PDA

View Full Version : Help needed



bango1976
2011-04-04, 10:45
I ran my own ca security suite spyware and anti virus ... but it would not quarantine the findings.

System restore has been disables and i cant enable it

Folder options have been effected

SBS and D will not run

I created a new user to open in safe mode and now my welcome screen does not show my original and mail user

can not swith user

can only access my original user when starting in safe mode

have followed the indtructions on the read first post but may have done to much damage before i did.

Steve DDL below




.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 7:12:07.03 on 04/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.759 [GMT 1:00]
.
AV: CA Anti-Virus *Enabled/Updated* {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Starfield\offSyncService.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Snk.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\lxdmcoms.exe
C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\ais.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Bell Mobility\Mobile Connect Basic\tscui.exe
C:\Program Files\Lexmark 5000 Series\lxdmmon.exe
C:\Program Files\Lexmark 5000 Series\lxdmamon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\e4n66g.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\moaltz.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ld8vd9np.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\e4n66g.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\moaltz.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ld8vd9np.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Topcom\Webtalker 211\WebTalker 211.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Spikia.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Snm.exe
C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uWindow Title = Internet Explorer Provided By Sky Broadband
uDefault_Page_URL = hxxp://www.skybroadband.com
uInternet Connection Wizard,ShellNext = hxxp://ibm.com/
uInternet Settings,ProxyOverride = *.local
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: c:\windows\system32\jzwd6z.dll: {b1b220c1-a500-99bd-f110-04b53a2c8952} - c:\windows\system32\jzwd6z.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [IBP]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Qgupeyuhasaju] rundll32.exe "c:\windows\molpc49.dll",Startup
uRun: [IKXGVMFZHI] c:\docume~1\admini~1\locals~1\temp\Snk.exe
uRun: [NtWqIVLZEWZU] c:\docume~1\admini~1\locals~1\temp\Snm.exe
uRun: [HNUGROXRnDc] c:\docume~1\admini~1\locals~1\temp\e4n66g.exe
uRun: [HNUGROXRpsh] c:\docume~1\admini~1\locals~1\temp\moaltz.exe
uRun: [HNUGROXRpdR] c:\docume~1\admini~1\locals~1\temp\ld8vd9np.exe
uRun: [HNUGROXRsPc] c:\docume~1\admini~1\locals~1\temp\win16.exe
uRun: [HNUGROXRotc] c:\docume~1\admini~1\locals~1\temp\hexdump.exe
uRun: [HNUGROXRouqc] c:\docume~1\admini~1\locals~1\temp\iexplarer.exe
uRun: [HNUGROXRrtc] c:\docume~1\admini~1\locals~1\temp\sysedit.exe
uRun: [HNUGROXRruf] c:\docume~1\admini~1\locals~1\temp\spoolsv.exe
uRun: [HNUGROXRrwe] c:\docume~1\admini~1\locals~1\temp\sysmgm.exe
uRun: [HNUGROXRrg] c:\docume~1\admini~1\locals~1\temp\smss.exe
uRun: [MKbuqc] c:\windows\iexplarer.exe
uRun: [HNUGROXRprc] c:\docume~1\admini~1\locals~1\temp\login.exe
uRun: [MKeta] c:\windows\services.exe
uRun: [MKeta] c:\windows\services.exe
mRun: [VistaDrive] c:\windows\vistadrive\VistaDrive.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [lxdmmon.exe] "c:\program files\lexmark 5000 series\lxdmmon.exe"
mRun: [lxdmamon] "c:\program files\lexmark 5000 series\lxdmamon.exe"
mRun: [tscui] c:\program files\bell mobility\mobile connect basic\tscui.exe
mRun: [MCStart] "c:\program files\bell mobility\mobile connect basic\tscui.exe" /s
mRun: [QuickBooksDB18] c:\program files\intuit\quickbooks 2009\qbdbmgrn.exe -n qb_pc001_18 -qs -gd all -gk all -gp 4096 -gu all -ch 64m -c 32m -x tcpip(broadcastlistener=no;port=10180) -ti 0 -ec simple -ct- -qi -qw -tl 120 -oe "c:\documents and settings\administrator\local settings\application data\intuit\quickbooks\log\DBStartup.log" -y
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [HNUGROXRnDc] c:\docume~1\admini~1\locals~1\temp\e4n66g.exe
mRun: [HNUGROXRpsh] c:\docume~1\admini~1\locals~1\temp\moaltz.exe
mRun: [HNUGROXRpdR] c:\docume~1\admini~1\locals~1\temp\ld8vd9np.exe
mRun: [Shotedoxiyetuko] rundll32.exe "c:\windows\ezuwipiqowal.dll",Startup
mRun: [HNUGROXRsPc] c:\docume~1\admini~1\locals~1\temp\win16.exe
mRun: [HNUGROXRotc] c:\docume~1\admini~1\locals~1\temp\hexdump.exe
mRun: [HNUGROXRouqc] c:\docume~1\admini~1\locals~1\temp\iexplarer.exe
mRun: [HNUGROXRrtc] c:\docume~1\admini~1\locals~1\temp\sysedit.exe
mRun: [HNUGROXRruf] c:\docume~1\admini~1\locals~1\temp\spoolsv.exe
mRun: [HNUGROXRrwe] c:\docume~1\admini~1\locals~1\temp\sysmgm.exe
mRun: [HNUGROXRrg] c:\docume~1\admini~1\locals~1\temp\smss.exe
mRun: [MKbuqc] c:\windows\iexplarer.exe
mRun: [HNUGROXRprc] c:\docume~1\admini~1\locals~1\temp\login.exe
mRun: [MKeta] c:\windows\services.exe
dRun: [LClock] c:\program files\lclock\LClock.exe
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uExplorerRun: [servises]
mExplorerRun: [servises]
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\webtal~1.lnk - c:\docume~1\admini~1\applic~1\microsoft\installer\{41e4ac12-f605-4a27-9643-c5eb95e7a6cc}\_49442e40.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\shortc~1.lnk - c:\program files\common files\intuit\quickbooks\QBServerUtilityMgr.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: adp.ca
Trusted Zone: bullhorn.com
Trusted Zone: bullhornstaffing.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4503BC07-768C-4872-9AE3-A5558E73C2FE} - hxxp://www.bullhornstaffing.com/BullhornHelp/Tools/bhconfigactivex.CAB
DPF: {5685BC20-FBE6-11D2-885F-00A0243C2C64} - hxxps://pay.adp.ca/payatwork/Common/SpectrumRDC.cab
DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} - hxxps://pay.adp.ca/payatwork/Common/iemenu.cab
DPF: {88D969C1-F192-11D4-A65F-0040963251E5} - hxxps://montcap.net/cabs/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {A7A61128-0EAA-11D1-B22F-0000C08C00C4} - hxxps://pay.adp.ca/payatwork/Common/Ssdw3b32.cab
DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} - hxxps://ediagnostics.lexmark.com/serval.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: NameServer = 93.188.165.114,93.188.160.154
TCP: {CEA9B191-C162-4A24-9A39-825E68A6A3FC} = 93.188.165.114,93.188.160.154
TCP: {DBD13321-6DF9-4A39-97D7-0C5C70AEFD8D} = 93.188.165.114,93.188.160.154
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\jzwd6z.dll: {b1b220c1-a500-99bd-f110-04b53a2c8952} - c:\windows\system32\jzwd6z.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\5ughqpxx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\5ughqpxx.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npoff.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npoff.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npwbe.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npwbe.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {75BFBF8F-0ED6-43BF-92A4-C5203755F71F} - c:\documents and settings\administrator\local settings\application data\{75BFBF8F-0ED6-43BF-92A4-C5203755F71F}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-1-20 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-1-20 21104]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2009-1-20 746216]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-1-20 21488]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-1-20 161008]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-14 14336]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2009-1-20 144696]
R2 File Backup;File Backup Service;c:\program files\starfield\offSyncService.exe [2010-7-16 1310960]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-28 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-8-24 47640]
R2 NvtlService;NovaCore SDK Service;c:\program files\novatel wireless\novacore\server\NvtlSrvr.exe [2009-3-2 40448]
R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2009-1-20 255312]
R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2009-1-20 185680]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-1-20 130280]
S1 a10faef6;a10faef6;c:\windows\system32\drivers\a10faef6.sys --> c:\windows\system32\drivers\a10faef6.sys [?]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\program files\system\cpl bonus\vcdrom.sys --> c:\program files\system\cpl bonus\Vcdrom.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-25 136176]
S3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\common files\bcl technologies\easypdf 5\bepldr.exe [2007-8-23 151552]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 TSWLAN;TsWlan Packet Driver;c:\windows\system32\drivers\tswlan.sys --> c:\windows\system32\drivers\TsWlan.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 QuickBooksDB18;QuickBooksDB18;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb18 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
.
=============== Created Last 30 ================
.
2011-04-03 19:10:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2011-04-03 19:10:22 -------- d-----w- c:\program files\common files\ParetoLogic
2011-04-03 19:10:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\FileCure
2011-04-03 19:10:21 -------- d-----w- c:\program files\ParetoLogic
2011-04-03 18:38:03 -------- d-----w- C:\spoolerlogs
2011-04-03 18:32:46 1646592 --sha-w- c:\docume~1\admini~1\locals~1\applic~1\ais.exe
2011-04-03 17:15:57 227205 --sha-w- c:\docume~1\admini~1\locals~1\applic~1\qbq.exe
2011-04-03 17:14:04 0 ----a-w- c:\windows\Vhosacocuwuse.bin
2011-04-03 17:14:02 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\{75BFBF8F-0ED6-43BF-92A4-C5203755F71F}
2011-04-03 17:12:52 50000 ----a-w- c:\windows\system32\jzwd6z.dll
2011-04-03 17:12:52 50000 ----a-w- c:\windows\system32\eu7owxzau.dll
2011-04-03 17:12:52 50000 ----a-w- c:\windows\system32\emgj73.dll
2011-04-03 17:12:28 135168 --sha-r- c:\windows\system32\cpwmon2ka.dll
2011-04-03 17:12:18 164352 ----a-w- c:\windows\Spikia.exe
2011-03-28 20:21:24 -------- d-----w- c:\docume~1\admini~1\applic~1\EurekaLog
2011-03-23 14:46:41 -------- d-----w- c:\program files\IBP 11
2011-03-23 14:46:41 -------- d-----w- c:\docume~1\admini~1\applic~1\IBP
2011-03-16 14:51:01 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\JonathanLeger.com
2011-03-16 14:51:01 -------- d-----w- c:\docume~1\admini~1\applic~1\JonathanLeger.com
2011-03-16 14:50:53 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\IsolatedStorage
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK8034GSX rev.AH301E -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A768EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x87a8b872; SUB DWORD [EBP-0x4], 0x87a8b12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A7E5AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000007b[0x8A7EC278]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A748D98]
[0x8A6FB030] -> IRP_MJ_CREATE -> 0x8A768EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK8034GSX_______________________AH301E__#5&2438d806&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A768AEA
user & kernel MBR OK
sectors 156301486 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 7:16:49.48 ===============

vict0r
2011-04-06, 19:13
Hello and welcome to the forum.

My name is vict0r and I will help you with the malware issues on your computer.

Please read the following information carefully.

IMPORTANT: Whatever repairs we make, are for fixing this computer only and by no means should be used on another computer.

To make cleaning this machine easier:

Continue to respond to this thread until I I tell you that the logs are clean!
Please DO NOT uninstall/install any programs unless asked to. It is more difficult when files/programs appear or disappear from the logs.
Please do not run any scans other than those requested and do not post any logs/reports unless specifically requested to do so.
Please follow all instructions in the order posted.
If you have any questions or do not understand instructions, please ask before continuing.
Please reply to this thread. Do not start a new topic.
Your security program(s) may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Download/run Rkill:

Please download Rkill from one of the following links and save it to your Desktop:

One (http://download.bleepingcomputer.com/grinler/rkill.exe), Two (http://download.bleepingcomputer.com/grinler/rkill.com),Three (http://download.bleepingcomputer.com/grinler/rkill.scr), Four (http://download.bleepingcomputer.com/grinler/iExplore.exe) or Five (http://download.bleepingcomputer.com/grinler/eXplorer.exe)


Double click on Rkill.
A command window will open then disappear upon completion, this is normal.
A notepad window will open, please post the contents in your next reply
This log can also be found at C:\rkill.log
Please leave Rkill on the Desktop until otherwise advised.
Note: If your security software warns about Rkill, please ignore/allow the download/execution to continue.


TDSSKiller

Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and extract (unzip) it to your Desktop.

Double click on TDSSKiller.exe to launch it.
Click on Start Scan, the scan will run.
When the scan has finished, if it finds anything please click on the drop down arrow next to Cure and select Skip
Now click on Report to open the log file created by TDSSKiller in your root directory C:\
To find the log go to Start > Computer > C:
Post the contents of that log in your next reply please.
DO NOT TRY TO FIX ANYTHING AT THIS POINT

Run a Scan with OTL
Please download OTL.exe (http://oldtimer.geekstogo.com/OTL.exe) by OldTimer and save it to your desktop.
Double click on OTL.exe to run it.
Check the boxes labeled : Scan All Users
LOP check
Purity check
Click on the Run Scan button at the top left hand corner.
OTL will start running. When done, 2 Notepad files will open; OTL.txt and Extras.txt.
They will be saved on your desktop.


Please post the contents of these logs (in separate replies if you wish):
The rkill log.
The TDSSKiller log.
The OTL logs.
Describe any problems while following the instructions, if any. The exact wording of any error messages might be useful.

vict0r
2011-04-09, 23:21
This topic is now closed.

If you still require help, please start a new topic and include a fresh DDS log.