DDS.txt
DDS (Ver_10-12-12.02) - NTFSx86
Run by camron at 18:36:07.39 on Fri 12/17/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.625 [GMT -8:00]
AV: Sophos Anti-Virus *Disabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
============== Running Processes ===============
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\camron\Desktop\dds.scr
============== Pseudo HJT Report ===============
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*
http://www.yahoo.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*
http://www.yahoo.com/ext/search/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*
http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*
http://www.yahoo.com
BHO: AutorunsDisabled - No File
BHO: URLRedirectionBHO - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.yorkphoto.com/YorkActivia.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://sunbeam08.multiply.com/photos/uploader.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: ACNotify - ACNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\program files\thinkvantage fingerprint software\psfus.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli csspwntfy
============= SERVICES / DRIVERS ===============
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2009-8-30 111232]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2009-8-30 38912]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R2 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-6-28 46142]
R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\rosettastoneltdservices\RosettaStoneDaemon.exe [2009-9-3 444224]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-10-5 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-11-18 98304]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2009-10-16 431456]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-8-2 3968]
R2 SmiHlp;SMI helper driver;c:\program files\thinkvantage fingerprint software\smihlp.sys [2005-7-12 3328]
R3 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2010-5-27 172032]
R3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [2005-8-5 57728]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-29 135664]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2010-11-1 99248]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2009-10-29 30603640]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2009-9-26 4639136]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [2005-8-5 73600]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2009-8-30 14976]
=============== Created Last 30 ================
2010-12-18 01:38:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-18 01:38:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-18 01:38:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-17 19:53:19 -------- d-----w- c:\docume~1\camron\applic~1\Avira
2010-12-15 04:54:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG
2010-12-13 01:55:54 -------- d-sh--w- c:\documents and settings\camron\IECompatCache
2010-12-13 01:31:00 -------- d-sh--w- c:\documents and settings\camron\PrivacIE
2010-12-13 01:25:34 -------- d-sh--w- c:\documents and settings\camron\IETldCache
2010-12-13 01:13:09 -------- dc-h--w- c:\windows\ie8
2010-12-10 04:27:54 -------- d-----w- c:\docume~1\camron\applic~1\AVG10
2010-12-10 04:26:46 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-12-10 04:25:28 -------- d-----w- c:\windows\system32\drivers\AVG
2010-12-10 04:25:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-12-10 04:24:42 -------- d-----w- c:\program files\AVG
2010-12-10 04:09:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-12-02 03:26:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-02 03:26:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-12-02 03:26:03 133432520 ----a-w- c:\program files\Ad-AwareInstall.exe
2010-12-02 03:21:59 16409960 ----a-w- c:\program files\spybotsd162.exe
2010-12-02 03:18:36 7622112 ----a-w- c:\program files\mbam-setup-1.50.0.0.exe
2010-12-01 07:30:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-12-01 07:30:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-11-24 23:22:53 6153352 ----a-w- c:\program files\malware-setup-1.46.exe
==================== Find3M ====================
2010-12-12 23:47:08 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2007-02-12 17:17:30 1286944 ------w- c:\program files\SetupAnyDVD6114.exe
2006-12-03 20:28:42 6083152 ------w- c:\program files\SightSpeedInstall.exe
2006-11-29 22:53:06 739240 ------w- c:\program files\vnc-4_1_2-x86_win32.exe
2006-10-30 18:16:16 482288 ------w- c:\program files\YorkPhotoShow.exe
2006-09-05 10:30:45 3800811 ------w- c:\program files\wace265i.exe
2003-04-22 15:46:52 2719744 ------w- c:\program files\aiodrv.msi
2003-04-22 15:42:04 2588672 ------w- c:\program files\aiosw.msi
2003-03-10 02:30:44 184320 ----a-w- c:\program files\hpzscr07.dll
2003-03-10 02:30:42 274432 ----a-w- c:\program files\hpzglu07.exe
2003-03-10 02:30:42 237568 ----a-w- c:\program files\hpzc3212.dll
2002-09-09 23:48:20 22608 ----a-w- c:\program files\usbprint.sys
2002-09-09 23:48:12 12288 ----a-w- c:\program files\usbmon.dll
2002-09-09 23:47:52 254005 ----a-w- c:\program files\msvcrt.dll
2002-09-09 23:47:44 70656 ----a-w- c:\program files\msvcirt.dll
2002-09-09 23:47:00 212992 ----a-w- c:\program files\hpzpnp07.dll
2002-09-09 23:46:50 49212 ----a-w- c:\program files\hpzjvp01.dll
2002-09-09 23:46:42 249913 ----a-w- c:\program files\hpzjut01.dll
2002-09-09 23:46:32 417849 ----a-w- c:\program files\hpzjpp01.dll
2002-09-09 23:46:24 28722 ----a-w- c:\program files\hpzjlog.dll
2002-09-06 15:54:56 995383 ----a-w- c:\program files\MFC42.DLL
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer,
http://www.gmer.net
Windows 5.1.2600 Disk: ST9500420AS rev.0002SDM1 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4A7446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4ad504]; MOV EAX, [0x8a4ad580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A50BAB8]
3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000008c[0x8A5859E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8A4C3D98]
\Driver\atapi[0x8A4EE2C0] -> IRP_MJ_CREATE -> 0x8A4A7446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST9500420AS_____________________________0002SDM1#5&2c06044&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A4A7292
user != kernel MBR !!!
sectors 976773166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
============= FINISH: 18:37:39.75 ===============