DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 19:30:39.12 on Thu 01/06/2011
Internet Explorer: 8.0.6001.18702
============== Running Processes ===============
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\wdm\stacsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:59274
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: MRI_DISABLED - No File
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [HP Mobile Broadband] c:\swsetup\hpqwwan\HPMobileBroadband.exe /TrayMode
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
R? SASDIFSV;SASDIFSV
R? SASKUTIL;SASKUTIL
S? AESTAud;AE Audio Service
S? AntiVirSchedulerService;Avira AntiVir Scheduler
S? AntiVirService;Avira AntiVir Guard
S? avgio;avgio
S? avgntflt;avgntflt
=============== Created Last 30 ================
2011-01-06 01:49:19 -------- d-sha-r- C:\cmdcons
2011-01-06 01:46:25 89088 ----a-w- c:\windows\MBR.exe
2011-01-06 01:46:25 256512 ----a-w- c:\windows\PEV.exe
2011-01-06 01:46:25 161792 ----a-w- c:\windows\SWREG.exe
2011-01-06 01:46:24 98816 ----a-w- c:\windows\sed.exe
2011-01-06 00:40:30 -------- d-----w- c:\docume~1\owner\applic~1\IObit
2011-01-06 00:40:27 -------- d-----w- c:\program files\IObit
2011-01-06 00:39:20 -------- d-----w- c:\documents and settings\owner\DoctorWeb
2011-01-06 00:37:30 42730616 ----a-w- C:\4k8t247w.exe
2011-01-06 00:37:29 10160048 ----a-w- C:\asc-setup.exe
2011-01-05 23:49:17 -------- d-----w- c:\program files\CCleaner
2011-01-05 00:26:13 -------- d-----w- c:\windows\system32\NtmsData
2010-12-25 02:46:38 -------- d-----w- c:\docume~1\owner\applic~1\Avira
2010-12-23 22:42:16 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-12-23 22:42:14 -------- d-----w- c:\program files\Avira
2010-12-23 22:42:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-12-23 21:42:51 -------- d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-12-23 21:41:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-23 21:41:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-23 21:41:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-23 21:41:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-23 20:08:43 12546056 ----a-w- C:\SAS_1286367.COM
2010-12-23 19:47:40 -------- d-----w- c:\windows\pss
2010-12-23 19:25:56 -------- d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-12-23 04:48:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
==================== Find3M ====================
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SanDisk_pSSD_16GB rev.SSD_4.46 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86518555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8651e7b0]; MOV EAX, [0x8651e82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86575AB8]
3 CLASSPNP[0xF75E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000066[0x8657B3B8]
5 ACPI[0xF745F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8657A940]
\Driver\atapi[0x865264A8] -> IRP_MJ_CREATE -> 0x86518555
kernel: MBR read successfully
_asm { CLI ; XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, SP; PUSH AX; POP ES; PUSH AX; POP DS; STI ; CLD ; MOV DI, 0x600; MOV CX, 0x100; REPNZ MOVSW ; JMP FAR 0x0:0x61d; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSanDisk_pSSD_16GB_______________________SSD_4.46#5&2868f5b2&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8651839B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
============= FINISH: 19:32:55.95 ===============