.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_22
Run by Khrod Kat at 4:58:36 on 2011-06-05
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.1116 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\dvd43\DVD43_Tray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\Ctxfihlp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\DriveGLEAM\drivegleam.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
J:\misc\GPU-Z.0.4.2.exe
J:\Paint Shop Pro 8\MB-Ruler\MB-Ruler.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Windows\Explorer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.dogpile.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=T5246
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.7.16.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DriveGLEAM] "c:\program files\drivegleam\drivegleam.exe" /STARTUP
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AtiTrayTools] "c:\program files\ray adams\ati tray tools\atitray.exe"
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [RivaTunerStartupDaemon] "c:\program files\rivatuner v2.24 msi master overclocking arena 2009 edition\RivaTunerWrapper.exe" /S
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
dRun: [DevconDefaultDB] c:\windows\system32\READREG /SILENT /FAIL=1
StartupFolder: c:\users\khrodk~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\mb-ruler.lnk - j:\paint shop pro 8\mb-ruler\MB-Ruler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\gpu-z.lnk - j:\misc\GPU-Z.0.4.2.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mb-ruler.lnk - j:\paint shop pro 8\mb-ruler\MB-Ruler.exe
uPolicies-explorer: TaskbarNoThumbnail = 1 (0x1)
uPolicies-explorer: HideSCABattery = 0 (0x0)
uPolicies-explorer: HideSCANetwork = 0 (0x0)
uPolicies-explorer: HideSCAVolume = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.7.16.dll/206
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: bcsims.com\gpltd
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15116/CTPID.cab
TCP: DhcpNameServer = 192.168.0.1 192.168.0.1
TCP: Interfaces\{D134D271-3206-4109-89F4-3A2CD7808D2C} : DhcpNameServer = 192.168.0.1 192.168.0.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\khrod kat\appdata\roaming\mozilla\firefox\profiles\nq6fx598.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.dogpile.com/
FF - component: c:\users\khrod kat\appdata\roaming\mozilla\firefox\profiles\nq6fx598.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\users\khrod kat\appdata\roaming\mozilla\firefox\profiles\nq6fx598.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\khrod kat\appdata\roaming\mozilla\firefox\profiles\nq6fx598.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: WeatherBug: {3EC9C995-8072-4fc0-953E-4F30620D17F3} - %profile%\extensions\{3EC9C995-8072-4fc0-953E-4F30620D17F3}
FF - Ext: FireShot: {0b457cAA-602d-484a-8fe7-c1d894a011ba} - %profile%\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
FF - Ext: Fast Youtube Downloader: fastYoutubeDownloader@yevgenyandrov.net - %profile%\extensions\fastYoutubeDownloader@yevgenyandrov.net
FF - Ext: CacheViewer: {71328583-3CA7-4809-B4BA-570A85818FBB} - %profile%\extensions\{71328583-3CA7-4809-B4BA-570A85818FBB}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R1 atitray;atitray;c:\program files\ray adams\ati tray tools\atitray.sys [2011-3-27 20384]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-1-30 233136]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-11-25 172032]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-5-12 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-12 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-5-12 61960]
R2 dvdmmg;dvdmmg;c:\windows\system32\drivers\dvdmmg.sys [2007-9-6 5504]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-3-25 21504]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2010-1-30 88040]
R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2010-1-30 818432]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-1-26 1153368]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-5-4 5550592]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-11-25 176128]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2010-5-5 171096]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2010-5-5 1324120]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2010-5-5 72792]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-9-15 38248]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2010-1-30 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [2010-1-30 58816]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2010-1-30 115216]
R3 rxpvbus;Reality XP Avionics Bus Driver;c:\windows\system32\drivers\rxpvbus.sys [2005-11-4 44032]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 ARLGIFXTP;ARLGIFXTP;c:\users\khrodk~1\appdata\local\temp\arlgifxtp.exe --> c:\users\khrodk~1\appdata\local\temp\ARLGIFXTP.exe [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2010-4-26 84832]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2011-5-25 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2011-5-25 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2010-5-5 171096]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2010-5-5 1324120]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2010-5-5 72792]
S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\drivers\imhidusb.sys [2009-2-19 30984]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-5-25 2151128]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 43392]
S3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\system32\drivers\netr73.sys [2006-12-29 247808]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 papycpu;papycpu;c:\windows\system32\drivers\papycpu.sys [2009-2-24 1984]
S3 SaiHFF04;SaiHFF04;c:\windows\system32\drivers\SaiHFF04.sys [2007-1-30 126344]
S3 SaiIFF04;Immersion's HID USB Driver (FF04);c:\windows\system32\drivers\SaiIFF04.sys [2007-1-30 16256]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 VZOTLKSYW;VZOTLKSYW;c:\users\khrodk~1\appdata\local\temp\vzotlksyw.exe --> c:\users\khrodk~1\appdata\local\temp\VZOTLKSYW.exe [?]
.
=============== Created Last 30 ================
.
2011-06-05 08:21:38 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-06-05 04:32:38 -------- d-sh--w- C:\$RECYCLE.BIN
2011-06-05 04:32:35 -------- d-----w- c:\users\khrod kat\appdata\local\temp
2011-06-05 04:21:07 98816 ----a-w- c:\windows\sed.exe
2011-06-05 04:21:07 518144 ----a-w- c:\windows\SWREG.exe
2011-06-05 04:21:07 256512 ----a-w- c:\windows\PEV.exe
2011-06-05 04:21:07 208896 ----a-w- c:\windows\MBR.exe
2011-06-05 03:59:51 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-05 03:54:32 -------- d-----w- c:\program files\Lavasoft
2011-06-03 12:31:30 6962000 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{05f44ba6-b9c3-4c92-a4f1-8650533e0ed1}\mpengine.dll
2011-05-31 13:42:50 -------- d-----w- c:\users\khrod kat\appdata\local\DestinationFinder
2011-05-31 13:02:28 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2011-05-31 13:02:28 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2011-05-31 13:00:28 -------- d-----w- c:\program files\Microsoft IntelliPoint
2011-05-28 09:59:38 -------- d-----w- c:\users\khrod kat\appdata\roaming\runic games
2011-05-28 09:41:19 -------- d-----w- c:\program files\common files\Datalode
2011-05-25 09:18:25 53248 ------w- c:\windows\Ctregrun.exe
2011-05-25 07:26:39 -------- d-----w- c:\program files\common files\Creative Labs Shared
2011-05-25 07:26:00 102400 ----a-w- c:\windows\system32\cttele32.dll
2011-05-25 07:24:25 -------- d-----w- c:\windows\system32\Data
2011-05-25 07:24:11 22691984 ----a-w- c:\windows\system32\AppSetup.exe
2011-05-24 12:45:03 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-23 05:08:03 -------- d-----w- c:\programdata\PopCap Games
2011-05-14 16:16:20 -------- d-----w- c:\program files\ATI Technologies
2011-05-14 16:16:18 -------- d-----w- c:\program files\ATI
2011-05-14 16:15:36 -------- d-----w- C:\ATI
2011-05-06 16:44:11 -------- d-----w- c:\users\khrod kat\appdata\roaming\atitray
2011-05-06 16:25:44 -------- d-----w- c:\program files\Ray Adams
2011-05-06 15:06:02 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-05-06 15:06:02 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-05-06 15:05:30 876032 ----a-w- c:\windows\system32\XpsPrint.dll
.
==================== Find3M ====================
.
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-25 07:25:52 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2011-05-25 07:25:52 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2011-05-12 23:08:30 737280 ----a-w- c:\windows\iun6002.exe
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer,
http://www.gmer.net
Windows 6.0.6002 Disk: Hitachi_ rev.V5CO -> Harddisk0\DR0 ->
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x854624D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x854687f0]; MOV EAX, [0x8546886c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x8205311B] -> \Device\Harddisk0\DR0[0x8538A0C8]
3 CLASSPNP[0x885A08B3] -> nt!IofCallDriver[0x8205311B] -> [0x84ED1E00]
5 acpi[0x826E86BC] -> nt!IofCallDriver[0x8205311B] -> [0x84ED87E8]
\Driver\nvstor32[0x84FEEB48] -> IRP_MJ_CREATE -> 0x854624D0
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\0000009d -> \??\SCSI#Disk&Ven_Hitachi&Prod_HDT725040VLA#4&2019003&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
sectors 781422766 (+7): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 4:59:51.06 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-03.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 2/6/2008 3:20:17 PM
System Uptime: 6/5/2011 4:45:50 AM (0 hours ago)
.
Motherboard: Gateway | | MCP61SM2MA
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | Socket AM2 | 2200/201mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 69 GiB total, 3.657 GiB free.
D: is FIXED (NTFS) - 11 GiB total, 4.513 GiB free.
E: is CDROM (CDFS)
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is FIXED (NTFS) - 146 GiB total, 59.989 GiB free.
L: is FIXED (NTFS) - 146 GiB total, 17.94 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB CF Reader
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_CF_READER&REV_1.01#920321111113&1#
Manufacturer: Generic
Name: USB CF Reader
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_CF_READER&REV_1.01#920321111113&1#
Service: WUDFRd
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB MS Reader
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_MS_READER&REV_1.03#920321111113&3#
Manufacturer: Generic
Name: USB MS Reader
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_MS_READER&REV_1.03#920321111113&3#
Service: WUDFRd
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB SD Reader
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SD_READER&REV_1.00#920321111113&0#
Manufacturer: Generic
Name: USB SD Reader
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SD_READER&REV_1.00#920321111113&0#
Service: WUDFRd
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB SM Reader
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SM_READER&REV_1.02#920321111113&2#
Manufacturer: Generic
Name: USB SM Reader
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SM_READER&REV_1.02#920321111113&2#
Service: WUDFRd
.
==== System Restore Points ===================
.
RP1312: 6/1/2011 8:31:33 AM - Windows Update
RP1313: 6/2/2011 8:31:04 AM - Windows Update
RP1314: 6/3/2011 8:31:04 AM - Windows Update
.
==== Installed Programs ======================
.
.
µTorrent
ActiveSky Version 6 and ActiveSky Graphics
Ad-Aware
Adobe Audition 1.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
aerosoft's - New Spanish Airports - FS2004
aerosoft's - Pro Flight Emulator Deluxe
Aircraft Container SDK
Allway Sync version 10.3.8
ALMS 2009 GT2 MOD v1.2 for GTR2
Amnesia - The Dark Descent
Apple Application Support
Apple Software Update
Applian FLV Player
Application Mover
ArcSoft VideoImpression 2
Ashampoo Burning Studio 6
Astroburn Lite
ATI Catalyst Install Manager
AV DVD Player Morpher
Avira AntiVir Personal - Free Antivirus
AVS DVD Copy version 4.1.1
AVS DVD Player version 2.4
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
Bejeweled 2 Deluxe 1.0
BitComet 1.17
BlindWrite 6
Brazil Megapack 05/2008 FS2004 v1.0
CCleaner (remove only)
CD Recovery Toolbox Free 1.1
Chessmaster 7000
Core Temp version 0.99.8
CR-Software's - German Landmarks FS2004
Creative ALchemy
Creative Audio Control Panel
Creative Console Launcher
Creative MediaSource 5
Creative Smart Recorder
Creative Software AutoUpdate
Creative Sound Blaster Properties
Creative System Information
Creative WaveStudio 7
Curtiss-Wright AT-32 Condor for FSX or FS2004
D-Fend Reloaded 0.9.1 (deinstall)
DDS Converter 2.1
DDS Thumbnail Viewer
Deus Ex
Digital Media Reader
DriveGLEAM V1.08
Driver Sweeper 2.1.0
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVD43 v4.6.0
DVDFab 7.0.4.0 (15/04/2010)
eMachines Recovery Center Installer
erLT
Farm Frenzy 3 American Pie
Farm Frenzy 2
feelThere Florida Landings 1.0
Flight Simulator 2004 Special Effects SDK
Flight Simulator 2004 Traffic Toolbox SDK
Flight Simulator 2004 Weather Themes SDK
FlightSim Manager
FormatFactory 2.50
Fraps
Free Easy Burner V 3.8
FS Panel Studio for FSX Build 20207
FS Real Time v1.64
FSRepaint
Game Booster
GARMIN 400 Series Trainer
German Landmarks FS2004
Ground Environment Professional
GT Legends 1.1.0.0
GTR 2 1.0.0.0
GTR2 Championship Manager
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ImgBurn
Insectoid 1.02
ISO Recorder
IsoBuster 2.0
Jasc Paint Shop Pro 8
Jasc Paint Shop Pro 8.10 Update Patch
Java Auto Updater
Java(TM) 6 Update 22
Java(TM) SE Runtime Environment 6 Update 1
JGoodies JDiskReport 1.3.2
Legendary 707
Lockheed Orion 9 for FSX or FS2004
Malwarebytes' Anti-Malware version 1.51.0.1200
Media Player Classic - Home Cinema v1.5.0.2827
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Baseline Security Analyzer 2.1
Microsoft Flight Simulator 2004 A Century of Flight
Microsoft IntelliPoint 8.0
Microsoft IntelliType Pro 7.1
Microsoft Office 97, Professional Edition
Microsoft Security Client
Microsoft Security Essentials
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Windows Media Video 9 VCM
Microsoft WSE 2.0 SP3 Runtime
Morrowind
Moscow Global Scenery - Version 1.2
Mozilla Firefox (3.6.17)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
No One Lives Forever
NoteTab Light (Remove only)
NVIDIA DDS Utilities
NVIDIA Photoshop Plug-ins
Object Fix Zip
OneTouch Version 3.0
OpenAL
PC Tools Firewall Plus 6.0
PicNic
Player
Power2Go 5.0
Prompt Media Player 2.1
Ptolemy
Python 2.4.1
Python 2.5.4
Python 2.6 comtypes-0.6.2
Python 2.6 psyco-1.6
Python 2.6 pywin32-214
Python 2.6.5
QuickTime
Railroad Tycoon II - Platinum
Ray Adams ATI Tray Tools
Real Environment Xtreme FS2004
Rename Us 3.03
Richard Burns Rally
RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
RunAlyzer
SceneryConfigEditor v1.0.5 (remove only)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Sierra Utilities
SimCity 2000® Special Edition
Simmer's Sky - Japanese Airports vol.1
Simmer's Sky - Japanese Airports vol.2
Simmer's Sky - Japanese Airports vol.3
Simmer's Sky - Japanese Airports vol.4
Simmer's Sky - Japanese Airports vol.5
Simmer's Sky - Japanese Airports vol.6
Simmer's Sky - Japanese Airports vol.7
Simmer's Sky - Japanese Airports vol.8
Simmer's Sky - Japanese Airports vol.9
SolSuite 2010 v10.1
Sonar Screensaver 1.00
Spare Backup
Spybot - Search & Destroy
StreamTransport version: 1.0.2.2041
Super Flight Planner 3.0.3
System47 Screen Saver
TES Construction Set
TextCrawler 1.1.4
Thumbplug TGA
TorchED
Torchlight
TUGZip 3.4
UK SRTM Terrain Mesh Scenery for FS2004
Ultimate Terrain - Canada & Alaska
Ultimate Terrain - Europe
Ultimate Terrain - USA
UltimateDefrag V1 FREE Public Domain Version
Unlocker 1.8.8
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
URL Snooper v2.28.01
VcrSaver
Virtual City
Vista Visual Master
WinBMD
Windows Media Player Firefox Plugin
WinPcap 4.1.1
WinRAR archiver
Works Upgrade
World of Warcraft FREE Trial
WSGT by RMT for GTR2
wxPython 2.5.3.1 (ansi) for Python 2.4
wxPython 2.8.0.1 (ansi) for Python 2.5
wxPython 2.8.11.0 (ansi) for Python 2.6
X-treme King Air B200 v.2.0.1
XQDC X-Setup Pro 9.2.100
XviD MPEG4 Video Codec (remove only)
.
==== Event Viewer Messages From Past Week ========
.
6/5/2011 4:51:36 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.64 for the Network Card with network address 001C2569346F has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
6/5/2011 4:48:31 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
6/5/2011 4:48:06 AM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
6/5/2011 4:48:06 AM, Error: Service Control Manager [7000] - The NVR0FLASHDev service failed to start due to the following error: The system cannot find the file specified.
6/5/2011 4:46:35 AM, Error: EventLog [6008] - The previous system shutdown at 4:44:01 AM on 6/5/2011 was unexpected.
6/5/2011 4:41:39 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Remote Access Connection Manager service, but this action failed with the following error: An instance of the service is already running.
6/5/2011 4:41:38 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
6/5/2011 12:30:20 AM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .
6/5/2011 12:30:12 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
6/5/2011 12:21:11 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
6/5/2011 12:18:36 AM, Error: Service Control Manager [7034] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 3 time(s).
6/5/2011 12:16:22 AM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
6/5/2011 12:16:22 AM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
6/5/2011 12:16:22 AM, Error: Service Control Manager [7031] - The IKE and AuthIP IPsec Keying Modules service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
6/5/2011 12:16:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/5/2011 12:02:49 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
6/5/2011 12:02:47 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: atitray avipbb i8042prt MpFilter spldr sptd ssmdrv Wanarpv6
6/5/2011 12:02:47 AM, Error: Service Control Manager [7019] - The Print Spooler service depends on a service in a group which starts later. Change the order in the service dependency tree to ensure that all services required to start this service are starting before this service is started.
6/5/2011 12:02:47 AM, Error: Service Control Manager [7018] - Detected circular dependencies auto-starting services. Check the service dependency tree.
6/5/2011 12:02:47 AM, Error: Service Control Manager [7001] - The Creative Audio Service service depends on the Windows Audio service which failed to start because of the following error: The dependency service or group failed to start.
6/5/2011 12:02:47 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
6/5/2011 12:02:41 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
6/5/2011 12:02:41 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
6/5/2011 12:01:49 AM, Error: sptd [4] - Driver detected an internal error in its data structures for .
6/4/2011 9:59:06 AM, Error: srv [2020] - The server was unable to allocate from the system paged pool because the pool was empty.
6/4/2011 9:36:39 AM, Error: srv [2018] - The server was unable to allocate from the system paged pool because the server reached the configured limit for paged pool allocations.
6/4/2011 9:35:18 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 68.75.23.77 for the Network Card with network address 001C2569346F has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
6/4/2011 8:04:28 AM, Error: EventLog [6008] - The previous system shutdown at 8:02:55 AM on 6/4/2011 was unexpected.
6/4/2011 8:01:03 AM, Error: Microsoft-Windows-Kernel-General [6] - An I/O operation initiated by the Registry failed unrecoverably.The Registry could not flush hive (file): '\SystemRoot\System32\Config\SOFTWARE'.
6/4/2011 8:00:45 AM, Error: Microsoft-Windows-Kernel-General [6] - An I/O operation initiated by the Registry failed unrecoverably.The Registry could not flush hive (file): '\??\C:\Users\Khrod Kat\ntuser.dat'.
6/4/2011 5:15:32 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 68.75.20.26 for the Network Card with network address 001C2569346F has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
6/4/2011 5:13:04 AM, Error: Microsoft-Windows-SharedAccess_NAT [34001] - The ICS_IPV6 failed to configure IPv6 stack.
6/4/2011 5:09:46 AM, Error: EventLog [6008] - The previous system shutdown at 5:07:41 AM on 6/4/2011 was unexpected.
6/4/2011 11:41:00 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.105.1184.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6903.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
6/4/2011 11:30:33 PM, Error: EventLog [6008] - The previous system shutdown at 11:27:18 PM on 6/4/2011 was unexpected.
6/3/2011 3:15:30 PM, Error: EventLog [6008] - The previous system shutdown at 3:10:29 PM on 6/3/2011 was unexpected.
5/31/2011 3:56:29 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 99.168.75.182 for the Network Card with network address 001C2569346F has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
5/29/2011 7:48:06 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 68.75.17.211 for the Network Card with network address 001C2569346F has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
5/29/2011 12:39:42 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 68.75.16.42 for the Network Card with network address 001C2569346F has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================
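The three signals a helper would pull out of the log above are the two random-named S3/S4 services whose ImagePath points into the user's Temp folder and whose file DDS could not find ("[?]"), the mPolicies-system line showing EnableLUA = 0 (UAC turned off), and the GMER result that the user-mode and kernel-mode reads of the disk disagree over a run of sectors ("user != kernel"), which is what a disk-level filter such as the TDL family produces. The script below is an added example, not part of the DDS or GMER tools and not code posted by the log's owner: it parses those three line shapes and returns structured findings. The sample input is a handful of lines modelled on this log; the heuristics (Temp-folder path, missing file marker, EnableLUA = 0), the field names, and the reading of GMER's "(+N)" as N sectors following the first differing one are this example's own assumptions.

```python
"""Triage helper for DDS / GMER log excerpts (added example, not DDS code)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# DDS service/driver line: "<R|S><0-4> <name>;<display>;<image> [<date> <size>]"
# or, when the registry path had to be resolved: "... <a> --> <b> [?]".
_SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# Pseudo-HJT policy line, e.g. "mPolicies-system: EnableLUA = 0 (0x0)".
_POLICY_RE = re.compile(r"^(?P<scope>[umd])Policies-(?P<key>\w+):\s+(?P<name>\w+)\s*=\s*(?P<value>\S+)")
# GMER MBR-check line, e.g. "sectors 781422766 (+7): user != kernel".
_GMER_SECTOR_RE = re.compile(r"^sectors\s+(?P<lba>\d+)\s+\(\+(?P<extra>\d+)\):\s+user\s*!=\s*kernel")
# Binaries that auto-start from a Temp folder are a classic red flag (heuristic, this example's own).
_TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)

# (registry key, value name, value) -> why it matters; extend as needed.
WEAKENING_POLICIES = {("system", "EnableLUA", "0"): "UAC disabled"}


@dataclass
class ServiceEntry:
    running: bool      # R = running, S = stopped
    start_type: int    # Windows Start value: 0 boot .. 2 auto, 3 manual, 4 disabled
    name: str
    display: str
    image_path: str
    file_found: bool   # False when DDS printed "[?]" instead of "[date size]"


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one SERVICES / DRIVERS line; return None for any other line."""
    m = _SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    path_part, _, tail = rest.rpartition(" [")       # split off the trailing "[...]" block
    if not tail.endswith("]"):                        # no bracket block at all
        path_part, tail = rest, ""
    file_found = tail.rstrip("]").strip() not in ("?", "")
    if " --> " in path_part:                          # "a --> b": b is the resolved on-disk path
        path_part = path_part.split(" --> ", 1)[1]
    return ServiceEntry(m.group("state") == "R", int(m.group("start")),
                        m.group("name"), m.group("display"), path_part.strip(), file_found)


def flag_services(entries: Iterable[ServiceEntry]) -> List[str]:
    """Return one human-readable finding per service that trips a heuristic."""
    findings = []
    for e in entries:
        reasons = []
        if _TEMP_RE.search(e.image_path):
            reasons.append("binary lives in a Temp folder")
        if not e.file_found:
            reasons.append("DDS could not find the file ([?])")
        if reasons:
            findings.append(f"{e.name}: {e.image_path} ({'; '.join(reasons)})")
    return findings


def flag_policies(lines: Iterable[str]) -> List[str]:
    """Report policy lines that weaken the OS, per WEAKENING_POLICIES."""
    out = []
    for line in lines:
        m = _POLICY_RE.match(line.strip())
        if not m:
            continue
        tag = (m.group("key"), m.group("name"), m.group("value"))
        if tag in WEAKENING_POLICIES:
            out.append(f"{m.group('scope')}Policies-{tag[0]}: {tag[1]}={tag[2]} ({WEAKENING_POLICIES[tag]})")
    return out


def gmer_sector_mismatch(lines: Iterable[str]) -> Optional[dict]:
    """Return the sector range where GMER saw user-mode and kernel-mode reads differ.

    A mismatch means something between the user-mode read path and the disk is
    rewriting what the disk returns; user-mode AV cannot be trusted to see those
    sectors. "(+N)" is read here as N further sectors after the first (assumption).
    """
    for line in lines:
        m = _GMER_SECTOR_RE.match(line.strip())
        if m:
            start, extra = int(m.group("lba")), int(m.group("extra"))
            return {"start_sector": start, "extra_sectors": extra, "end_sector": start + extra}
    return None


def triage(log_text: str) -> dict:
    """Run all three checks over a DDS/GMER log and aggregate the findings."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    services = [e for e in map(parse_service_line, lines) if e]
    return {
        "services_parsed": len(services),
        "suspicious_services": flag_services(services),
        "weak_policies": flag_policies(lines),
        "mbr_sector_mismatch": gmer_sector_mismatch(lines),
    }


# Constructed sample, modelled on the line shapes in the log above.
SAMPLE_LOG = r"""
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-3-25 21504]
S3 ARLGIFXTP;ARLGIFXTP;c:\users\khrodk~1\appdata\local\temp\arlgifxtp.exe --> c:\users\khrodk~1\appdata\local\temp\ARLGIFXTP.exe [?]
S4 VZOTLKSYW;VZOTLKSYW;c:\users\khrodk~1\appdata\local\temp\vzotlksyw.exe --> c:\users\khrodk~1\appdata\local\temp\VZOTLKSYW.exe [?]
user & kernel MBR OK
sectors 781422766 (+7): user != kernel
Warning: possible TDL3 rootkit infection !
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The MBR finding is the one that decides the response: if the kernel sees different bytes than user mode does, everything else in the log (the running AV products, the scan results, the "MBR OK" line itself) was observed through the same filtered path, so the disk should be examined from clean boot media before trusting any cleanup done from inside the running system.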