
HelpAssistant - Ebay Redirect - Computer Freezing Up


  • This topic is locked
27 replies to this topic

#1 Kendall 9711

Kendall 9711

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:52 AM

Posted 24 February 2010 - 11:41 AM

OS: Windows XP Professional Version 5.1 Svc Pak 3

McAfee Security Center – computer protection services are enabled but not up to date. Subscription expired in December 2009.

A week ago, user signed on to eBay and was redirected to what appeared to be a phishing eBay site requesting personal and credit card data. It was also observed that a new "HelpAssistant" folder was created and copies of the user files were all found in the folder. User attempted to fix/find issues using Registry Patrol and Malwarebytes Anti-Malware (free version). Registry Patrol is still on the computer, whereas user deleted the Anti-Malware software after running it. The redirect on the eBay page is not occurring anymore, but the HelpAssistant folder has reappeared and there are definite problems with the computer (freezing up, running slow, ghostlike images of buttons sometimes appear). The user has been instructed to stop any further finding/fixing without the help of someone with some expertise in this area.

We were able to back up and run DeFogger. DDS won't run properly as AutoCAD is installed: dds.scr is recognized as an AutoCAD script, and when it runs it generates a Notepad file with garbled text. I am not sure how to edit the file association (registry?). Searched and found where other users with this problem ran RIST, but I will wait for instruction.

Ran HijackThis and finally was able to run GMER and save the file. Logs below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:01 AM, on 2/24/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\Pmxmiced.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3061106
O1 - Hosts: 193.169.12.8 nosd.info
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PDF4 Registry Controller] "C:\Program Files\ScanSoft\PDF Professional 4.0\RegistryController.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - res://C:\Program Files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.hendrickmotorsports.com
O15 - Trusted Zone: http://*.mcafee.com (HKLM)
O15 - Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - Trusted Zone: http://www.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://*.mcafee.com (HKLM)
O15 - ESC Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://www.mcafeeasap.com (HKLM)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://vs.mcafeeasap.com/MC/ENU/VS40/bin/m...60504175614.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1262893744125
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.co...agi3.0.84.2.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://67.158.46.233/activex/AMC.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
End of file - 9796 bytes


---- System - GMER 1.0.15 ----

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-24 08:15:38
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Wetzel\LOCALS~1\Temp\uftdapob.sys


Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF109D78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF109D738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF109D74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF109D710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF109D724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF109D79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF109D776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF109D762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF109D7CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF109D7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\iaStor \Device\Ide\iaStor0 85FD5610
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 85FD5610

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat B7D68D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----


I am posting this from another computer since I am not comfortable leaving constant internet connection running. We will wait patiently for your much appreciated assistance before attempting anything further and are posting to only this forum.

Thank you!!!
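As an added example (my own code, not from this thread, from HijackThis or from BleepingComputer), here is a small Python triage script that parses the HijackThis line formats posted above (O1 hosts entries, O4 Run keys, O15 Trusted Zone sites, O20 AppInit_DLLs) and flags the entries a helper looks at first: a hosts mapping to a non-loopback address such as the nosd.info line, Run entries whose executable carries no path, user-scope Trusted Zone sites, and every AppInit DLL. The sample log is constructed from the formats in the post; the function names, regexes and severity labels are my own.

```python
"""HijackThis log triage helper (added example, not a HijackThis or
BleepingComputer tool).  Parses the O1/O4/O15/O20 line formats and
returns the entries worth a second look."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines in the same format as the posted HijackThis log.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 193.169.12.8 nosd.info
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O15 - Trusted Zone: http://www.hendrickmotorsports.com
O15 - Trusted Zone: http://*.mcafee.com (HKLM)
O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
"""


@dataclass
class Finding:
    section: str   # HijackThis section prefix, e.g. "O1"
    severity: str  # "high" or "review" (labels are my own)
    detail: str
    line: str


HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\]\s*(.*)$")
TRUSTED_RE = re.compile(r"^O15 - (?:ESC )?Trusted Zone:\s+(\S+)(?:\s+\((HKLM)\))?")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")


def split_command(command: str) -> List[str]:
    """Split a Run value into tokens, keeping a quoted executable path whole."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:
            return [command.strip('"')]
        return [command[1:end]] + command[end + 1:].split()
    return command.split()


def hosts_finding(ip_text: str, hostname: str, line: str) -> Optional[Finding]:
    """Any hosts mapping that does not point at loopback silently redirects a site."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return Finding("O1", "review", f"unparseable hosts entry for {hostname}", line)
    if ip.is_loopback:
        return None
    return Finding("O1", "high", f"hosts file maps {hostname} to {ip} (possible redirect)", line)


def run_finding(hive: str, name: str, command: str, line: str) -> Optional[Finding]:
    """Flag Run entries whose target has no directory: it is resolved via the
    search path at logon, so the file that actually runs must be verified."""
    tokens = split_command(command)
    if not tokens:
        return Finding("O4", "review", f"{hive} Run [{name}] has an empty command", line)
    target = tokens[0]
    # rundll32 is only a host; the DLL it is told to load is the real target.
    if target.upper().endswith("RUNDLL32.EXE") and len(tokens) > 1:
        target = tokens[1].split(",", 1)[0]
    if "\\" not in target:
        return Finding("O4", "review",
                       f"{hive} Run [{name}] launches unqualified '{target}'", line)
    return None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if m:
            f = hosts_finding(m.group(1), m.group(2), line)
            if f:
                findings.append(f)
            continue
        m = RUN_RE.match(line)
        if m:
            f = run_finding(m.group(1), m.group(2), m.group(3), line)
            if f:
                findings.append(f)
            continue
        m = TRUSTED_RE.match(line)
        if m and m.group(2) is None:
            # HKLM entries here are vendor-installed; user-scope ones get reviewed.
            findings.append(Finding("O15", "review",
                                    f"user-scope Trusted Zone site {m.group(1)}", line))
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs are loaded into every process that loads user32.dll.
            for dll in m.group(1).split():
                findings.append(Finding("O20", "review", f"AppInit DLL {dll}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
```

On the constructed sample the script reports the nosd.info hosts entry as high, and four review items: the bare ICO.EXE Run value, the user-added Trusted Zone site, and the two AppInit DLLs. The McAfee Trusted Zone entry marked (HKLM) and the quoted msmsgs.exe path are not reported.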


#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:03:52 PM

Posted 26 February 2010 - 11:41 AM

Hello Kendall 9711 my name is Sempai and welcome to Bleeping Computer.
*We apologize for the delay. The forum has been busy.

* Please stay with me until I declare that your computer is clean, as most users don't reply anymore once they find that their computer is running smoothly, but absence of symptoms does not mean that a computer is free from infection.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*You must reply within 5 days otherwise this topic will be closed.



Before we start, please tell me... Is this your computer, or are you posting someone else's log here to seek advice because you are helping them elsewhere?


1. Download this tool and save it in your root directory (C:\): mbr.exe
Double click (Run as administrator for Vista) on mbr.exe & post the log it creates. (or find it at C:\mbr.log)




2. Download and save HelpAsst_mebroot_fix.exe
Double click (Run as administrator for Vista) to run the tool then tell me how it went.



3. Download OTL to your Desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Copy and Paste the following code into the Custom Scan box. Do not include the word "Code"

    CODE

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them when you reply.



~Semp


You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 Kendall 9711

Kendall 9711
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:52 AM

Posted 26 February 2010 - 02:23 PM

Hi Sempai -

Thanks for your reply!! This is one of our workstation computers. We are a very small company and do not have a computer administrator, per se. The computer I am seeking advice for was accessible for others to use, but will now only be accessible by very few with a password. I will run the tools you suggest but will save the logs to a DVD and send them from another computer, since I do not feel comfortable leaving the internet/server constantly connected to the infected computer.

No need for any apologies. I appreciate the time you are taking to help us with this problem.

I will attempt to run the tools (as the computer freezes up a lot) and post the logs and let you know if I encounter any problems.

Thank you!!

#4 Kendall 9711

Kendall 9711
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:52 AM

Posted 26 February 2010 - 03:08 PM

Hi Semp -

I will stay with you until you give me a declaration of "clean" and also will not make any changes or run tools unless you have given me instruction.

As requested:

1. Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\iaStor -> 0x86408398
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x860af330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !


2. Message received after running the HelpAsst mebroot fix.exe

HelpAssistant removed
Press any key to continue

3A. OTL.Txt Log (Note: After the OTL scans were completed the computer froze; I unplugged it, and the logs were on the desktop and appear to be complete):

OTL logfile created on: 2/26/2010 1:37:53 PM - Run 1
OTL by OldTimer - Version 3.1.30.3 Folder = C:\Documents and Settings\Wetzel\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 500.00 Mb Available Physical Memory | 49.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.45 Gb Total Space | 50.68 Gb Free Space | 68.07% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DONNA2
Current User Name: Wetzel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/02/26 13:30:06 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Wetzel\Desktop\OTL.exe
PRC - [2009/12/18 10:03:12 | 000,472,384 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe
PRC - [2009/12/18 10:01:08 | 000,282,824 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
PRC - [2009/12/15 14:22:34 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
PRC - [2009/12/15 14:21:04 | 000,014,144 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
PRC - [2009/05/08 16:26:32 | 000,893,112 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2008/04/13 18:12:41 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/15 13:11:04 | 000,267,048 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2007/11/15 13:10:54 | 000,504,104 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2006/11/06 22:12:45 | 000,555,008 | ---- | M] () -- C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
PRC - [2006/11/06 22:12:45 | 000,415,744 | ---- | M] () -- C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
PRC - [2006/11/06 22:12:45 | 000,169,984 | ---- | M] () -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2006/06/22 11:05:06 | 000,139,264 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\pmxmiced.exe
PRC - [2006/06/12 10:01:14 | 000,180,224 | ---- | M] () -- C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
PRC - [2006/06/09 12:47:52 | 000,047,104 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe
PRC - [2006/05/16 12:35:08 | 000,102,400 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
PRC - [2006/05/15 19:19:00 | 000,315,392 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\common\DataServer.exe
PRC - [2006/04/26 07:39:18 | 000,143,360 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2006/04/26 07:38:50 | 000,081,920 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2006/03/21 10:12:52 | 000,143,427 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2006/03/17 17:25:16 | 000,065,536 | ---- | M] (Broadcom Corporation) -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
PRC - [2006/01/30 17:11:48 | 000,192,512 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
PRC - [2005/12/09 20:29:52 | 000,049,152 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
PRC - [2005/11/11 18:30:22 | 000,995,328 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\ControlCenter2\brctrcen.exe
PRC - [2005/11/10 13:03:52 | 000,036,975 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
PRC - [2005/09/30 18:22:50 | 000,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2005/09/08 05:20:00 | 000,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PRC - [2005/08/11 15:30:30 | 000,081,920 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2005/03/17 14:25:54 | 000,057,393 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
PRC - [2003/08/29 08:54:16 | 000,307,200 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXBCES.EXE
PRC - [2003/08/29 08:50:24 | 000,174,592 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXPPS.EXE


========== Modules (SafeList) ==========

MOD - [2010/02/26 13:30:06 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Wetzel\Desktop\OTL.exe
MOD - [2006/06/22 10:30:46 | 000,131,072 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\pmxscrll.dll
MOD - [2006/06/15 18:40:28 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\pmxcomm.dll
MOD - [2006/06/15 18:40:26 | 000,065,536 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\pmxhooks.dll
MOD - [2006/05/16 12:34:22 | 000,286,720 | ---- | M] () -- C:\WINDOWS\system32\wxvault.dll
MOD - [2006/05/16 12:33:06 | 000,004,096 | ---- | M] () -- C:\WINDOWS\system32\detoured.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/12/18 10:01:08 | 000,282,824 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe -- (myAgtSvc)
SRV - [2009/12/15 14:22:34 | 000,144,704 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe -- (McShield)
SRV - [2009/12/15 14:21:04 | 000,014,144 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe -- (EngineServer)
SRV - [2009/09/23 15:36:06 | 000,051,168 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/05/08 16:26:32 | 000,893,112 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/03/27 07:59:56 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/06/04 16:50:26 | 000,085,096 | ---- | M] (Autodesk) [On_Demand | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2007/11/15 13:10:54 | 000,504,104 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2007/09/06 12:28:18 | 000,110,592 | ---- | M] (Apple, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2006/06/12 10:01:14 | 000,180,224 | ---- | M] () [Auto | Running] -- C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe -- (tcsd_win32.exe)
SRV - [2006/05/15 19:19:00 | 000,315,392 | ---- | M] (Wave Systems Corp.) [Auto | Running] -- C:\Program Files\Wave Systems Corp\Common\DataServer.exe -- (DataSvr2)
SRV - [2006/04/26 07:38:50 | 000,081,920 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMon) Intel®
SRV - [2006/03/21 10:12:52 | 000,143,427 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2006/03/17 17:25:16 | 000,065,536 | ---- | M] (Broadcom Corporation) [Auto | Running] -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe -- (ASFIPmon)
SRV - [2005/09/30 18:22:50 | 000,096,341 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2004/08/11 17:11:27 | 000,295,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\termsrv32.dll -- (TermService)
SRV - [2003/08/29 08:54:16 | 000,307,200 | ---- | M] (Lexmark International, Inc.) [Auto | Running] -- C:\WINDOWS\system32\LEXBCES.EXE -- (LexBceS)
SRV - [2003/07/28 12:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3061106
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3061106

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/01/14 10:29:27 | 000,000,769 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 193.169.12.8 nosd.info
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe (Wave Systems Corp.)
O4 - HKLM..\Run: [DVDLauncher] C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe ()
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [PDF4 Registry Controller] C:\Program Files\ScanSoft\PDF Professional 4.0\RegistryController.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [PMX Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe (Wave Systems Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - C:\Program Files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll (Sun Microsystems, Inc.)
O15 - HKLM\..Trusted Domains: //about.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Exclude.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //FWEvent.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //LanguageSelection.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Message.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryCmd.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryNag.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyNotification.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //NOCLessUpdate.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //quarantine.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //ScanNow.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //strings.vbs/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Template.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Update.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //VirFound.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafee.com ([*] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafee.com ([*] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: hendrickmotorsports.com ([www] http in Trusted sites)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Reg Error: Key error.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photo.walgreens.com/WalgreensActivia.cab (Snapfish Activia)
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} http://vs.mcafeeasap.com/MC/ENU/VS40/bin/m...60504175614.cab (SecureObjectFactory Class)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab (DLM Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1262893744125 (MUWebControl Class)
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} http://radaol-prod-web-rr.streamops.aol.co...agi3.0.84.2.cab (UnagiAx Class)
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} http://67.158.46.233/activex/AMC.cab (AxisMediaControl Class)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O18 - Protocol\Handler\myrm {4D034FC3-013F-4b95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\MyRmProt5.0.0.705.dll (McAfee, Inc.)
O20 - AppInit_DLLs: (wxvault.dll) - C:\WINDOWS\System32\wxvault.dll ()
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Wetzel\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Wetzel\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (wvauth) - C:\WINDOWS\System32\wvauth.dll (Wave Systems Corp.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/02/18 13:33:07 | 000,000,072 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{cf25cb0e-19b6-11dc-a310-00137235396e}\Shell - "" = AutoRun
O33 - MountPoints2\{cf25cb0e-19b6-11dc-a310-00137235396e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{cf25cb0e-19b6-11dc-a310-00137235396e}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/11 17:02:12 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17736316556935168)

========== Files/Folders - Created Within 14 Days ==========

[2010/02/26 13:29:58 | 000,549,888 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Wetzel\Desktop\OTL.exe
[2010/02/26 13:13:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/02/24 10:02:42 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/02/24 10:01:58 | 000,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Program Files\HJTInstall.exe
[2010/02/23 14:29:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wetzel\Desktop\GMER
[2010/02/23 13:36:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wetzel\Application Data\Macromedia
[2010/02/23 12:51:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wetzel\Desktop\New Folder
[2010/02/23 12:51:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wetzel\My Documents\New Folder
[2010/02/23 08:45:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2010/02/22 11:13:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wetzel\Application Data\Office Genuine Advantage
[2010/02/22 08:11:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW
[2010/02/22 08:11:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK
[2010/02/22 08:11:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR
[2010/02/22 08:11:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE
[2010/02/22 08:11:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR
[2010/02/22 08:11:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL
[2010/02/22 08:11:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO
[2010/02/22 08:11:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR
[2010/02/22 08:11:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT
[2010/02/22 08:11:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL
[2010/02/22 08:11:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR
[2010/02/22 08:11:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI
[2010/02/22 08:11:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES
[2010/02/22 08:11:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR
[2010/02/22 08:10:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2010/02/22 08:10:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK
[2010/02/22 08:10:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA
[2010/02/18 14:25:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2010/02/18 13:25:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Registry Patrol
[2010/02/18 13:25:33 | 000,086,016 | ---- | C] (MindVision Software) -- C:\WINDOWS\unvise32.exe
[2010/02/18 13:25:26 | 000,000,000 | ---D | C] -- C:\Program Files\Registry Patrol
[2010/02/17 12:58:07 | 000,055,656 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/02/17 10:55:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\eBay
[2010/02/17 08:47:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wetzel\Application Data\Malwarebytes
[2010/02/17 08:46:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/02/10 03:22:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/02/03 14:20:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/01/07 13:37:17 | 038,808,920 | ---- | C] (Microsoft Corporation) -- C:\Program Files\FileFormatConverters.exe
[2009/02/27 14:35:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/02/06 13:31:16 | 002,887,208 | ---- | C] (Microsoft Corporation) -- C:\Program Files\TasklineSetp.exe
[2008/10/01 17:59:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2008/10/01 17:59:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2007/10/18 21:45:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Apple
[2007/09/27 21:45:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/08/22 14:52:35 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/05/29 15:32:46 | 011,407,704 | ---- | C] (FedEx Kinko's ) -- C:\Program Files\Setup_File_Print_FedEx_Kinkos.exe
[2007/05/29 15:30:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Kinko's
[2004/08/11 17:20:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2004/08/11 17:06:56 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/02/26 13:36:38 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\Wetzel\My Documents\netsvcs.doc
[2010/02/26 13:34:11 | 000,021,286 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/02/26 13:30:06 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Wetzel\Desktop\OTL.exe
[2010/02/26 13:29:15 | 000,412,056 | ---- | M] () -- C:\HelpAsst_mebroot_fix.exe
[2010/02/26 13:28:00 | 000,077,312 | ---- | M] () -- C:\mbr.exe
[2010/02/26 13:10:51 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/26 13:10:44 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/02/26 13:10:27 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\NvwsApps.xml
[2010/02/26 13:09:59 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/26 13:09:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/26 13:09:56 | 1071,738,880 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/24 10:02:43 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Wetzel\Desktop\HijackThis.lnk
[2010/02/24 10:02:00 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\HJTInstall.exe
[2010/02/23 16:30:34 | 000,524,288 | ---- | M] () -- C:\Documents and Settings\Wetzel\Desktop\dds.scr
[2010/02/23 08:53:16 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Wetzel\defogger_reenable
[2010/02/19 15:39:00 | 014,680,064 | -H-- | M] () -- C:\Documents and Settings\Wetzel\NTUSER.DAT
[2010/02/19 15:38:37 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Wetzel\ntuser.ini
[2010/02/19 15:38:24 | 004,316,420 | -H-- | M] () -- C:\Documents and Settings\Wetzel\Local Settings\Application Data\IconCache.db
[2010/02/19 15:35:37 | 000,000,042 | ---- | M] () -- C:\WINDOWS\System32\RegistryPatrolUpdates.ini
[2010/02/19 15:24:24 | 000,000,695 | ---- | M] () -- C:\Documents and Settings\Wetzel\Desktop\Registry Patrol.lnk
[2010/02/18 13:33:07 | 000,000,072 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/02/18 10:36:03 | 000,001,917 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/26 13:36:37 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\Wetzel\My Documents\netsvcs.doc
[2010/02/26 13:29:14 | 000,412,056 | ---- | C] () -- C:\HelpAsst_mebroot_fix.exe
[2010/02/26 13:28:00 | 000,077,312 | ---- | C] () -- C:\mbr.exe
[2010/02/24 10:02:43 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Wetzel\Desktop\HijackThis.lnk
[2010/02/23 16:30:26 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\Wetzel\Desktop\dds.scr
[2010/02/23 08:53:16 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Wetzel\defogger_reenable
[2010/02/19 15:25:04 | 000,000,042 | ---- | C] () -- C:\WINDOWS\System32\RegistryPatrolUpdates.ini
[2010/02/18 13:25:30 | 000,000,695 | ---- | C] () -- C:\Documents and Settings\Wetzel\Desktop\Registry Patrol.lnk
[2010/02/18 13:25:08 | 004,868,828 | ---- | C] () -- C:\Program Files\RegistryPatrol_Fullbeta7.exe
[2010/02/18 08:16:35 | 1071,738,880 | -HS- | C] () -- C:\hiberfil.sys
[2009/08/31 14:00:22 | 000,021,504 | ---- | C] () -- C:\WINDOWS\System32\WBCustomizer.dll
[2009/08/31 14:00:21 | 000,185,344 | ---- | C] () -- C:\WINDOWS\System32\MemWarp.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2007/08/20 09:45:34 | 000,001,378 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/08/18 07:56:42 | 000,011,776 | ---- | C] () -- C:\Documents and Settings\Wetzel\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/03/19 16:16:21 | 009,448,614 | ---- | C] () -- C:\Program Files\MadgeTech_v2_00_63.zip
[2007/03/19 16:13:49 | 009,448,614 | ---- | C] () -- C:\Program Files\ERTCO
[2007/02/01 15:03:40 | 002,954,920 | ---- | C] () -- C:\Program Files\vmp_full_installer.exe
[2006/12/21 07:23:05 | 000,058,368 | ---- | C] () -- C:\Program Files\MFInstall.exe
[2006/12/13 19:28:49 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2006/12/06 08:53:40 | 000,140,800 | ---- | C] () -- C:\Program Files\Microsoft Office Install Data.doc
[2006/12/05 15:29:01 | 000,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2006/12/05 15:28:16 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\BRTCPCON.DLL
[2006/12/05 15:28:15 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\BRLMW03A.INI
[2006/12/05 15:26:34 | 000,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2006/11/16 10:40:09 | 000,000,274 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2006/11/16 09:31:22 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Wetzel\Local Settings\Application Data\fusioncache.dat
[2006/11/06 22:17:07 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/11/06 22:14:10 | 000,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/11/06 22:12:41 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/11/06 22:10:16 | 000,131,002 | ---- | C] () -- C:\WINDOWS\System32\DellPM.ini
[2006/11/06 22:08:07 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\bioapi_mds300.dll
[2006/11/06 22:08:07 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\bioapi100.dll
[2006/11/06 21:49:48 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/11/06 21:48:52 | 000,000,393 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/06/12 10:01:18 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_RUS.dll
[2006/06/12 10:01:18 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ITA.dll
[2006/06/12 10:01:18 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_FRA.dll
[2006/06/12 10:01:18 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ESN.dll
[2006/06/12 10:01:18 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ENU.dll
[2006/06/12 10:01:18 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_DEU.dll
[2006/06/12 10:01:18 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_CHS.dll
[2006/06/12 10:01:16 | 000,348,160 | ---- | C] () -- C:\WINDOWS\System32\Tsp.dll
[2006/05/22 08:37:36 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\AmRes_en.dll
[2006/05/22 08:32:12 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\AmRes_es.dll
[2006/05/22 08:32:06 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ko.dll
[2006/05/22 08:32:00 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\AmRes_de.dll
[2006/05/22 08:31:52 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\AmRes_pt-BR.dll
[2006/05/22 08:31:46 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\AmRes_fr.dll
[2006/05/22 08:31:38 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ja.dll
[2006/05/22 08:31:32 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ru.dll
[2006/05/22 08:31:26 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\AmRes_it.dll
[2006/05/22 08:31:18 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHS.dll
[2006/05/22 08:31:12 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHT.dll
[2006/05/16 12:34:22 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\wxvault.dll
[2006/05/16 12:33:06 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\detoured.dll
[2006/05/15 19:08:42 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_en.dll
[2006/05/15 18:52:12 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_pt.dll
[2006/05/15 18:52:02 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHT.dll
[2006/05/15 18:51:52 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ko.dll
[2006/05/15 18:51:42 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_es.dll
[2006/05/15 18:51:34 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ru.dll
[2006/05/15 18:51:24 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ja.dll
[2006/05/15 18:51:16 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_it.dll
[2006/05/15 18:51:06 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_de.dll
[2006/05/15 18:50:56 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_fr.dll
[2006/05/15 18:50:46 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHS.dll
[2005/12/01 14:41:20 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\pbadrvdll.dll
[2005/11/10 01:38:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/09/20 13:36:06 | 000,798,720 | ---- | C] () -- C:\WINDOWS\System32\DemoLicense.dll
[2004/08/11 17:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 17:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/07/21 15:03:14 | 000,917,504 | ---- | C] () -- C:\WINDOWS\System32\lmgr10.dll
[2004/07/20 14:27:52 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ADsSecurity.dll
[2004/03/18 18:01:20 | 000,072,192 | ---- | C] () -- C:\WINDOWS\System32\xltZlib.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/04 10:16:34 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
[1999/01/04 13:25:00 | 000,375,296 | ---- | C] () -- C:\WINDOWS\System32\tx32.dll
[1998/11/04 02:20:00 | 000,000,202 | ---- | C] () -- C:\WINDOWS\System32\Ic32.ini

========== LOP Check ==========

[2008/06/09 13:05:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autodesk
[2010/02/23 13:23:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eBay
[2007/01/18 08:45:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2009/03/27 08:01:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
[2010/02/18 10:39:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/11/06 22:07:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
[2006/12/03 13:01:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\zeon
[2008/06/17 07:42:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wetzel\Application Data\Autodesk
[2007/05/29 15:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wetzel\Application Data\Downloaded Installations
[2007/11/14 03:08:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wetzel\Application Data\eBay
[2006/11/16 09:37:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wetzel\Application Data\Leadertech
[2006/12/06 07:13:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wetzel\Application Data\ScanSoft
[2007/11/26 11:53:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wetzel\Application Data\Snapfish
[2010/02/26 13:37:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wetzel\Application Data\Wave Systems Corp
[2007/11/06 14:18:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wetzel\Application Data\WholeSecurity
[2006/12/04 09:18:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wetzel\Application Data\Zeon

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2010/02/26 13:29:15 | 000,412,056 | ---- | M] () -- C:\HelpAsst_mebroot_fix.exe
[2010/02/26 13:28:00 | 000,077,312 | ---- | M] () -- C:\mbr.exe


< MD5 for: AGP440.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/02/27 14:14:45 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/02/27 14:14:45 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/02/27 14:14:45 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/02/27 14:14:45 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 18:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 18:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 05:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll
[2004/08/04 05:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2006/04/26 05:23:52 | 000,250,880 | ---- | M] (Intel Corporation) MD5=1C77A81756D4777CCB0425AE8107FE96 -- C:\drivers\storage\SATA\onboard\iastor.sys
[2006/04/26 05:23:52 | 000,250,880 | ---- | M] (Intel Corporation) MD5=1C77A81756D4777CCB0425AE8107FE96 -- C:\i386\iaStor.sys
[2006/04/26 05:23:52 | 000,250,880 | ---- | M] (Intel Corporation) MD5=1C77A81756D4777CCB0425AE8107FE96 -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 18:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 18:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll
[2004/08/04 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 05:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll
[2004/08/04 05:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 18:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 18:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/08/11 17:06:14 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/08/11 17:06:14 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/08/11 17:06:14 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >

3B. OTL Extras.txt Log

OTL Extras logfile created on: 2/26/2010 1:37:53 PM - Run 1
OTL by OldTimer - Version 3.1.30.3 Folder = C:\Documents and Settings\Wetzel\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 500.00 Mb Available Physical Memory | 49.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.45 Gb Total Space | 50.68 Gb Free Space | 68.07% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DONNA2
Current User Name: Wetzel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.reg [@ = regfile] --

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [open] --
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"1649:TCP" = 1649:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"1649:TCP" = 1649:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" = C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe:*:Enabled:Managed Services Agent -- (McAfee, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager -- (Intuit, Inc.)
"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" = C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe:*:Enabled:McAfee Managed Services Agent -- (McAfee, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{071B9AFA-EBE8-4ABF-8F4A-9F92612F517E}" = Broadcom ASF Management Applications
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{07D618CD-B016-438A-ADC9-A75BD23F85CE}" = Wave Support Software
"{0B0A2153-58A6-4244-B458-25EDF5FCD809}" = Private Information Manager
"{0BA2A0BA-7F4D-4B7B-AE94-5F0233AC8A5A}" = NTRU Hybrid TSS v2.0.25
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{26E1BFB0-E87E-4696-9F89-B467F01F81E5}" = Broadcom Advanced Control Suite
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
"{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}" = Google Earth
"{448E2D77-E504-4221-B2C2-93646B344729}" = Mouse Suite for Desktop Computers
"{4F5CE18C-D97D-48FF-A510-A0D90C918294}" = iTunes
"{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2}" = Document Manager Lite
"{5545EEE1-FA36-4F76-B6BE-5696E7F4E2D6}" = VBA (2627.01)
"{5783F2D7-0065-0409-0000-0060B0CE6BBA}" = AutoCAD LT 2000i
"{5783F2D7-6001-0409-0002-0060B0CE6BBA}" = AutoCAD 2008 - English
"{63B8997E-EB2D-41D3-984C-C44D6D67A571}" = ArcSoft PhotoStudio 5.5
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.7
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69B02159-7624-4DBB-B9EE-F933039830AD}" = QuickBooks Premier Edition 2006
"{71C97545-E547-4A8B-B0C8-61FF853270AC}" = PaperPort
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{72FECEA1-E87F-4192-89FA-D0FBF92885BB}" = ETS Upgrade
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{8215AC14-BFC2-4ECC-96D6-1030202F8BDF}" = Visual C++ 8.0 x86 Runtime Setup Package
"{8CE90089-DCC9-4393-A535-802072333C35}" = Preboot Manager
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel Matrix Storage Manager
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9211CCBB-BEFE-4A0C-9199-D7A535DBFE5F}" = Brother MFL-Pro Suite
"{9763E36A-08E9-4228-BBCE-12989A4EB1A8}" = QuickTime
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{ABBA2EA4-740E-4052-902B-9CA70B081E3F}" = Dell Embassy Trust Suite by Wave Systems
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B5C209B1-8DDB-4642-A573-375B951514CB}" = Apple Mobile Device Support
"{B909BA86-4494-4778-BD8B-0AC060D650E4}" = ScanSoft PDF Professional 4
"{BBD6BA59-4593-43CC-BBC8-8E53D354AEA4}" = Atmel TPM Driver Installer 3.0.3.15
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1E829E9-88B8-47C6-A75E-0D40E2C09D50}" = Secure Update
"{D564B5E2-CCB5-4A5C-B35E-2FC30BBC9336}" = Adobe Premiere Elements 7.0
"{D648B20B-A789-407E-8CA4-9BDDBBE342C8}" = upekmsi
"{DD41AC25-61B2-4FC9-90AA-672F32139AC3}" = ETS Launch Pad
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4}" = Security Wizards
"{EEAFE1E5-076B-430A-96D9-B567792AFA88}" = EMBASSY Security Center
"{F1802FA6-54E9-4B24-BD2A-B50866819795}" = EMBASSY Trust Suite by Wave Systems
"{F2B8F8EE-4811-4A28-9305-6640CD007115}" = Wave Infrastructure Installer
"{F6234880-85BE-4DCB-8A45-1FF85A1A8552}" = SmartSound Quicktracks for Premiere Elements
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AnswerWorks" = AnswerWorks Runtime
"AutoCAD 2008 - English" = AutoCAD 2008 - English
"AXIS Media Control" = AXIS Media Control
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CSCLIB" = Canon Camera Support Core Library
"EOS Utility" = Canon Utilities EOS Utility
"Google Desktop" = Google Desktop
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{07D618CD-B016-438A-ADC9-A75BD23F85CE}" = Wave Support Software
"InstallShield_{0B0A2153-58A6-4244-B458-25EDF5FCD809}" = Private Information Manager
"InstallShield_{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2}" = Document Manager Lite
"InstallShield_{72FECEA1-E87F-4192-89FA-D0FBF92885BB}" = ETS Upgrade
"InstallShield_{D1E829E9-88B8-47C6-A75E-0D40E2C09D50}" = Secure Update
"InstallShield_{DD41AC25-61B2-4FC9-90AA-672F32139AC3}" = ETS Launch Pad
"InstallShield_{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4}" = Security Wizards
"InstallShield_{EEAFE1E5-076B-430A-96D9-B567792AFA88}" = EMBASSY Security Center
"InstallShield_{F6234880-85BE-4DCB-8A45-1FF85A1A8552}" = SmartSound Quicktracks for Premiere Elements
"Lexmark Z700-P700 Series" = Lexmark Z700-P700 Series
"MadgeTech 2.00.63" = MadgeTech 2.00.63
"McAfee Managed Firewall" = McAfee Firewall Protection Service
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"MVS" = McAfee Virus and Spyware Protection Service
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PhotoStitch" = Canon Utilities PhotoStitch
"PremElem70" = Adobe Premiere Elements 7.0
"Rating Instrument" = Rating Instrument 1.3.5
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"Registry Patrol" = Registry Patrol
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"SearchAssist" = SearchAssist
"SoftOrbits Flash Drive Recovery_is1" = SoftOrbits Flash Drive Recovery 1.2
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ResultsWare Taskline" = Taskline Outlook® Task Scheduler

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/26/2010 3:10:29 PM | Computer Name = DONNA2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 2/26/2010 3:10:29 PM | Computer Name = DONNA2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 2/26/2010 3:10:29 PM | Computer Name = DONNA2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 2/26/2010 3:10:29 PM | Computer Name = DONNA2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 2/26/2010 3:10:34 PM | Computer Name = DONNA2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 2/26/2010 3:10:34 PM | Computer Name = DONNA2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 2/26/2010 3:10:34 PM | Computer Name = DONNA2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 2/26/2010 3:10:34 PM | Computer Name = DONNA2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 2/26/2010 3:10:34 PM | Computer Name = DONNA2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 2/26/2010 3:10:34 PM | Computer Name = DONNA2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

[ System Events ]
Error - 2/23/2010 3:13:03 PM | Computer Name = DONNA2 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
Service service to connect.

Error - 2/23/2010 3:13:11 PM | Computer Name = DONNA2 | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053

Error - 2/23/2010 3:28:54 PM | Computer Name = DONNA2 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM
Service service to connect.

Error - 2/23/2010 3:28:54 PM | Computer Name = DONNA2 | Source = Service Control Manager | ID = 7000
Description = The IMAPI CD-Burning COM Service service failed to start due to the
following error: %%1053

Error - 2/23/2010 4:18:31 PM | Computer Name = DONNA2 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
Service service to connect.

Error - 2/23/2010 4:18:31 PM | Computer Name = DONNA2 | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053

Error - 2/23/2010 4:30:11 PM | Computer Name = DONNA2 | Source = BROWSER | ID = 8032
Description = The browser service has failed to retrieve the backup list too many
times on transport \Device\NetBT_Tcpip_{372342A1-8764-4659-A497-8B545A9D04F2}. The
backup browser is stopping.

Error - 2/23/2010 6:15:29 PM | Computer Name = DONNA2 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the AudioSrv service.

Error - 2/26/2010 3:11:10 PM | Computer Name = DONNA2 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
Service service to connect.

Error - 2/26/2010 3:11:11 PM | Computer Name = DONNA2 | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053


< End of report >

Looking forward to your response!!
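
The firewall-policy and Security Center entries in the OTL log above are the part of that dump a responder reads first: DomainProfile has EnableFirewall = 0, four high TCP ports (65533, 52344, 2479, 1649) labelled only "Services" plus 3389/TCP (Remote Desktop) are open to every address in both profiles, and Security Center has stopped monitoring the McAfee antivirus and firewall. The script below is added here as an example; it is not part of the thread and not an OTL feature. It parses those sections and lists the entries worth questioning. SAMPLE is a subset copied from the log above; EXPECTED_PORTS, Finding and triage() are my own assumptions about what counts as suspicious.

```python
"""Triage the firewall-policy and Security Center entries of an OTL 'Extra' log.

Added example: not part of the thread and not an OTL feature. SAMPLE is a
subset copied from the OTL log above; EXPECTED_PORTS, Finding and triage()
encode my own assumptions about what deserves a second look.
"""
import re
from dataclasses import dataclass

# Ports XP opens itself for file/printer sharing and UPnP. XP's own exception
# scopes them to LocalSubNet (see the StandardProfile entries in the log), so
# one of these open to '*' is itself worth a note.
EXPECTED_PORTS = {("139", "TCP"), ("445", "TCP"), ("137", "UDP"),
                  ("138", "UDP"), ("1900", "UDP"), ("2869", "TCP")}

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')       # [HKEY_...\Key] header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')   # "name" = value


@dataclass
class Finding:
    key: str      # registry key the entry lives under
    detail: str   # why it was flagged


def parse_registry_dump(text):
    """Yield (key, name, value) for every "name" = value line under a [key] header."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current:
            yield current, m.group(1), m.group(2).strip()


def triage(text):
    """Return the entries a responder should question, in log order."""
    findings = []
    for key, name, value in parse_registry_dump(text):
        leaf = key.rsplit("\\", 1)[-1]
        if name == "EnableFirewall" and value == "0":
            findings.append(Finding(key, "firewall disabled for this profile"))
        elif name == "DisableMonitoring" and value == "1":
            findings.append(Finding(key, f"Security Center no longer watches {leaf}"))
        elif leaf == "List" and "GloballyOpenPorts" in key:
            # value looks like  3389:TCP:*:Enabled:Remote Desktop
            parts = value.split(":", 4)
            if len(parts) < 5 or parts[3] != "Enabled":
                continue
            port, proto, scope, label = parts[0], parts[1], parts[2], parts[4]
            if scope != "*":
                continue  # LocalSubNet-scoped entries are the XP default
            if (port, proto) in EXPECTED_PORTS:
                findings.append(Finding(key, f"{port}/{proto} LAN service open to every address"))
            else:
                findings.append(Finding(key, f"{port}/{proto} open to every address, labelled '{label}'"))
    return findings


# Subset of the OTL log posted above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"2479:TCP" = 2479:TCP:*:Enabled:Services
"1649:TCP" = 1649:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.detail}\n    under {f.key}")
```

DomainProfile only applies while the machine is joined to a domain, so whether its disabled firewall matters depends on the network this workstation sits on; the StandardProfile exceptions are the ones in force on a stand-alone PC. The log does not say which process listens on the four high ports; that is a question for netstat or the process list, not for this dump.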



#5 sempai
  • Malware Response Team
  • 5,288 posts

Posted 27 February 2010 - 07:13 AM

Hi,

Thanks for clarifying things for me. Some issues I need to point out before we continue:

First: I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player



Second: You are using Registry Patrol...
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
*Registry tools can cause irreparable damage to your Operating System
*Registry tools can, as a result of the above, render your PC inoperable.

This is done assuming that the main audience here at this board might be inexperienced users, and is thus a suggested safeguard from our side.

Cleaning the registry won't really improve system performance, even though there are a lot of orphaned keys.
IMHO, if registry cleaning was required, then Microsoft would have added this option. So you use registry tools at your own risk. After all, a corrupted registry is a corrupted Windows.

Registry Cleaners and System Tweaking Tools


Also please read this topic about Registry Patrol --> click HERE.


++++++++++++++++++++

Now let's continue. An MBR rootkit is present, so please follow the instructions in the order I have posted them...


1. Click Start > Run > then copy/paste the text below > Press Enter.
c:\mbr -f
  • A logfile (mbr.log) will be created on your screen (or find it at C:\mbr.log); post that log when you reply.
  • Please restart your computer immediately.



2. Please download TDSSKiller.zip and save it to your desktop.
  • Extract the zip file to your desktop (Right click on the file and choose extract all).
  • Double-Click (Run as administrator for Vista) TDSSKiller.exe to run it.
  • When it has finished, press any key to continue (let it reboot if needed).
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log.



3. Please download Profiles by noahdfear.
  • Save it to your desktop.
  • Double-click profiles.exe and post its log when you reply.



4. Now please run this batch file.
  • Please copy the contents of the code box below, open notepad and paste it there.
  • On the top toolbar in notepad select file, then save as. In the box that opens type in help.bat for the file name.
  • Right below that click the down arrow in the line for "save as" and select all files.
  • Save this to your desktop and close notepad.
  • Locate the help.bat icon on your desktop and double click it.
  • A notepad will pop up. Copy the contents of the notepad and post it on your next reply.
CODE
@echo off
REM Write the HelpAssistant account details to log.txt on the desktop, then open it.
REM 2>&1 keeps any error from "net user" (for example an unknown account name)
REM in the log instead of losing it when the console window closes.
net user HelpAssistant>"%userprofile%\desktop\log.txt" 2>&1
start notepad "%userprofile%\desktop\log.txt"
cls




~Semp

Edited by sempai, 27 February 2010 - 07:59 AM.

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#6 Kendall 9711
  • Topic Starter
  • Members
  • 14 posts

Posted 01 March 2010 - 11:32 AM

Hi Semp -

Sorry about the delay in responding. I was out of the office this weekend. Thanks so much for your explicit instructions. They sure help!!

Logs as requested -

1.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\iaStor -> 0x85fe3598
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x860a8330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !


2.

09:27:17:328 1480 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25

09:27:17:328 1480 ================================================================================
09:27:17:328 1480 SystemInfo:

09:27:17:328 1480 OS Version: 5.1.2600 ServicePack: 3.0
09:27:17:328 1480 Product type: Workstation
09:27:17:328 1480 ComputerName: DONNA2
09:27:17:328 1480 UserName: Wetzel
09:27:17:328 1480 Windows directory: C:\WINDOWS
09:27:17:328 1480 Processor architecture: Intel x86
09:27:17:328 1480 Number of processors: 2
09:27:17:328 1480 Page size: 0x1000
09:27:17:328 1480 Boot type: Normal boot
09:27:17:328 1480 ================================================================================
09:27:17:328 1480 UnloadDriverW: NtUnloadDriver error 2
09:27:17:328 1480 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
09:27:17:406 1480 Initialize success
09:27:17:406 1480
09:27:17:406 1480 Scanning Services ...
09:27:17:406 1480 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
09:27:17:406 1480 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:27:17:406 1480 wfopen_ex: Trying to KLMD file open
09:27:17:406 1480 wfopen_ex: File opened ok (Flags 2)
09:27:17:406 1480 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
09:27:17:406 1480 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:27:17:406 1480 wfopen_ex: Trying to KLMD file open
09:27:17:406 1480 wfopen_ex: File opened ok (Flags 2)
09:27:17:828 1480 GetAdvancedServicesInfo: Raw services enum returned 354 services
09:27:17:828 1480 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
09:27:17:828 1480 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
09:27:17:828 1480
09:27:17:828 1480 Scanning Kernel memory ...
09:27:17:828 1480 Devices to scan: 3
09:27:17:828 1480
09:27:17:828 1480 Driver Name: Disk
09:27:17:828 1480 IRP_MJ_CREATE : F7518BB0
09:27:17:828 1480 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
09:27:17:828 1480 IRP_MJ_CLOSE : F7518BB0
09:27:17:828 1480 IRP_MJ_READ : F7512D1F
09:27:17:828 1480 IRP_MJ_WRITE : F7512D1F
09:27:17:828 1480 IRP_MJ_QUERY_INFORMATION : 804F4562
09:27:17:828 1480 IRP_MJ_SET_INFORMATION : 804F4562
09:27:17:828 1480 IRP_MJ_QUERY_EA : 804F4562
09:27:17:828 1480 IRP_MJ_SET_EA : 804F4562
09:27:17:828 1480 IRP_MJ_FLUSH_BUFFERS : F75132E2
09:27:17:828 1480 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
09:27:17:828 1480 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
09:27:17:828 1480 IRP_MJ_DIRECTORY_CONTROL : 804F4562
09:27:17:828 1480 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
09:27:17:828 1480 IRP_MJ_DEVICE_CONTROL : F75133BB
09:27:17:828 1480 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7516F28
09:27:17:828 1480 IRP_MJ_SHUTDOWN : F75132E2
09:27:17:828 1480 IRP_MJ_LOCK_CONTROL : 804F4562
09:27:17:828 1480 IRP_MJ_CLEANUP : 804F4562
09:27:17:828 1480 IRP_MJ_CREATE_MAILSLOT : 804F4562
09:27:17:828 1480 IRP_MJ_QUERY_SECURITY : 804F4562
09:27:17:828 1480 IRP_MJ_SET_SECURITY : 804F4562
09:27:17:828 1480 IRP_MJ_POWER : F7514C82
09:27:17:828 1480 IRP_MJ_SYSTEM_CONTROL : F751999E
09:27:17:828 1480 IRP_MJ_DEVICE_CHANGE : 804F4562
09:27:17:828 1480 IRP_MJ_QUERY_QUOTA : 804F4562
09:27:17:828 1480 IRP_MJ_SET_QUOTA : 804F4562
09:27:17:828 1480 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
09:27:17:828 1480 sion
09:27:17:828 1480 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
09:27:17:828 1480
09:27:17:828 1480 Driver Name: Disk
09:27:17:828 1480 IRP_MJ_CREATE : F7518BB0
09:27:17:828 1480 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
09:27:17:828 1480 IRP_MJ_CLOSE : F7518BB0
09:27:17:828 1480 IRP_MJ_READ : F7512D1F
09:27:17:828 1480 IRP_MJ_WRITE : F7512D1F
09:27:17:828 1480 IRP_MJ_QUERY_INFORMATION : 804F4562
09:27:17:828 1480 IRP_MJ_SET_INFORMATION : 804F4562
09:27:17:828 1480 IRP_MJ_QUERY_EA : 804F4562
09:27:17:828 1480 IRP_MJ_SET_EA : 804F4562
09:27:17:828 1480 IRP_MJ_FLUSH_BUFFERS : F75132E2
09:27:17:828 1480 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
09:27:17:828 1480 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
09:27:17:828 1480 IRP_MJ_DIRECTORY_CONTROL : 804F4562
09:27:17:828 1480 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
09:27:17:828 1480 IRP_MJ_DEVICE_CONTROL : F75133BB
09:27:17:828 1480 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7516F28
09:27:17:828 1480 IRP_MJ_SHUTDOWN : F75132E2
09:27:17:828 1480 IRP_MJ_LOCK_CONTROL : 804F4562
09:27:17:828 1480 IRP_MJ_CLEANUP : 804F4562
09:27:17:828 1480 IRP_MJ_CREATE_MAILSLOT : 804F4562
09:27:17:828 1480 IRP_MJ_QUERY_SECURITY : 804F4562
09:27:17:828 1480 IRP_MJ_SET_SECURITY : 804F4562
09:27:17:828 1480 IRP_MJ_POWER : F7514C82
09:27:17:828 1480 IRP_MJ_SYSTEM_CONTROL : F751999E
09:27:17:828 1480 IRP_MJ_DEVICE_CHANGE : 804F4562
09:27:17:828 1480 IRP_MJ_QUERY_QUOTA : 804F4562
09:27:17:828 1480 IRP_MJ_SET_QUOTA : 804F4562
09:27:17:828 1480 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
09:27:17:828 1480 sion
09:27:17:843 1480 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
09:27:17:843 1480
09:27:17:843 1480 Driver Name: iaStor
09:27:17:843 1480 IRP_MJ_CREATE : F7279F9E
09:27:17:843 1480 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
09:27:17:843 1480 IRP_MJ_CLOSE : F7279F9E
09:27:17:843 1480 IRP_MJ_READ : 804F4562
09:27:17:843 1480 IRP_MJ_WRITE : 804F4562
09:27:17:843 1480 IRP_MJ_QUERY_INFORMATION : 804F4562
09:27:17:843 1480 IRP_MJ_SET_INFORMATION : 804F4562
09:27:17:843 1480 IRP_MJ_QUERY_EA : 804F4562
09:27:17:843 1480 IRP_MJ_SET_EA : 804F4562
09:27:17:843 1480 IRP_MJ_FLUSH_BUFFERS : 804F4562
09:27:17:843 1480 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
09:27:17:843 1480 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
09:27:17:843 1480 IRP_MJ_DIRECTORY_CONTROL : 804F4562
09:27:17:843 1480 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
09:27:17:843 1480 IRP_MJ_DEVICE_CONTROL : F727DC7C
09:27:17:843 1480 IRP_MJ_INTERNAL_DEVICE_CONTROL : 86501E38
09:27:17:843 1480 IRP_MJ_SHUTDOWN : 804F4562
09:27:17:843 1480 IRP_MJ_LOCK_CONTROL : 804F4562
09:27:17:843 1480 IRP_MJ_CLEANUP : 804F4562
09:27:17:843 1480 IRP_MJ_CREATE_MAILSLOT : 804F4562
09:27:17:843 1480 IRP_MJ_QUERY_SECURITY : 804F4562
09:27:17:843 1480 IRP_MJ_SET_SECURITY : 804F4562
09:27:17:843 1480 IRP_MJ_POWER : F7282BC8
09:27:17:843 1480 IRP_MJ_SYSTEM_CONTROL : F7282D28
09:27:17:843 1480 IRP_MJ_DEVICE_CHANGE : 804F4562
09:27:17:843 1480 IRP_MJ_QUERY_QUOTA : 804F4562
09:27:17:843 1480 IRP_MJ_SET_QUOTA : 804F4562
09:27:17:843 1480 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
09:27:17:843 1480 sion
09:27:17:859 1480 C:\WINDOWS\system32\drivers\iaStor.sys - Verdict: Clean
09:27:17:859 1480
09:27:17:859 1480 Completed
09:27:17:859 1480
09:27:17:859 1480 Results:
09:27:17:859 1480 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
09:27:17:859 1480 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
09:27:17:859 1480 File objects infected / cured / cured on reboot: 0 / 0 / 0
09:27:17:859 1480
09:27:17:859 1480 KLMD(ARK) unloaded successfully

3.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2214100531-1791001368-3453408930-1005
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2214100531-1791001368-3453408930-1006
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Wetzel

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2214100531-1791001368-3453408930-1007
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\McAfeeMVSUser

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2214100531-1791001368-3453408930-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator

SystemRoot REG_SZ C:\WINDOWS

4.

Problems with this run. Icon is on desktop, double clicked it and saw a quick flash of a black screen; notepad did not pop up. Ran a search of files modified today. Attached is a screen print of the files that were modified from the time that help.bat was copied to the desktop and a few minutes after. There are a few .log and one .txt file but am not sure what, if any, you may need me to open and paste the contents of. Note: I hope the file is attached as I cannot see it when I previewed this message prior to sending. I can manually type those in if you need them in a response if, in fact, the attachment is not included in this message.


Viewpoint: I was pretty sure that this was uninstalled prior to posting to this forum. It does not show in the Add/Remove Programs list. Did find a folder icon with one file and deleted those.

Registry Cleaner: Thanks for the great information. I am passing that along to the owner of the company as he was the one who had me install it on the computer just prior to posting to the forum.

Semp - I have been just clicking the "ADDREPLY" button. Is it your preference that I reply directly to your specific post, or, should I continue as my previous posts? Tnx again !

Attached Files


Edited by Kendall 9711, 01 March 2010 - 04:28 PM.
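
The profiles log above shows HelpAssistant owning a real profile folder (S-1-5-21-...-1005 with ProfileImagePath %SystemDrive%\Documents and Settings\HelpAssistant) next to the actual user Wetzel. On XP that Remote Assistance account is disabled unless a Remote Assistance session is in progress, so a standing profile folder for it is unusual, which is why the help.bat in the previous post was meant to capture `net user HelpAssistant` so that the account state could be read beside the ProfileList. The script below is added as an example and is not part of the thread or of noahdfear's tools; it parses both outputs and states the findings. PROFILE_SAMPLE is copied from the log above. NET_USER_SAMPLE is constructed in the layout `net user <name>` prints on XP, because the real output never made it into the thread; its "Yes" and logon date are invented. WATCH_ACCOUNTS and the rules in triage() are my own assumptions.

```python
"""Cross-check a ProfileList dump against 'net user HelpAssistant' output.

Added example: not part of the thread or of noahdfear's tools. PROFILE_SAMPLE
is copied from the profiles log above. NET_USER_SAMPLE is constructed (the
real output never reached the thread); its 'Yes' and logon date are invented.
WATCH_ACCOUNTS and the rules in triage() are my own assumptions.
"""
import re

SID_RE = re.compile(r'ProfileList\\(S-1-5-[\d-]+)\s*$')   # ...\ProfileList\<SID>
PATH_RE = re.compile(r'^\s*ProfileImagePath\s+REG_EXPAND_SZ\s+(.+?)\s*$')

# Built-in Remote Assistance account. It is disabled unless a session is in
# progress, so a standing profile folder under Documents and Settings, an
# enabled state, or a recorded logon each deserve an explanation (assumption).
WATCH_ACCOUNTS = {"helpassistant"}


def parse_profile_list(text):
    """Map each SID in a ProfileList dump to its ProfileImagePath."""
    profiles, sid = {}, None
    for line in text.splitlines():
        m = SID_RE.search(line)
        if m:
            sid = m.group(1)
            continue
        m = PATH_RE.match(line)
        if m and sid:
            profiles[sid] = m.group(1)
            sid = None
    return profiles


def parse_net_user(text):
    """Turn two-column 'net user <name>' output into a dict; bare labels are skipped."""
    fields = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2:
            fields[parts[0]] = parts[1]
    return fields


def triage(profile_text, net_user_text):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    for sid, path in parse_profile_list(profile_text).items():
        name = path.rsplit("\\", 1)[-1]
        if name.lower() in WATCH_ACCOUNTS:
            findings.append(f"profile folder {path} exists for {name} (SID {sid})")
    acct = parse_net_user(net_user_text)
    user = acct.get("User name", "?")
    if acct.get("Account active", "").lower() == "yes":
        findings.append(f"{user} account is enabled")
    if acct.get("Last logon", "Never").lower() != "never":
        findings.append(f"{user} last logged on {acct['Last logon']}")
    return findings


# Copied from the profiles.exe output posted above (subset).
PROFILE_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2214100531-1791001368-3453408930-1005
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2214100531-1791001368-3453408930-1006
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Wetzel

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2214100531-1791001368-3453408930-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator
"""

# Constructed for this example; the real 'net user' output was not posted.
NET_USER_SAMPLE = """
User name                    HelpAssistant
Full Name                    Remote Desktop Help Assistant Account
Comment                      Account for Providing Remote Assistance
User's comment
Account active               Yes
Last logon                   2/26/2010 3:05 PM
Local Group Memberships      *Users
The command completed successfully.
"""

if __name__ == "__main__":
    for line in triage(PROFILE_SAMPLE, NET_USER_SAMPLE) or ["nothing stood out"]:
        print(line)
```

The same parsing works on the output of look.bat in the next post; paste the contents of log.txt in place of NET_USER_SAMPLE. A result of "Account active No" with "Last logon Never" alongside the profile folder narrows the question to how that folder came to exist, which is what the HelpAsst_mebroot_fix tool the helper recommends is aimed at.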


#7 sempai
  • Malware Response Team
  • 5,288 posts

Posted 02 March 2010 - 10:33 AM

Hi there,

QUOTE
Semp - I have been just clicking the "ADDREPLY" button. Is it your preference that I reply directly to your specific post, or, should I continue as my previous posts?

Just reply directly to my post.


+++++++++++++++++++


1. Please do the following...
  • First, copy/paste (not cut and paste) the mbr.exe that you saved in the Root directory (C:\) to the C:\WINDOWS folder.
  • Second, go to Start >Run > then copy/paste the text below > Press Enter
    C:\WINDOWS\mbr -f
  • Third, a logfile (mbr.log) will be created on your screen (or find it at C:\Windows\mbr.log), Please post that log when you reply.
  • Please reboot immediately.



2. Click Start > Run > then copy/paste the text below > Press Enter.
c:\mbr -t
  • A logfile (mbr.log) will be created on your screen (or find it at C:\mbr.log), post that log when you reply.



3. IMPORTANT! - Please delete the old copy of HelpAsst_mebroot_fix.exe on your desktop that you have downloaded earlier.
Now, please do the following...
Download and save HelpAsst_mebroot_fix.exe
Double click (Run as administrator for Vista) to run the tool then tell me how it went.



4. Please copy the contents of the code box below, open notepad and paste it there (Do not include the word Code).
  • On the top toolbar in notepad select file, then save as. In the box that opens type in look.bat for the file name.
  • Right below that click the down arrow in the line for "save as" and select all files.
  • Save this to your desktop and close notepad.
  • Locate the look.bat icon on your desktop and double click it.
  • A notepad will pop up. Copy the contents of the notepad and post it on your next reply.

CODE
@echo off
net user HelpAssistant>"%userprofile%\desktop\log.txt"
start notepad "%userprofile%\desktop\log.txt"
cls




5. We need to download and run ComboFix (by sUBs)
Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note**:
*If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.


Warning!
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper. *** If you are not the topic starter DO NOT run this tool as it could cause irreversible damage to your computer.


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix




The logs I need to see when you reply are:
  1. 2 mbr logs (Step 1 & 2)
  2. Log of the new HelpAsst_mebroot_fix.exe (Step 3)
  3. The result of look.bat (Step 4)
  4. C:\ComboFix.txt (Step 5)


~Semp









You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#8 Kendall 9711


Posted 02 March 2010 - 12:30 PM

Hi Semp -

Sorry for being redundant but appreciate your reply.

As requested:

1.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\iaStor -> 0x85fc8240
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x860d1330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

2.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\iaStor -> 0x85fd0d00
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x860c0330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

3. Message received after running:

HelpAssistant Removed
Press Any Key To Continue

4. Computer froze up; had to unplug before continuing with this step.

When I double clicked on the desktop icon only saw a quick blip of the black screen again and notepad did not pop up. Tried again and the blip is so fast it is barely a glimpse. The only thing I can see is the top bar and am fairly certain it reads: C:\Windows\System32\cmd.exe. Sorry that is it. Did a search again of all the files but only saw files modified or created similar to the screen print I attached yesterday.

5. Would you like for me to proceed with this step now?

Thank you.


#9 sempai


Posted 02 March 2010 - 05:32 PM

Hi,


1. Click Start > Run > copy/paste the bolded text below > hit Enter. A log file should open, post the contents for me please.
%userprofile%\desktop\log.txt



2. We need to check for Rootkits with RootRepeal
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Open on your desktop.
  3. Click the tab.
  4. Click the button.
  5. Check all seven boxes:
  6. Push Ok
  7. Check the box for your main system drive (Usually C:), and press Ok.
  8. Allow RootRepeal to run a scan of your system. This may take some time.
  9. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply.



3. Please proceed with ComboFix (Step 5 of my previous post).


~Semp



#10 Kendall 9711


Posted 02 March 2010 - 06:23 PM

Semp -

1. Cannot run; message received when trying to run:

Windows cannot find "C:\Documents". Make sure you typed the name correctly and try again. To search for a file click the start button and then click search.

Computer is really acting funky now. I have been connecting the line for internet access from the infected computer only when I have been instructed to download programs and/or copy/paste dialog. I immediately disconnect even before running anything and only reconnect to our server to post any logs to our shared drive.

Did notice another HelpAssistant file that has a creation time of exactly when I was on the internet to copy/paste the user profile run.

Let me know if I should proceed with the other items.

Appreciate your patience with this.....

What are your thoughts if I was to save any programs and/or copy/paste instructions to a flash drive so I do not keep running the risk of the HelpAssistant folder constantly reappearing?

Edited by Kendall 9711, 02 March 2010 - 07:18 PM.


#11 sempai


Posted 03 March 2010 - 09:30 AM

Hi, please do ALL my instructions. I instructed you to do them because I'm planning to use them just in case some fix won't work.

Yes, you can use a flash drive to transfer tools.... please make sure to do all the following instructions.


1. Do this on the clean computer that you're planning to use.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.



2. Please run HelpAsst_mebroot_fix.exe again by double clicking on it. Then...

Click Start > Run > then copy/paste the text below > Press Enter.
C:\mbr.exe -f
  • A logfile (mbr.log) will be created on your screen (or find it at C:\mbr.log), post that log when you reply.
  • Please restart your computer immediately.




3. We need to download and run ComboFix (by sUBs)
Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note**:
*If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.


Warning!
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper. *** If you are not the topic starter DO NOT run this tool as it could cause irreversible damage to your computer.


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Edited by sempai, 03 March 2010 - 09:36 AM.



#12 Kendall 9711


Posted 04 March 2010 - 12:33 PM

Hi Semp -

Thanks for clarifying that I should do all the steps requested....my apologies for not doing so. Promise to be on track now.

2.
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\iaStor -> 0x865fbf30
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x86075330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !


3.

ComboFix 10-03-03.03 - Wetzel 03/04/2010 10:01:42.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.539 [GMT -6:00]
Running from: c:\documents and settings\Wetzel\Desktop\ComboFix.exe
AV: Total Protection Service *On-access scanning disabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}
FW: Total Protection Service *enabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bszip.dll
c:\windows\system32\fscd.txt
c:\windows\system32\idm.txt
c:\windows\system32\lkd.txt
c:\windows\system32\qs.txt
c:\windows\system32\Vb40032.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))
.

2010-03-03 21:54 . 2010-03-03 21:46 412056 ----a-w- c:\windows\HelpAsst_mebroot_fix.exe
2010-03-02 22:46 . 2010-03-02 22:49 -------- d-----w- c:\documents and settings\HelpAssistant\DONNAS FOLDER
2010-03-02 22:45 . 2010-03-02 22:45 -------- d-----w- c:\documents and settings\HelpAssistant\Avatars
2010-02-26 19:28 . 2010-02-26 19:28 77312 ----a-w- C:\mbr.exe
2010-02-24 16:02 . 2010-02-24 16:02 -------- d-----w- c:\program files\Trend Micro
2010-02-24 16:01 . 2010-02-24 16:02 812344 ----a-w- c:\program files\HJTInstall.exe
2010-02-23 14:45 . 2010-02-23 14:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-02-22 17:13 . 2010-02-22 17:13 -------- d-----w- c:\documents and settings\Wetzel\Application Data\Office Genuine Advantage
2010-02-22 14:10 . 2010-02-22 14:10 -------- d-----w- c:\windows\system32\da-DK
2010-02-22 14:10 . 2010-02-22 14:10 -------- d-----w- c:\windows\system32\ar-SA
2010-02-18 19:25 . 2010-02-18 19:25 -------- d-----w- c:\windows\system32\Registry Patrol
2010-02-18 19:25 . 1999-12-17 16:13 86016 ----a-w- c:\windows\unvise32.exe
2010-02-18 19:25 . 2010-02-19 21:23 -------- d-----w- c:\program files\Registry Patrol
2010-02-18 19:25 . 2009-12-05 08:07 4868828 ----a-w- c:\program files\RegistryPatrol_Fullbeta7.exe
2010-02-17 18:58 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-17 16:55 . 2010-02-23 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\eBay
2010-02-17 14:47 . 2010-02-17 14:47 -------- d-----w- c:\documents and settings\Wetzel\Application Data\Malwarebytes
2010-02-17 14:46 . 2010-02-17 14:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-10 09:22 . 2010-02-10 09:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-02-03 20:20 . 2010-02-03 20:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-02 20:58 . 2010-02-02 20:58 -------- d-----w- c:\documents and settings\Wetzel\Local Settings\Application Data\MicroVision Applications

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 14:07 . 2006-11-16 15:31 -------- d-----w- c:\documents and settings\Wetzel\Application Data\Wave Systems Corp
2010-02-19 16:27 . 2006-11-07 04:12 -------- d-----w- c:\program files\Google
2010-02-18 19:45 . 2006-12-13 22:36 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-02-18 16:39 . 2007-02-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-02-18 16:38 . 2007-07-06 14:02 -------- d-----w- c:\program files\Enigma Software Group
2010-02-18 16:37 . 2008-03-20 09:54 -------- d-----w- c:\program files\Norton Security Scan
2010-02-17 23:35 . 2010-02-17 23:39 184590 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-02-17 18:09 . 2007-10-12 12:57 -------- d-----w- c:\program files\eBay
2010-02-17 18:09 . 2006-11-07 04:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-17 18:08 . 2007-02-19 14:23 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-08 09:28 . 2006-11-16 16:11 101504 ----a-w- c:\documents and settings\Wetzel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-08 09:08 . 2010-01-08 09:08 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-01-07 19:37 . 2010-01-07 19:37 38808920 ----a-w- c:\program files\FileFormatConverters.exe
2010-01-05 10:00 . 2004-08-11 23:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-11 23:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-11 23:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-11 23:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2004-08-11 23:11 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-15 20:29 . 2006-12-13 19:09 55304 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2009-12-15 20:29 . 2008-05-16 01:36 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-12-15 20:29 . 2006-12-13 19:09 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-12-15 20:29 . 2006-12-13 19:09 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-12-15 20:29 . 2006-12-13 19:09 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-14 07:08 . 2004-08-11 23:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-11 23:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 04:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-11 23:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-02-06 19:31 . 2009-02-06 19:31 2887208 ----a-w- c:\program files\TasklineSetp.exe
2007-05-29 21:32 . 2007-05-29 21:32 11407704 ----a-w- c:\program files\Setup_File_Print_FedEx_Kinkos.exe
2007-03-19 22:13 . 2007-03-19 22:16 9448614 ----a-w- c:\program files\MadgeTech_v2_00_63.zip
2007-03-19 22:13 . 2007-03-19 22:13 9448614 -c--a-w- c:\program files\ERTCO
2007-02-01 21:03 . 2007-02-01 21:03 2954920 ----a-w- c:\program files\vmp_full_installer.exe
2006-12-21 13:23 . 2006-12-21 13:23 58368 ----a-w- c:\program files\MFInstall.exe
2006-12-06 14:53 . 2006-12-06 14:53 140800 -c--a-w- c:\program files\Microsoft Office Install Data.doc
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-21 7204864]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-05-16 102400]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2006-04-26 143360]
"PMX Daemon"="ICO.EXE" [2006-06-09 47104]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-07 169984]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"PDF4 Registry Controller"="c:\program files\ScanSoft\PDF Professional 4.0\RegistryController.exe" [2006-10-05 46664]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"MVS Splash"="c:\program files\McAfee\Managed VirusScan\DesktopUI\XTray.exe" [2009-12-18 472384]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-11-12 995328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-1-30 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"1649:TCP"= 1649:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [3/17/2006 5:25 PM 65536]
R2 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [5/15/2008 7:36 PM 14144]
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [11/15/2006 3:34 PM 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [11/15/2006 3:34 PM 14336]
S2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [12/29/2009 4:18 PM 282824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Open with ScanSoft PDF Converter 4.0 - c:\program files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
Trusted Zone: hendrickmotorsports.com\www
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
.
- - - - ORPHANS REMOVED - - - -

ActiveSetup-{DDE03EA1-6BE6-4388-9045-F4C090909B3E} - bzhcwcio2.dll
AddRemove-MVS - c:\progra~1\McAfee\MANAGE~1\Agent\myinx



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-04 10:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x85F7FEB0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7516f28
\Driver\ACPI -> ACPI.sys @ 0xf73a9cb8
\Driver\atapi -> atapi.sys @ 0xf733b852
\Driver\iaStor -> 0x85f7feb0
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x85ec1330
PacketIndicateHandler -> NDIS.sys @ 0xf7160a0d
SendHandler -> NDIS.sys @ 0xf7174b40
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
Completion time: 2010-03-04 10:09:05
ComboFix-quarantined-files.txt 2010-03-04 16:08

Pre-Run: 53,743,964,160 bytes free
Post-Run: 53,880,799,232 bytes free

- - End Of File - - 644BCB2194CDCA48C97129C02373BB76

Note: When running ComboFix it was noted that I did not have the Microsoft Recovery Console installed. Clicked "Yes" to install it and screen showed 100% (assuming that this was the download). Computer froze up and never received the "What's next" screen indicating that the Recovery Console was successfully installed. Waited for about 1/2 hour and computer was still in the freeze mode. Unplugged and restarted computer. Opened ComboFix again and proceeded with running.

Thank you!!
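A defender-side triage helper for the two log formats in this reply, the mbr.exe report (step 2) and ComboFix's registry / firewall section (step 3). This is an added example, not code from the thread, from Gmer or from sUBs; the sample strings are copied from the logs above, and the classification rules (a bare address means the tool listed no owning module; 3389 tagged as RDP, the entry the helper's later CFScript removes) are the example's own.

```python
"""Parse the Gmer mbr.exe report and ComboFix's "Reg Loading Points" section
into a short list of findings. Added example; samples copied from the thread."""
import re
from dataclasses import dataclass

# Sample input, constructed from the mbr.exe output posted in step 2 above.
MBR_LOG = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\iaStor -> 0x865fbf30
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x86075330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
"""

# Sample input, constructed from the ComboFix registry section posted in step 3 above.
COMBOFIX_REG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"""

RDP_PORT = 3389  # the GloballyOpenPorts entry the helper's CFScript removes


@dataclass
class Hook:
    target: str      # hooked object, e.g. \Driver\iaStor or an NDIS miniport
    handler: str     # handler name when one is listed, else ""
    address: str     # where the hook points, exactly as the tool printed it
    in_module: bool  # True when printed as "module @ 0x...", False for a bare address


def parse_mbr_log(text):
    """Return (warning, mbr_consistent, hooks) from an mbr.exe report."""
    warning = "possible MBR rootkit infection" in text
    consistent = "user & kernel MBR OK" in text  # user- and kernel-mode MBR reads agree
    hooks, in_hooks = [], False
    for line in text.splitlines():
        if line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
            continue
        if not in_hooks or not line.strip():
            continue
        if " -> " not in line:
            in_hooks = False  # first line without an arrow ends the hook list
            continue
        parts = [p.strip() for p in line.split(" -> ")]
        handler = parts[1] if len(parts) == 3 else ""
        address = parts[-1]
        # A bare "0x..." means mbr.exe listed no loaded module owning that address.
        in_module = re.fullmatch(r"0x[0-9a-fA-F]+", address) is None
        hooks.append(Hook(parts[0], handler, address, in_module))
    return warning, consistent, hooks


def parse_reg_section(text):
    """Return {key: {name: value}} from ComboFix's REGEDIT4-style listing."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip()
    return keys


def firewall_findings(keys):
    """Flag a disabled firewall, globally open ports and silenced Security Center monitoring."""
    findings = []
    for key, values in keys.items():
        low, leaf = key.lower(), key.rsplit("\\", 1)[-1]
        if "firewallpolicy" in low and values.get("EnableFirewall", "").startswith("0"):
            findings.append("firewall disabled: " + key)
        if "globallyopenports" in low:
            for name, value in values.items():
                port, proto = name.split(":")
                label = value.split(":")[-1]  # "Services", "Remote Desktop", ...
                tag = " (RDP)" if int(port) == RDP_PORT else ""
                findings.append(f"open port {port}/{proto} '{label}'{tag}")
        if "security center\\monitoring" in low and values.get("DisableMonitoring", "").endswith("1"):
            findings.append("Security Center monitoring off: " + leaf)
    return findings


def triage(mbr_text, reg_text):
    """Combine both parsers into one list of findings for the helper to read."""
    warning, consistent, hooks = parse_mbr_log(mbr_text)
    out = []
    if warning:
        out.append("mbr.exe: possible MBR rootkit" + (" (MBR reads consistent)" if consistent else ""))
    for h in hooks:
        where = ("resolved to " if h.in_module else "unresolved address ") + h.address
        out.append(f"hook on {h.target}{' / ' + h.handler if h.handler else ''}: {where}")
    return out + firewall_findings(parse_reg_section(reg_text))
```

Run `triage(MBR_LOG, COMBOFIX_REG)` to get the findings as a list; feeding it a later mbr.exe run (the ComboFix-embedded one above, with hooks resolved to CLASSPNP.SYS, ACPI.sys and atapi.sys) shows how resolved and unresolved hook targets are told apart.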



#13 sempai


Posted 05 March 2010 - 07:23 AM

Hi,

QUOTE
Thanks for clarifying that I should do all the steps requested....my apologies for not doing so. Promise to be on track now.

No worries, I just want to fix the MBR rootkit as soon as possible but it seems that the tools are not working. We will try some other alternatives, please be patient.


++++++++++++++++++++++

1. Please delete your copy of HelpAsst_mebroot_fix.exe, then download and run a fresh copy.
Download and save HelpAsst_mebroot_fix.exe
Double click (Run as administrator for Vista) to run the tool then tell me how it went.



2. Disable McAfee and run CF script.
How to disable McAfee:
  • Please open McAfee Security Centre
  • Under Common Tasks click on Home
  • Click Computer Files
  • Click Configure
  • Make sure the following are disabled by ticking the "Off" button.
    Virus protection
    Spyware protection
    System Guards Protection
    Script Scanning Protection (you may have to scroll down to see it)
  • Next, select never for "When to re-enable real time scanning"
  • and click OK.
Further info on disabling and re-enabling McAfee: http://help.aol.com/help/microsites/micros...ternalID=222820



We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
MBR::

Domains::

Folder::
c:\documents and settings\All Users\Application Data\Viewpoint
c:\Documents and Settings\HelpAssistant

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP"=-


FileLook::
C:\WINDOWS\system32\drivers\iaStor.sys


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




3. Please locate and Double-click profiles.exe on your desktop. Post its log when you reply.


~Semp



#14 Kendall 9711


Posted 05 March 2010 - 11:44 AM

Happy Friday-

1.
Ran fine. Screen blip indicated that folders would be deleted upon reboot. Rebooted computer as it was not responding and observed that there are 2 HelpAssistant folders. The server/internet line was disconnected before and after running this.


2.
To the best of my ability McAfee was disabled. Unfortunately, the infected computer has the "Total Protection Service" version of McAfee; the screens that appear are much different from any disabling instructions I have researched online. I disabled the scanning and the firewall and also stopped about 5 running processes from the Task Bar, all McAfee related. I hope I got them all.

ComboFix 10-03-03.03 - Wetzel 03/05/2010 10:01:14.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.565 [GMT -6:00]
Running from: c:\documents and settings\Wetzel\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Wetzel\Desktop\CFScript.txt
AV: Total Protection Service *On-access scanning disabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}
FW: Total Protection Service *enabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Viewpoint

.
((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
.

2010-03-05 15:14 . 2010-03-05 14:20 412056 ----a-w- c:\windows\HelpAsst_mebroot_fix.exe
2010-03-04 17:07 . 2010-03-05 15:25 -------- d-----w- c:\documents and settings\HelpAssistant.DONNA2
2010-03-02 22:46 . 2010-03-02 22:49 -------- d-----w- c:\documents and settings\HelpAssistant\DONNAS FOLDER
2010-03-02 22:45 . 2010-03-02 22:45 -------- d-----w- c:\documents and settings\HelpAssistant\Avatars
2010-02-26 19:28 . 2010-02-26 19:28 77312 ----a-w- C:\mbr.exe
2010-02-24 16:02 . 2010-02-24 16:02 -------- d-----w- c:\program files\Trend Micro
2010-02-24 16:01 . 2010-02-24 16:02 812344 ----a-w- c:\program files\HJTInstall.exe
2010-02-23 14:45 . 2010-02-23 14:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-02-22 17:13 . 2010-02-22 17:13 -------- d-----w- c:\documents and settings\Wetzel\Application Data\Office Genuine Advantage
2010-02-22 14:10 . 2010-02-22 14:10 -------- d-----w- c:\windows\system32\da-DK
2010-02-22 14:10 . 2010-02-22 14:10 -------- d-----w- c:\windows\system32\ar-SA
2010-02-18 19:25 . 2010-02-18 19:25 -------- d-----w- c:\windows\system32\Registry Patrol
2010-02-18 19:25 . 1999-12-17 16:13 86016 ----a-w- c:\windows\unvise32.exe
2010-02-18 19:25 . 2010-02-19 21:23 -------- d-----w- c:\program files\Registry Patrol
2010-02-18 19:25 . 2009-12-05 08:07 4868828 ----a-w- c:\program files\RegistryPatrol_Fullbeta7.exe
2010-02-17 18:58 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-17 16:55 . 2010-02-23 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\eBay
2010-02-17 14:47 . 2010-02-17 14:47 -------- d-----w- c:\documents and settings\Wetzel\Application Data\Malwarebytes
2010-02-17 14:46 . 2010-02-17 14:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-10 09:22 . 2010-02-10 09:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-02-03 20:20 . 2010-02-03 20:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 14:07 . 2006-11-16 15:31 -------- d-----w- c:\documents and settings\Wetzel\Application Data\Wave Systems Corp
2010-02-19 16:27 . 2006-11-07 04:12 -------- d-----w- c:\program files\Google
2010-02-18 19:45 . 2006-12-13 22:36 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-02-18 16:38 . 2007-07-06 14:02 -------- d-----w- c:\program files\Enigma Software Group
2010-02-18 16:37 . 2008-03-20 09:54 -------- d-----w- c:\program files\Norton Security Scan
2010-02-17 23:35 . 2010-02-17 23:39 184590 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-02-17 18:09 . 2007-10-12 12:57 -------- d-----w- c:\program files\eBay
2010-02-17 18:09 . 2006-11-07 04:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-17 18:08 . 2007-02-19 14:23 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-08 09:28 . 2006-11-16 16:11 101504 ----a-w- c:\documents and settings\Wetzel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-08 09:08 . 2010-01-08 09:08 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-01-07 19:37 . 2010-01-07 19:37 38808920 ----a-w- c:\program files\FileFormatConverters.exe
2010-01-05 10:00 . 2004-08-11 23:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-11 23:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-11 23:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-11 23:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2004-08-11 23:11 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-15 20:29 . 2006-12-13 19:09 55304 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2009-12-15 20:29 . 2008-05-16 01:36 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-12-15 20:29 . 2006-12-13 19:09 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-12-15 20:29 . 2006-12-13 19:09 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-12-15 20:29 . 2006-12-13 19:09 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-14 07:08 . 2004-08-11 23:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-11 23:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 04:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-02-06 19:31 . 2009-02-06 19:31 2887208 ----a-w- c:\program files\TasklineSetp.exe
2007-05-29 21:32 . 2007-05-29 21:32 11407704 ----a-w- c:\program files\Setup_File_Print_FedEx_Kinkos.exe
2007-03-19 22:13 . 2007-03-19 22:16 9448614 ----a-w- c:\program files\MadgeTech_v2_00_63.zip
2007-03-19 22:13 . 2007-03-19 22:13 9448614 -c--a-w- c:\program files\ERTCO
2007-02-01 21:03 . 2007-02-01 21:03 2954920 ----a-w- c:\program files\vmp_full_installer.exe
2006-12-21 13:23 . 2006-12-21 13:23 58368 ----a-w- c:\program files\MFInstall.exe
2006-12-06 14:53 . 2006-12-06 14:53 140800 -c--a-w- c:\program files\Microsoft Office Install Data.doc
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\system32\drivers\iaStor.sys ---
Company: Intel Corporation
File Description: Intel Matrix Storage Manager driver
File Version: 5.7.2.1003
Product Name: Intel Matrix Storage Manager driver
Copyright: Copyright© Intel Corporation 1994-2006
Original Filename: iaStor.sys
File size: 250880
Created time: 2006-11-07 03:49
Modified time: 2006-04-26 11:23
MD5: 1C77A81756D4777CCB0425AE8107FE96
SHA1: F6CA5441A93B0EC2966AD5FF0A317C0F6A611C5F


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-21 7204864]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-05-16 102400]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2006-04-26 143360]
"PMX Daemon"="ICO.EXE" [2006-06-09 47104]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-07 169984]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"PDF4 Registry Controller"="c:\program files\ScanSoft\PDF Professional 4.0\RegistryController.exe" [2006-10-05 46664]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"MVS Splash"="c:\program files\McAfee\Managed VirusScan\DesktopUI\XTray.exe" [2009-12-18 472384]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-11-12 995328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-1-30 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"1649:TCP"= 1649:TCP:Services
"3246:TCP"= 3246:TCP:Services

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [3/17/2006 5:25 PM 65536]
R2 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [5/15/2008 7:36 PM 14144]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [12/29/2009 4:18 PM 282824]
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [11/15/2006 3:34 PM 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [11/15/2006 3:34 PM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Open with ScanSoft PDF Converter 4.0 - c:\program files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-05 10:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x865D4A40]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7516f28
\Driver\ACPI -> ACPI.sys @ 0xf73a9cb8
\Driver\atapi -> atapi.sys @ 0xf733b852
\Driver\iaStor -> 0x865d4a40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x860ce330
PacketIndicateHandler -> NDIS.sys @ 0xf7160a0d
SendHandler -> NDIS.sys @ 0xf7174b40
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(808)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(2764)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\pmxscrll.dll
c:\windows\system32\PMXCOMM.dll
c:\windows\system32\PMXHOOKS.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Wave Systems Corp\Common\DataServer.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\progra~1\McAfee\MANAGE~1\VScan\McShield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
c:\windows\system32\wscntfy.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\ICO.EXE
c:\windows\system32\Pmxmiced.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-05 10:17:38 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-05 16:17
ComboFix2.txt 2010-03-04 16:09

Pre-Run: 53,613,617,152 bytes free
Post-Run: 53,570,326,528 bytes free

- - End Of File - - 523F585376DA19BFB1791B26A32DFDFC

3.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2214100531-1791001368-3453408930-1006
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Wetzel

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2214100531-1791001368-3453408930-1007
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\McAfeeMVSUser

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2214100531-1791001368-3453408930-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator

SystemRoot REG_SZ C:\WINDOWS


Thanks Semp!!!
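As an added example (not from this thread, ComboFix or any of the tools mentioned), a small Python parser that reads the firewallpolicy GloballyOpenPorts\List entries out of a ComboFix log like the one above, flags every port not on an administrator's allow-list, notes the disabled firewall, and emits the matching CFScript Registry:: deletion lines in the `"port:TCP"=-` syntax Semp used. The embedded log excerpt is constructed from the sections posted above (the 3389 line is added); treating ComboFix's `HKLM\~` abbreviation as `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet` is an assumption.

```python
import re

# Excerpt modelled on the ComboFix "Reg Loading Points" section posted above.
# Constructed for this example: the 3389 line is added so the value that the
# CFScript above deletes is also exercised; a real log has many more sections.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:*:Enabled:Remote Desktop

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
PORT_RE = re.compile(r'^"(?P<port>\d{1,5}):(?P<proto>TCP|UDP)"\s*=\s*(?P<value>.*)$')


def parse_open_ports(log_text):
    """Return (registry_key, port, proto, value) for each GloballyOpenPorts List entry."""
    entries, current = [], None
    for line in log_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:  # new [key] header: only the GloballyOpenPorts List keys are of interest
            key = sec.group("key")
            current = key if key.lower().endswith(r"globallyopenports\list") else None
            continue
        hit = PORT_RE.match(line) if current else None
        if hit:
            entries.append((current, int(hit.group("port")), hit.group("proto"),
                            hit.group("value").strip()))
    return entries


def suspicious_entries(entries, allowed=frozenset()):
    """Every open port not on the administrator's allow-list of (port, proto) pairs.
    A workstation that should expose nothing keeps the empty default, which flags
    all of them, including the high random 'Services' ports seen in the log above."""
    return [e for e in entries if (e[1], e[2]) not in allowed]


def firewall_disabled(log_text):
    """True when the log reports "EnableFirewall"= 0, as the posted log does."""
    return re.search(r'^"EnableFirewall"\s*=\s*0\b', log_text, re.M) is not None


def cfscript_registry_block(entries):
    r"""Registry:: section deleting the flagged values; "name"=- means 'delete this
    value', the same syntax as the CFScript above. Assumption: ComboFix's HKLM\~
    abbreviation stands for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet."""
    by_key = {}
    for key, port, proto, _ in entries:
        full = key.replace(r"HKLM\~", r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet")
        by_key.setdefault(full, []).append(f'"{port}:{proto}"=-')
    lines = ["Registry::"]
    for key, values in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(values)
    return "\n".join(lines)
```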

#15 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 05 March 2010 - 05:34 PM

1. Go to Start > Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c mbr -t& start mbr.log
  • mbr.log will pop up, please post the contents in your reply.


2. We need to check for rootkits with RootRepeal
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Open on your desktop.
  3. Click the tab.
  4. Click the button.
  5. Check all seven boxes:
  6. Push Ok
  7. Check the box for your main system drive (Usually C:), and press Ok.
  8. Allow RootRepeal to run a scan of your system. This may take some time.
  9. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply.



~Semp




