DDS (Ver_10-11-27.01) - NTFSx86
Run by Robert at 9:30:37.73 on Sun 11/28/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.960 [GMT -6:00]
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
"C:\Windows\System32\svchost.exe"
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\SMINST\BLService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
F:\Virus Removal\DDS\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [cftmon] c:\windows\system32\fbzps.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [Metropolis] rundll32.exe c:\windows\system32\sshnas21.dll,GetHandle
dRun: [U36VRSFLG6] c:\windows\temp\Jwx.exe
dRun: [454D5A46_ 0] c:\windows\temp\hslyg.exe
dRun: [DnE] c:\windows\temp\e.exe
dRun: [NtWqIVLZEWZU] c:\windows\temp\Jw7.exe
dRunOnce: [nNfPd01701] c:\programdata\nnfpd01701\nNfPd01701.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
AppInit_DLLs: avgrsstx.dll
================= FIREFOX ===================
FF - ProfilePath - c:\users\robert\appdata\roaming\mozilla\firefox\profiles\9gdxkmwd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\users\robert\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {B690420A-1193-4763-A8B3-7C19C7B9FEB9} - c:\windows\system32\config\systemprofile\appdata\local\{b690420a-1193-4763-a8b3-7c19c7b9feb9}\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: PDFescape Extension: {2A1D5949-B519-4924-BF62-8522FE0D5274} - c:\users\robert\appdata\roaming\mozilla\firefox\profiles\9gdxkmwd.default\extensions\{2A1D5949-B519-4924-BF62-8522FE0D5274}
FF - Extension: CookieSafe: {9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD} - c:\users\robert\appdata\roaming\mozilla\firefox\profiles\9gdxkmwd.default\extensions\{9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD}
FF - Extension: myFireFox: {e213bb8f-8ebd-11db-96b7-005056c00008} - c:\users\robert\appdata\roaming\mozilla\firefox\profiles\9gdxkmwd.default\extensions\{e213bb8f-8ebd-11db-96b7-005056c00008}
FF - Extension: Abstract Classic: {2fbc1200-ad13-11db-abbd-0800200c9a66} - c:\users\robert\appdata\roaming\mozilla\firefox\profiles\9gdxkmwd.default\extensions\{2fbc1200-ad13-11db-abbd-0800200c9a66}
FF - Extension: Gmail Notifier: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e} - c:\users\robert\appdata\roaming\mozilla\firefox\profiles\9gdxkmwd.default\extensions\{44d0a1b4-9c90-4f86-ac92-8680b5d6549e}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\robert\appdata\roaming\mozilla\firefox\profiles\9gdxkmwd.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg9\Firefox
============= SERVICES / DRIVERS ===============
R?2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-8-11 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-8-11 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-8-11 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-8-11 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-8-11 308136]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-6-25 361808]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-3 42528]
S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-6-24 193840]
=============== Created Last 30 ================
2010-11-21 17:29:54 -------- d-----w- c:\program files\whitesmoketoolbar
2010-11-19 00:22:01 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-11-16 02:20:42 -------- d-----w- c:\users\robert\appdata\roaming\SUPERAntiSpyware.com
2010-11-16 02:20:42 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-11-16 02:20:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-12 01:36:48 -------- d-----w- c:\windows\system32\MpEngineStore
2010-11-12 00:55:28 -------- d-----w- c:\progra~2\MFAData
2010-11-12 00:54:52 -------- d-----w- c:\users\robert\appdata\roaming\Malwarebytes
2010-11-12 00:54:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-12 00:54:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-12 00:54:43 -------- d-----w- c:\progra~2\Malwarebytes
2010-11-12 00:54:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-11 23:55:18 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2010-11-11 23:55:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-10 22:08:06 412160 ----a-w- c:\windows\system32\fbzps.exe
2010-11-10 22:04:10 166 ----a-w- c:\windows\system32\delme.bat
2010-11-10 22:04:09 412160 ----a-w- c:\windows\system32\ptbp.exe
2010-11-10 22:03:48 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2010-11-10 22:03:48 281104 ----a-w- c:\windows\system32\wpcap.dll
2010-11-10 22:03:48 100880 ----a-w- c:\windows\system32\Packet.dll
2010-11-10 22:01:33 -------- d--h--w- C:\$AVG
2010-11-09 00:50:11 -------- d-----w- c:\program files\uTorrent
2010-11-09 00:49:36 -------- d-----w- c:\users\robert\appdata\roaming\uTorrent
==================== Find3M ====================
2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 17:23:42 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-08 17:07:35 834048 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 15:23:27 389632 ----a-w- c:\windows\system32\html.iec
2010-09-06 16:20:29 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19:06 17920 ----a-w- c:\windows\system32\netevent.dll
2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: ST9200827AS rev.3.BHA -> Harddisk0\DR0 -> \Device\Ide\IdePort3 P3T0L0-5
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86869446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8686f504]; MOV EAX, [0x8686f580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x81E81962] -> \Device\Harddisk0\DR0[0x861CCAC8]
3 CLASSPNP[0x824478B3] -> ntkrnlpa!IofCallDriver[0x81E81962] -> [0x8598B838]
5 acpi[0x806116BC] -> ntkrnlpa!IofCallDriver[0x81E81962] -> [0x859678A0]
\Driver\atapi[0x866DB268] -> IRP_MJ_CREATE -> 0x86869446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP3T0L0-5 -> \??\IDE#DiskST9200827AS_____________________________3.BHA___#5&8eb2ae7&0&1.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86869292
user != kernel MBR !!!
sectors 390721966 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
============= FINISH: 9:32:11.90 ===============