Can't open Spybot S&D nor MS Security Essentials & other problems.



colo303
2011-09-07, 13:24
There seems to be so much wrong, I will include all the info I know in case it has any bearing.

I am running Windows XP Home Edition version 2002 (SP3)
and Internet Explorer 8.0.6001.18702

Computer first started running slow (off and on) around the first of the year. Around that time, my router failed and was replaced with a new one. Also, the anti-virus I was using (AVG) did an update that I discovered after reading forums slowed down things considerably. Lived with that for a while, but things gradually got slower and slower. Switched to MS Security Essentials and for a while, things seemed better but gradually became slower and slower and things would just freeze up. Task Master would say that the program/file was not responding. Sometimes if I waited a few minutes, it would straighten itself out but other times I would have to try to end the programs and several times reboot to clear things out. Neither MS Sec.Essentials nor Spybot found any problems.

But then on Monday (9/5) MSSE reported a threat and successfully removed: TrojanDownloader:Win32/Karagany.E About 2/3 hours later after a reboot, I noticed a new shortcut icon on the desktop Called "Security Protection" that I have no idea where it came from. Clicking on its properties revealed that it started at C:\Documents & Settings\All Users\Application Data\defender.exe

Then within a couple minutes all sorts of new cookies started loading (I was not even on line) and continued for the next couple hours - all total, it was over 400, some with curious names and some that seemed legitimate like toshiba, ebay, facebook.

MSSE detected another security threat that was then removed:
Trojan - Win32/Wimpixo.E "C:\Windows\Temp\v30901.exe"

I ran Spybot S&D which had several new items (8) in the start up menu - two of which just kept coming back over and over after disabling:
Aviqafaripe rundll32.exe "C:\Windows\hikbuidy.dll" Startup
Ksihunuzehobi rundll32.exe "C:\Windows\iteteroyowuy.dll" Startup

A Spybot Scan also found 11 problems - the major issues below:
Trojan - Virtumonde.pix w/ 2 entries relating to the two items above
Trojan - Win32.Sasfis
Malware - Win32.Agent.chk
Spyware - Ad Rotator

Fixed these problems, but kept getting various pop-up messages; eg
"Found new Hardware": HP Officejet that I've had for years
Rundll error loading the specified module cannot be found.
Winlogon.exe encountered a problem and needs to close hpqtra08.exe - Application error "The memory could not be read

Task Master was now showing a process that was new:
441006001:1321776869.exe and there were no less than nine (9) listings for svchost.exe. Is this normal?

Something else that keeps popping up is a "Windows Security Alert" saying that Windows Firewall has blocked some features of xxxxx program and asking if I want to keep it blocked or unblock it.

Then a red icon in the system tray for MSSE saying that it isn't monitoring the computer because the program's service stopped. Couldn't start it again - popup saying that "Access is denied "
Error code: 0x80070005

About that time Spybot shut down and wouldn't reopen saying "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."

I did some other maintenance type thing hoping something would help. The only thing was when I did a System Restore to Sun 9/4, I could see some improvement. The desktop icon "Security Protection" was gone along with its defender.exe file. Also those two startup files mentioned above (rundll32.exe) were gone.

Also, in trying to search for some of these items, when I clicked on a google search result I was redirected somewhere else. This was true also for the spybot site. To actually get here, I had to type the name in the address bar.

I uninstalled MSSE and reinstalled it thinking that might at least let me do a scan but the same problems exist. And with Spybot, there are two versions installed (1.4 and 1.6.2). I thought when there were updates that they just installed over the older version. Does this present problems having the two versions?

Trying Spybot via its .scr files brought success at first but after checking on a few things inside the program, it froze up and wouldn't restart. Also downloaded and ran ERUNT.
I've probably forgotten a lot of things, but I hope this can get us started along with the DDS.txt below.

Thanks ~~ colo303

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Owner at 19:41:28 on 2011-09-06
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.169 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\441006001:1321776869.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SecureBackupShare\ComcastSecureBackupSharestat.exe
C:\PROGRA~1\Webshots\Webshots.scr
svchost.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
C:\Program Files\SecureBackupShare\ComcastSecureBackupSharebackup.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Outlook Express\msimn.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://xfinity.comcast.net/
uSearch Page = hxxp://www.google.com
uWindow Title = Microsoft Internet Explorer
uSearch Bar =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mCustomizeSearch = hxxp://www.google.com/
uURLSearchHooks: D-Link Toolbar Search Class: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} - c:\program files\d-link toolbar\dlinktb.dll
mURLSearchHooks: D-Link Toolbar Search Class: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} - c:\program files\d-link toolbar\dlinktb.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [CookieWall] c:\program files\analogx\cookiewall\cookie.exe
mRun: [S3Trayp] S3trayp.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secure~1.lnk - c:\program files\securebackupshare\ComcastSecureBackupSharestat.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186501509171
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?39301.3823148148
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{2ED207EF-DFA5-4274-92D1-33BD791CF63D} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{EE0B692C-CF35-4B18-8471-31C8DBBCFDEB} : DhcpNameServer = 192.168.0.1
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\8x94uw5h.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-dlink-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://profiles.google.com/u/0/?edit=sa&hl=en&tab=wr|https://www.google.com/dashboard/?hl=en&pli=1|http://www.google.com/ig?authuser=0
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50-ff-dlink-ab-en-us&query=
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2009-9-2 21656]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-9-2 13696]
R1 ComcastSecureBackupShareFilter;ComcastSecureBackupShareFilter;c:\windows\system32\drivers\ComcastSecureBackupShare.sys [2011-1-18 54776]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl21c2e329;MpKsl21c2e329;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{729b386e-35a3-460c-a7ea-842d7ac17069}\MpKsl21c2e329.sys [2011-9-6 28752]
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]
R2 ComcastSecureBackupSharebackup;Comcast Secure Backup & Share Backup Service;c:\program files\securebackupshare\ComcastSecureBackupSharebackup.exe [2010-12-14 15592]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2007-7-11 714240]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-1-11 1050112]
S1 MpKsl11864cbb;MpKsl11864cbb;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6b832f80-3f49-430e-9f15-691ab2722590}\mpksl11864cbb.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6b832f80-3f49-430e-9f15-691ab2722590}\MpKsl11864cbb.sys [?]
S1 MpKsl1d6c627e;MpKsl1d6c627e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a6556d04-11be-4768-a28f-72e47f004680}\mpksl1d6c627e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a6556d04-11be-4768-a28f-72e47f004680}\MpKsl1d6c627e.sys [?]
S1 MpKsl23051344;MpKsl23051344;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{404f2262-edf5-41c6-9e5f-6b03f55ffbd4}\mpksl23051344.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{404f2262-edf5-41c6-9e5f-6b03f55ffbd4}\MpKsl23051344.sys [?]
S1 MpKsl3dd3dcf0;MpKsl3dd3dcf0;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e388d761-40d1-42fa-b923-c8a00d2d9472}\mpksl3dd3dcf0.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e388d761-40d1-42fa-b923-c8a00d2d9472}\MpKsl3dd3dcf0.sys [?]
S1 MpKsl5ae31908;MpKsl5ae31908;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9bdddd78-0208-4ff6-a73c-c74a094a5d5b}\mpksl5ae31908.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9bdddd78-0208-4ff6-a73c-c74a094a5d5b}\MpKsl5ae31908.sys [?]
S1 MpKsl5bd0c5a0;MpKsl5bd0c5a0;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d17f05a4-4814-4b08-abb5-0236791128f3}\mpksl5bd0c5a0.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d17f05a4-4814-4b08-abb5-0236791128f3}\MpKsl5bd0c5a0.sys [?]
S1 MpKsl60f4d3ff;MpKsl60f4d3ff;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f4779216-f542-43db-a459-aa4528a905b1}\mpksl60f4d3ff.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f4779216-f542-43db-a459-aa4528a905b1}\MpKsl60f4d3ff.sys [?]
S1 MpKsl69ab5d8c;MpKsl69ab5d8c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{74334783-5d37-4044-94e1-635e8ff246a9}\mpksl69ab5d8c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{74334783-5d37-4044-94e1-635e8ff246a9}\MpKsl69ab5d8c.sys [?]
S1 MpKsl752e1b5a;MpKsl752e1b5a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{47a1f8a2-afb7-4a91-9d97-45b526d3ce3b}\mpksl752e1b5a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{47a1f8a2-afb7-4a91-9d97-45b526d3ce3b}\MpKsl752e1b5a.sys [?]
S1 MpKsl9bd914b0;MpKsl9bd914b0;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{404f2262-edf5-41c6-9e5f-6b03f55ffbd4}\mpksl9bd914b0.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{404f2262-edf5-41c6-9e5f-6b03f55ffbd4}\MpKsl9bd914b0.sys [?]
S1 MpKsla1024e33;MpKsla1024e33;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9ca4395c-f219-43eb-b69f-a6ad24aca8b8}\mpksla1024e33.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9ca4395c-f219-43eb-b69f-a6ad24aca8b8}\MpKsla1024e33.sys [?]
S1 MpKsla58db966;MpKsla58db966;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{acad5eae-1ffb-48d1-b8fa-5aecaa30e897}\mpksla58db966.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{acad5eae-1ffb-48d1-b8fa-5aecaa30e897}\MpKsla58db966.sys [?]
S1 MpKsla5f531c4;MpKsla5f531c4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0aa11008-cf62-44c0-9aab-3a26f0826033}\mpksla5f531c4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0aa11008-cf62-44c0-9aab-3a26f0826033}\MpKsla5f531c4.sys [?]
S1 MpKslbace8e13;MpKslbace8e13;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c925dc2-edca-432b-a014-e68df9506ef6}\mpkslbace8e13.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c925dc2-edca-432b-a014-e68df9506ef6}\MpKslbace8e13.sys [?]
S1 MpKslc570dc5e;MpKslc570dc5e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{404f2262-edf5-41c6-9e5f-6b03f55ffbd4}\mpkslc570dc5e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{404f2262-edf5-41c6-9e5f-6b03f55ffbd4}\MpKslc570dc5e.sys [?]
S1 MpKsldc592609;MpKsldc592609;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f4779216-f542-43db-a459-aa4528a905b1}\mpksldc592609.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f4779216-f542-43db-a459-aa4528a905b1}\MpKsldc592609.sys [?]
S1 MpKsled00760e;MpKsled00760e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{63504e19-850a-498a-bef4-d9cf40c4715f}\mpksled00760e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{63504e19-850a-498a-bef4-d9cf40c4715f}\MpKsled00760e.sys [?]
S1 MpKslf437815f;MpKslf437815f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6b832f80-3f49-430e-9f15-691ab2722590}\mpkslf437815f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6b832f80-3f49-430e-9f15-691ab2722590}\MpKslf437815f.sys [?]
S1 MpKslfe45f4f9;MpKslfe45f4f9;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fc8b157a-4e65-4448-a615-4d34cb12f402}\mpkslfe45f4f9.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fc8b157a-4e65-4448-a615-4d34cb12f402}\MpKslfe45f4f9.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-19 135664]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-2-3 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-19 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 UXDCMN;UXDCMN;\??\c:\documents and settings\owner\desktop\winstress_test\uxdcmn.sys --> c:\documents and settings\owner\desktop\winstress_test\UXDCMN.SYS [?]
.
=============== Created Last 30 ================
.
2011-09-07 01:04:53 -------- d-----w- c:\program files\KRtech
2011-09-06 22:58:25 7152464 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
2011-09-06 22:56:00 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{729b386e-35a3-460c-a7ea-842d7ac17069}\MpKsl21c2e329.sys
2011-09-06 22:55:18 7152464 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{729b386e-35a3-460c-a7ea-842d7ac17069}\mpengine.dll
2011-09-06 22:52:52 -------- d-----w- c:\program files\Microsoft Security Client
2011-09-06 22:40:05 -------- d-----w- c:\documents and settings\all users\application data\White Sky, Inc
2011-09-06 20:20:23 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-09-06 20:20:23 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-06 07:34:10 -------- d-----w- C:\Webshots Data
2011-09-06 04:45:18 -------- d-----w- c:\documents and settings\owner\application data\Remote
2011-09-06 00:31:27 0 ----a-w- c:\windows\Tdowodulipo.bin
2011-09-06 00:31:00 -------- d-----w- c:\documents and settings\owner\local settings\application data\{88DE7012-FF0A-4561-8B59-9DA83E06DD92}
2011-09-06 00:29:31 -------- d-----w- c:\documents and settings\all users\application data\Tarma Installer
2011-09-02 03:35:18 6144 ------w- c:\windows\CRLSCSI.SYS
2011-09-02 03:35:03 151552 ------w- c:\windows\CRLLYRNT.DLL
2011-09-02 03:35:03 150016 ------w- c:\windows\CRLASP95.DLL
2011-09-02 03:34:59 -------- d-----w- C:\Font Navigator
2011-09-02 03:34:49 -------- d-----w- c:\program files\Sounds
2011-09-02 03:34:23 68096 ------w- c:\windows\system32\QPAUTO8.DLL
2011-09-02 03:33:58 117760 ------w- c:\windows\system32\NCSPI8EN.DLL
2011-09-02 03:33:57 274432 ------w- c:\windows\system32\NCSPI832.DLL
2011-09-02 03:33:49 90112 ------w- c:\windows\system32\Evysh7en.dll
2011-09-02 03:33:45 960512 ------w- c:\windows\system32\EVYSH7.DLL
2011-09-02 03:33:38 22480 ------w- c:\windows\system32\PFMAPI16.DLL
2011-09-02 03:33:38 20992 ------w- c:\windows\system32\PFMAPI32.DLL
2011-09-02 03:33:26 64000 ------w- c:\windows\system32\PFAUTO8.DLL
2011-09-02 03:33:21 7680 ------w- c:\windows\system32\SHLWP8EN.DLL
2011-09-02 03:33:21 125952 ------w- c:\windows\system32\SHELLWP.DLL
2011-09-02 03:33:17 -------- d-----w- c:\program files\Samples
2011-09-02 03:33:05 68096 ------w- c:\windows\system32\PRAUTO8.DLL
2011-09-02 03:32:49 -------- d-----w- c:\program files\Graphics
2011-09-02 03:32:48 72192 ------w- c:\windows\system32\WPAUTO8.DLL
2011-09-02 03:32:45 -------- d-----w- C:\Versions
2011-09-02 03:32:45 -------- d-----w- c:\program files\Template
2011-09-02 03:32:45 -------- d-----w- c:\program files\Shared
2011-09-02 03:32:45 -------- d-----w- c:\program files\Programs
2011-09-02 03:32:45 -------- d-----w- c:\program files\PhotoHse
2011-09-02 03:32:45 -------- d-----w- c:\program files\Macros
2011-09-02 03:32:45 -------- d-----w- c:\program files\Envoy
2011-09-02 03:32:44 -------- d-----w- c:\program files\Dad
2011-09-02 03:32:44 -------- d-----w- c:\program files\AppMan
2011-09-01 19:55:15 -------- d-sh--w- c:\documents and settings\owner\IECompatCache
2011-09-01 18:51:56 -------- d-sh--w- c:\documents and settings\owner\IETldCache
2011-09-01 10:04:11 -------- d-----w- c:\documents and settings\owner\application data\EurekaLog
2011-09-01 08:32:15 -------- d-----w- c:\documents and settings\owner\application data\Pointstone
2011-09-01 07:34:20 -------- d-----w- c:\program files\Pointstone
2011-09-01 07:34:19 -------- d-----w- c:\program files\common files\Pointstone
2011-08-20 03:23:01 -------- d-----w- c:\windows\system32\Adobe
.
==================== Find3M ====================
.
2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-15 00:28:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-06 06:06:26 1409 ----a-w- c:\windows\QTFont.for
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-29 07:41:46 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-24 14:10:36 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-14 04:09:22 65328 ----a-w- c:\windows\apppatch\matsshim.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380817AS rev.3.42 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x84DA4790]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x84F7D780]
3 CLASSPNP[0xF778FFD7] -> nt!IofCallDriver[0x804E13B9] -> [0x84E16F08]
\Driver\00000812[0x84EE83C8] -> IRP_MJ_CREATE -> 0x84DA4790
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x84E7D31B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:42:33.76 ===============
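As an added triage example (not part of the original thread, and not code from the DDS or GMER tools), the Python script below applies the first checks a helper makes on a DDS log like the one above: a process whose file name contains a colon (an NTFS alternate data stream), rundll32.exe shown with no DLL argument, a HOSTS entry that sends a security-support site to loopback, and hook/warning lines in the GMER rootkit section. The sample lines are excerpted from the log in this thread; the list of security-site domains is an assumption built from sites named in this thread.

```python
"""Triage checks over a DDS log (added example, not the DDS tool's own code)."""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # "=== Running Processes ==="
IMAGE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|scr|com))(?:\s+(?P<args>.*))?$", re.I)
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
HOOK_RE = re.compile(r"^(\\\S+)\s+(\S+)\s+->\s+0x[0-9A-Fa-f]+")

# Assumed list: the hijacked entry from this thread's log plus support sites
# linked elsewhere in the thread. Extend it for your own environment.
SECURITY_SITES = ("spywareinfo.com", "safer-networking.org",
                  "bleepingcomputer.com", "malwareremoval.com")
LOOPBACK = ("127.0.0.1", "0.0.0.0", "::1")

# Lines excerpted from the DDS log posted above (not constructed).
SAMPLE_LOG = """\
============== Running Processes ===============
.
C:\\WINDOWS\\system32\\svchost -k DcomLaunch
C:\\WINDOWS\\441006001:1321776869.exe
C:\\WINDOWS\\system32\\spoolsv.exe
C:\\WINDOWS\\system32\\rundll32.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://xfinity.comcast.net/
mRun: [MSC] "c:\\program files\\microsoft security client\\msseces.exe" -hide -runkey
Hosts: 127.0.0.1 www.spywareinfo.com
.
=================== ROOTKIT ====================
.
detected hooks:
\\Driver\\atapi DriverStartIo -> 0x84E7D31B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:42:33.76 ===============
"""


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str


def split_sections(text):
    """Map each DDS section title to its content lines ('.' is DDS's spacer)."""
    sections, current = {}, "HEADER"
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections


def split_image(line):
    """Return (image path, arguments) for a Running Processes line."""
    m = IMAGE_RE.match(line)
    if m:
        return m.group("path"), (m.group("args") or "")
    path, _, args = line.partition(" ")   # no recognised extension (e.g. bare svchost)
    return path, args


def check_processes(lines):
    findings = []
    for line in lines:
        path, args = split_image(line)
        name = path.rsplit("\\", 1)[-1]
        if ":" in name:   # a colon inside the file name means an NTFS alternate data stream
            findings.append(Finding("Running Processes", line,
                                    "file name contains ':' (NTFS alternate data stream)"))
        elif name.lower() == "rundll32.exe" and not args.strip():
            findings.append(Finding("Running Processes", line,
                                    "rundll32.exe running with no DLL argument shown"))
    return findings


def check_hjt(lines):
    findings = []
    for line in lines:
        m = HOSTS_RE.match(line)
        if m and m.group(1) in LOOPBACK and m.group(2).lower().endswith(SECURITY_SITES):
            findings.append(Finding("Pseudo HJT Report", line,
                                    f"HOSTS file sends security site {m.group(2)} to {m.group(1)}"))
    return findings


def check_rootkit(lines):
    findings = []
    for line in lines:
        if line.lower().startswith("warning:"):
            findings.append(Finding("ROOTKIT", line, "GMER scan warning"))
        elif HOOK_RE.match(line):
            findings.append(Finding("ROOTKIT", line, "hook reported on a driver routine"))
    return findings


def triage(text):
    """Run all checks over a DDS log and return the findings in section order."""
    s = split_sections(text)
    return (check_processes(s.get("Running Processes", []))
            + check_hjt(s.get("Pseudo HJT Report", []))
            + check_rootkit(s.get("ROOTKIT", [])))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```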

Dakeyras
2011-09-09, 15:09
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.
Hi and welcome to Safer Networking. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine!
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Refrain from running self fixes as this will hinder the malware removal process.
It may prove beneficial if you print off the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Scan with TDSSKiller:

Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and extract (unzip) it to your Desktop.


Double click on TDSSKiller.exe to launch it.
Click on Start Scan, the scan will run.
When the scan has finished, if it finds anything please click on the drop down arrow next to Cure and select Skip
Now click on Report to open the log file created by TDSSKiller in your root directory C:\
To find the log go to Start > Computer > C:
Post the contents of that log in your next reply please.
Note: Do not have TDSSKiller remove anything if found at this point in time!

Re-scan with DDS:

Please delete your current copy if still present then download a new version of DDS and save it to your Desktop from here (http://download.bleepingcomputer.com/sUBs/dds.scr).

Alternate downloads are here (http://download.bleepingcomputer.com/sUBs/dds.com) or here (http://www.infospyware.net/sUBs/dds/).

Disable any script blocker, and then double click on DDS to run the tool.
When done, DDS will open two logs:
DDS.txt <-- Will be opened
Attach.txt <-- Will be minimized
Save both reports to your desktop.
Please post the contents of these two Notepad files in your next reply.
When completed the above, please post back the following in the order asked for:


How is your computer performing now, any further symptoms and or problems encountered?
TDSSKiller Log.
Both DDS Logs. <-- Post them individually please, IE: one Log per post/reply.

colo303
2011-09-11, 16:46
Hi Dakeyras, thanks for offering to help me out, but now I’m not sure if you still can (I hope so).

My computer seems to now be in a loop of trying to reboot. It gets to the Windows logo and seems to be about to start then does a restart … over and over. But just before this it seemed to be running better than ever. I wonder if this was because the anti-virus wasn’t running using up a lot of resources??

Right now I am using another computer but it’s having some issues too. I think maybe these guys don’t like me very much. I hope there is something you can do.

Dakeyras
2011-09-12, 11:38
Hi. :)


thanks for offering to help me out, but now I’m not sure if you still can (I hope so).
You're welcome and I will try my best on your behalf.


My computer seems to now be in a loop of trying to reboot. It gets to the Windows logo and seems to be about to start then does a restart … over and over. But just before this it seemed to be running better than ever. I wonder if this was because the anti-virus wasn’t running using up a lot of resources??
Most likely caused by the Malware on-board your machine.


Right now I am using another computer but it’s having some issues too. I think maybe these guys don’t like me very much. I hope there is something you can do.
Is this your machine also? If so it may be infected also and we can deal with that one once finished with the first machine. Are you using a Router at all? Also what Operating System is in use on the machine you used to post this reply please.

Next:

Going back to the first machine having the problems...do you have a XP Installation CD-ROM? If not can you inform myself the exact make and model of the aforementioned machine please.

Now lets try a few basics as follows...

Reboot into Safe Mode:

How to boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should come up where you will be given the option to enter Safe Mode, do so.

If any problems refer to this tutorial. (http://www.malwareremoval.com/tutorials/safemodeboot.php)

Next:

In Safe Mode when the Windows Advanced Options menu appears use the Arrow keys (on the number pad part of the keyboard) to select Last Known Good Configuration (your most recent settings that worked), and then press the Enter/Return key.

Let myself know the outcome of the above as in did the Last Known Good Configuration work and or were you able to boot the machine into Safe Mode at all?

Dakeyras
2011-09-15, 12:59
Due to the lack of feedback this Topic is closed.

If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh set of DDS logs and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.