DDS results
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_26
Run by Administrator at 11:00:24 on 2011-11-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2031.563 [GMT -6:00]
.
AV: BullGuard Antivirus *Enabled/Updated* {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: BullGuard Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\SvcHost.exe -k BullGuard_Main
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
svchost.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\WINDOWS\System32\SvcHost.exe -k BullGuard_Backup
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardBhvScanner.exe
C:\WINDOWS\System32\SvcHost.exe -k BullGuard
C:\WINDOWS\System32\SvcHost.exe -k BullGuard_Proxy
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardScanner.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [InstaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\BullGuard.exe" -boot
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\documents and settings\administrator\start menu\programs\startup\CurseClientStartup.ccip
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
dPolicies-explorer: NoDesktop = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - c:\program files\bullguard ltd\bullguard\antiphishing\ie\BGAntiphishingIE.dll
LSP: c:\windows\system32\BGLsp.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1281801832890
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1281801921015
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{7EE890C2-9A16-4655-B00C-EEC4871864EC} : DhcpNameServer = 192.168.2.1
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: BgGamingMonitor.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\xngyjcsx.default\
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: BullGuard Safe Browsing: antiphishing@bullguard - c:\program files\bullguard ltd\bullguard\antiphishing\ff\antiphishing@bullguard
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R1 BdSpy;BdSpy;c:\windows\system32\drivers\BdSpy.sys [2011-11-2 64608]
R1 NovaShieldFilterDriver;NovaShieldFilterDriver;c:\windows\system32\drivers\NSKernel.sys [2011-11-2 789448]
R1 NovaShieldTDIDriver;NovaShieldTDIDriver;c:\windows\system32\drivers\NSNetmon.sys [2011-11-2 19272]
R2 BsBackup;BullGuard backup service;c:\windows\system32\SvcHost.exe -k BullGuard_Backup [2004-8-4 14336]
R2 BsBhvScan;BullGuard behavioural detection service;c:\program files\bullguard ltd\bullguard\BullGuardBhvScanner.exe [2011-10-27 292192]
R2 BsFileScan;BullGuard on-access service;c:\windows\system32\SvcHost.exe -k BullGuard [2004-8-4 14336]
R2 BsFire;BullGuard firewall service;c:\windows\system32\SvcHost.exe -k BullGuard [2004-8-4 14336]
R2 BsMailProxy;BullGuard e-mail monitoring service;c:\windows\system32\SvcHost.exe -k BullGuard_Proxy [2004-8-4 14336]
R2 BsMain;BullGuard main service;c:\windows\system32\SvcHost.exe -k BullGuard_Main [2004-8-4 14336]
R2 BsScanner;BullGuard scanning service;c:\program files\bullguard ltd\bullguard\BullGuardScanner.exe [2011-10-27 167264]
R2 BsUpdate;BullGuard update service;c:\program files\bullguard ltd\bullguard\BullGuardUpdate.exe [2011-11-12 275808]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2011-11-2 34280]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2011-11-2 267624]
S1 MpKsl9c92129e;MpKsl9c92129e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{461b02a2-5338-4728-a202-ac239f015809}\mpksl9c92129e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{461b02a2-5338-4728-a202-ac239f015809}\MpKsl9c92129e.sys [?]
S1 MpKslc3cb35f8;MpKslc3cb35f8;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{461b02a2-5338-4728-a202-ac239f015809}\mpkslc3cb35f8.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{461b02a2-5338-4728-a202-ac239f015809}\MpKslc3cb35f8.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 srv70;srv70;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-11-13 16:43:15 54016 ----a-w- c:\windows\system32\drivers\adbk.sys
2011-11-12 22:02:49 -------- d--h--w- C:\4cd936a9afb93e5872139c2890
2011-11-12 19:44:04 -------- d--h--w- c:\documents and settings\administrator\application data\Malwarebytes
2011-11-12 19:42:58 -------- d--h--w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-12 19:42:55 22216 ---ha-w- c:\windows\system32\drivers\mbam.sys
2011-11-12 19:42:55 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
2011-11-12 19:41:23 9466208 ---ha-w- C:\mbam-setup-1.51.1.1800.exe
2011-11-12 19:36:30 -------- d--h--w- c:\documents and settings\administrator\local settings\application data\LogMeIn Rescue Applet
2011-11-12 15:50:13 -------- d--h--w- c:\program files\common files\BullGuard Ltd
2011-11-12 15:50:07 -------- d--h--w- c:\program files\BullGuard Ltd
2011-11-12 14:29:21 560804 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-11-02 10:45:40 34280 ---ha-w- c:\windows\system32\drivers\afw.sys
2011-11-02 10:45:40 267624 ---ha-w- c:\windows\system32\drivers\afwcore.sys
2011-11-02 10:45:28 789448 ---ha-w- c:\windows\system32\drivers\NSKernel.sys
2011-11-02 10:45:28 19272 ---ha-w- c:\windows\system32\drivers\NSNetmon.sys
2011-11-02 10:45:12 304712 ---ha-w- c:\windows\system32\drivers\Trufos.sys
2011-11-02 10:44:58 64608 ---ha-w- c:\windows\system32\drivers\BdSpy.sys
.
==================== Find3M ====================
.
2011-10-18 15:06:54 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-22 08:47:40 100216 ---ha-w- c:\windows\system32\BgGamingMonitor.dll
2011-09-14 13:26:10 53080 ---ha-w- c:\windows\system32\BGLsp.dll
2011-09-03 10:17:37 599040 ---ha-w- c:\windows\system32\crypt32.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer,
http://www.gmer.net
Windows 5.1.2600 Disk: ST380815AS rev.3.CHF -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A3254C0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [0x8a32c8a4]; PUSH ESI; MOV ESI, [ESP+0xc]; PUSH EDI; MOV EDI, [ESI+0x60]; CMP EAX, [0x8a32c730]; JNZ 0x1f; MOV [ESP+0xc], ECX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A790AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000065[0x8A7ACF18]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A75BD98]
\Driver\atapi[0x8A40BD28] -> IRP_MJ_CREATE -> 0x8A3254C0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A3252E0
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 11:01:22.07 ===============