . 2008-03-21 22:54 -------- d-----w- c:\program files\AutoCAD 2007
2010-02-24 23:35 . 2010-02-24 23:35 -------- d-----w- c:\program files\AGEIA Technologies
2010-02-24 23:35 . 2010-02-24 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SolidWorks
2010-02-24 23:30 . 2009-09-27 04:17 -------- d-----w- c:\program files\Common Files\SolidWorks Installation Manager
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateFlow.Verizon"="c:\program files\Verizon\McciBrowser.exe" [2010-03-17 1048576]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-06-04 98304]

c:\documents and settings\Steve\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks Corp\SolidWorks\swScheduler\swBOEngine.exe [2008-9-9 841000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-4 11000]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-3-26 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"5935:TCP"= 5935:TCP:Services
"5936:TCP"= 5936:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"7418:TCP"= 7418:TCP:Services
"7417:TCP"= 7417:TCP:Services

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/20/2009 8:09 PM 93320]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 4:53 PM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 4:52 PM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 4:52 PM 166384]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\SYSTEM32\DRIVERS\A3AB.sys [6/26/2005 9:33 AM 344800]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [9/9/2008 7:01 AM 79144]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 4:53 PM 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 4:52 PM 1083888]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
.
Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-21 19:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-21 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-15 22:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x864E9CE8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7696fc3
\Driver\ACPI -> ACPI.sys @ 0xf74a9cb8
\Driver\atapi -> atapi.sys @ 0xf73d47b4
\Driver\iaStor -> 0x864e9ce8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x85fae8f0
PacketIndicateHandler -> NDIS.sys @ 0xf7275a0b
SendHandler -> NDIS.sys @ 0xf7289b31
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1152)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\windows\system32\CTsvcCDA.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\rundll32.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\program files\Microsoft ActiveSync\WCESCOMM.EXE
c:\program files\Windows Desktop Search\WindowsSearchIndexer.exe
c:\docume~1\Steve\LOCALS~1\Temp\SolidWorksLicTemp.0001
c:\program files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
.
**************************************************************************
.
Completion time: 2010-04-15 22:19:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-16 05:19
ComboFix2.txt 2010-04-12 00:53
ComboFix3.txt 2010-04-11 16:55
ComboFix4.txt 2010-04-05 05:47
ComboFix5.txt 2010-04-16 04:55

Pre-Run: 87,577,071,616 bytes free
Post-Run: 87,546,925,056 bytes free

- - End Of File - - 97C60B41F2BD55DB3478F6031E989291


ESET

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=9fa38b412e5056478e0cfeffc51c060c
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-04-16 08:17:51
# local_time=2010-04-16 01:17:51 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5121 16776869 100 96 420757 24229780 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=149735
# found=0
# cleaned=0
# scan_time=9217
av8r
Regular Member
 
Posts: 35
Joined: March 13th, 2010, 8:30 pm
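The firewall section of the ComboFix log above (a disabled standard profile plus a run of globally open TCP ports labelled only "Services") is the kind of thing a helper scans by eye. The script below is an added example, not part of this thread or of ComboFix, that parses that section and reports entries missing from an analyst-supplied baseline; the baseline set and the abbreviated sample log are assumptions constructed from the lines posted above.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the firewall-policy lines as ComboFix prints them,
# copied from the log posted in this thread; surrounding sections abbreviated.
SAMPLE_LOG = """\
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"5935:TCP"= 5935:TCP:Services
"5936:TCP"= 5936:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"7418:TCP"= 7418:TCP:Services
"7417:TCP"= 7417:TCP:Services

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;...
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<name>.*)$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')


@dataclass(frozen=True)
class OpenPort:
    port: int
    proto: str
    name: str


def parse_firewall_section(log: str):
    """Return (firewall_enabled, [OpenPort, ...]) for the standard profile.

    firewall_enabled is None when the EnableFirewall value is not in the log."""
    enabled = None
    ports = []
    section = ""
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:                      # a new [registry key] header
            section = m.group("key").lower()
            continue
        if not line:
            continue
        if section.endswith("firewallpolicy\\standardprofile"):
            f = FIREWALL_RE.match(line)
            if f:
                enabled = f.group("val") != "0"
        elif section.endswith("globallyopenports\\list"):
            p = PORT_RE.match(line)
            if p:
                ports.append(OpenPort(int(p.group("port")), p.group("proto"), p.group("name")))
    return enabled, ports


def triage(log: str, baseline: frozenset):
    """List findings: a disabled firewall, and every globally open port whose
    (port, proto) pair is not in the analyst's baseline (an assumed per-machine
    set, not a fixed list of good ports)."""
    enabled, ports = parse_firewall_section(log)
    findings = []
    if enabled is False:
        findings.append("standard-profile firewall is disabled (EnableFirewall=0)")
    for p in ports:
        if (p.port, p.proto) not in baseline:
            findings.append(f"unexpected globally open port {p.port}/{p.proto} ({p.name!r})")
    return findings
```

With only Remote Desktop (3389/TCP) in the baseline, the sample yields seven findings: the disabled firewall and the six "Services" ports.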

Re: Mbam cannot remove "Trojan.PWS"

Unread postby Katana » April 18th, 2010, 4:56 pm

We need to see this infection active for now, so please leave the machine connected to the internet during these steps.

Hopefully, this should tell us which file is the problem.

----------------------------------------------------------------------------------------
Step 1
Please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following bolded command at the C:\windows> prompt

batch look.bat

You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer, then log on in normal mode.

Click Start >> Run and then type the following in the run box

maxlook -sig

(note the space before the - sign)
It will produce looklog.txt on the desktop and open it.
Please post the results here.


----------------------------------------------------------------------------------------
Step 2

HelpAsst_mebroot_fix has been updated, please delete the copy you have

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Mbam cannot remove "Trojan.PWS"

Unread postby av8r » April 19th, 2010, 1:00 pm

Ran into a little hitch in the getalong. I was not able to execute the "batch look.bat" command. When I type in the command, I receive the following message: "There is no floppy disk or CD in the drive." I suspect that it is because I have to boot to the recovery console from a Windows Installation CD. I tried to reboot to the recovery console that is on my C: drive (which ComboFix installed), but once again got the BSOD. When I execute the directory command on the C: drive, it gives me the same message that there is no floppy or CD in the drive. The dir command executed on the drive with the installation CD will list the root folders on the CD. So, I conclude that when I boot to the CD, the recovery console just sees the C: drive as a valid drive, but empty. Is there a way to uninstall the recovery console from my c: drive and reinstall it using the installation CD? That might be worth a try...

p.s. While I’ve been typing this response I noticed that my computer started to exhibit the viral behavior. I just went and checked the HelpAssistant profile (which I left on the computer) and, sure enough, it has been added to during this boot cycle.
av8r
Regular Member
 
Posts: 35
Joined: March 13th, 2010, 8:30 pm

Re: Mbam cannot remove "Trojan.PWS"

Unread postby Katana » April 19th, 2010, 4:30 pm

That's odd; it should give you access to the C:\windows folder.

Did you try the dir command on C:\ or C:\Windows ?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Mbam cannot remove "Trojan.PWS"

Unread postby av8r » April 19th, 2010, 9:19 pm

Yes. I tried both paths and got the same message. I tried to do a directory command on all drives and the only one that listed folders/files was the D: drive where the CD was located and from which I booted the Recovery Console.
av8r
Regular Member
 
Posts: 35
Joined: March 13th, 2010, 8:30 pm