Hi guys,
First of all, thanks for this forum. I really appreciate you offering help voluntarily.
I have been having some issues with malware, in particular search hijackers. I have enclosed the logs as requested below.
Malwarebytes Log
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6259
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
03/04/2011 20:52:42
mbam-log-2011-04-03 (20-52-42).txt
Scan type: Quick scan
Objects scanned: 169855
Time elapsed: 7 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
GMER Log
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-03 21:22:59
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdePort0 FUJITSU_MHZ2160BH_G2 rev.00000009
Running: uzknwox6.exe; Driver: C:\Users\PETERS~1\AppData\Local\Temp\uwlyikog.sys
---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwOpenProcess [0x9748E730]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwTerminateProcess [0x9748E7E0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwTerminateThread [0x9748E880]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwWriteVirtualMemory [0x9748E920]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 8305A589 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8307F092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 4E8 83086AF8 4 Bytes [30, E7, 48, 97] {XOR BH, AH; DEC EAX; XCHG EDI, EAX}
.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 83086DC8 8 Bytes [E0, E7, 48, 97, 80, E8, 48, ...] {LOOPNZ 0xffffffffffffffe9; DEC EAX; XCHG EDI, EAX; SUB AL, 0x48; XCHG EDI, EAX}
.text ntkrnlpa.exe!RtlSidHashLookup + 82C 83086E3C 4 Bytes JMP A4410589
? System32\Drivers\spzw.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8F82FCA0 5 Bytes JMP 867E94E0
.text axlwxl6a.SYS 8FC11000 12 Bytes [44, C8, 42, 83, EE, C6, 42, ...]
.text axlwxl6a.SYS 8FC1100D 9 Bytes [A7, 42, 83, 48, CB, 42, 83, ...] {CMPSD ; INC EDX; OR DWORD [EAX-0x35], 0x42; ADD DWORD [EAX], 0x0}
.text axlwxl6a.SYS 8FC11017 41 Bytes [00, DE, 27, 98, 83, E6, 25, ...]
.text axlwxl6a.SYS 8FC11041 128 Bytes [F6, 07, 83, 60, F5, 07, 83, ...]
.text axlwxl6a.SYS 8FC110C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text ...
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 AF98D000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 AF98D123 629 Bytes [85, 98, AF, FE, 05, 34, 85, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 AF98D399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F AF98D3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B AF98D4AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtProtectVirtualMemory 770451C0 5 Bytes JMP 0054000A
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtWriteVirtualMemory 77045D40 5 Bytes JMP 0055000A
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!KiUserExceptionDispatcher 77046298 5 Bytes JMP 0018000A
.text C:\Windows\system32\svchost.exe[1184] ole32.dll!CoCreateInstance 759E590C 5 Bytes JMP 008F000A
.text C:\Windows\Explorer.EXE[1752] ntdll.dll!NtProtectVirtualMemory 770451C0 5 Bytes JMP 00A0000A
.text C:\Windows\Explorer.EXE[1752] ntdll.dll!NtWriteVirtualMemory 77045D40 5 Bytes JMP 00A1000A
.text C:\Windows\Explorer.EXE[1752] ntdll.dll!KiUserExceptionDispatcher 77046298 5 Bytes JMP 0090000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3240] USER32.dll!TrackPopupMenu 76934B3B 4 Bytes JMP 62A32024 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5084] ntdll.dll!NtProtectVirtualMemory 770451C0 5 Bytes JMP 0025000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5084] ntdll.dll!NtWriteVirtualMemory 77045D40 5 Bytes JMP 0037000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5084] ntdll.dll!KiUserExceptionDispatcher 77046298 5 Bytes JMP 0024000A
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [83886042] \SystemRoot\System32\Drivers\spzw.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [838866D6] \SystemRoot\System32\Drivers\spzw.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [83886800] \SystemRoot\System32\Drivers\spzw.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8388613E] \SystemRoot\System32\Drivers\spzw.sys
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortInitialize] 157B805E
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 855A81F8
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys
Device \Driver\volmgr \Device\VolMgrControl 855A31F8
Device \Driver\usbuhci \Device\USBPDO-0 864D7500
Device \Driver\usbuhci \Device\USBPDO-1 864D7500
Device \Driver\usbuhci \Device\USBPDO-2 864D7500
Device \Driver\sptd \Device\422399275 spzw.sys
Device \Driver\usbehci \Device\USBPDO-3 8677C500
Device \Driver\NetBT \Device\NetBT_Tcpip_{D6996C8C-ACC4-46FA-968D-6D3804E8B818} 8644C1F8
Device \Driver\usbuhci \Device\USBPDO-4 864D7500
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBPDO-5 864D7500
Device \Driver\usbuhci \Device\USBPDO-6 864D7500
Device \Driver\volmgr \Device\HarddiskVolume1 855A31F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\usbehci \Device\USBPDO-7 8677C500
Device \Driver\volmgr \Device\HarddiskVolume2 855A31F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom0 8663D1F8
Device \Driver\atapi \Device\Ide\IdePort0 855A51F8
Device \Driver\atapi \Device\Ide\IdePort1 855A51F8
Device \Driver\atapi \Device\Ide\IdePort2 855A51F8
Device \Driver\atapi \Device\Ide\IdePort3 855A51F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 855A51F8
Device \Driver\msahci \Device\Ide\PciIde0Channel0 855A61F8
Device \Driver\msahci \Device\Ide\PciIde0Channel1 855A61F8
Device \Driver\msahci \Device\Ide\PciIde0Channel4 855A61F8
Device \Driver\msahci \Device\Ide\PciIde0Channel5 855A61F8
Device \Driver\cdrom \Device\CdRom1 8663D1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8644C1F8
Device \Driver\PCI_PNP1273 \Device\0000005a spzw.sys
Device \Driver\ACPI_HAL \Device\0000004e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBFDO-0 864D7500
Device \Driver\usbuhci \Device\USBFDO-1 864D7500
Device \Driver\NetBT \Device\NetBT_Tcpip_{3F55DAFF-4228-4CC8-A753-876E392EEBC5} 8644C1F8
Device \Driver\usbuhci \Device\USBFDO-2 864D7500
Device \Driver\usbehci \Device\USBFDO-3 8677C500
Device \Driver\usbuhci \Device\USBFDO-4 864D7500
Device \Driver\usbuhci \Device\USBFDO-5 864D7500
Device \Driver\usbuhci \Device\USBFDO-6 864D7500
Device \Driver\usbehci \Device\USBFDO-7 8677C500
Device \Driver\axlwxl6a \Device\Scsi\axlwxl6a1Port4Path0Target0Lun0 86735500
Device \Driver\axlwxl6a \Device\Scsi\axlwxl6a1 86735500
Device \Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskFUJITSU_MHZ2160BH_G2____________________00000009#5&576c5bc&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272b00026
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272b00026@00249f878bed 0x6A 0x31 0x27 0x33 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7E 0x59 0xE0 0x96 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x11 0xF4 0xBC 0x3B ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDF 0x99 0x8E 0x72 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272b00026 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272b00026@00249f878bed 0x6A 0x31 0x27 0x33 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC8 0x5E 0xD7 0x53 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x11 0xF4 0xBC 0x3B ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDF 0x99 0x8E 0x72 ...
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0
DDS
DDS (Ver_11-03-05.01) - NTFSx86
Run by Peter Sharpe at 21:23:36.46 on 03/04/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.1913.730 [GMT 1:00]
.
AV: AVG Anti-Virus SBS Edition *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus SBS Edition *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\runservice.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Fujitsu\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\CyberLink\YouCam\YouCamTray.exe
C:\Program Files\Fujitsu OSD Utility\OSDUtility.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\HP\HP Color LaserJet CM2320 MFP Series\hppfaxprintersrv.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Peter Sharpe\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=FTSA&bmod=EU01
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=FTSA&bmod=EU01
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [WordWeb] "c:\program files\wordweb\wweb32.exe" -startup
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\3.0"
mRun: [YouCam Mirror Tray icon] "c:\program files\cyberlink\youcam\YouCamTray.exe" /s
mRun: [Fujitsu OSD Utility] c:\progra~1\fujits~1\OSDUTI~1.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [HP Color LaserJet CM2320 MFP Series Fax] c:\program files\hp\hp color laserjet cm2320 mfp series\hppfaxprintersrv.exe "HP Color LaserJet CM2320 MFP Series Fax"
mRun: [<NO NAME>]
mRun: [HPUsageTracking] "c:\program files\hp\hp ut\bin\hppusg.exe" "c:\program files\hp\hp ut\"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
StartupFolder: c:\users\peters~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\programs\partygaming\partypoker\RunApp.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\peters~1\appdata\roaming\mozilla\firefox\profiles\h3o8tkt1.default\
FF - prefs.js: browser.search.selectedEngine - AltaVista
FF - prefs.js: browser.startup.homepage - hxxp://www.fenews.co.uk/
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSErHrw7x;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSwx.sys [2010-2-1 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-2-1 52872]
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-9-24 19592]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-1 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-1 29584]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-1 243024]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-22 308136]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-6-22 5897808]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2010-3-30 2560]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2009-9-18 9216]
R3 AVGIDSDriverw7x;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSDriver.sys [2010-2-1 122448]
R3 AVGIDSFilterw7x;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSFilter.sys [2010-2-1 30288]
R3 AVGIDSShimw7x;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSShim.sys [2010-2-1 20560]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-11-13 167424]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-11-13 167936]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-19 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2009-9-24 29192]
S3 GTUHSBUS;GT UHS BUS;c:\windows\system32\drivers\gtuhsbus.sys [2010-2-9 66560]
S3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\drivers\gtuhs51.sys [2010-2-9 107520]
S3 GTUHSSER;GT UHS SER;c:\windows\system32\drivers\gtuhsser.sys [2010-2-9 8064]
S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hpfxfax.sys [2010-9-21 20504]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2009-8-26 25480]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-20 1343400]
.
=============== Created Last 30 ================
.
2011-04-03 19:26:00 -------- d-----w- c:\progra~2\STOPzilla!
2011-04-03 17:52:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-03 17:52:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-02 14:27:06 -------- d-----w- c:\users\peters~1\appdata\roaming\Malwarebytes
2011-04-02 14:26:47 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-02 14:26:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-02 11:37:05 -------- d-----w- c:\windows\system32\MpEngineStore
2011-03-31 14:21:03 -------- d-----w- c:\users\peters~1\appdata\roaming\Faiz
2011-03-29 23:11:42 -------- d-----w- c:\program files\IObit
2011-03-29 09:23:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-29 09:23:35 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-03-27 11:44:30 -------- d-----w- c:\users\peters~1\appdata\local\Sunbelt Software
2011-03-27 11:41:59 -------- dc-h--w- c:\progra~2\{8790345A-AF70-4319-B9E7-AAA25C6DCD42}
2011-03-27 11:41:22 -------- d-----w- c:\program files\Lavasoft
2011-03-23 20:01:42 -------- d-----w- c:\users\peters~1\appdata\roaming\Childish Things
2011-03-23 19:58:41 -------- d-----w- c:\program files\Childish Things
2011-03-19 22:33:59 -------- d-----w- c:\users\peters~1\appdata\roaming\eMusic
2011-03-19 22:33:59 -------- d-----w- c:\users\peters~1\appdata\local\eMusic
2011-03-19 22:33:51 -------- d-----w- c:\program files\eMusic Download Manager
2011-03-15 11:32:07 -------- d--h--w- c:\progra~2\Common Files
2011-03-10 09:37:18 1034240 ----a-w- c:\windows\system32\mstsc.exe
.
==================== Find3M ====================
.
2011-04-03 19:57:04 1385 --sha-w- c:\windows\system32\mmf.sys
2011-01-07 07:31:10 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-07 07:31:10 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-07 07:27:11 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-07 05:33:11 294400 ----a-w- c:\windows\system32\atmfd.dll
2011-01-05 05:37:33 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-01-05 03:37:38 2329088 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: FUJITSU_MHZ2160BH_G2 rev.00000009 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86429439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8642f7d0]; MOV EAX, [0x8642f84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x83053448] -> \Device\Harddisk0\DR0[0x8640B030]
3 CLASSPNP[0x8919759E] -> ntkrnlpa!IofCallDriver[0x83053448] -> [0x8668D908]
\Driver\atapi[0x8644BEB8] -> IRP_MJ_CREATE -> 0x86429439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskFUJITSU_MHZ2160BH_G2____________________00000009#5&576c5bc&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
I have attached the "attach" file, as my post was too long otherwise.
Thanks again. I really appreciate it.
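The decisive lines in the logs above are the "user != kernel MBR !!!" and "TDL4@MBR code has been found" verdicts from GMER's MBR scanner. That is a cross-view check: sector 0 is read once through the normal path (user mode, via the disk stack the rootkit has hooked) and once by a second path that bypasses the hook, and the two copies are compared. A TDL4-style infection hands the original clean MBR back to ordinary reads while the real sector holds its own loader, so the views disagree, and the disagreement sits in the boot code while the partition table is left intact so the machine still boots. The Python below is an added illustration of that comparison, not GMER's or mbr.exe's code. The two 512-byte sectors are constructed here: the user view carries a standard Windows 7 MBR prologue, the kernel view the same prologue followed by the loader fragment that the log disassembles (the opcode bytes are my own encoding of those mnemonics), and the partition entry and disk signature are made-up values.

```python
"""Cross-view MBR comparison in the spirit of GMER / mbr.exe's "user != kernel MBR" check.

Added illustration, not GMER's code. A rootkit that hooks the disk stack serves
the original sector 0 to ordinary user-mode reads; a detector that reads the
sector by a second path (below the hook) gets the real bytes. Disagreement
between the two views is the indicator.
"""
from __future__ import annotations

MBR_SIZE = 512
BOOT_CODE_END = 440           # boot code lives in [0, 440); disk signature and padding follow
PART_TABLE = slice(446, 510)  # four 16-byte partition entries
SIGNATURE = slice(510, 512)   # 0x55 0xAA


def diff_ranges(a: bytes, b: bytes) -> list[tuple[int, int]]:
    """Half-open [start, end) offsets at which the two byte strings differ."""
    ranges: list[tuple[int, int]] = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, min(len(a), len(b))))
    return ranges


def classify_mbr_views(user_view: bytes, kernel_view: bytes) -> dict:
    """Compare the user-mode and kernel-mode reads of sector 0 and give a verdict."""
    if len(user_view) != MBR_SIZE or len(kernel_view) != MBR_SIZE:
        raise ValueError("an MBR sector is exactly 512 bytes")
    ranges = diff_ranges(user_view, kernel_view)
    boot_code_differs = any(start < BOOT_CODE_END for start, _ in ranges)
    partition_table_differs = user_view[PART_TABLE] != kernel_view[PART_TABLE]
    signature_ok = kernel_view[SIGNATURE] == b"\x55\xaa"

    if not ranges:
        verdict = "clean: user and kernel views agree"
    elif boot_code_differs and not partition_table_differs:
        # TDL4/Mebroot-style infections replace the boot code but keep the
        # partition table, so the system still boots and nothing looks wrong
        # from user mode.
        verdict = "possible MBR rootkit: boot code differs between views, partition table preserved"
    else:
        verdict = "views differ outside the boot code: inspect manually"

    return {
        "hooked": bool(ranges),
        "boot_code_differs": boot_code_differs,
        "partition_table_differs": partition_table_differs,
        "kernel_signature_ok": signature_ok,
        "diff_ranges": ranges,
        "verdict": verdict,
    }


# --- constructed sample data (not captured from the poster's disk) ---

# Standard Windows 7 MBR prologue: relocate self from 0x7c00 to 0x600 and
# far-return into the copy. The TDL4 loader in the log keeps this part.
_COMMON_PROLOGUE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cbfb")
# Clean boot code continues by scanning the partition table (MOV CX,4; MOV BP,0x7be; ...).
_CLEAN_TAIL = bytes.fromhex("b90400bdbe07807e0000")
# Loader fragment as disassembled in the mbr.exe log: PUSHA; MOV CX,0x147;
# MOV BP,0x62a; ROR BYTE [BP+0],CL; INC BP (my own encoding of those mnemonics).
_TDL4_TAIL = bytes.fromhex("60b94701bd2a06d24e0045")
# One bootable NTFS entry (type 0x07, start LBA 2048, 204800 sectors), three empty entries.
_PART_TABLE = bytes.fromhex("8020210007df130c0008000000200300") + bytes(48)


def _build_mbr(boot_code: bytes) -> bytes:
    padded = boot_code.ljust(BOOT_CODE_END, b"\x00")
    disk_sig = bytes.fromhex("a1b2c3d4") + b"\x00\x00"   # offsets 440..446, made-up value
    return padded + disk_sig + _PART_TABLE + b"\x55\xaa"


def sample_views() -> tuple[bytes, bytes]:
    """(user-mode view, kernel-mode view) of sector 0 on a hooked disk."""
    user_view = _build_mbr(_COMMON_PROLOGUE + _CLEAN_TAIL)    # what the hook hands back
    kernel_view = _build_mbr(_COMMON_PROLOGUE + _TDL4_TAIL)   # what is really on the platter
    return user_view, kernel_view


if __name__ == "__main__":
    user, kernel = sample_views()
    result = classify_mbr_views(user, kernel)
    for start, end in result["diff_ranges"]:
        print(f"offset {start:#05x}-{end:#05x}: user={user[start:end].hex()} kernel={kernel[start:end].hex()}")
    print(result["verdict"])
```

Run stand-alone it reports the mismatch starting at offset 0x1d, right after the shared prologue, with the partition table untouched, which is the same shape of finding GMER reports above. On a real machine the two reads would come from the disk device (for example a user-mode read of \\.\PhysicalDrive0 versus a read issued below the hooked driver), which is exactly what a user-mode-only scanner such as the quick Malwarebytes scan above cannot do, and why its clean result and GMER's rootkit verdict are not in conflict.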
.text C:\Program Files\Mozilla Firefox\firefox.exe[5084] ntdll.dll!NtProtectVirtualMemory 770451C0 5 Bytes JMP 0025000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5084] ntdll.dll!NtWriteVirtualMemory 77045D40 5 Bytes JMP 0037000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5084] ntdll.dll!KiUserExceptionDispatcher 77046298 5 Bytes JMP 0024000A
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [83886042] \SystemRoot\System32\Drivers\spzw.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [838866D6] \SystemRoot\System32\Drivers\spzw.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [83886800] \SystemRoot\System32\Drivers\spzw.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8388613E] \SystemRoot\System32\Drivers\spzw.sys
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortInitialize] 157B805E
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
IAT \SystemRoot\System32\Drivers\axlwxl6a.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 855A81F8
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys
Device \Driver\volmgr \Device\VolMgrControl 855A31F8
Device \Driver\usbuhci \Device\USBPDO-0 864D7500
Device \Driver\usbuhci \Device\USBPDO-1 864D7500
Device \Driver\usbuhci \Device\USBPDO-2 864D7500
Device \Driver\sptd \Device\422399275 spzw.sys
Device \Driver\usbehci \Device\USBPDO-3 8677C500
Device \Driver\NetBT \Device\NetBT_Tcpip_{D6996C8C-ACC4-46FA-968D-6D3804E8B818} 8644C1F8
Device \Driver\usbuhci \Device\USBPDO-4 864D7500
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBPDO-5 864D7500
Device \Driver\usbuhci \Device\USBPDO-6 864D7500
Device \Driver\volmgr \Device\HarddiskVolume1 855A31F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\usbehci \Device\USBPDO-7 8677C500
Device \Driver\volmgr \Device\HarddiskVolume2 855A31F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom0 8663D1F8
Device \Driver\atapi \Device\Ide\IdePort0 855A51F8
Device \Driver\atapi \Device\Ide\IdePort1 855A51F8
Device \Driver\atapi \Device\Ide\IdePort2 855A51F8
Device \Driver\atapi \Device\Ide\IdePort3 855A51F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 855A51F8
Device \Driver\msahci \Device\Ide\PciIde0Channel0 855A61F8
Device \Driver\msahci \Device\Ide\PciIde0Channel1 855A61F8
Device \Driver\msahci \Device\Ide\PciIde0Channel4 855A61F8
Device \Driver\msahci \Device\Ide\PciIde0Channel5 855A61F8
Device \Driver\cdrom \Device\CdRom1 8663D1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8644C1F8
Device \Driver\PCI_PNP1273 \Device\0000005a spzw.sys
Device \Driver\ACPI_HAL \Device\0000004e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBFDO-0 864D7500
Device \Driver\usbuhci \Device\USBFDO-1 864D7500
Device \Driver\NetBT \Device\NetBT_Tcpip_{3F55DAFF-4228-4CC8-A753-876E392EEBC5} 8644C1F8
Device \Driver\usbuhci \Device\USBFDO-2 864D7500
Device \Driver\usbehci \Device\USBFDO-3 8677C500
Device \Driver\usbuhci \Device\USBFDO-4 864D7500
Device \Driver\usbuhci \Device\USBFDO-5 864D7500
Device \Driver\usbuhci \Device\USBFDO-6 864D7500
Device \Driver\usbehci \Device\USBFDO-7 8677C500
Device \Driver\axlwxl6a \Device\Scsi\axlwxl6a1Port4Path0Target0Lun0 86735500
Device \Driver\axlwxl6a \Device\Scsi\axlwxl6a1 86735500
Device \Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskFUJITSU_MHZ2160BH_G2____________________00000009#5&576c5bc&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272b00026
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272b00026@00249f878bed 0x6A 0x31 0x27 0x33 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7E 0x59 0xE0 0x96 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x11 0xF4 0xBC 0x3B ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDF 0x99 0x8E 0x72 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272b00026 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272b00026@00249f878bed 0x6A 0x31 0x27 0x33 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC8 0x5E 0xD7 0x53 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x11 0xF4 0xBC 0x3B ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDF 0x99 0x8E 0x72 ...
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0
DDS
DDS (Ver_11-03-05.01) - NTFSx86
Run by Peter Sharpe at 21:23:36.46 on 03/04/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.1913.730 [GMT 1:00]
.
AV: AVG Anti-Virus SBS Edition *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus SBS Edition *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\runservice.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Fujitsu\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\CyberLink\YouCam\YouCamTray.exe
C:\Program Files\Fujitsu OSD Utility\OSDUtility.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\HP\HP Color LaserJet CM2320 MFP Series\hppfaxprintersrv.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Peter Sharpe\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=FTSA&bmod=EU01
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=FTSA&bmod=EU01
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [WordWeb] "c:\program files\wordweb\wweb32.exe" -startup
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\3.0"
mRun: [YouCam Mirror Tray icon] "c:\program files\cyberlink\youcam\YouCamTray.exe" /s
mRun: [Fujitsu OSD Utility] c:\progra~1\fujits~1\OSDUTI~1.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [HP Color LaserJet CM2320 MFP Series Fax] c:\program files\hp\hp color laserjet cm2320 mfp series\hppfaxprintersrv.exe "HP Color LaserJet CM2320 MFP Series Fax"
mRun: [<NO NAME>]
mRun: [HPUsageTracking] "c:\program files\hp\hp ut\bin\hppusg.exe" "c:\program files\hp\hp ut\"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
StartupFolder: c:\users\peters~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\programs\partygaming\partypoker\RunApp.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\peters~1\appdata\roaming\mozilla\firefox\profiles\h3o8tkt1.default\
FF - prefs.js: browser.search.selectedEngine - AltaVista
FF - prefs.js: browser.startup.homepage - hxxp://www.fenews.co.uk/
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSErHrw7x;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSwx.sys [2010-2-1 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-2-1 52872]
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-9-24 19592]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-1 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-1 29584]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-1 243024]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-22 308136]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-6-22 5897808]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2010-3-30 2560]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2009-9-18 9216]
R3 AVGIDSDriverw7x;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSDriver.sys [2010-2-1 122448]
R3 AVGIDSFilterw7x;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSFilter.sys [2010-2-1 30288]
R3 AVGIDSShimw7x;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSShim.sys [2010-2-1 20560]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-11-13 167424]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-11-13 167936]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-19 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2009-9-24 29192]
S3 GTUHSBUS;GT UHS BUS;c:\windows\system32\drivers\gtuhsbus.sys [2010-2-9 66560]
S3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\drivers\gtuhs51.sys [2010-2-9 107520]
S3 GTUHSSER;GT UHS SER;c:\windows\system32\drivers\gtuhsser.sys [2010-2-9 8064]
S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hpfxfax.sys [2010-9-21 20504]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2009-8-26 25480]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-20 1343400]
.
=============== Created Last 30 ================
.
2011-04-03 19:26:00 -------- d-----w- c:\progra~2\STOPzilla!
2011-04-03 17:52:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-03 17:52:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-02 14:27:06 -------- d-----w- c:\users\peters~1\appdata\roaming\Malwarebytes
2011-04-02 14:26:47 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-02 14:26:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-02 11:37:05 -------- d-----w- c:\windows\system32\MpEngineStore
2011-03-31 14:21:03 -------- d-----w- c:\users\peters~1\appdata\roaming\Faiz
2011-03-29 23:11:42 -------- d-----w- c:\program files\IObit
2011-03-29 09:23:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-29 09:23:35 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-03-27 11:44:30 -------- d-----w- c:\users\peters~1\appdata\local\Sunbelt Software
2011-03-27 11:41:59 -------- dc-h--w- c:\progra~2\{8790345A-AF70-4319-B9E7-AAA25C6DCD42}
2011-03-27 11:41:22 -------- d-----w- c:\program files\Lavasoft
2011-03-23 20:01:42 -------- d-----w- c:\users\peters~1\appdata\roaming\Childish Things
2011-03-23 19:58:41 -------- d-----w- c:\program files\Childish Things
2011-03-19 22:33:59 -------- d-----w- c:\users\peters~1\appdata\roaming\eMusic
2011-03-19 22:33:59 -------- d-----w- c:\users\peters~1\appdata\local\eMusic
2011-03-19 22:33:51 -------- d-----w- c:\program files\eMusic Download Manager
2011-03-15 11:32:07 -------- d--h--w- c:\progra~2\Common Files
2011-03-10 09:37:18 1034240 ----a-w- c:\windows\system32\mstsc.exe
.
==================== Find3M ====================
.
2011-04-03 19:57:04 1385 --sha-w- c:\windows\system32\mmf.sys
2011-01-07 07:31:10 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-07 07:31:10 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-07 07:27:11 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-07 05:33:11 294400 ----a-w- c:\windows\system32\atmfd.dll
2011-01-05 05:37:33 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-01-05 03:37:38 2329088 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: FUJITSU_MHZ2160BH_G2 rev.00000009 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86429439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8642f7d0]; MOV EAX, [0x8642f84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x83053448] -> \Device\Harddisk0\DR0[0x8640B030]
3 CLASSPNP[0x8919759E] -> ntkrnlpa!IofCallDriver[0x83053448] -> [0x8668D908]
\Driver\atapi[0x8644BEB8] -> IRP_MJ_CREATE -> 0x86429439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskFUJITSU_MHZ2160BH_G2____________________00000009#5&576c5bc&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
I have attached the "attach file" as my post was too long otherwise.
Thanks again. I really appreciate it.
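Added example, not part of the original post and not GMER's or mbr.exe's code: a Python reproduction of the two findings in the ROOTKIT section above. mbr.exe reads sector 0 once through the normal user-mode path and once by calling the disk stack directly from the kernel; "user != kernel MBR" means the two reads disagree, which is what a disk-filtering rootkit produces when it hands a clean copy back to readers. The kernel-side disassembly in that section shows the real bootstrap copying itself from 0x7C00 to 0x600, resuming in the copy at 0x61C, then rotating 0x147 bytes starting at 0x62A with ROR BYTE [BP],CL. A normal MBR also relocates itself to 0x600, so relocation alone is not the tell; the decoder loop is. Everything in the block is constructed: both sectors, the "CONSTRUCTED SAMPLE" body, the LOOP after INC BP (the listing stops before it), and the modelling choice that the kernel-side read is the on-disk sector while the user-side read is the clean copy the hook returns. The machine code is hand-assembled from the listed 16-bit instructions, and the decoder-loop byte signature is my own heuristic, not a published one.

```python
"""Added example: static checks on two reads of a 512-byte MBR, modelled on the
'user != kernel MBR' verdict and the ROR-decoder bootstrap in the log above.
Both sectors below are constructed samples, not the poster's disk."""
import re
import struct

SECTOR_SIZE = 512
CODE_SIZE = 446            # bootstrap code precedes the 64-byte partition table
BOOT_SIGNATURE = b"\x55\xaa"
RELOC_BASE = 0x600         # the bootstrap copies itself to 0000:0600 (MOV DI, 0x600)


def ror8(value, count):
    count %= 8
    return ((value >> count) | (value << (8 - count))) & 0xFF


def rol8(value, count):
    count %= 8
    return ((value << count) | (value >> (8 - count))) & 0xFF


def parse_mbr(sector):
    """Split a sector into code, populated partition entries and the 0x55AA check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        flag, ptype, start_lba, count = struct.unpack_from(
            "<B3xB3xII", sector, CODE_SIZE + 16 * i)      # CHS fields skipped
        if ptype:
            partitions.append({"bootable": flag == 0x80, "type": ptype,
                               "start_lba": start_lba, "sectors": count})
    return {"signature_ok": sector[510:] == BOOT_SIGNATURE,
            "partitions": partitions, "code": sector[:CODE_SIZE]}


def sector_diff(user_view, kernel_view):
    """Byte ranges [start, end) where two reads of the same sector disagree."""
    ranges, start = [], None
    for i, (u, k) in enumerate(zip(user_view, kernel_view)):
        if u != k and start is None:
            start = i
        elif u == k and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(user_view)))
    return ranges


# MOV CX,imm16 ; MOV BP,imm16 ; ROR BYTE [BP+0],CL ; INC BP   (heuristic, from the log's listing)
DECODER_LOOP = re.compile(rb"\xb9(..)\xbd(..)\xd2\x4e\x00\x45", re.DOTALL)


def find_decoder_loop(code):
    """Return (byte count, start address) of a ROR-by-CL decoder loop, or None."""
    m = DECODER_LOOP.search(code)
    if not m:
        return None
    return struct.unpack("<H", m.group(1))[0], struct.unpack("<H", m.group(2))[0]


def emulate_ror_decoder(code, count, bp_start):
    """Run the loop statically: CL is the low byte of CX, which LOOP decrements per byte."""
    offset = bp_start - RELOC_BASE          # address in the relocated copy -> MBR offset
    return bytes(ror8(code[offset + i], (count - i) & 0xFF) for i in range(count))


def assess(user_view, kernel_view):
    """mbr.exe-style verdict: do the two reads agree, and does the real code self-decode?"""
    findings = []
    diff = sector_diff(user_view, kernel_view)
    if diff:
        findings.append("user != kernel MBR")
    decoder = find_decoder_loop(kernel_view[:CODE_SIZE])
    if decoder:
        findings.append("self-decoding bootstrap")
    return {"diff": diff, "decoder_loop": decoder, "findings": findings,
            "suspicious": bool(findings), "kernel": parse_mbr(kernel_view)}


# --- constructed samples (one bootable NTFS partition at LBA 2048) -------------------
PARTITION_TABLE = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                              b"\xfe\xff\xff", 2048, 312_577_024) + b"\x00" * 48

# A normal MBR also relocates itself to 0x600, so relocation alone is not suspicious.
CLEAN_STUB = (b"\xfa\x31\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8"   # CLI; XOR AX,AX; set SS:SP, ES, DS
              b"\xbe\x00\x7c\xbf\x00\x06\xb9\x00\x02\xfc\xf3\xa4"   # copy 512 bytes 7C00h -> 0600h
              b"\xf4")                                              # HLT (stand-in for a real loader)
CLEAN_MBR = CLEAN_STUB.ljust(CODE_SIZE, b"\x00") + PARTITION_TABLE + BOOT_SIGNATURE

# The bootstrap from the log's kernel-side listing, hand-assembled; LOOP is assumed.
TDL4_STYLE_PREFIX = (
    b"\x31\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8"      # XOR AX,AX; MOV SS,AX; MOV SP,7C00h; MOV ES,AX; MOV DS,AX
    b"\xbe\x00\x7c\xbf\x00\x06\xb9\x00\x02\xfc\xf3\xa4"  # MOV SI,7C00h; MOV DI,600h; MOV CX,200h; CLD; REP MOVSB
    b"\x50\x68\x1c\x06\xcb"                              # PUSH AX; PUSH 61Ch; RETF -> resume in the copy at 0000:061C
    b"\xfb\x60"                                          # STI; PUSHA
    b"\xb9\x47\x01\xbd\x2a\x06"                          # MOV CX,147h; MOV BP,62Ah
    b"\xd2\x4e\x00\x45"                                  # ROR BYTE [BP+0],CL; INC BP
    b"\xe2\xfa"                                          # LOOP back to the ROR (assumed); body starts at 0x2A
)
SAMPLE_PAYLOAD = (b"CONSTRUCTED SAMPLE BODY, NOT ROOTKIT CODE. " * 8)[:0x147]
ENCODED_BODY = bytes(rol8(b, (0x147 - i) & 0xFF) for i, b in enumerate(SAMPLE_PAYLOAD))
HOOKED_MBR = ((TDL4_STYLE_PREFIX + ENCODED_BODY).ljust(CODE_SIZE, b"\x00")
              + PARTITION_TABLE + BOOT_SIGNATURE)

if __name__ == "__main__":
    report = assess(CLEAN_MBR, HOOKED_MBR)   # user read sees the clean copy, kernel read the real sector
    print(report["findings"], report["decoder_loop"], report["diff"][:3])
    count, bp = report["decoder_loop"]
    print(emulate_ror_decoder(HOOKED_MBR[:CODE_SIZE], count, bp)[:43])
```

Two caveats when reading the GMER output this way. First, a difference between the two reads is the strong signal; the decoder-loop pattern is only a hint, since any packer could use a different rotate or XOR. Second, not every hook in the listing is the rootkit: the atapi.sys IAT entries point at spzw.sys, which the Devices section lists under \Driver\sptd and whose sptd\Cfg registry key names C:\Program Files\DAEMON Tools Lite\, so those hooks belong to the virtual-drive software rather than to the MBR infection.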