Thread: Help needed

#1, Junior Member (Join Date: Apr 2011, Posts: 1)

Help needed

I ran my own CA Security Suite spyware and anti-virus scan... but it would not quarantine the findings.

System Restore has been disabled and I can't enable it.

Folder Options have been affected.

SBS and D will not run.

I created a new user to open in Safe Mode and now my welcome screen does not show my original and mail user.

Cannot switch user.

Can only access my original user when starting in Safe Mode.

Have followed the instructions on the read-first post but may have done too much damage before I did.

Steve. DDS log below.


    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Administrator at 7:12:07.03 on 04/04/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.759 [GMT 1:00]
    .
    AV: CA Anti-Virus *Enabled/Updated* {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\System32\svchost.exe -k Akamai
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\Program Files\Starfield\offSyncService.exe
    C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Snk.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\WINDOWS\system32\lxdmcoms.exe
    C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\VistaDrive\VistaDrive.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\ais.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\vsnp2std.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Bell Mobility\Mobile Connect Basic\tscui.exe
    C:\Program Files\Lexmark 5000 Series\lxdmmon.exe
    C:\Program Files\Lexmark 5000 Series\lxdmamon.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\e4n66g.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\moaltz.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ld8vd9np.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\e4n66g.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\moaltz.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ld8vd9np.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\Program Files\Topcom\Webtalker 211\WebTalker 211.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\WINDOWS\Spikia.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Snm.exe
    C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\Administrator\Desktop\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/
    uWindow Title = Internet Explorer Provided By Sky Broadband
    uDefault_Page_URL = hxxp://www.skybroadband.com
    uInternet Connection Wizard,ShellNext = hxxp://ibm.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: c:\windows\system32\jzwd6z.dll: {b1b220c1-a500-99bd-f110-04b53a2c8952} - c:\windows\system32\jzwd6z.dll
    TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    uRun: [IBP]
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [Qgupeyuhasaju] rundll32.exe "c:\windows\molpc49.dll",Startup
    uRun: [IKXGVMFZHI] c:\docume~1\admini~1\locals~1\temp\Snk.exe
    uRun: [NtWqIVLZEWZU] c:\docume~1\admini~1\locals~1\temp\Snm.exe
    uRun: [HNUGROXRnDc] c:\docume~1\admini~1\locals~1\temp\e4n66g.exe
    uRun: [HNUGROXRpsh] c:\docume~1\admini~1\locals~1\temp\moaltz.exe
    uRun: [HNUGROXRpdR] c:\docume~1\admini~1\locals~1\temp\ld8vd9np.exe
    uRun: [HNUGROXRsPc] c:\docume~1\admini~1\locals~1\temp\win16.exe
    uRun: [HNUGROXRotc] c:\docume~1\admini~1\locals~1\temp\hexdump.exe
    uRun: [HNUGROXRouqc] c:\docume~1\admini~1\locals~1\temp\iexplarer.exe
    uRun: [HNUGROXRrtc] c:\docume~1\admini~1\locals~1\temp\sysedit.exe
    uRun: [HNUGROXRruf] c:\docume~1\admini~1\locals~1\temp\spoolsv.exe
    uRun: [HNUGROXRrwe] c:\docume~1\admini~1\locals~1\temp\sysmgm.exe
    uRun: [HNUGROXRrg] c:\docume~1\admini~1\locals~1\temp\smss.exe
    uRun: [MKbuqc] c:\windows\iexplarer.exe
    uRun: [HNUGROXRprc] c:\docume~1\admini~1\locals~1\temp\login.exe
    uRun: [MKeta] c:\windows\services.exe
    uRun: [MKeta] c:\windows\services.exe
    mRun: [VistaDrive] c:\windows\vistadrive\VistaDrive.exe
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [snp2std] c:\windows\vsnp2std.exe
    mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
    mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
    mRun: [lxdmmon.exe] "c:\program files\lexmark 5000 series\lxdmmon.exe"
    mRun: [lxdmamon] "c:\program files\lexmark 5000 series\lxdmamon.exe"
    mRun: [tscui] c:\program files\bell mobility\mobile connect basic\tscui.exe
    mRun: [MCStart] "c:\program files\bell mobility\mobile connect basic\tscui.exe" /s
    mRun: [QuickBooksDB18] c:\program files\intuit\quickbooks 2009\qbdbmgrn.exe -n qb_pc001_18 -qs -gd all -gk all -gp 4096 -gu all -ch 64m -c 32m -x tcpip(broadcastlistener=no;port=10180) -ti 0 -ec simple -ct- -qi -qw -tl 120 -oe "c:\documents and settings\administrator\local settings\application data\intuit\quickbooks\log\DBStartup.log" -y
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
    mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
    mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
    mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
    mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
    mRun: [HNUGROXRnDc] c:\docume~1\admini~1\locals~1\temp\e4n66g.exe
    mRun: [HNUGROXRpsh] c:\docume~1\admini~1\locals~1\temp\moaltz.exe
    mRun: [HNUGROXRpdR] c:\docume~1\admini~1\locals~1\temp\ld8vd9np.exe
    mRun: [Shotedoxiyetuko] rundll32.exe "c:\windows\ezuwipiqowal.dll",Startup
    mRun: [HNUGROXRsPc] c:\docume~1\admini~1\locals~1\temp\win16.exe
    mRun: [HNUGROXRotc] c:\docume~1\admini~1\locals~1\temp\hexdump.exe
    mRun: [HNUGROXRouqc] c:\docume~1\admini~1\locals~1\temp\iexplarer.exe
    mRun: [HNUGROXRrtc] c:\docume~1\admini~1\locals~1\temp\sysedit.exe
    mRun: [HNUGROXRruf] c:\docume~1\admini~1\locals~1\temp\spoolsv.exe
    mRun: [HNUGROXRrwe] c:\docume~1\admini~1\locals~1\temp\sysmgm.exe
    mRun: [HNUGROXRrg] c:\docume~1\admini~1\locals~1\temp\smss.exe
    mRun: [MKbuqc] c:\windows\iexplarer.exe
    mRun: [HNUGROXRprc] c:\docume~1\admini~1\locals~1\temp\login.exe
    mRun: [MKeta] c:\windows\services.exe
    dRun: [LClock] c:\program files\lclock\LClock.exe
    dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
    dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    uExplorerRun: [servises]
    mExplorerRun: [servises]
    StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\webtal~1.lnk - c:\docume~1\admini~1\applic~1\microsoft\installer\{41e4ac12-f605-4a27-9643-c5eb95e7a6cc}\_49442e40.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\shortc~1.lnk - c:\program files\common files\intuit\quickbooks\QBServerUtilityMgr.exe
    uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    uPolicies-explorer: NoFolderOptions = 1 (0x1)
    uPolicies-system: DisableRegistryTools = 1 (0x1)
    dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    LSP: c:\windows\system32\VetRedir.dll
    Trusted Zone: adp.ca
    Trusted Zone: bullhorn.com
    Trusted Zone: bullhornstaffing.com
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {4503BC07-768C-4872-9AE3-A5558E73C2FE} - hxxp://www.bullhornstaffing.com/BullhornHelp/Tools/bhconfigactivex.CAB
    DPF: {5685BC20-FBE6-11D2-885F-00A0243C2C64} - hxxps://pay.adp.ca/payatwork/Common/SpectrumRDC.cab
    DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} - hxxps://pay.adp.ca/payatwork/Common/iemenu.cab
    DPF: {88D969C1-F192-11D4-A65F-0040963251E5} - hxxps://montcap.net/cabs/msxml4.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {A7A61128-0EAA-11D1-B22F-0000C08C00C4} - hxxps://pay.adp.ca/payatwork/Common/Ssdw3b32.cab
    DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} - hxxps://ediagnostics.lexmark.com/serval.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    TCP: NameServer = 93.188.165.114,93.188.160.154
    TCP: {CEA9B191-C162-4A24-9A39-825E68A6A3FC} = 93.188.165.114,93.188.160.154
    TCP: {DBD13321-6DF9-4A39-97D7-0C5C70AEFD8D} = 93.188.165.114,93.188.160.154
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    Notify: LMIinit - LMIinit.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    STS: c:\windows\system32\jzwd6z.dll: {b1b220c1-a500-99bd-f110-04b53a2c8952} - c:\windows\system32\jzwd6z.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\5ughqpxx.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
    FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\5ughqpxx.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
    FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npoff.dll
    FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npoff.dll
    FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npwbe.dll
    FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npwbe.dll
    FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: XULRunner: {75BFBF8F-0ED6-43BF-92A4-C5203755F71F} - c:\documents and settings\administrator\local settings\application data\{75BFBF8F-0ED6-43BF-92A4-C5203755F71F}
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============
    .
    R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-1-20 26352]
    R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-1-20 21104]
    R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2009-1-20 746216]
    R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-1-20 21488]
    R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-1-20 161008]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-14 14336]
    R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2009-1-20 144696]
    R2 File Backup;File Backup Service;c:\program files\starfield\offSyncService.exe [2010-7-16 1310960]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-28 374152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-8-24 47640]
    R2 NvtlService;NovaCore SDK Service;c:\program files\novatel wireless\novacore\server\NvtlSrvr.exe [2009-3-2 40448]
    R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2009-1-20 255312]
    R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2009-1-20 185680]
    R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-1-20 130280]
    S1 a10faef6;a10faef6;c:\windows\system32\drivers\a10faef6.sys --> c:\windows\system32\drivers\a10faef6.sys [?]
    S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\program files\system\cpl bonus\vcdrom.sys --> c:\program files\system\cpl bonus\Vcdrom.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-25 136176]
    S3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\common files\bcl technologies\easypdf 5\bepldr.exe [2007-8-23 151552]
    S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
    S3 TSWLAN;TsWlan Packet Driver;c:\windows\system32\drivers\tswlan.sys --> c:\windows\system32\drivers\TsWlan.sys [?]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    S4 QuickBooksDB18;QuickBooksDB18;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb18 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
    .
    =============== Created Last 30 ================
    .
    2011-04-03 19:10:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
    2011-04-03 19:10:22 -------- d-----w- c:\program files\common files\ParetoLogic
    2011-04-03 19:10:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\FileCure
    2011-04-03 19:10:21 -------- d-----w- c:\program files\ParetoLogic
    2011-04-03 18:38:03 -------- d-----w- C:\spoolerlogs
    2011-04-03 18:32:46 1646592 --sha-w- c:\docume~1\admini~1\locals~1\applic~1\ais.exe
    2011-04-03 17:15:57 227205 --sha-w- c:\docume~1\admini~1\locals~1\applic~1\qbq.exe
    2011-04-03 17:14:04 0 ----a-w- c:\windows\Vhosacocuwuse.bin
    2011-04-03 17:14:02 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\{75BFBF8F-0ED6-43BF-92A4-C5203755F71F}
    2011-04-03 17:12:52 50000 ----a-w- c:\windows\system32\jzwd6z.dll
    2011-04-03 17:12:52 50000 ----a-w- c:\windows\system32\eu7owxzau.dll
    2011-04-03 17:12:52 50000 ----a-w- c:\windows\system32\emgj73.dll
    2011-04-03 17:12:28 135168 --sha-r- c:\windows\system32\cpwmon2ka.dll
    2011-04-03 17:12:18 164352 ----a-w- c:\windows\Spikia.exe
    2011-03-28 20:21:24 -------- d-----w- c:\docume~1\admini~1\applic~1\EurekaLog
    2011-03-23 14:46:41 -------- d-----w- c:\program files\IBP 11
    2011-03-23 14:46:41 -------- d-----w- c:\docume~1\admini~1\applic~1\IBP
    2011-03-16 14:51:01 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\JonathanLeger.com
    2011-03-16 14:51:01 -------- d-----w- c:\docume~1\admini~1\applic~1\JonathanLeger.com
    2011-03-16 14:50:53 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\IsolatedStorage
    .
    ==================== Find3M ====================
    .
    2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: TOSHIBA_MK8034GSX rev.AH301E -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A768EC5]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x87a8b872; SUB DWORD [EBP-0x4], 0x87a8b12e; PUSH EDI; CALL 0xffffffffffffdf33; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A7E5AB8]
    3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000007b[0x8A7EC278]
    5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A748D98]
    [0x8A6FB030] -> IRP_MJ_CREATE -> 0x8A768EC5
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK8034GSX_______________________AH301E__#5&2438d806&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A768AEA
    user & kernel MBR OK
    sectors 156301486 (+255): user != kernel
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 7:16:49.48 ===============
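As an added example, not part of the thread and not code from DDS, GMER or any of the tools named here: a small triage script for the Run-key and policy lines of a DDS "Pseudo HJT Report" such as the one above. It flags the patterns that stand out in this log: autorun targets living in a Temp directory, executables carrying core Windows process names (smss.exe, services.exe, spoolsv.exe) outside system32, rundll32 loading a DLL from outside system32, and the NoFolderOptions / DisableRegistryTools policies that match the "Folder Options have been affected" symptom. The sample lines are copied from the log above; the heuristics, the process-name list and the policy list are my own assumptions and are meant for reading a log, not as a substitute for the scans the helper asks for.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List

# A short sample copied from the DDS "Pseudo HJT Report" in the post above.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IKXGVMFZHI] c:\docume~1\admini~1\locals~1\temp\Snk.exe
uRun: [HNUGROXRrg] c:\docume~1\admini~1\locals~1\temp\smss.exe
uRun: [MKeta] c:\windows\services.exe
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [Shotedoxiyetuko] rundll32.exe "c:\windows\ezuwipiqowal.dll",Startup
mRun: [HNUGROXRruf] c:\docume~1\admini~1\locals~1\temp\spoolsv.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
"""

# DDS prefixes: u = current user hive, m = machine hive, d = default user hive.
RUN_RE = re.compile(r"^(?P<hive>[umd])Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
POLICY_RE = re.compile(r"^(?P<hive>[umd])Policies-(?P<area>\w+):\s*(?P<value>\w+)\s*=\s*(?P<data>\d+)")

# Core Windows process names that malware borrows (assumed list). Genuine copies
# live in %SystemRoot%\system32; the same name anywhere else deserves a look.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe"}

# Explorer/system policies that take the user's own repair tools away (assumed list).
LOCKDOWN_POLICIES = {"nofolderoptions", "disableregistrytools", "disabletaskmgr"}


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def target_path(cmd: str) -> str:
    """Return the file a Run-key command actually loads.

    Quoted and unquoted paths are both accepted; for rundll32 launchers the
    interesting file is the DLL given as the first argument ("x.dll",Entry).
    """
    tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmd)]
    if not tokens:
        return ""
    if tokens[0].lower() in ("rundll32.exe", "rundll32") and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]
    return tokens[0]


def check_run_entry(cmd: str) -> List[str]:
    """Heuristics for one autorun command; returns the reasons it looks bad."""
    reasons = []
    low = target_path(cmd).lower()
    base = ntpath.basename(low)
    directory = ntpath.dirname(low)
    if "\\temp\\" in low:
        reasons.append("autorun target lives in a Temp directory")
    if base in SYSTEM_NAMES and not directory.endswith("\\system32"):
        reasons.append(f"{base} outside system32 impersonates a Windows process")
    if cmd.lower().lstrip('"').startswith("rundll32") and not directory.endswith("\\system32"):
        reasons.append("rundll32 loads a DLL from outside system32")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Walk DDS Run/Policy lines and collect the entries worth cleaning up."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            reasons = check_run_entry(m.group("cmd"))
            if reasons:
                findings.append(Finding(line, reasons))
            continue
        m = POLICY_RE.match(line)
        if m and m.group("value").lower() in LOCKDOWN_POLICIES and m.group("data") != "0":
            findings.append(Finding(line, [f"policy {m.group('value')} locks the user out of a repair tool"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run against the sample it reports seven entries and leaves ctfmon.exe, cctray.exe and ForceClassicControlPanel alone. The same script can be pointed at a whole DDS log; everything outside the Run and Policies lines is ignored. Note that the "outside system32" test is a heuristic keyed on the directory name, so a non-standard %SystemRoot% will produce false positives, and nothing here addresses the MBR-level finding in the GMER section, which needs the rootkit tools the helper lists.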

#2, Malware Team-Emeritus (Join Date: May 2010, Posts: 212)

    Hello and welcome to the forum.

    My name is vict0r and I will help you with the malware issues on your computer.

    Please read the following information carefully.

IMPORTANT: Whatever repairs we make are for fixing this computer only and by no means should be used on another computer.

    To make cleaning this machine easier:

• Continue to respond to this thread until I tell you that the logs are clean!
    • Please DO NOT uninstall/install any programs unless asked to. It is more difficult when files/programs appear or disappear from the logs.
    • Please do not run any scans other than those requested and do not post any logs/reports unless specifically requested to do so.
    • Please follow all instructions in the order posted.
    • If you have any questions or do not understand instructions, please ask before continuing.
    • Please reply to this thread. Do not start a new topic.
    • Your security program(s) may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.



    Download/run Rkill:

    Please download Rkill from one of the following links and save it to your Desktop:

One, Two, Three, Four or Five

    • Double click on Rkill.
    • A command window will open then disappear upon completion, this is normal.
• A Notepad window will open; please post the contents in your next reply.
    • This log can also be found at C:\rkill.log
    • Please leave Rkill on the Desktop until otherwise advised.

    Note: If your security software warns about Rkill, please ignore/allow the download/execution to continue.


    TDSSKiller

    Please download TDSSKiller.zip and extract (unzip) it to your Desktop.
    • Double click on TDSSKiller.exe to launch it.
    • Click on Start Scan, the scan will run.
• When the scan has finished, if it finds anything, please click on the drop-down arrow next to Cure and select Skip.
    • Now click on Report to open the log file created by TDSSKiller in your root directory C:\
    • To find the log go to Start > Computer > C:
    • Post the contents of that log in your next reply please.
    • DO NOT TRY TO FIX ANYTHING AT THIS POINT


    Run a Scan with OTL
    1. Please download OTL.exe by OldTimer and save it to your desktop.
    2. Double click on OTL.exe to run it.
    3. Check the boxes labeled :
      • Scan All Users
      • LOP check
      • Purity check
    4. Click on the Run Scan button at the top left hand corner.
    5. OTL will start running. When done, 2 Notepad files will open; OTL.txt and Extras.txt.
      They will be saved on your desktop.



    Please post the contents of these logs (in separate replies if you wish):
    • The rkill log.
    • The TDSSKiller log.
    • The OTL logs.
    • Describe any problems while following the instructions, if any. The exact wording of any error messages might be useful.

#3, Malware Team-Emeritus (Join Date: May 2010, Posts: 212)

    This topic is now closed.

    If you still require help, please start a new topic and include a fresh DDS log.
