jonny404
2010-12-14, 23:12
Hi, my browser(s) are getting redirected to wepprotectionmicrosoft.com, unable to access microsoft update or update microsoft security essentials. Most websites I try to access are being blocked. eg "wepprotectionmicrosoft.com/block.php?teletext2010=1&url=http://www.larshederer.homepage.t-online.de/erunt/index.htm&z1=1291837075"
Hence I cannot backup registry with erunt, I have backed the registry up with Spybot's native tool though.
DDS (Ver_10-12-12.02) - NTFSx86
Run by User 1 at 21:22:46.76 on 14/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.145 [GMT 0:00]
AV: Microsoft Security Essentials *Enabled/Outdated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\User 1\My Documents\Downloads\dds.pif
C:\WINDOWS\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.ie/
uInternet Settings,ProxyOverride = *.local
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Switcher.exe] "c:\program files\sony\wireless switch setting utility\Switcher.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [VAIOCameraUtility] "c:\program files\sony\vaio camera utility\VCUServe.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216749833875
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, motbuouf.dll
LSA: Authentication Packages = msv1_0 nwprovau
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\user1~1\applic~1\mozilla\firefox\profiles\moob66t9.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
============= SERVICES / DRIVERS ===============
R?2 fooxpycn;Microsoft USB Generic Parent Controller;c:\windows\system32\svchost.exe -k netsvcs [2007-11-22 14336]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-11-15 363344]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2009-11-16 9216]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-6-20 36352]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-11-15 20952]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-6-20 808448]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\eappkt.sys --> c:\windows\system32\drivers\EAPPkt.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-14 136176]
S3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\blkwgu.sys --> c:\windows\system32\drivers\BLKWGU.sys [?]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-1-19 113280]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-1-19 100480]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2010-11-22 100736]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-11-30 1389400]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-11-30 15264]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2010-1-19 18432]
S3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2007-11-22 37040]
=============== Created Last 30 ================
2010-12-14 21:22:20 -------- d--h--w- c:\windows\PIF
2010-12-14 20:14:58 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-12-14 19:32:17 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-14 19:27:15 -------- d-----w- c:\docume~1\user1~1\locals~1\applic~1\Sunbelt Software
2010-12-14 19:24:11 -------- d-----w- c:\docume~1\user1~1\locals~1\applic~1\Temp
2010-12-14 19:23:27 -------- d-----w- c:\docume~1\user1~1\locals~1\applic~1\Google
2010-12-14 19:23:03 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{4C199BD2-7EF4-41DD-A9F3-FDB1302724DF}
2010-12-14 19:21:27 -------- d-----w- c:\program files\Lavasoft
2010-12-14 18:54:54 -------- d-----w- c:\docume~1\user1~1\applic~1\ElevatedDiagnostics
2010-12-13 23:45:16 388096 ----a-r- c:\docume~1\user1~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-12-13 23:45:15 -------- d-----w- c:\program files\Trend Micro
2010-12-13 20:32:47 0 ----a-w- c:\windows\system32\tmp.tmp
2010-12-13 20:30:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-13 20:30:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-12-13 18:22:41 733184 ----a-w- c:\windows\system32\alk7.dll
2010-12-13 18:22:41 0 ----a-w- c:\windows\system32\alk7.tmp
2010-12-08 19:43:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\bKbNa01803
2010-12-07 18:39:10 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4b24d3e5-2535-44d3-a3b5-bd04fb5375cd}\mpengine.dll
2010-12-04 09:34:56 -------- d-----w- c:\docume~1\user1~1\locals~1\applic~1\PCHealth
2010-11-22 18:36:08 100736 ----a-r- c:\windows\system32\drivers\ewusbfake.sys
2010-11-22 18:13:28 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2010-11-22 18:13:06 -------- d-----w- c:\docume~1\user1~1\applic~1\FLEXnet
2010-11-22 18:06:11 -------- d-----w- c:\docume~1\user1~1\applic~1\Vodafone
2010-11-22 18:05:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\Vodafone
2010-11-22 18:05:25 -------- d-----w- c:\program files\Vodafone
2010-11-22 18:05:09 -------- d-----w- c:\docume~1\user1~1\locals~1\applic~1\{BFFB4DAD-9151-42DB-86FA-4F90FA6F699F}
2010-11-16 20:46:08 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-11-16 14:52:30 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-11-16 14:52:30 215920 ----a-w- c:\windows\system32\muweb.dll
2010-11-16 14:52:30 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-11-15 22:54:31 -------- d-----w- c:\program files\iPod
2010-11-15 22:54:24 -------- d-----w- c:\program files\iTunes
2010-11-15 22:54:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-11-15 22:49:17 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll
2010-11-15 22:48:51 -------- d-----w- c:\program files\Bonjour
2010-11-15 22:22:27 -------- d-----w- c:\docume~1\user1~1\applic~1\Malwarebytes
2010-11-15 22:22:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-15 22:22:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-15 22:22:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-15 22:22:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-15 22:15:47 250496 ----a-w- c:\windows\system32\drivers\yk51x86.sys
2010-11-15 22:11:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\Sony Corporation
2010-11-15 21:20:57 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-11-15 21:17:02 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-11-15 20:48:32 -------- d-----w- c:\program files\CCleaner
==================== Find3M ====================
2010-10-07 12:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 12:23:02 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 12:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-09-28 15:44:52 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-09-18 12:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHY2120BH rev.0000000B -> Harddisk0\DR0 -> \Device\00000091
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86D02735]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86d08990]; MOV EAX, [0x86d08a0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86D48AB8]
3 CLASSPNP[0xF75DDFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000008e[0x86D4B9E8]
5 ACPI[0xF7454620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86CCBB00]
\Driver\atapi[0x86CD8268] -> IRP_MJ_CREATE -> 0x86D02735
error: Read The device is not ready.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-9 -> \??\IDE#DiskFUJITSU_MHY2120BH_______________________0000000B#5&1a838039&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86D0257B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
============= FINISH: 21:24:34.42 ===============
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-14 21:36:38
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 FUJITSU_MHY2120BH rev.0000000B
Running: gmer.exe; Driver: C:\DOCUME~1\USER1~1\LOCALS~1\Temp\ugtoaaob.sys
---- Kernel code sections - GMER 1.0.15 ----
? C:\DOCUME~1\USER1~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[404] ntdll.dll!DbgBreakPoint 7C90120E 1 Byte [C3]
.text C:\WINDOWS\Explorer.EXE[404] ntdll.dll!DbgUiRemoteBreakin 7C951E13 5 Bytes JMP 7C923BD8 C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1268] ntdll.dll!DbgBreakPoint 7C90120E 1 Byte [C3]
.text C:\WINDOWS\System32\svchost.exe[1268] ntdll.dll!DbgUiRemoteBreakin 7C951E13 5 Bytes JMP 7C923BD8 C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1268] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01D7000A
.text C:\WINDOWS\System32\svchost.exe[1268] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00E5000A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2576] ntdll.dll!DbgBreakPoint 7C90120E 1 Byte [C3]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2576] ntdll.dll!DbgUiRemoteBreakin 7C951E13 5 Bytes JMP 7C923BD8 C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[2836] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Google\Chrome\Application\chrome.exe[1840] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002F0010
IAT C:\Program Files\Google\Chrome\Application\chrome.exe[2156] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002F0010
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86D0257B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86D0257B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 86D0257B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 86D0257B
Device \Device\Ide\IdeDeviceP2T0L0-9 -> \??\IDE#DiskFUJITSU_MHY2120BH_______________________0000000B#5&1a838039&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 3948
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D14E26F-AE61-41DE-8342-3B607F3952E1}@LeaseObtainedTime 1292360395
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D14E26F-AE61-41DE-8342-3B607F3952E1}@T1 1292362195
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D14E26F-AE61-41DE-8342-3B607F3952E1}@T2 1292363545
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D14E26F-AE61-41DE-8342-3B607F3952E1}@LeaseTerminatesTime 1292363995
Reg HKLM\SYSTEM\CurrentControlSet\Services\{7D14E26F-AE61-41DE-8342-3B607F3952E1}\Parameters\Tcpip@LeaseObtainedTime 1292360395
Reg HKLM\SYSTEM\CurrentControlSet\Services\{7D14E26F-AE61-41DE-8342-3B607F3952E1}\Parameters\Tcpip@T1 1292362195
Reg HKLM\SYSTEM\CurrentControlSet\Services\{7D14E26F-AE61-41DE-8342-3B607F3952E1}\Parameters\Tcpip@T2 1292363545
Reg HKLM\SYSTEM\CurrentControlSet\Services\{7D14E26F-AE61-41DE-8342-3B607F3952E1}\Parameters\Tcpip@LeaseTerminatesTime 1292363995
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
---- EOF - GMER 1.0.15 ----
Hence I cannot backup registry with erunt, I have backed the registry up with Spybot's native tool though.
DDS (Ver_10-12-12.02) - NTFSx86
Run by User 1 at 21:22:46.76 on 14/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.145 [GMT 0:00]
AV: Microsoft Security Essentials *Enabled/Outdated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\User 1\My Documents\Downloads\dds.pif
C:\WINDOWS\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.ie/
uInternet Settings,ProxyOverride = *.local
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Switcher.exe] "c:\program files\sony\wireless switch setting utility\Switcher.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [VAIOCameraUtility] "c:\program files\sony\vaio camera utility\VCUServe.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216749833875
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, motbuouf.dll
LSA: Authentication Packages = msv1_0 nwprovau
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\user1~1\applic~1\mozilla\firefox\profiles\moob66t9.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
============= SERVICES / DRIVERS ===============
R?2 fooxpycn;Microsoft USB Generic Parent Controller;c:\windows\system32\svchost.exe -k netsvcs [2007-11-22 14336]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-11-15 363344]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2009-11-16 9216]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-6-20 36352]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-11-15 20952]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-6-20 808448]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\eappkt.sys --> c:\windows\system32\drivers\EAPPkt.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-14 136176]
S3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\blkwgu.sys --> c:\windows\system32\drivers\BLKWGU.sys [?]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-1-19 113280]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-1-19 100480]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2010-11-22 100736]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-11-30 1389400]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-11-30 15264]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2010-1-19 18432]
S3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2007-11-22 37040]
=============== Created Last 30 ================
2010-12-14 21:22:20 -------- d--h--w- c:\windows\PIF
2010-12-14 20:14:58 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-12-14 19:32:17 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-14 19:27:15 -------- d-----w- c:\docume~1\user1~1\locals~1\applic~1\Sunbelt Software
2010-12-14 19:24:11 -------- d-----w- c:\docume~1\user1~1\locals~1\applic~1\Temp
2010-12-14 19:23:27 -------- d-----w- c:\docume~1\user1~1\locals~1\applic~1\Google
2010-12-14 19:23:03 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{4C199BD2-7EF4-41DD-A9F3-FDB1302724DF}
2010-12-14 19:21:27 -------- d-----w- c:\program files\Lavasoft
2010-12-14 18:54:54 -------- d-----w- c:\docume~1\user1~1\applic~1\ElevatedDiagnostics
2010-12-13 23:45:16 388096 ----a-r- c:\docume~1\user1~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-12-13 23:45:15 -------- d-----w- c:\program files\Trend Micro
2010-12-13 20:32:47 0 ----a-w- c:\windows\system32\tmp.tmp
2010-12-13 20:30:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-13 20:30:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-12-13 18:22:41 733184 ----a-w- c:\windows\system32\alk7.dll
2010-12-13 18:22:41 0 ----a-w- c:\windows\system32\alk7.tmp
2010-12-08 19:43:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\bKbNa01803
2010-12-07 18:39:10 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4b24d3e5-2535-44d3-a3b5-bd04fb5375cd}\mpengine.dll
2010-12-04 09:34:56 -------- d-----w- c:\docume~1\user1~1\locals~1\applic~1\PCHealth
2010-11-22 18:36:08 100736 ----a-r- c:\windows\system32\drivers\ewusbfake.sys
2010-11-22 18:13:28 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2010-11-22 18:13:06 -------- d-----w- c:\docume~1\user1~1\applic~1\FLEXnet
2010-11-22 18:06:11 -------- d-----w- c:\docume~1\user1~1\applic~1\Vodafone
2010-11-22 18:05:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\Vodafone
2010-11-22 18:05:25 -------- d-----w- c:\program files\Vodafone
2010-11-22 18:05:09 -------- d-----w- c:\docume~1\user1~1\locals~1\applic~1\{BFFB4DAD-9151-42DB-86FA-4F90FA6F699F}
2010-11-16 20:46:08 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-11-16 14:52:30 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-11-16 14:52:30 215920 ----a-w- c:\windows\system32\muweb.dll
2010-11-16 14:52:30 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-11-15 22:54:31 -------- d-----w- c:\program files\iPod
2010-11-15 22:54:24 -------- d-----w- c:\program files\iTunes
2010-11-15 22:54:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-11-15 22:49:17 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll
2010-11-15 22:48:51 -------- d-----w- c:\program files\Bonjour
2010-11-15 22:22:27 -------- d-----w- c:\docume~1\user1~1\applic~1\Malwarebytes
2010-11-15 22:22:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-15 22:22:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-15 22:22:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-15 22:22:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-15 22:15:47 250496 ----a-w- c:\windows\system32\drivers\yk51x86.sys
2010-11-15 22:11:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\Sony Corporation
2010-11-15 21:20:57 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-11-15 21:17:02 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-11-15 20:48:32 -------- d-----w- c:\program files\CCleaner
==================== Find3M ====================
2010-10-07 12:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 12:23:02 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 12:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-09-28 15:44:52 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-09-18 12:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHY2120BH rev.0000000B -> Harddisk0\DR0 -> \Device\00000091
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86D02735]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86d08990]; MOV EAX, [0x86d08a0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86D48AB8]
3 CLASSPNP[0xF75DDFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000008e[0x86D4B9E8]
5 ACPI[0xF7454620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86CCBB00]
\Driver\atapi[0x86CD8268] -> IRP_MJ_CREATE -> 0x86D02735
error: Read The device is not ready.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-9 -> \??\IDE#DiskFUJITSU_MHY2120BH_______________________0000000B#5&1a838039&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86D0257B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
============= FINISH: 21:24:34.42 ===============
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-14 21:36:38
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 FUJITSU_MHY2120BH rev.0000000B
Running: gmer.exe; Driver: C:\DOCUME~1\USER1~1\LOCALS~1\Temp\ugtoaaob.sys
---- Kernel code sections - GMER 1.0.15 ----
? C:\DOCUME~1\USER1~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[404] ntdll.dll!DbgBreakPoint 7C90120E 1 Byte [C3]
.text C:\WINDOWS\Explorer.EXE[404] ntdll.dll!DbgUiRemoteBreakin 7C951E13 5 Bytes JMP 7C923BD8 C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1268] ntdll.dll!DbgBreakPoint 7C90120E 1 Byte [C3]
.text C:\WINDOWS\System32\svchost.exe[1268] ntdll.dll!DbgUiRemoteBreakin 7C951E13 5 Bytes JMP 7C923BD8 C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1268] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01D7000A
.text C:\WINDOWS\System32\svchost.exe[1268] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00E5000A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2576] ntdll.dll!DbgBreakPoint 7C90120E 1 Byte [C3]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2576] ntdll.dll!DbgUiRemoteBreakin 7C951E13 5 Bytes JMP 7C923BD8 C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[2836] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Google\Chrome\Application\chrome.exe[1840] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002F0010
IAT C:\Program Files\Google\Chrome\Application\chrome.exe[2156] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002F0010
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86D0257B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86D0257B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 86D0257B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 86D0257B
Device \Device\Ide\IdeDeviceP2T0L0-9 -> \??\IDE#DiskFUJITSU_MHY2120BH_______________________0000000B#5&1a838039&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 3948
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D14E26F-AE61-41DE-8342-3B607F3952E1}@LeaseObtainedTime 1292360395
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D14E26F-AE61-41DE-8342-3B607F3952E1}@T1 1292362195
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D14E26F-AE61-41DE-8342-3B607F3952E1}@T2 1292363545
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D14E26F-AE61-41DE-8342-3B607F3952E1}@LeaseTerminatesTime 1292363995
Reg HKLM\SYSTEM\CurrentControlSet\Services\{7D14E26F-AE61-41DE-8342-3B607F3952E1}\Parameters\Tcpip@LeaseObtainedTime 1292360395
Reg HKLM\SYSTEM\CurrentControlSet\Services\{7D14E26F-AE61-41DE-8342-3B607F3952E1}\Parameters\Tcpip@T1 1292362195
Reg HKLM\SYSTEM\CurrentControlSet\Services\{7D14E26F-AE61-41DE-8342-3B607F3952E1}\Parameters\Tcpip@T2 1292363545
Reg HKLM\SYSTEM\CurrentControlSet\Services\{7D14E26F-AE61-41DE-8342-3B607F3952E1}\Parameters\Tcpip@LeaseTerminatesTime 1292363995
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
---- EOF - GMER 1.0.15 ----