bango1976
2011-04-04, 10:45
I ran my own CA Security Suite spyware and anti-virus ... but it would not quarantine the findings.
System restore has been disabled and I can't enable it.
Folder options have been affected.
SBS and D will not run.
I created a new user to open in safe mode and now my welcome screen does not show my original and main user.
Cannot switch user.
Can only access my original user when starting in safe mode.
Have followed the instructions in the "read first" post but may have done too much damage before I did.
Steve. DDS below.
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 7:12:07.03 on 04/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.759 [GMT 1:00]
.
AV: CA Anti-Virus *Enabled/Updated* {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Starfield\offSyncService.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Snk.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\lxdmcoms.exe
C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\ais.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Bell Mobility\Mobile Connect Basic\tscui.exe
C:\Program Files\Lexmark 5000 Series\lxdmmon.exe
C:\Program Files\Lexmark 5000 Series\lxdmamon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\e4n66g.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\moaltz.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ld8vd9np.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\e4n66g.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\moaltz.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ld8vd9np.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Topcom\Webtalker 211\WebTalker 211.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Spikia.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Snm.exe
C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uWindow Title = Internet Explorer Provided By Sky Broadband
uDefault_Page_URL = hxxp://www.skybroadband.com
uInternet Connection Wizard,ShellNext = hxxp://ibm.com/
uInternet Settings,ProxyOverride = *.local
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: c:\windows\system32\jzwd6z.dll: {b1b220c1-a500-99bd-f110-04b53a2c8952} - c:\windows\system32\jzwd6z.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [IBP]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Qgupeyuhasaju] rundll32.exe "c:\windows\molpc49.dll",Startup
uRun: [IKXGVMFZHI] c:\docume~1\admini~1\locals~1\temp\Snk.exe
uRun: [NtWqIVLZEWZU] c:\docume~1\admini~1\locals~1\temp\Snm.exe
uRun: [HNUGROXRnDc] c:\docume~1\admini~1\locals~1\temp\e4n66g.exe
uRun: [HNUGROXRpsh] c:\docume~1\admini~1\locals~1\temp\moaltz.exe
uRun: [HNUGROXRpdR] c:\docume~1\admini~1\locals~1\temp\ld8vd9np.exe
uRun: [HNUGROXRsPc] c:\docume~1\admini~1\locals~1\temp\win16.exe
uRun: [HNUGROXRotc] c:\docume~1\admini~1\locals~1\temp\hexdump.exe
uRun: [HNUGROXRouqc] c:\docume~1\admini~1\locals~1\temp\iexplarer.exe
uRun: [HNUGROXRrtc] c:\docume~1\admini~1\locals~1\temp\sysedit.exe
uRun: [HNUGROXRruf] c:\docume~1\admini~1\locals~1\temp\spoolsv.exe
uRun: [HNUGROXRrwe] c:\docume~1\admini~1\locals~1\temp\sysmgm.exe
uRun: [HNUGROXRrg] c:\docume~1\admini~1\locals~1\temp\smss.exe
uRun: [MKbuqc] c:\windows\iexplarer.exe
uRun: [HNUGROXRprc] c:\docume~1\admini~1\locals~1\temp\login.exe
uRun: [MKeta] c:\windows\services.exe
uRun: [MKeta] c:\windows\services.exe
mRun: [VistaDrive] c:\windows\vistadrive\VistaDrive.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [lxdmmon.exe] "c:\program files\lexmark 5000 series\lxdmmon.exe"
mRun: [lxdmamon] "c:\program files\lexmark 5000 series\lxdmamon.exe"
mRun: [tscui] c:\program files\bell mobility\mobile connect basic\tscui.exe
mRun: [MCStart] "c:\program files\bell mobility\mobile connect basic\tscui.exe" /s
mRun: [QuickBooksDB18] c:\program files\intuit\quickbooks 2009\qbdbmgrn.exe -n qb_pc001_18 -qs -gd all -gk all -gp 4096 -gu all -ch 64m -c 32m -x tcpip(broadcastlistener=no;port=10180) -ti 0 -ec simple -ct- -qi -qw -tl 120 -oe "c:\documents and settings\administrator\local settings\application data\intuit\quickbooks\log\DBStartup.log" -y
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [HNUGROXRnDc] c:\docume~1\admini~1\locals~1\temp\e4n66g.exe
mRun: [HNUGROXRpsh] c:\docume~1\admini~1\locals~1\temp\moaltz.exe
mRun: [HNUGROXRpdR] c:\docume~1\admini~1\locals~1\temp\ld8vd9np.exe
mRun: [Shotedoxiyetuko] rundll32.exe "c:\windows\ezuwipiqowal.dll",Startup
mRun: [HNUGROXRsPc] c:\docume~1\admini~1\locals~1\temp\win16.exe
mRun: [HNUGROXRotc] c:\docume~1\admini~1\locals~1\temp\hexdump.exe
mRun: [HNUGROXRouqc] c:\docume~1\admini~1\locals~1\temp\iexplarer.exe
mRun: [HNUGROXRrtc] c:\docume~1\admini~1\locals~1\temp\sysedit.exe
mRun: [HNUGROXRruf] c:\docume~1\admini~1\locals~1\temp\spoolsv.exe
mRun: [HNUGROXRrwe] c:\docume~1\admini~1\locals~1\temp\sysmgm.exe
mRun: [HNUGROXRrg] c:\docume~1\admini~1\locals~1\temp\smss.exe
mRun: [MKbuqc] c:\windows\iexplarer.exe
mRun: [HNUGROXRprc] c:\docume~1\admini~1\locals~1\temp\login.exe
mRun: [MKeta] c:\windows\services.exe
dRun: [LClock] c:\program files\lclock\LClock.exe
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uExplorerRun: [servises]
mExplorerRun: [servises]
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\webtal~1.lnk - c:\docume~1\admini~1\applic~1\microsoft\installer\{41e4ac12-f605-4a27-9643-c5eb95e7a6cc}\_49442e40.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\shortc~1.lnk - c:\program files\common files\intuit\quickbooks\QBServerUtilityMgr.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: adp.ca
Trusted Zone: bullhorn.com
Trusted Zone: bullhornstaffing.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4503BC07-768C-4872-9AE3-A5558E73C2FE} - hxxp://www.bullhornstaffing.com/BullhornHelp/Tools/bhconfigactivex.CAB
DPF: {5685BC20-FBE6-11D2-885F-00A0243C2C64} - hxxps://pay.adp.ca/payatwork/Common/SpectrumRDC.cab
DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} - hxxps://pay.adp.ca/payatwork/Common/iemenu.cab
DPF: {88D969C1-F192-11D4-A65F-0040963251E5} - hxxps://montcap.net/cabs/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {A7A61128-0EAA-11D1-B22F-0000C08C00C4} - hxxps://pay.adp.ca/payatwork/Common/Ssdw3b32.cab
DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} - hxxps://ediagnostics.lexmark.com/serval.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: NameServer = 93.188.165.114,93.188.160.154
TCP: {CEA9B191-C162-4A24-9A39-825E68A6A3FC} = 93.188.165.114,93.188.160.154
TCP: {DBD13321-6DF9-4A39-97D7-0C5C70AEFD8D} = 93.188.165.114,93.188.160.154
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\jzwd6z.dll: {b1b220c1-a500-99bd-f110-04b53a2c8952} - c:\windows\system32\jzwd6z.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\5ughqpxx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\5ughqpxx.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npoff.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npoff.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npwbe.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npwbe.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {75BFBF8F-0ED6-43BF-92A4-C5203755F71F} - c:\documents and settings\administrator\local settings\application data\{75BFBF8F-0ED6-43BF-92A4-C5203755F71F}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-1-20 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-1-20 21104]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2009-1-20 746216]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-1-20 21488]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-1-20 161008]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-14 14336]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2009-1-20 144696]
R2 File Backup;File Backup Service;c:\program files\starfield\offSyncService.exe [2010-7-16 1310960]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-28 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-8-24 47640]
R2 NvtlService;NovaCore SDK Service;c:\program files\novatel wireless\novacore\server\NvtlSrvr.exe [2009-3-2 40448]
R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2009-1-20 255312]
R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2009-1-20 185680]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-1-20 130280]
S1 a10faef6;a10faef6;c:\windows\system32\drivers\a10faef6.sys --> c:\windows\system32\drivers\a10faef6.sys [?]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\program files\system\cpl bonus\vcdrom.sys --> c:\program files\system\cpl bonus\Vcdrom.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-25 136176]
S3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\common files\bcl technologies\easypdf 5\bepldr.exe [2007-8-23 151552]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 TSWLAN;TsWlan Packet Driver;c:\windows\system32\drivers\tswlan.sys --> c:\windows\system32\drivers\TsWlan.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 QuickBooksDB18;QuickBooksDB18;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb18 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
.
=============== Created Last 30 ================
.
2011-04-03 19:10:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2011-04-03 19:10:22 -------- d-----w- c:\program files\common files\ParetoLogic
2011-04-03 19:10:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\FileCure
2011-04-03 19:10:21 -------- d-----w- c:\program files\ParetoLogic
2011-04-03 18:38:03 -------- d-----w- C:\spoolerlogs
2011-04-03 18:32:46 1646592 --sha-w- c:\docume~1\admini~1\locals~1\applic~1\ais.exe
2011-04-03 17:15:57 227205 --sha-w- c:\docume~1\admini~1\locals~1\applic~1\qbq.exe
2011-04-03 17:14:04 0 ----a-w- c:\windows\Vhosacocuwuse.bin
2011-04-03 17:14:02 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\{75BFBF8F-0ED6-43BF-92A4-C5203755F71F}
2011-04-03 17:12:52 50000 ----a-w- c:\windows\system32\jzwd6z.dll
2011-04-03 17:12:52 50000 ----a-w- c:\windows\system32\eu7owxzau.dll
2011-04-03 17:12:52 50000 ----a-w- c:\windows\system32\emgj73.dll
2011-04-03 17:12:28 135168 --sha-r- c:\windows\system32\cpwmon2ka.dll
2011-04-03 17:12:18 164352 ----a-w- c:\windows\Spikia.exe
2011-03-28 20:21:24 -------- d-----w- c:\docume~1\admini~1\applic~1\EurekaLog
2011-03-23 14:46:41 -------- d-----w- c:\program files\IBP 11
2011-03-23 14:46:41 -------- d-----w- c:\docume~1\admini~1\applic~1\IBP
2011-03-16 14:51:01 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\JonathanLeger.com
2011-03-16 14:51:01 -------- d-----w- c:\docume~1\admini~1\applic~1\JonathanLeger.com
2011-03-16 14:50:53 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\IsolatedStorage
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK8034GSX rev.AH301E -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A768EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x87a8b872; SUB DWORD [EBP-0x4], 0x87a8b12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A7E5AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000007b[0x8A7EC278]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A748D98]
[0x8A6FB030] -> IRP_MJ_CREATE -> 0x8A768EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK8034GSX_______________________AH301E__#5&2438d806&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A768AEA
user & kernel MBR OK
sectors 156301486 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 7:16:49.48 ===============
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {75BFBF8F-0ED6-43BF-92A4-C5203755F71F} - c:\documents and settings\administrator\local settings\application data\{75BFBF8F-0ED6-43BF-92A4-C5203755F71F}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-1-20 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-1-20 21104]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2009-1-20 746216]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-1-20 21488]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-1-20 161008]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-14 14336]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2009-1-20 144696]
R2 File Backup;File Backup Service;c:\program files\starfield\offSyncService.exe [2010-7-16 1310960]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-28 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-8-24 47640]
R2 NvtlService;NovaCore SDK Service;c:\program files\novatel wireless\novacore\server\NvtlSrvr.exe [2009-3-2 40448]
R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2009-1-20 255312]
R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2009-1-20 185680]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-1-20 130280]
S1 a10faef6;a10faef6;c:\windows\system32\drivers\a10faef6.sys --> c:\windows\system32\drivers\a10faef6.sys [?]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\program files\system\cpl bonus\vcdrom.sys --> c:\program files\system\cpl bonus\Vcdrom.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-25 136176]
S3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\common files\bcl technologies\easypdf 5\bepldr.exe [2007-8-23 151552]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 TSWLAN;TsWlan Packet Driver;c:\windows\system32\drivers\tswlan.sys --> c:\windows\system32\drivers\TsWlan.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 QuickBooksDB18;QuickBooksDB18;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb18 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
.
=============== Created Last 30 ================
.
2011-04-03 19:10:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2011-04-03 19:10:22 -------- d-----w- c:\program files\common files\ParetoLogic
2011-04-03 19:10:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\FileCure
2011-04-03 19:10:21 -------- d-----w- c:\program files\ParetoLogic
2011-04-03 18:38:03 -------- d-----w- C:\spoolerlogs
2011-04-03 18:32:46 1646592 --sha-w- c:\docume~1\admini~1\locals~1\applic~1\ais.exe
2011-04-03 17:15:57 227205 --sha-w- c:\docume~1\admini~1\locals~1\applic~1\qbq.exe
2011-04-03 17:14:04 0 ----a-w- c:\windows\Vhosacocuwuse.bin
2011-04-03 17:14:02 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\{75BFBF8F-0ED6-43BF-92A4-C5203755F71F}
2011-04-03 17:12:52 50000 ----a-w- c:\windows\system32\jzwd6z.dll
2011-04-03 17:12:52 50000 ----a-w- c:\windows\system32\eu7owxzau.dll
2011-04-03 17:12:52 50000 ----a-w- c:\windows\system32\emgj73.dll
2011-04-03 17:12:28 135168 --sha-r- c:\windows\system32\cpwmon2ka.dll
2011-04-03 17:12:18 164352 ----a-w- c:\windows\Spikia.exe
2011-03-28 20:21:24 -------- d-----w- c:\docume~1\admini~1\applic~1\EurekaLog
2011-03-23 14:46:41 -------- d-----w- c:\program files\IBP 11
2011-03-23 14:46:41 -------- d-----w- c:\docume~1\admini~1\applic~1\IBP
2011-03-16 14:51:01 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\JonathanLeger.com
2011-03-16 14:51:01 -------- d-----w- c:\docume~1\admini~1\applic~1\JonathanLeger.com
2011-03-16 14:50:53 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\IsolatedStorage
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK8034GSX rev.AH301E -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A768EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x87a8b872; SUB DWORD [EBP-0x4], 0x87a8b12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A7E5AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000007b[0x8A7EC278]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A748D98]
[0x8A6FB030] -> IRP_MJ_CREATE -> 0x8A768EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK8034GSX_______________________AH301E__#5&2438d806&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A768AEA
user & kernel MBR OK
sectors 156301486 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 7:16:49.48 ===============