possible TDL3 rootkit infection



rabizzle
2010-12-27, 09:12
Hi, I really need help! I have been really struggling to get rid of a possible trojan or something of that ilk! Since yesterday, when I use Firefox or IE, tabs keep opening by themselves going to random websites including eBay or Google or other websites that are really obscure. I have run Malwarebytes' Anti-Malware and it comes up with detecting a trojan horse and then it deletes it and asks me to reinstall, but it is still there! Can anyone please help me? Thanks!

DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by User at 8:07:10.35 on 27/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.597 [GMT 0:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\User\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [TdlRazor] c:\docume~1\user\locals~1\temp\_zctmp.dir\tdl3 razor\tdlrazor.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [DpUtil] c:\program files\toshiba\dualpointutility\TEDTray.exe
mRun: [ThpSrv] c:\windows\system32\thpsrv /logon
mRun: [TFNF5] TFNF5.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [TOSDCR] TOSDCR.EXE
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TAudEffect] c:\program files\toshiba\taudeffect\TAudEff.exe /run
mRun: [TFncKy] TFncKy.exe
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: RestrictRun = 0 (0x0)
mPolicies-explorer: RestrictRun = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217846430062
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: psfus - psqlpwd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\2vwg638n.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-26 64288]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2007-4-27 21120]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-3-9 6528]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1389400]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-9-28 35968]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2007-9-28 5888]
S2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2010-11-9 3229728]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-5-5 13568]
S2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-5-5 33024]
S2 KillTheHooker;KillTheHooker;\??\c:\docume~1\user\locals~1\temp\_zctmp.dir\tdl3 razor\tizerbruteforceex.sys --> c:\docume~1\user\locals~1\temp\_zctmp.dir\tdl3 razor\TizerBruteForceEx.sys [?]
S2 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2006-5-5 3456]
S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
S2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2007-9-28 114688]
S2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-12-25 18560]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15264]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2007-9-28 435072]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2007-9-28 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-12-26 21:39:57 96512 ----a-w- c:\windows\system32\drivers\x001.sys
2010-12-26 21:31:08 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-12-26 21:30:09 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-12-26 21:30:08 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-12-26 16:22:42 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-12-26 15:05:56 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-12-26 15:05:45 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-26 15:01:24 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Sunbelt Software
2010-12-26 15:00:28 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-26 14:59:13 -------- d-----w- c:\program files\Lavasoft
2010-12-26 12:07:30 -------- d-----w- C:\VundoFix Backups
2010-12-26 11:57:02 -------- d-----w- c:\documents and settings\user\Tracing
2010-12-26 11:55:11 54760 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2010-12-26 11:53:41 -------- d-----w- c:\program files\Microsoft
2010-12-26 11:53:02 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-12-26 11:42:33 -------- d-----w- c:\program files\common files\Windows Live
2010-12-26 09:17:26 -------- d-----w- c:\program files\UPHClean
2010-12-26 09:09:42 -------- d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2010-12-26 09:09:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-12-26 09:09:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-26 09:06:11 -------- d-----w- c:\program files\SpywareBlaster
2010-12-26 09:00:23 -------- d-----w- c:\program files\Lunarsoft
2010-12-26 09:00:23 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Lunarsoft
2010-12-25 19:22:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-25 19:22:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-12-25 19:03:25 388096 ----a-r- c:\docume~1\user\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-12-25 19:03:24 -------- d-----w- c:\program files\Trend Micro
2010-12-25 18:56:19 -------- d-----w- c:\program files\CCleaner
2010-12-25 17:45:50 -------- d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-12-25 17:45:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-25 17:45:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-25 17:45:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-25 17:45:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-25 14:42:27 -------- d-----w- c:\docume~1\user\locals~1\applic~1\PCHealth
2010-12-25 13:58:42 -------- d--h--w- C:\$AVG
2010-12-25 13:12:06 -------- d-----w- c:\docume~1\user\applic~1\AVG10
2010-12-25 13:11:13 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-12-25 13:08:15 -------- d-----w- c:\windows\system32\drivers\AVG
2010-12-25 13:08:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-12-25 13:07:30 -------- d-----w- c:\program files\AVG
2010-12-25 12:18:46 -------- d-----w- c:\docume~1\user\applic~1\Windows Search
2010-12-25 11:57:11 -------- d-----w- c:\docume~1\user\applic~1\WinBatch
2010-12-25 11:55:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-12-25 10:58:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2010-12-23 10:55:39 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Temp
2010-12-22 21:19:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2010-12-22 21:19:44 -------- d-----w- c:\program files\McAfee Security Scan
2010-12-22 21:04:55 3592192 ----a-w- c:\windows\system32\stacgui.cpl
2010-12-22 21:04:55 1052672 ----a-w- c:\windows\system32\stlang.dll
2010-12-22 21:04:48 112128 ----a-w- c:\windows\system32\staco.dll
2010-12-22 21:04:46 1106888 ----a-w- c:\windows\system32\drivers\sthda.sys
2010-12-22 21:04:44 200704 ----a-w- c:\windows\system32\stacapi.dll
2010-12-22 21:04:43 -------- d-----w- c:\program files\SigmaTel
2010-12-22 14:26:31 -------- d-----w- c:\windows\system32\winrm
2010-12-22 14:26:27 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2010-12-22 14:24:54 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Identities
2010-12-22 14:24:49 -------- d-----w- c:\docume~1\user\applic~1\Windows Desktop Search
2010-12-22 14:24:22 -------- d-----w- c:\program files\Windows Desktop Search
2010-12-22 14:24:21 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-12-22 14:23:14 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-12-22 14:23:14 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-12-22 14:23:14 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-12-22 14:22:59 -------- d-----w- c:\program files\IDT
2010-12-22 13:11:19 -------- d-----w- c:\windows\system32\XPSViewer
2010-12-22 13:10:38 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-12-22 13:10:24 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-12-22 13:10:24 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-12-22 13:10:24 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-12-22 13:10:24 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-12-22 13:10:24 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-12-22 13:10:24 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-12-22 13:10:24 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-12-22 13:10:24 117760 ------w- c:\windows\system32\prntvpt.dll
2010-12-22 13:10:22 -------- d-----w- C:\f2edf5aa1db513bc7a562d
2010-12-22 11:04:56 -------- d-----w- c:\windows\pss
2010-12-17 11:05:44 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-12-17 09:59:18 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-12-17 09:59:18 215920 ----a-w- c:\windows\system32\muweb.dll
2010-12-17 09:59:18 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-12-17 07:33:04 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-17 07:29:52 -------- d-sh--w- c:\documents and settings\user\IECompatCache
2010-12-17 07:29:44 -------- d-sh--w- c:\documents and settings\user\PrivacIE
2010-12-17 07:20:05 -------- d-sh--w- c:\documents and settings\user\IETldCache
2010-12-17 06:45:13 -------- d-----w- c:\windows\ie8updates
2010-12-17 06:40:57 -------- dc-h--w- c:\windows\ie8
2010-12-17 06:37:52 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-12-17 06:37:24 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-12-17 06:37:24 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-12-17 06:37:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-12-17 06:37:22 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-12-17 06:37:22 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-12-17 06:37:21 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-12-17 06:37:19 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-12-16 14:34:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-16 14:31:44 -------- d-----w- c:\windows\system32\appmgmt
2010-12-16 14:27:48 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-12-16 14:27:48 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll
2010-12-16 14:27:48 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-12-16 14:27:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-12-16 14:26:54 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-12-16 14:26:09 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-12-16 14:25:53 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-16 14:25:41 -------- d-----w- c:\docume~1\user\applic~1\Juniper Networks
2010-12-16 14:25:29 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-12-16 14:25:29 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-12-16 14:25:17 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-12-16 14:23:23 293376 ------w- c:\windows\system32\browserchoice.exe
2010-12-16 14:21:52 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-12-16 14:20:35 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 16:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ------w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ------w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS542512K9SA00 rev.BB2OC33P -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys >>UNKNOWN [0x86EC3555]<<
c:\windows\system32\drivers\thpdrv.sys TOSHIBA Corporation TOSHIBA HDD Protection
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86ec97b0]; MOV EAX, [0x86ec982c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86F84AB8]
3 CLASSPNP[0xF7577FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\THPDRV[0x86F67030]
5 thpdrv[0xF77B19DB] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000008d[0x86F54910]
7 ACPI[0xF74CE620] -> nt!IofCallDriver[0x804E13B9] -> [0x86F54D98]
\Driver\atapi[0x86F70B60] -> IRP_MJ_CREATE -> 0x86EC3555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HTS542512K9SA00_________________BB2OC33P#38303330393042423230303042574144564c4144#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86EC339B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 8:08:36.46 ===============

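As an added example (not part of the post above and not code from the DDS or GMER tools), a small Python triage helper that parses the ROOTKIT section of the log and flags the two indicators a responder looks for in it: a module in the disk call chain that GMER could not map to any file on disk (the `>>UNKNOWN [...]<<` entry) and driver dispatch entries (an IRP handler, `DriverStartIo`) that point into that unbacked region. The section text is embedded as constructed sample input copied from the log.

```python
import re

# Constructed sample: the ROOTKIT section of the DDS/GMER output quoted in the post.
SAMPLE = r"""
=================== ROOTKIT ====================
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys >>UNKNOWN [0x86EC3555]<<
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86F84AB8]
\Driver\atapi[0x86F70B60] -> IRP_MJ_CREATE -> 0x86EC3555
kernel: MBR read successfully
detected hooks:
\Driver\atapi DriverStartIo -> 0x86EC339B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
============= FINISH: 8:08:36.46 ===============
"""

HEX = r"0x[0-9A-Fa-f]+"
UNKNOWN_RE = re.compile(rf">>UNKNOWN \[({HEX})\]<<")
IRP_RE = re.compile(rf"^(\\Driver\\\w+)\[{HEX}\] -> (IRP_MJ_\w+) -> ({HEX})$")
HOOK_RE = re.compile(rf"^(\\Driver\\\w+) (\w+) -> ({HEX})$")


def parse_rootkit_section(text):
    """Pull module and hook facts out of the ROOTKIT block of a DDS log."""
    info = {"modules": [], "unknown": [], "irp": [], "hooks": [], "mbr_ok": False, "warnings": []}
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=") and "ROOTKIT" in line:
            inside = True
            continue
        if line.startswith("=") and "FINISH" in line:
            break
        if not inside:
            continue
        if line.startswith("called modules:"):
            # Named modules are file-backed; the UNKNOWN entry is code GMER could not map.
            info["modules"] = UNKNOWN_RE.sub("", line).split()[2:]
            info["unknown"] = [int(m.group(1), 16) for m in UNKNOWN_RE.finditer(line)]
        elif (m := IRP_RE.match(line)):
            info["irp"].append((m.group(1), m.group(2), int(m.group(3), 16)))
        elif (m := HOOK_RE.match(line)):
            info["hooks"].append((m.group(1), m.group(2), int(m.group(3), 16)))
        elif line == "user & kernel MBR OK":
            info["mbr_ok"] = True
        elif line.startswith("Warning:"):
            info["warnings"].append(line)
    return info


def triage(info):
    """Turn the parsed facts into findings a responder can act on."""
    findings = []
    pages = {a >> 12 for a in info["unknown"]}  # 4 KiB pages holding unbacked code
    for drv, what, addr in info["irp"] + info["hooks"]:
        if addr in info["unknown"]:
            findings.append(f"{drv} {what} dispatches into unbacked code at {addr:#x}")
        elif addr >> 12 in pages:
            findings.append(f"{drv} {what} -> {addr:#x} sits in the same page as unbacked code")
    if findings and info["mbr_ok"]:
        findings.append("MBR reads clean: the hook lives in a driver object, not the boot sector")
    return findings


if __name__ == "__main__":
    for line in triage(parse_rootkit_section(SAMPLE)):
        print(line)
```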
shelf life
2010-12-30, 16:30
hi rabizzle,

Your post is a few days old. If you still need help, post back. Based on the log, you should not use this computer. Make sure it has no Internet connectivity; if you're not sure, then power it off.