Help
Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.
This topic is locked
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Tazz1 at 12:08:26.99 on Mon 07/03/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.61.1033.18.2814.1467 [GMT 11:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Tazz1\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\users\tazz1\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: localhost
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\tazz1\appdata\roaming\mozilla\firefox\profiles\z7prsgv7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.tazz1.com.au/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\users\tazz1\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\tazz1\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\tazz1\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-2-23 64512]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-5-5 172032]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-2-22 1405384]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-2-23 1153368]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-5-5 5550592]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-5-5 176128]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-2-22 15232]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-6-22 257568]
R3 stdriver;Sound Tap Upper Class Filter Driver v2.0.0.0;c:\windows\system32\drivers\stdriver32.sys [2010-10-11 52824]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-9-13 1343400]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-23 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2011-03-05 00:57:55 -------- d-----w- C:\Mp3 Output
2011-03-05 00:57:53 8676883 ----a-w- c:\windows\system32\mp3Media2.dll
2011-03-05 00:57:52 -------- d-----w- c:\program files\Smallvideosoft
2011-03-04 04:42:26 -------- d-----w- C:\VundoFix Backups
2011-03-04 00:47:23 -------- d-----w- c:\users\tazz1\appdata\roaming\ProgSense
2011-03-04 00:47:23 -------- d-----w- C:\Downloads
2011-03-01 02:44:56 388096 ----a-r- c:\users\tazz1\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-03-01 02:44:56 -------- d-----w- c:\program files\Trend Micro
2011-03-01 01:46:44 -------- d-----w- c:\program files\Microsoft
2011-02-23 22:41:29 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{29a71aab-be16-42f9-aa7f-a144ff5dd814}\mpengine.dll
2011-02-23 03:36:14 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-02-23 02:16:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-23 02:16:20 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-02-23 02:15:45 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-02-23 02:15:44 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-02-23 02:15:08 -------- d-----w- c:\users\tazz1\appdata\local\Sunbelt Software
2011-02-23 02:14:36 -------- dc-h--w- c:\progra~2\{05D7E05D-9BCE-4F9F-8206-9129E8EAAF25}
2011-02-23 02:14:32 -------- d-----w- c:\program files\Lavasoft
2011-02-22 03:20:23 -------- d-----w- c:\windows\rnapxs
2011-02-22 03:20:17 -------- d-----w- c:\program files\CA
2011-02-22 03:06:52 -------- d-----w- c:\progra~2\MFAData
2011-02-22 00:33:56 0 ----a-w- c:\users\tazz1\appdata\local\Tzined.bin
2011-02-22 00:33:55 -------- d-----w- c:\users\tazz1\appdata\local\{37C227EF-FB29-4F61-A191-9B20D5943239}
2011-02-21 01:57:39 -------- d-----w- c:\users\tazz1\appdata\roaming\Leawo
2011-02-21 01:57:34 -------- d-----w- c:\progra~2\Leawo
2011-02-21 01:51:21 -------- d-----w- c:\program files\K-Lite Codec Pack
2011-02-21 01:51:11 -------- d-----w- c:\program files\Leawo
2011-02-21 01:00:06 -------- d-----w- c:\program files\Audacity
2011-02-14 00:49:34 99896 ----a-w- c:\windows\system32\bass.dll
2011-02-14 00:49:34 484352 ----a-w- c:\windows\system32\lame_enc.dll
2011-02-14 00:49:34 16448 ----a-w- c:\windows\system32\basswma.dll
2011-02-14 00:49:34 15872 ----a-w- c:\windows\system32\ogg.dll
2011-02-14 00:49:34 1198592 ----a-w- c:\windows\system32\vorbis.dll
2011-02-14 00:46:45 -------- d-----w- c:\program files\StationPlaylist
2011-02-06 23:04:44 -------- d-----w- c:\program files\SopCast
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: ST31000528AS rev.CC38 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x86467439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8646d7b8]; MOV EAX, [0x8646d834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82C45458] -> \Device\Harddisk0\DR0[0x86446600]
3 CLASSPNP[0x8AB8C59E] -> ntkrnlpa!IofCallDriver[0x82C45458] -> [0x85F2A918]
5 ACPI[0x8340A3B2] -> ntkrnlpa!IofCallDriver[0x82C45458] -> \IdeDeviceP0T0L0-0[0x85603908]
\Driver\atapi[0x86453B20] -> IRP_MJ_CREATE -> 0x86467439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskST31000528AS____________________________CC38____#5&15602d3e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 1953525166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 12:09:20.26 ===============
Attached File(s)
-
Attach.txt (16.36K)
Number of downloads: 0 -
ARK.txt (6.32K)
Number of downloads: 1
Back to top
Please download Malwarebytes' Anti-Malware from 
