.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Tyler at 12:06:39.62 on Wed 04/20/2011
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_23
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2046.1103 [GMT -7:00]
.
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wuauclt.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Users\Tyler\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Trusted Zone: intuit.com\ttlc
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\tyler\appdata\roaming\mozilla\firefox\profiles\m9xyvd7z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
R0 amacpi;Microsoft Away Mode System;c:\windows\system32\drivers\null.sys [2009-7-13 4608]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-2-6 357968]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-2-6 294608]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-2-6 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-2-6 51280]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-2-6 40384]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2010-5-5 171096]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2010-5-5 1324120]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2010-5-5 72792]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
S2 KMService;KMService;c:\windows\system32\srvany.exe [2010-11-29 8192]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-9-13 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2010-5-5 171096]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2010-5-5 1324120]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2010-5-5 72792]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-5 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-7-21 1343400]
.
=============== Created Last 30 ================
.
2011-04-20 19:04:08 388096 ----a-r- c:\users\tyler\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-04-20 18:06:57 -------- d-----w- c:\program files\ESET
2011-04-20 17:26:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-20 17:26:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-20 17:13:01 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{5b847d12-16f3-4bd0-8e47-a9c3c2998250}\mpengine.dll
2011-04-20 06:43:08 -------- d-----w- c:\users\tyler\appdata\roaming\8BD3CBF1A238C722473BB8C7B3E545D4
2011-04-20 05:31:46 -------- d-----w- c:\program files\Trend Micro
2011-04-14 03:18:34 506368 ----a-w- c:\windows\system32\sqlite3.dll
2011-04-07 04:38:41 -------- d-----w- c:\program files\MSECache
2011-04-06 03:51:01 -------- d-----w- c:\program files\Microsoft IntelliPoint
2011-04-06 03:38:53 -------- d-----w- c:\windows\system32\SPReview
2011-04-06 03:38:29 -------- d-----w- c:\windows\system32\EventProviders
2011-04-06 03:31:59 81920 ----a-w- c:\windows\system32\userenv.dll
2011-04-06 03:30:59 94208 ----a-w- c:\program files\common files\system\ole db\msdaosp.dll
2011-04-06 03:29:51 323072 ----a-w- c:\windows\system32\drvstore.dll
2011-04-06 03:29:51 257024 ----a-w- c:\windows\system32\dpx.dll
2011-04-06 03:26:24 1076736 ----a-w- c:\windows\system32\DWrite.dll
2011-04-06 03:26:23 805376 ----a-w- c:\windows\system32\FntCache.dll
2011-04-06 03:26:23 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-04-06 03:13:45 870912 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-06 03:13:44 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-04-06 03:13:39 219136 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-04-06 03:13:39 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-04-06 03:12:55 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-04-06 03:12:55 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-04-06 03:12:55 107520 ----a-w- c:\windows\system32\cdd.dll
2011-03-28 05:17:06 -------- d-----w- c:\users\tyler\appdata\roaming\Gyazo
2011-03-28 01:04:39 1495112 ----a-w- c:\windows\system32\flash_player.exe
2011-03-25 06:19:00 -------- d-----w- C:\Temp
2011-03-23 00:30:48 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-03-23 00:30:48 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-03-23 00:30:48 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-03-23 00:30:48 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-03-23 00:30:48 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-03-23 00:30:47 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-23 00:30:47 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-03-23 00:30:47 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
==================== Find3M ====================
.
2011-04-06 03:57:26 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-02-23 15:27:00 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-02-23 15:27:00 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-02-23 15:27:00 57960 ----a-w- c:\windows\system32\OpenCL.dll
2011-02-23 15:27:00 5654120 ----a-w- c:\windows\system32\nvwgf2um.dll
2011-02-23 15:27:00 4942952 ----a-w- c:\windows\system32\nvcuda.dll
2011-02-23 15:27:00 2895976 ----a-w- c:\windows\system32\nvcuvid.dll
2011-02-23 15:27:00 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-02-23 15:27:00 1965672 ----a-w- c:\windows\system32\nvapi.dll
2011-02-23 15:27:00 15047272 ----a-w- c:\windows\system32\nvoglv32.dll
2011-02-23 15:27:00 13011560 ----a-w- c:\windows\system32\nvcompiler.dll
2011-02-23 15:27:00 10079336 ----a-w- c:\windows\system32\nvd3dum.dll
2011-02-19 00:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-10 00:22:48 214592 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-02-10 00:04:32 139152 ----a-w- c:\users\tyler\appdata\roaming\PnkBstrK.sys
2011-02-03 05:49:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 01:11:20 222080 ----a-w- c:\windows\system32\MpSigStub.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: ST332062 rev.3.AD -> Harddisk0\DR0 ->
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x850A14F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x850a77d0]; MOV EAX, [0x850a784c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x81E4952F] -> \Device\Harddisk0\DR0[0x8507A948]
3 CLASSPNP[0x8840459E] -> ntkrnlpa!IofCallDriver[0x81E4952F] -> [0x84E8B700]
5 ACPI[0x880473D4] -> ntkrnlpa!IofCallDriver[0x81E4952F] -> \00000068[0x849A6430]
\Driver\nvstor[0x85081F38] -> IRP_MJ_CREATE -> 0x850A14F0
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\00000068 -> \??\SCSI#Disk&Ven_ST332062&Prod_0AS#4&134f60d7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
sectors 625142446 (+7): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 12:12:15.70 ===============