.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Lord at 12:59:52.81 on Sat 04/23/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1467 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Lord\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uLocal Page =
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagItBHO.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagItIEAddin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\lord\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} -
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
Trusted Zone: cinemanow.com
Trusted Zone: qflix.com
Trusted Zone: roxio.com
Trusted Zone: sonic.com\redirect
Trusted Zone: sonic.com\redirect2
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\lord\applic~1\mozilla\firefox\profiles\ns2o3ouy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55273
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 8888
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2009-3-3 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2009-3-3 15856]
S1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2009-6-29 244608]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
S1 MpKsl2367828d;MpKsl2367828d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3d425190-4599-4da0-8e2e-4ee5ec030ba3}\mpksl2367828d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3d425190-4599-4da0-8e2e-4ee5ec030ba3}\MpKsl2367828d.sys [?]
S1 MpKsla5c5fa87;MpKsla5c5fa87;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d169990f-bc33-4b6b-82b7-63fd0528929b}\mpksla5c5fa87.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d169990f-bc33-4b6b-82b7-63fd0528929b}\MpKsla5c5fa87.sys [?]
S1 MpKslb0fe2e80;MpKslb0fe2e80;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e0e98532-b5d7-4909-99d2-d34b8a22cbb6}\mpkslb0fe2e80.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e0e98532-b5d7-4909-99d2-d34b8a22cbb6}\MpKslb0fe2e80.sys [?]
S1 MpKslbf8fe406;MpKslbf8fe406;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ca88cd10-8669-4943-beff-1157a933ca7c}\mpkslbf8fe406.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ca88cd10-8669-4943-beff-1157a933ca7c}\MpKslbf8fe406.sys [?]
S1 MpKslcefc53da;MpKslcefc53da;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8dc3ca08-2d57-46e5-8955-c1f1cb43d965}\mpkslcefc53da.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8dc3ca08-2d57-46e5-8955-c1f1cb43d965}\MpKslcefc53da.sys [?]
S1 MpKsldf37030e;MpKsldf37030e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b6c30763-7f6c-421b-b864-daa92d8cf64b}\mpksldf37030e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b6c30763-7f6c-421b-b864-daa92d8cf64b}\MpKsldf37030e.sys [?]
S1 MpKsle49a001f;MpKsle49a001f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9ef5287b-a0b5-4213-8ccc-4d7dc910ca46}\mpksle49a001f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9ef5287b-a0b5-4213-8ccc-4d7dc910ca46}\MpKsle49a001f.sys [?]
S1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2009-3-3 25584]
S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\saibsvc.exe --> c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [?]
S2 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-6-23 127352]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 KMService;KMService;c:\windows\system32\srvany.exe [2010-9-27 8192]
S2 Roxio Upnp Server 11;Roxio Upnp Server 11;"c:\program files\roxio creator 2009 ultimate\digital home 11\roxioupnpservice11.exe" --> c:\program files\roxio creator 2009 ultimate\digital home 11\RoxioUpnpService11.exe [?]
S2 RoxLiveShare11;LiveShare P2P Server 11;"c:\program files\common files\roxio shared\11.0\sharedcom\roxliveshare11.exe" --> c:\program files\common files\roxio shared\11.0\sharedcom\RoxLiveShare11.exe [?]
S2 RoxWatch11;Roxio Hard Drive Watcher 11;"c:\program files\common files\roxio shared\11.0\sharedcom\roxwatch11.exe" --> c:\program files\common files\roxio shared\11.0\sharedcom\RoxWatch11.exe [?]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatch12.exe [2009-7-24 219632]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\roxio creator 2009 ultimate\digital home 11\roxioupnprenderer11.exe" --> c:\program files\roxio creator 2009 ultimate\digital home 11\RoxioUPnPRenderer11.exe [?]
S3 RoxMediaDB11;RoxMediaDB11;"c:\program files\common files\roxio shared\11.0\sharedcom\roxmediadb11.exe" --> c:\program files\common files\roxio shared\11.0\sharedcom\RoxMediaDB11.exe [?]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxMediaDB12.exe [2009-7-24 1116656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2011-04-23 02:25:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-04-23 02:11:38 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4f3fb5b8-33ba-46f8-8e0b-f95003a87ed9}\MpKsl3697d962.sys
2011-04-23 00:49:50 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4f3fb5b8-33ba-46f8-8e0b-f95003a87ed9}\mpengine.dll
2011-04-23 00:10:59 -------- d-sha-r- C:\cmdcons
2011-04-22 17:01:58 -------- d-----w- c:\program files\CP-Autos
2011-04-21 21:44:47 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-04-21 21:44:47 -------- d-----w- c:\documents and settings\all users\Microsoft
2011-04-21 21:39:24 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2011-04-21 16:27:15 -------- d-----w- c:\docume~1\lord\applic~1\Malwarebytes
2011-04-21 16:27:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-21 16:27:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-21 16:27:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-21 16:27:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-21 16:04:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-21 16:04:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-04-21 03:43:28 -------- d-----w- c:\docume~1\lord\locals~1\applic~1\Microsoft Help
2011-04-20 18:04:25 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-20 18:04:25 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-20 16:00:25 -------- d-----w- c:\windows\Sonic
2011-04-18 21:39:12 -------- d-----w- c:\program files\Bonjour
2011-04-15 22:01:01 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-04-15 22:00:47 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2011-04-15 21:59:45 -------- d-----w- c:\windows\system32\RsFx
2011-04-15 21:56:37 -------- d-----w- c:\program files\Microsoft SQL Server
2011-04-15 19:18:21 -------- d-----w- c:\docume~1\lord\applic~1\TweakNow RegCleaner 2011
2011-04-12 17:05:13 -------- d-----w- c:\docume~1\lord\locals~1\applic~1\Adobe
2011-04-10 03:34:22 112832 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\vcexpress\10.0\1033\ResourceCache.dll
2011-04-08 22:19:49 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-05 02:45:25 -------- d-----w- c:\docume~1\lord\locals~1\applic~1\PCTeX
2011-04-05 02:44:54 -------- d-----w- c:\program files\PCTeX
2011-04-01 16:36:42 -------- d-----w- c:\program files\Ghostgum
2011-04-01 16:32:30 -------- d-----w- c:\program files\gs
2011-04-01 15:50:08 -------- d-----w- c:\program files\common files\Adobe-BackupByPhotoshopCS5Portable
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ------w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ------w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ------w- c:\windows\system32\win32k.sys
2011-02-17 13:51:57 81920 ------w- c:\windows\system32\ieencode.dll
2011-02-17 13:51:57 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51:57 61952 ------w- c:\windows\system32\tdc.ocx
2011-02-17 12:37:38 369664 ------w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ------w- c:\windows\system32\fxscover.exe
2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ------w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ------w- c:\windows\system32\mfc42u.dll
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35 2067456 ------w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ------w- c:\windows\system32\mstsc.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500AAJS-75VWA0 rev.12.01B02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SahdIa32.sys ACPI.sys hal.dll >>UNKNOWN [0x8A8B94F0]<<
c:\windows\system32\drivers\SahdIa32.sys Sonic Solutions
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a8bf7d0]; MOV EAX, [0x8a8bf84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A8C9AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x8A912918]
5 SahdIa32[0xF7658939] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000066[0x8A8CC098]
7 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x8A93FD98]
\Driver\atapi[0x8A90FEB8] -> IRP_MJ_CREATE -> 0x8A8B94F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A8B933B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 13:00:56.87 ===============