Hi, i think my sisters laptop is infected with something.
I've installed and ran Spybot S&D, Malwarebytes Anti-Malware and SUPERAnti-spyware. These all found various things and removed them, they're all coming back clean now. She has AVG free on it and i updated it from version 9 to version 11 and updated it. AVG kept on finding trojans and removing them. I then noticed that Windows Defender was turned off. I turned it on and updated it and ran it. It found 2 trojan downloaders and removed them.
Despite all of this i suspect that there is still something lurking in the background. On boot up it says that the windows HOSTS service can't run and Windows Defender once again if off and won't run.
Thanks in advance.
DDS (Ver_10-12-12.02) - NTFSx86
Run by Kadie Jo at 14:55:19.69 on 16/02/2011
Internet Explorer: 8.0.6001.19019
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.3001.1447 [GMT 0:00]
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe
C:\Program Files\T-Mobile\web'n'walk Manager\GtDetectSc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\WeFi\WeFi.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\CyberLink\Shared files\brs.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\T-Mobile\web'n'walk Manager\web'n'walk Manager.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Windows\system32\igfxext.exe
C:\Users\KADIEJ~1\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\eMachines\eMachines Power Management\ePowerEvent.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\DbgOut.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\Program Files\WeFi\WefiEngSvc.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\spoolsv.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Kadie Jo\Desktop\Clean up folder\DDS\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/ig
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0809&s=2&o=vb32&d=0709&m=e525
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0809&s=2&o=vb32&d=0709&m=e525
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0809&s=2&o=vb32&d=0709&m=e525
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
uURLSearchHooks: TorrentMan Toolbar: {7c5c0f58-e061-457d-9033-77307f5ed00c} - c:\program files\torrentman\tbTorr.dll
uURLSearchHooks: Free Radio TV Toolbar: {9dbb9aeb-5a16-4989-a66f-c0f1c909d647} - c:\program files\free_radio_tv\tbFree.dll
mURLSearchHooks: TorrentMan Toolbar: {7c5c0f58-e061-457d-9033-77307f5ed00c} - c:\program files\torrentman\tbTorr.dll
mURLSearchHooks: Free Radio TV Toolbar: {9dbb9aeb-5a16-4989-a66f-c0f1c909d647} - c:\program files\free_radio_tv\tbFree.dll
mURLSearchHooks: H - No File
BHO: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\program files\bearsharetb\BearShareDx.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: TorrentMan Toolbar: {7c5c0f58-e061-457d-9033-77307f5ed00c} - c:\program files\torrentman\tbTorr.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Free Radio TV Toolbar: {9dbb9aeb-5a16-4989-a66f-c0f1c909d647} - c:\program files\free_radio_tv\tbFree.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\program files\bearsharetb\BearShareDx.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: TorrentMan Toolbar: {7c5c0f58-e061-457d-9033-77307f5ed00c} - c:\program files\torrentman\tbTorr.dll
TB: Free Radio TV Toolbar: {9dbb9aeb-5a16-4989-a66f-c0f1c909d647} - c:\program files\free_radio_tv\tbFree.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: @c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [WarReg_PopUp] c:\program files\emachines\wr_popup\WarReg_PopUp.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [MobileBroadband] c:\program files\vodafone\vodafone mobile broadband\bin\MobileBroadband.exe /silent
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Skytel] c:\program files\realtek\audio\hda\Skytel.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [Mobile Connectivity Suite] "c:\program files\htc\htc sync\application launcher\Application Launcher.exe" /startoptions
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Acer ePower Management] c:\program files\emachines\emachines power management\ePowerTray.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYAMABLAE0AQwAtAEUAOQBWAFUAVwAtAEUAVwAwAFYAQQAtAFUAVQAzAFgATAAtAEYARQBXADkANwA"&"inst=NwA3AC0ANQAxADQAOAA4ADcANwA3ADUALQBGAFAAOQAyACsANgAtAEIAQQBSADkARwArADEALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQAxADAAQQArADIA"&"prod=90"&"ver=9.0.872
StartupFolder: c:\users\kadiej~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\web'n'~1.lnk - c:\program files\t-mobile\web'n'walk manager\web'n'walk Manager.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20100203085505
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://www.shockwave.com/content/dreamchronicles/sis/dreamweb.1.0.0.10.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-gb.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 ePowerSvc;Acer ePower Service;c:\program files\emachines\emachines power management\ePowerSvc.exe [2009-7-11 723488]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 GtDetectSc;GtDetectSc;c:\program files\t-mobile\web'n'walk manager\GtDetectSc.exe [2008-4-30 200704]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-9-23 144632]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 VmbService;Vodafone Mobile Broadband Service;c:\program files\vodafone\vodafone mobile broadband\bin\VmbService.exe [2010-4-28 9216]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 27216]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C60x86.sys [2009-3-11 49664]
R3 WefiEngSvc;WeFi Engine Service;c:\program files\wefi\WefiEngSvc.exe [2010-2-24 133976]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1ca6403c0a161cc;Google Update Service (gupdate1ca6403c0a161cc);c:\program files\google\update\GoogleUpdate.exe [2009-11-13 133104]
S3 GTUHSBUS;GT UHS BUS;c:\windows\system32\drivers\gtuhsbus.sys [2008-11-7 62592]
S3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\drivers\gtuhs51.sys [2008-11-7 105984]
S3 GTUHSOMS;GT UHS OMS;c:\windows\system32\drivers\gtuhsoms.sys [2008-11-7 20352]
S3 GTUHSSER;GT UHS SER;c:\windows\system32\drivers\gtuhsser.sys [2008-11-7 8064]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-6-9 24576]
S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-9-23 50424]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2010-12-16 114688]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [2010-12-16 105856]
=============== Created Last 30 ================
2011-02-15 15:55:16 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{671da89d-4cf3-4048-90b5-48e3ae049b90}\mpengine.dll
2011-02-14 15:23:18 -------- d-----w- c:\windows\en
2011-02-14 15:17:30 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2011-02-14 15:17:30 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2011-02-14 15:17:30 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-02-14 15:16:11 94040 ----a-w- c:\program files\common files\windows live\.cache\1c72fd131cbcc5a05\DSETUP.dll
2011-02-14 15:16:11 525656 ----a-w- c:\program files\common files\windows live\.cache\1c72fd131cbcc5a05\DXSETUP.exe
2011-02-14 15:16:11 1691480 ----a-w- c:\program files\common files\windows live\.cache\1c72fd131cbcc5a05\dsetup32.dll
2011-02-14 15:16:08 94040 ----a-w- c:\program files\common files\windows live\.cache\19a67f331cbcc5a04\DSETUP.dll
2011-02-14 15:16:08 525656 ----a-w- c:\program files\common files\windows live\.cache\19a67f331cbcc5a04\DXSETUP.exe
2011-02-14 15:16:08 1691480 ----a-w- c:\program files\common files\windows live\.cache\19a67f331cbcc5a04\dsetup32.dll
2011-02-14 15:15:45 -------- d-----w- c:\users\kadiej~1\appdata\local\Windows Live
2011-02-14 15:11:58 754688 ----a-w- c:\windows\system32\webservices.dll
2011-02-14 14:57:50 -------- d-----w- C:\AVG10
2011-02-14 14:57:31 -------- d-----w- C:\Vodafone
2011-02-13 21:14:25 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-02-13 15:53:32 -------- d-----w- c:\users\kadiej~1\appdata\roaming\AVG10
2011-02-13 15:52:01 -------- d--h--w- c:\progra~2\Common Files
2011-02-13 15:50:38 -------- d-----w- c:\windows\system32\drivers\AVG
2011-02-13 15:50:38 -------- d-----w- c:\progra~2\AVG10
2011-02-13 15:44:58 -------- d-----w- c:\progra~2\MFAData
2011-02-13 15:40:57 135 ----a-w- c:\users\kadiej~1\appdata\roaming\2939.bat
2011-02-12 22:00:52 -------- d-----w- c:\program files\ESET
2011-02-12 21:33:04 -------- d-----w- c:\windows\pss
2011-02-12 19:00:36 -------- d-----w- c:\users\kadiej~1\appdata\roaming\SUPERAntiSpyware.com
2011-02-12 19:00:36 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2011-02-12 18:59:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-12 18:01:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-12 18:01:00 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-02-12 17:57:54 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-12 13:24:55 3602320 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-02-07 03:02:51 -------- d-----w- c:\windows\system32\x64
2011-01-18 12:24:21 256 ----a-w- c:\windows\system32\pool.bin
2011-01-18 12:24:17 -------- d-----w- c:\users\kadiej~1\appdata\roaming\Research In Motion
2011-01-18 12:22:17 27136 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2011-01-18 12:20:16 -------- d-----w- c:\program files\common files\Research In Motion
==================== Find3M ====================
2011-02-02 17:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-18 06:27:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-18 06:22:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 06:22:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-18 06:22:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-12-18 06:22:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-12-18 05:25:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-18 04:48:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-12-18 04:47:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-12-14 14:49:23 1169408 ----a-w- c:\windows\system32\sdclt.exe
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: Hitachi_HTS545050B9A300 rev.PB4OC60F -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86B95EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x85aa1872; SUB DWORD [EBP-0x4], 0x85aa112e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x82645912] -> \Device\Harddisk0\DR0[0x8586F898]
3 CLASSPNP[0x8A7A28B3] -> ntkrnlpa!IofCallDriver[0x82645912] -> [0x856C5AA0]
5 acpi[0x806926BC] -> ntkrnlpa!IofCallDriver[0x82645912] -> [0x84D05B98]
[0x86C4AF38] -> IRP_MJ_CREATE -> 0x86B95EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskHitachi_HTS545050B9A300_________________PB4OC60F#5&19ff1653&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86B95AEA
user & kernel MBR OK
sectors 976773166 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
============= FINISH: 14:58:37.65 ===============
I've installed and ran Spybot S&D, Malwarebytes Anti-Malware and SUPERAnti-spyware. These all found various things and removed them, they're all coming back clean now. She has AVG free on it and i updated it from version 9 to version 11 and updated it. AVG kept on finding trojans and removing them. I then noticed that Windows Defender was turned off. I turned it on and updated it and ran it. It found 2 trojan downloaders and removed them.
Despite all of this i suspect that there is still something lurking in the background. On boot up it says that the windows HOSTS service can't run and Windows Defender once again if off and won't run.
Thanks in advance.
DDS (Ver_10-12-12.02) - NTFSx86
Run by Kadie Jo at 14:55:19.69 on 16/02/2011
Internet Explorer: 8.0.6001.19019
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.3001.1447 [GMT 0:00]
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe
C:\Program Files\T-Mobile\web'n'walk Manager\GtDetectSc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\WeFi\WeFi.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\CyberLink\Shared files\brs.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\T-Mobile\web'n'walk Manager\web'n'walk Manager.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Windows\system32\igfxext.exe
C:\Users\KADIEJ~1\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\eMachines\eMachines Power Management\ePowerEvent.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\DbgOut.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\Program Files\WeFi\WefiEngSvc.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\spoolsv.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Kadie Jo\Desktop\Clean up folder\DDS\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/ig
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0809&s=2&o=vb32&d=0709&m=e525
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0809&s=2&o=vb32&d=0709&m=e525
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0809&s=2&o=vb32&d=0709&m=e525
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
uURLSearchHooks: TorrentMan Toolbar: {7c5c0f58-e061-457d-9033-77307f5ed00c} - c:\program files\torrentman\tbTorr.dll
uURLSearchHooks: Free Radio TV Toolbar: {9dbb9aeb-5a16-4989-a66f-c0f1c909d647} - c:\program files\free_radio_tv\tbFree.dll
mURLSearchHooks: TorrentMan Toolbar: {7c5c0f58-e061-457d-9033-77307f5ed00c} - c:\program files\torrentman\tbTorr.dll
mURLSearchHooks: Free Radio TV Toolbar: {9dbb9aeb-5a16-4989-a66f-c0f1c909d647} - c:\program files\free_radio_tv\tbFree.dll
mURLSearchHooks: H - No File
BHO: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\program files\bearsharetb\BearShareDx.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: TorrentMan Toolbar: {7c5c0f58-e061-457d-9033-77307f5ed00c} - c:\program files\torrentman\tbTorr.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Free Radio TV Toolbar: {9dbb9aeb-5a16-4989-a66f-c0f1c909d647} - c:\program files\free_radio_tv\tbFree.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\program files\bearsharetb\BearShareDx.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: TorrentMan Toolbar: {7c5c0f58-e061-457d-9033-77307f5ed00c} - c:\program files\torrentman\tbTorr.dll
TB: Free Radio TV Toolbar: {9dbb9aeb-5a16-4989-a66f-c0f1c909d647} - c:\program files\free_radio_tv\tbFree.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: @c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [WarReg_PopUp] c:\program files\emachines\wr_popup\WarReg_PopUp.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [MobileBroadband] c:\program files\vodafone\vodafone mobile broadband\bin\MobileBroadband.exe /silent
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Skytel] c:\program files\realtek\audio\hda\Skytel.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [Mobile Connectivity Suite] "c:\program files\htc\htc sync\application launcher\Application Launcher.exe" /startoptions
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Acer ePower Management] c:\program files\emachines\emachines power management\ePowerTray.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYAMABLAE0AQwAtAEUAOQBWAFUAVwAtAEUAVwAwAFYAQQAtAFUAVQAzAFgATAAtAEYARQBXADkANwA"&"inst=NwA3AC0ANQAxADQAOAA4ADcANwA3ADUALQBGAFAAOQAyACsANgAtAEIAQQBSADkARwArADEALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQAxADAAQQArADIA"&"prod=90"&"ver=9.0.872
StartupFolder: c:\users\kadiej~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\web'n'~1.lnk - c:\program files\t-mobile\web'n'walk manager\web'n'walk Manager.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20100203085505
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://www.shockwave.com/content/dreamchronicles/sis/dreamweb.1.0.0.10.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-gb.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 ePowerSvc;Acer ePower Service;c:\program files\emachines\emachines power management\ePowerSvc.exe [2009-7-11 723488]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 GtDetectSc;GtDetectSc;c:\program files\t-mobile\web'n'walk manager\GtDetectSc.exe [2008-4-30 200704]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-9-23 144632]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 VmbService;Vodafone Mobile Broadband Service;c:\program files\vodafone\vodafone mobile broadband\bin\VmbService.exe [2010-4-28 9216]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 27216]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C60x86.sys [2009-3-11 49664]
R3 WefiEngSvc;WeFi Engine Service;c:\program files\wefi\WefiEngSvc.exe [2010-2-24 133976]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1ca6403c0a161cc;Google Update Service (gupdate1ca6403c0a161cc);c:\program files\google\update\GoogleUpdate.exe [2009-11-13 133104]
S3 GTUHSBUS;GT UHS BUS;c:\windows\system32\drivers\gtuhsbus.sys [2008-11-7 62592]
S3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\drivers\gtuhs51.sys [2008-11-7 105984]
S3 GTUHSOMS;GT UHS OMS;c:\windows\system32\drivers\gtuhsoms.sys [2008-11-7 20352]
S3 GTUHSSER;GT UHS SER;c:\windows\system32\drivers\gtuhsser.sys [2008-11-7 8064]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-6-9 24576]
S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-9-23 50424]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2010-12-16 114688]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [2010-12-16 105856]
=============== Created Last 30 ================
2011-02-15 15:55:16 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{671da89d-4cf3-4048-90b5-48e3ae049b90}\mpengine.dll
2011-02-14 15:23:18 -------- d-----w- c:\windows\en
2011-02-14 15:17:30 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2011-02-14 15:17:30 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2011-02-14 15:17:30 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-02-14 15:16:11 94040 ----a-w- c:\program files\common files\windows live\.cache\1c72fd131cbcc5a05\DSETUP.dll
2011-02-14 15:16:11 525656 ----a-w- c:\program files\common files\windows live\.cache\1c72fd131cbcc5a05\DXSETUP.exe
2011-02-14 15:16:11 1691480 ----a-w- c:\program files\common files\windows live\.cache\1c72fd131cbcc5a05\dsetup32.dll
2011-02-14 15:16:08 94040 ----a-w- c:\program files\common files\windows live\.cache\19a67f331cbcc5a04\DSETUP.dll
2011-02-14 15:16:08 525656 ----a-w- c:\program files\common files\windows live\.cache\19a67f331cbcc5a04\DXSETUP.exe
2011-02-14 15:16:08 1691480 ----a-w- c:\program files\common files\windows live\.cache\19a67f331cbcc5a04\dsetup32.dll
2011-02-14 15:15:45 -------- d-----w- c:\users\kadiej~1\appdata\local\Windows Live
2011-02-14 15:11:58 754688 ----a-w- c:\windows\system32\webservices.dll
2011-02-14 14:57:50 -------- d-----w- C:\AVG10
2011-02-14 14:57:31 -------- d-----w- C:\Vodafone
2011-02-13 21:14:25 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-02-13 15:53:32 -------- d-----w- c:\users\kadiej~1\appdata\roaming\AVG10
2011-02-13 15:52:01 -------- d--h--w- c:\progra~2\Common Files
2011-02-13 15:50:38 -------- d-----w- c:\windows\system32\drivers\AVG
2011-02-13 15:50:38 -------- d-----w- c:\progra~2\AVG10
2011-02-13 15:44:58 -------- d-----w- c:\progra~2\MFAData
2011-02-13 15:40:57 135 ----a-w- c:\users\kadiej~1\appdata\roaming\2939.bat
2011-02-12 22:00:52 -------- d-----w- c:\program files\ESET
2011-02-12 21:33:04 -------- d-----w- c:\windows\pss
2011-02-12 19:00:36 -------- d-----w- c:\users\kadiej~1\appdata\roaming\SUPERAntiSpyware.com
2011-02-12 19:00:36 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2011-02-12 18:59:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-12 18:01:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-12 18:01:00 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-02-12 17:57:54 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-12 13:24:55 3602320 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-02-07 03:02:51 -------- d-----w- c:\windows\system32\x64
2011-01-18 12:24:21 256 ----a-w- c:\windows\system32\pool.bin
2011-01-18 12:24:17 -------- d-----w- c:\users\kadiej~1\appdata\roaming\Research In Motion
2011-01-18 12:22:17 27136 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2011-01-18 12:20:16 -------- d-----w- c:\program files\common files\Research In Motion
==================== Find3M ====================
2011-02-02 17:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-18 06:27:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-18 06:22:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 06:22:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-18 06:22:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-12-18 06:22:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-12-18 05:25:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-18 04:48:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-12-18 04:47:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-12-14 14:49:23 1169408 ----a-w- c:\windows\system32\sdclt.exe
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: Hitachi_HTS545050B9A300 rev.PB4OC60F -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86B95EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x85aa1872; SUB DWORD [EBP-0x4], 0x85aa112e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x82645912] -> \Device\Harddisk0\DR0[0x8586F898]
3 CLASSPNP[0x8A7A28B3] -> ntkrnlpa!IofCallDriver[0x82645912] -> [0x856C5AA0]
5 acpi[0x806926BC] -> ntkrnlpa!IofCallDriver[0x82645912] -> [0x84D05B98]
[0x86C4AF38] -> IRP_MJ_CREATE -> 0x86B95EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskHitachi_HTS545050B9A300_________________PB4OC60F#5&19ff1653&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86B95AEA
user & kernel MBR OK
sectors 976773166 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
============= FINISH: 14:58:37.65 ===============