viruses


This topic is locked
44 replies to this topic

#1 bignight2

Posted 18 February 2009 - 09:08 AM

Downloaded a program, scanned it, it said no viruses; ended up deleting it anyway. As soon as I did, it flooded the PC and I couldn't open MBAM, Spybot, nor SuperAntiSpyware.



MBAM I got to work by changing its name, because the virus and stuff had all my spyware programs not opening.

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

2/17/2009 7:48:44 AM
mbam-log-2009-02-17 (07-48-40).txt

Scan type: Quick Scan
Objects scanned: 58922
Time elapsed: 3 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 0
Registry Data Items Infected: 9
Folders Infected: 1
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati5ryxx (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ati5ryxx (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ati5ryxx (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati5ryxx (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpsr (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fci (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fci (Rootkit.ADS) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\fci (Rootkit.ADS) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\icf (Rootkit.ADS) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\icf (Rootkit.ADS) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icf (Rootkit.ADS) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\system32\drivers\ati5ryxx.sys (Rootkit.Agent) -> No action taken.
C:\xyephkl.exe (Trojan.TinyDownloader705) -> No action taken.
C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\svchost.exe:ext.exe (Rootkit.ADS) -> No action taken.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\temp\BN1.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\temp\BN4.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\temp\BN5.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\temp\BN6.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\temp\BN8.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\temp\BN9.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\temp\BN10.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\temp\BN11.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\temp\BN12.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\rs32net.exe (Rootkit.Agent) -> No action taken.

And the HijackThis log was this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:47:20 PM, on 2/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] -"C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] -C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [sy9i47ps9yglnabiat0qhqwaxjs2ifeyla3ygrarfjpuq] C:\DOCUME~1\Owner\LOCALS~1\Temp\l94p8o.exe
O4 - HKCU\..\Run: [md0778s4ilihujtxx] C:\DOCUME~1\Owner\LOCALS~1\Temp\eamlgt.exe
O4 - HKCU\..\Run: [s59hh9jud44l676i5fhdqw6j2biqj9ojrj2d] C:\DOCUME~1\Owner\LOCALS~1\Temp\r8c3pxb5x71fe.exe
O4 - HKCU\..\Run: [op00rff2amfsitthh5x45c6e7msynqrr14lm849tskuoy] C:\DOCUME~1\Owner\LOCALS~1\Temp\f5ijw7r0vb2sg.exe
O4 - HKCU\..\Run: [fxyzh0rfbq706y26urnvefw3ty0kef66rogr] C:\DOCUME~1\Owner\LOCALS~1\Temp\igaaq1i906b.exe
O4 - HKCU\..\Run: [kv9606o1ld9mk0] C:\DOCUME~1\Owner\LOCALS~1\Temp\igzahik8v.exe
O4 - HKCU\..\Run: [ijkuig3ex4bl9om2aqqhq3s057avaxrpevw7po4d] C:\DOCUME~1\Owner\LOCALS~1\Temp\gjerg90k3uadf.exe
O4 - HKCU\..\Run: [o0n1sqcvuwqoxrzz2s8u0uw026cj0mymapc] C:\DOCUME~1\Owner\LOCALS~1\Temp\ifukzq.exe
O4 - HKCU\..\Run: [qe8i97ih35dke8qmxr5] C:\DOCUME~1\Owner\LOCALS~1\Temp\ceuqjg.exe
O4 - HKCU\..\Run: [qwcm6rb6n2o74y2ay8x566i3smqowzxb] C:\DOCUME~1\Owner\LOCALS~1\Temp\c9iq3hw7l.exe
O4 - HKCU\..\Run: [zxcs5qwpvm4tuljdkbxw6y9k4j0nxt] C:\DOCUME~1\Owner\LOCALS~1\Temp\j8ps5tq.exe
O4 - HKCU\..\Run: [egvkoyev13lbxq72t] C:\DOCUME~1\Owner\LOCALS~1\Temp\q7032wokxlp3y.exe
O4 - HKCU\..\Run: [yxfmr15af3lqw4ioykuw2izy4qgm7e3cel2zc4z3] C:\DOCUME~1\Owner\LOCALS~1\Temp\c9o7dyy.exe
O4 - HKCU\..\Run: [fxyjof80r86h23rc9lrf9totb790jdu1l] C:\DOCUME~1\Owner\LOCALS~1\Temp\q22apo0xvvat.exe
O4 - HKCU\..\Run: [z0mdbfoxs84gv95w7pfm] C:\DOCUME~1\Owner\LOCALS~1\Temp\i985smb8qvf7.exe
O4 - HKCU\..\Run: [a5xh9c6k17iw0gjoe9jjqp8trw11a235k4uxkyl7uqf9c] C:\DOCUME~1\Owner\LOCALS~1\Temp\a5fp8r2zspr0.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Broken Internet access because of LSP provider 'c:\docume~1\owner\locals~1\temp\ntdll64.dll' missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: FCI (fci) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: ICF (icf) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 4516 bytes


Got results from the antivirus scan too, and from F-Secure online.

Edited by bignight2, 18 February 2009 - 01:51 PM.
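An added example of how a responder might triage the two log formats posted above; it is the editor's code, not part of the post, and not functionality of HijackThis, MBAM or RSIT. It parses a constructed subset of the posted HijackThis and MBAM lines and flags the persistence patterns that matter here: Run entries launched from a Temp directory under random names, a policy lockout (DisableRegedit), a dangling Winsock LSP, a service whose binary lives in an NTFS alternate data stream (`svchost.exe:ext.exe`), the Image File Execution Options key for explorer.exe, Winlogon Userinit tampering, and rootkit-classified service keys. The rule names, the `random_looking` threshold and the `triage` helpers are assumptions made for this illustration.

```python
"""Triage HijackThis and Malwarebytes (MBAM) log lines for persistence abuse.

Added example for this thread; it is not part of HijackThis, MBAM or RSIT.
Every rule below is the editor's own heuristic (an assumption), chosen to
match the patterns in the logs posted above. Tune it before relying on it.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines posted in the thread, one per
# pattern, plus two benign lines (cctray, ATI Smart) that must stay unflagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKCU\..\Run: [sy9i47ps9yglnabiat0qhqwaxjs2ifeyla3ygrarfjpuq] C:\DOCUME~1\Owner\LOCALS~1\Temp\l94p8o.exe
O4 - HKCU\..\Run: [kv9606o1ld9mk0] C:\DOCUME~1\Owner\LOCALS~1\Temp\igzahik8v.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Broken Internet access because of LSP provider 'c:\docume~1\owner\locals~1\temp\ntdll64.dll' missing
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FCI (fci) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati5ryxx (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\svchost.exe:ext.exe (Rootkit.ADS) -> No action taken.
"""

TEMP_DIR = re.compile(r"\\temp\\", re.I)                    # ...\Temp\x.exe
ADS_PATH = re.compile(r"^[A-Za-z]:\\[^:\r\n]*:[^\\\s]+")     # C:\dir\f.exe:stream
O4_ENTRY = re.compile(r'\[(?P<name>[^\]]*)\]\s*-?\s*"?(?P<target>[^"]+)')
POLICY = re.compile(r"\bDisable\w+=1\b")                     # e.g. DisableRegedit=1
SERVICE_HIT = re.compile(r"\\Services\\\w+ \((Rootkit|Trojan)\.")
WINLOGON = re.compile(r"\\Winlogon\\(Userinit|Shell)\b")


@dataclass(frozen=True)
class Finding:
    rule: str   # short rule name, used as the grouping key in triage()
    line: str   # the log line that triggered it, unmodified


def random_looking(name: str) -> bool:
    """Legit Run names (cctray, SunJavaUpdateSched) are short or digit-free;
    the generated ones in this log are long runs of letters and digits."""
    return len(name) >= 12 and " " not in name and any(c.isdigit() for c in name)


def triage_line(line: str) -> list[Finding]:
    """Apply the rules to one line. Returns [] for benign or unknown lines."""
    line = line.rstrip()
    hits: list[Finding] = []
    if line.startswith("O4 - "):                               # HJT autostart entry
        m = O4_ENTRY.search(line)
        if m:
            if TEMP_DIR.search(m.group("target")):
                hits.append(Finding("autorun-from-temp", line))
            if random_looking(m.group("name")):
                hits.append(Finding("autorun-random-name", line))
    elif line.startswith("O7 - ") and POLICY.search(line):
        hits.append(Finding("policy-restriction", line))       # regedit/taskmgr lockout
    elif line.startswith("O10 - ") and "Broken" in line:
        hits.append(Finding("lsp-broken", line))               # Winsock LSP left dangling
    elif line.startswith("O23 - "):                            # HJT service entry
        if ADS_PATH.match(line.rsplit(" - ", 1)[-1]):
            hits.append(Finding("service-in-ads", line))       # binary is an NTFS ADS
    elif "Image File Execution Options" in line:
        hits.append(Finding("ifeo-debugger-hijack", line))     # IFEO\explorer.exe
    elif WINLOGON.search(line):
        hits.append(Finding("winlogon-hijack", line))          # Userinit/Shell tamper
    elif SERVICE_HIT.search(line):
        hits.append(Finding("service-detected", line))         # MBAM-flagged service key
    elif ADS_PATH.match(line):
        hits.append(Finding("file-in-ads", line))              # MBAM-flagged ADS file
    return hits


def triage(text: str) -> dict[str, list[str]]:
    """Group every hit by rule name; lines with no hit are dropped."""
    by_rule: dict[str, list[str]] = {}
    for raw in text.splitlines():
        for hit in triage_line(raw):
            by_rule.setdefault(hit.rule, []).append(hit.line)
    return by_rule


if __name__ == "__main__":
    for rule, lines in sorted(triage(SAMPLE_LOG).items()):
        print(f"[{rule}] x{len(lines)}")
        for entry in lines:
            print("    " + entry)
```

Against the full logs posted in the thread you would call `triage()` on the file contents rather than on `SAMPLE_LOG`. The two rules worth the most attention in this case are `service-in-ads` and `ifeo-debugger-hijack`: a service registered to run from an alternate data stream of a system binary and an IFEO entry for explorer.exe are both kernel-adjacent, reboot-surviving persistence, which is why the helper later treats the machine as a backdoor compromise rather than a routine adware cleanup.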




#2 bignight2


Posted 25 February 2009 - 11:02 AM

update




#3 thewall (Malware Response Team)
Posted 28 February 2009 - 12:15 PM

Hello bignight2, welcome to the BC HijackThis Log and Analysis forum. I apologize for the delay; however, we are all volunteers and it gets very busy around here. I will be assisting you from here on out.


I ask that you refrain from running tools other than those we suggest to you while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.


In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.







Please perform the following:



Do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)





When completed, please post both logs from RSIT as well as the one from Kaspersky. Please do not post them as attachments. Put them in the window like you did your HJT log.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#4 bignight2


Posted 28 February 2009 - 09:54 PM

Hi, thanks for the help. Here is an email I received from my provider, and here is the log; I will post Kaspersky's in a few.
Thank you for contacting WOW! via email.

Our mail servers have detected an unusually high amount of email coming off your computer. The amount of email exceeds our terms of service and outgoing mail has been blocked due to possible spam. If you are sending out these emails, please refrain from doing so. Contact us at 1-866-496-9669 and let us know you will reduce the amount of email being sent and we will unblock your outgoing email.

Error parsing function call when RSIT runs: AutoIt line 1.

#5 bignight2


Posted 01 March 2009 - 07:13 AM

This is the RSIT log that I got in the C:\ folder after the error it runs.

Attached File: log.txt (11.18KB)


#6 thewall


Posted 01 March 2009 - 09:37 AM

Thanks, but I still need the Kaspersky scan, and as I said before, please do not post them as attachments. Put them in the window provided for replies just as you would any other part of the post.

I am going to post this one for you. I also need you to check the log because there should be more to it than this.


Logfile of random's system information tool 1.05 (written by random/random)
Run by Owner at 2009-03-01 07:11:08
Microsoft Windows XP Professional Service Pack 3
System drive C: has 137 GB (74%) free of 186 GB
Total RAM: 2046 MB (81% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:14 AM, on 3/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

O2 - BHO: Java™ Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] -"C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [java_sun] Java (Sun)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 3117 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dbc80044-a445-435b-bc74-9c25c1c588a9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-02-17 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7e6f031-17ce-4c07-bc86-eabfe594f69c}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-02-17 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B24BA06E-FB7B-4757-95C2-DC01125F750E} - RefresherBand Class - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL [2001-08-03 45056]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Share-to-Web Namespace Daemon"=-C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe []
"cctray"=C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe [2009-01-25 181488]
"CAVRID"=C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe [2008-11-29 234736]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-02-17 148888]
"QOELOADER"=C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe [2009-01-28 14088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\algchk.exe]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe [2006-10-13 457728]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIMACE]
MACE.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
C:\WINDOWS\system32\Ati2mdxx.exe [2009-01-13 26112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe [2005-05-19 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe [2005-08-05 64512]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe [2002-11-22 188416]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
C:\WINDOWS\system32\hphmon04.exe [2002-11-22 348160]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe [2006-05-05 38369]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
d:\i386\apps\app30050\incd 4\sharednt\incd.exe [2004-05-26 1400944]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
c:\Program Files\Microsoft IntelliType Pro\itype.exe [2006-11-21 813912]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWBKEYBOARD]
C:\Program Files\Gigaware\Gigaware keyboard driver\5.0\KbdAp32A.exe [2006-09-09 394752]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MailChacker.exe]
E:\Driver\MailChecker.exe -r []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSwitch]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickPhrase]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RapidCheck]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
C:\WINDOWS\Creator\Remind_XP.exe [2005-03-09 966656]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-11-02 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [2002-04-17 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shareaza]
C:\Program Files\Shareaza\Shareaza.exe [2007-02-05 4354048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNPT513]
C:\WINDOWS\vsnpt513.exe [2003-08-12 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
C:\WINDOWS\SOUNDMAN.EXE [2006-11-17 577536]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2008-01-21 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebcamMaxMoniter]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows NetConfig]
WINHOST.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^BoontyBox Boonty Games.lnk]
[]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2009-01-13 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
WRLogonNTF.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 77824]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"=C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll [2006-06-16 73728]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Edited by thewall, 01 March 2009 - 09:41 AM.


#7 bignight2


Posted 01 March 2009 - 10:06 AM

Here is the Kaspersky scan. Thanks, and sorry about the attachment.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, March 1, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, March 01, 2009 12:44:05
Records in database: 1858838
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 123005
Threat name: 14
Infected objects: 15
Suspicious objects: 0
Duration of the scan: 02:17:42


File name / Threat name / Threats count
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\R4R0L0B9\NWS32[1].0XE Infected: not-a-virus:AdWare.Win32.SuperJuan.hiy 1
C:\Documents and Settings\Owner\Desktop\all on right\right side\sd\22\setup.exe Infected: not-a-virus:Monitor.Win32.SpyAgent.60006 1
C:\Documents and Settings\Owner\Desktop\all on right\right side\sd\ll\kgb_setup_421.exe Infected: not-a-virus:Monitor.Win32.KGBSpy.cg 1
C:\Documents and Settings\Owner\Desktop\all on right\right side\sd\ll\kgb_setup_421.exe Infected: not-a-virus:Monitor.Win32.KGBSpy.do 1
C:\Documents and Settings\Owner\Desktop\all on right\right side\sd\ll\kgb_setup_421.exe Infected: not-a-virus:Monitor.Win32.KGBSpy.d 1
C:\Documents and Settings\Owner\Desktop\all on right\right side\sd\ll\kgb_setup_421.exe Infected: not-a-virus:Monitor.Win32.KGBSpy.e 1
C:\Program Files\Common Files\aolback\Comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\Program Files\Hawaiian Explorer The Lost Island\LostIsland.exe.bak Infected: Trojan-Downloader.Win32.Agent.ataj 1
C:\Program Files\Pirate Poppers\piratepoppers.exe.bak Infected: Trojan-Downloader.Win32.Agent.anrk 1
C:\Program Files\Slingo Supreme\SlingoSupreme.exe.bak Infected: Trojan-Downloader.Win32.Agent.avei 1
C:\Program Files\STK017_V2.01\STK017D.exe Infected: not-a-virus:AdWare.Win32.Cres.a 1
C:\Program Files\STK017_V2.01\STK017M.exe Infected: not-a-virus:AdWare.Win32.Cres 1
C:\Program Files\Trend Micro\HijackThis\backups\BACKUP-20080528-061802-552.0LL Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\system32\sdxpaq.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.jpm 1
C:\WINDOWS\system32\tksibbat.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.jpm 1

The selected area was scanned.


Edited by bignight2, 01 March 2009 - 10:10 AM.


#8 thewall


Posted 01 March 2009 - 10:13 AM

Thanks, I will study them and get back as quickly as possible.

Edited by thewall, 01 March 2009 - 10:14 AM.


#9 thewall


Posted 01 March 2009 - 10:17 AM

By the way please check to see if you cut part of the RSIT log off when you copied it. As I said before there should be more to it than what you posted.

#10 bignight2


Posted 01 March 2009 - 10:19 AM

That was all of it; it stopped scanning with an error 1/4 of the way through.

#11 thewall


Posted 01 March 2009 - 10:22 AM

OK, we will use what we have.

#12 bignight2


Posted 03 March 2009 - 07:27 AM

I have noticed in IE7, in the Advanced tab at the bottom, "some settings are managed by your system administrator"; never seen that before.

#13 thewall


Posted 03 March 2009 - 02:13 PM

The IE7 tab thing may well be tied into the infections you have, maybe not, but let's address what we do know first, and if you choose to proceed and that persists we will look into it more.


Because of the e-mail you got from your provider, and the list of Trojans and rootkits which I see, it is necessary for me to give you the following warning:



One or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards.

For the time being I will proceed on the assumption you wish to clean up your computer. If you do not and would rather reformat or reinstall let me know in your next reply.





If you want to proceed then let's do the following:



Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Next, I want you to open your MBAM and update it. Then run a scan making sure the Full Scan button is checked rather than the Quick Scan. Please provide the log in your next reply.

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click the GMER icon on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save ... and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

Please run RSIT again and see if you can get me a complete log.

In your next reply if you choose to try and clean your computer please provide the following:
  • Log from MBAM
  • GMER log
  • New RSIT log

Edited by thewall, 03 March 2009 - 02:14 PM.

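As an added example (not code from this thread, from the helper, or from GMER itself), here is a small Python triage script for the plain-text GMER log format requested above: it parses the section headers and the SSDT, inline and IAT entries, marks hooks owned by an allow-list of known legitimate hookers (an assumption tailored to this thread: the sptd.sys/SPTDDRV1.SYS pass-through driver that ships with Alcohol 120%, and the ewido anti-spyware guard.sys) or by modules GMER attributes to Microsoft Corporation as "expected", and leaves everything else, including unattributed JMPs and raw byte patches in kernel code, marked "review". The embedded log is a constructed excerpt; `constructed_unknown.sys` is a made-up entry so the review path is exercised.

```python
"""Triage a GMER 1.0.14 rootkit-scan log: parse its sections and flag hooks.

Added example; not the thread's, the helper's or GMER's own code.  A hook is
"expected" when its owner is on EXPECTED_HOOKERS (assumption: legitimate
hookers seen on this machine) or is attributed to Microsoft, else "review".
"""
import re
from collections import Counter

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT\s+(?P<owner>.+?)\s+(?P<func>Zw\w+)\s+\[0x[0-9A-Fa-f]+\]$")
IAT_RE = re.compile(r"^IAT\s+(?P<target>\S+)\[(?P<lib>[^!\]]+)!(?P<imp>[^\]]+)\]"
                    r"\s+\[[0-9A-Fa-f]+\]\s+(?P<owner>\S.*)$")
INLINE_RE = re.compile(r"^\.text\s+(?P<target>.+?)\s+[0-9A-Fa-f]{8}\s+\d+\s+Bytes\s+(?P<patch>.+)$")
JMP_RE = re.compile(r"^JMP\s+[0-9A-Fa-f]+\s+(?P<owner>\S+)\s+\((?P<desc>[^)]*)\)$")

# Allow-list (by file name) of drivers known to hook the kernel legitimately on
# this machine.  Assumption tailored to the thread; tune it per environment.
EXPECTED_HOOKERS = {"sptd.sys", "sptddrv1.sys", "guard.sys"}

# Constructed excerpt modelled on the log posted in this thread;
# "constructed_unknown.sys" is made up so that the "review" path is exercised.
SAMPLE_LOG = r"""
GMER 1.0.14.14536 - http://www.gmer.net
---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xB9EE00B0]
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess [0xBA75C8AC]
SSDT \??\C:\WINDOWS\system32\drivers\constructed_unknown.sys ZwQueryKey [0xB9EE5194]
---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B92F38AC 5 Bytes JMP 83E461B8
.text vaxscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 B8C714D0 16 Bytes [ 98, D9, FA, 9D, 91, 49, D5, ... ]
---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\internet explorer\iexplore.exe[2976] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortInitialize] [B9ED2F74] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EE0AB6] sptd.sys
"""

def basename(path):
    """Lower-cased file name of a Windows path such as \\??\\C:\\dir\\x.sys."""
    return path.strip().rsplit("\\", 1)[-1].lower()

def verdict_for(owner, vendor=""):
    """'expected' for allow-listed or Microsoft-attributed hook owners, else 'review'."""
    if owner in EXPECTED_HOOKERS or vendor == "Microsoft Corporation":
        return "expected"
    return "review"

def classify(line):
    """Turn one GMER entry into a hook record, or return None if it is not a hook."""
    m = SSDT_RE.match(line)
    if m:
        owner = basename(m.group("owner"))
        return {"kind": "SSDT", "target": m.group("func"), "owner": owner,
                "verdict": verdict_for(owner)}
    m = IAT_RE.match(line)
    if m:
        owner = basename(m.group("owner"))
        target = f"{basename(m.group('target'))}[{m.group('lib')}!{m.group('imp')}]"
        return {"kind": "IAT", "target": target, "owner": owner, "verdict": verdict_for(owner)}
    m = INLINE_RE.match(line)
    if m:
        j = JMP_RE.match(m.group("patch"))
        if j:
            # GMER appends "path (description/vendor)" when it can attribute the JMP target.
            owner = basename(j.group("owner"))
            verdict = verdict_for(owner, j.group("desc").rsplit("/", 1)[-1])
        else:
            owner, verdict = "<unattributed>", "review"  # bare JMP or raw byte patch
        return {"kind": "inline", "target": m.group("target"), "owner": owner, "verdict": verdict}
    return None

def triage(log_text):
    """Parse a whole GMER log; return sections seen, hook records and verdict counts."""
    section, sections, hooks, unreadable = None, [], [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        s = SECTION_RE.match(line)
        if s:
            section = s.group("name")
            sections.append(section)
            continue
        if line.startswith("? "):
            # GMER could not open the file on disk (locked or hidden); note it for follow-up.
            unreadable.append(line[2:].split(" The process", 1)[0])
            continue
        rec = classify(line)
        if rec:
            rec["section"] = section
            hooks.append(rec)
    return {"sections": sections, "hooks": hooks, "unreadable": unreadable,
            "counts": dict(Counter(h["verdict"] for h in hooks))}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for h in result["hooks"]:
        print(f"{h['verdict']:8} {h['kind']:6} [{h['section']}] {h['target']} <- {h['owner']}")
    print("counts:", result["counts"], "| unreadable:", result["unreadable"])
```

The allow-list is the judgement call: on this machine sptd.sys hooks are a side effect of Alcohol 120%, but the same SSDT entries on a box without that software would belong in the review pile.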

#14 bignight2
  • Topic Starter
  • Members
  • 294 posts
  • Gender:Male
  • Location:usa

Posted 03 March 2009 - 03:20 PM

Hi, thanks

Malwarebytes' Anti-Malware 1.34
Database version: 1815
Windows 5.1.2600 Service Pack 3

3/3/2009 3:18:33 PM
mbam-log-2009-03-03 (15-18-33).txt

Scan type: Quick Scan
Objects scanned: 77076
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

____________
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-03-03 15:08:03
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xB9EE00B0]
SSDT sptd.sys ZwEnumerateKey [0xB9EE4D1C]
SSDT sptd.sys ZwEnumerateValueKey [0xB9EE50BC]
SSDT sptd.sys ZwOpenKey [0xB9EE0090]
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess [0xBA75C8AC]
SSDT sptd.sys ZwQueryKey [0xB9EE5194]
SSDT sptd.sys ZwQueryValueKey [0xB9EE5014]
SSDT sptd.sys ZwSetValueKey [0xB9EE5226]
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess [0xBA75C812]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\SPTDDRV1.SYS The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B92F38AC 5 Bytes JMP 83E461B8
.text vaxscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 B8C714D0 16 Bytes [ 98, D9, FA, 9D, 91, 49, D5, ... ]
.text vaxscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 12 B8C714E2 30 Bytes [ C7, B8, 77, C8, CA, 95, 58, ... ]
? C:\WINDOWS\System32\Drivers\vaxscsi.sys The process cannot access the file because it is being used by another process.

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[372] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2976] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2976] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A187F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2976] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1800 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2976] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1844 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2976] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2976] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A17C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2976] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A18BA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2976] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortInitialize] [B9ED2F74] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortLogError] [B9ECBECC] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortStallExecution] [B9ECC0D4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortMoveMemory] [B9ECBF4C] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortGetVirtualAddress] [B9ECC068] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [B9EC7AFA] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortValidateRange] [B9ECC0A4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortConvertUlongToPhysicalAddress] [B9ECC0AE] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortGetBusData] [B9EC8416] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortFreeDeviceBase] [B9EC7C28] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [B9ECBFE4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [B9EC8508] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortNotification] [B9ECC0E6] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortGetLogicalUnit] [B9ECBDE2] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortCompleteRequest] [B9ECC46A] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EE0AB6] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EE0BEE] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EE0B76] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EE171C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EE15F2] sptd.sys
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [B9ECBFE4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortLogError] [B9ECBECC] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortStallExecution] [B9ECC0D4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [B9EC7AFA] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortConvertUlongToPhysicalAddress] [B9ECC0AE] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortGetBusData] [B9EC8416] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortFreeDeviceBase] [B9EC7C28] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortNotification] [B9ECC0E6] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortGetLogicalUnit] [B9ECBDE2] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortGetVirtualAddress] [B9ECC068] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortMoveMemory] [B9ECBF4C] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortCompleteRequest] [B9ECC46A] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [B9EC8508] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortInitialize] [B9ED2F74] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [B9EC7AFA] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortFreeDeviceBase] [B9EC7C28] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [B9ECBFE4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortNotification] [B9ECC0E6] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortGetBusData] [B9EC8416] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortSetBusDataByOffset] [B9EC7CF4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortGetLogicalUnit] [B9ECBDE2] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortLogError] [B9ECBECC] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortStallExecution] [B9ECC0D4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [B9EC8508] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortInitialize] [B9ED2F74] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortStallExecution] [B9ECC0D4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [B9ECBFE4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortLogError] [B9ECBECC] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortNotification] [B9ECC0E6] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [B9EC8508] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortFreeDeviceBase] [B9EC7C28] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [B9EC7AFA] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortConvertUlongToPhysicalAddress] [B9ECC0AE] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortSetBusDataByOffset] [B9EC7CF4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortGetBusData] [B9EC8416] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortInitialize] [B9ED2F74] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortLogError] [B9ECBECC] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortNotification] [B9ECC0E6] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortStallExecution] [B9ECC0D4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [B9ECBFE4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortSetBusDataByOffset] [B9EC7CF4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortGetBusData] [B9EC8416] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortGetLogicalUnit] [B9ECBDE2] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortMoveMemory] [B9ECBF4C] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [B9EC8508] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortFreeDeviceBase] [B9EC7C28] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [B9EC7AFA] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortInitialize] [B9ED2F74] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortCompleteRequest] [B9ECC46A] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortGetLogicalUnit] [B9ECBDE2] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortNotification] [B9ECC0E6] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortGetSrb] [B9ECBF9E] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortLogError] [B9ECBECC] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortSetBusDataByOffset] [B9EC7CF4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortGetBusData] [B9EC8416] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [B9EC7AFA] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortStallExecution] [B9ECC0D4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [B9ECBFE4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [B9EC8508] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortValidateRange] [B9ECC0A4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortGetVirtualAddress] [B9ECC068] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortInitialize] [B9ED2F74] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortInitialize] [B9ED2F74] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [B9EC7AFA] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [B9EC8508] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortCompleteRequest] [B9ECC46A] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortGetBusData] [B9EC8416] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortLogError] [B9ECBECC] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortNotification] [B9ECC0E6] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortMoveMemory] [B9ECBF4C] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [B9ECBFE4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortStallExecution] [B9ECC0D4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ini910u.sys[SCSIPORT.SYS!ScsiPortStallExecution] [B9ECC0D4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ini910u.sys[SCSIPORT.SYS!ScsiPortNotification] [B9ECC0E6] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ini910u.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [B9ECBFE4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ini910u.sys[SCSIPORT.SYS!ScsiDebugPrint] [B9ECBF98] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ini910u.sys[SCSIPORT.SYS!ScsiPortCompleteRequest] [B9ECC46A] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ini910u.sys[SCSIPORT.SYS!ScsiPortGetSrb] [B9ECBF9E] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ini910u.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [B9EC7AFA] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ini910u.sys[SCSIPORT.SYS!ScsiPortValidateRange] [B9ECC0A4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ini910u.sys[SCSIPORT.SYS!ScsiPortInitialize] [B9ED2F74] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortLogError] [B9ECBECC] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortNotification] [B9ECC0E6] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortStallExecution] [B9ECC0D4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [B9ECBFE4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortSetBusDataByOffset] [B9EC7CF4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortGetBusData] [B9EC8416] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortMoveMemory] [B9ECBF4C] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortFreeDeviceBase] [B9EC7C28] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [B9EC8508] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [B9EC7AFA] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortInitialize] [B9ED2F74] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [B9EC7AFA] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortFreeDeviceBase] [B9EC7C28] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [B9ECBFE4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortNotification] [B9ECC0E6] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortGetBusData] [B9EC8416] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortSetBusDataByOffset] [B9EC7CF4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortGetLogicalUnit] [B9ECBDE2] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortLogError] [B9ECBECC] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortStallExecution] [B9ECC0D4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [B9EC8508] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortInitialize] [B9ED2F74] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortFreeDeviceBase] [B9EC7C28] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortGetDeviceBase] [B9EC7AFA] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortValidateRange] [B9ECC0A4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortConvertUlongToPhysicalAddress] [B9ECC0AE] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortGetBusData] [B9EC8416] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortNotification] [B9ECC0E6] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortStallExecution] [B9ECC0D4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [B9ECBFE4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortSetBusDataByOffset] [B9EC7CF4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortCompleteRequest] [B9ECC46A] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [B9EC8508] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortInitialize] [B9ED2F74] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT asc3350p.sys[SCSIPORT.SYS!ScsiPortNotification] [B9ECC0E6] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT asc3350p.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [B9ECBFE4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT asc3350p.sys[SCSIPORT.SYS!ScsiPortStallExecution] [B9ECC0D4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT asc3350p.sys[SCSIPORT.SYS!ScsiPortCompleteRequest] [B9ECC46A] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT asc3350p.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [B9EC8508] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT asc3350p.sys[SCSIPORT.SYS!ScsiPortValidateRange] [B9ECC0A4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT asc3350p.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [B9EC7AFA] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT asc3350p.sys[SCSIPORT.SYS!ScsiPortConvertUlongToPhysicalAddress] [B9ECC0AE] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT asc3350p.sys[SCSIPORT.SYS!ScsiPortInitialize] [B9ED2F74] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cd20xrnt.sys[SCSIPORT.SYS!ScsiPortNotification] [B9ECC0E6] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cd20xrnt.sys[SCSIPORT.SYS!ScsiPortCompleteRequest] [B9ECC46A] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cd20xrnt.sys[SCSIPORT.SYS!ScsiDebugPrint] [B9ECBF98] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cd20xrnt.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [B9EC7AFA] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cd20xrnt.sys[SCSIPORT.SYS!ScsiPortInitialize] [B9ED2F74] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [B9EC7AFA] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortFreeDeviceBase] [B9EC7C28] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [B9ECBFE4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortNotification] [B9ECC0E6] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortGetBusData] [B9EC8416] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortSetBusDataByOffset] [B9EC7CF4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortStallExecution] [B9ECC0D4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortGetLogicalUnit] [B9ECBDE2] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortLogError] [B9ECBECC] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [B9EC8508] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortInitialize] [B9ED2F74] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [B9ECBFE4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortNotification] [B9ECC0E6] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortMoveMemory] [B9ECBF4C] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [B9EC7AFA] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortConvertUlongToPhysicalAddress] [B9ECC0AE] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortStallExecution] [B9ECC0D4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortGetVirtualAddress] [B9ECC068] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortLogError] [B9ECBECC] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [B9EC8508] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortValidateRange] [B9ECC0A4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortSetBusDataByOffset] [B9EC7CF4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortGetBusData] [B9EC8416] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortInitialize] [B9ED2F74] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT perc2.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [B9ECBFE4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT perc2.sys[SCSIPORT.SYS!ScsiPortNotification] [B9ECC0E6] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT perc2.sys[SCSIPORT.SYS!ScsiPortMoveMemory] [B9ECBF4C] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT perc2.sys[SCSIPORT.SYS!ScsiPortCompleteRequest] [B9ECC46A] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT perc2.sys[SCSIPORT.SYS!ScsiPortLogError] [B9ECBECC] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT perc2.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [B9EC7AFA] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT perc2.sys[SCSIPORT.SYS!ScsiPortGetBusData] [B9EC8416] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT perc2.sys[SCSIPORT.SYS!ScsiPortInitialize] [B9ED2F74] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT perc2.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [B9EC8508] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT perc2.sys[SCSIPORT.SYS!ScsiPortStallExecution] [B9ECC0D4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT hpn.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [B9ECBFE4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT hpn.sys[SCSIPORT.SYS!ScsiPortNotification] [B9ECC0E6] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT hpn.sys[SCSIPORT.SYS!ScsiPortMoveMemory] [B9ECBF4C] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT hpn.sys[SCSIPORT.SYS!ScsiPortCompleteRequest] [B9ECC46A] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT hpn.sys[SCSIPORT.SYS!ScsiPortLogError] [B9ECBECC] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT hpn.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [B9EC7AFA] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT hpn.sys[SCSIPORT.SYS!ScsiPortGetBusData] [B9EC8416] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT hpn.sys[SCSIPORT.SYS!ScsiPortInitialize] [B9ED2F74] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT hpn.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [B9EC8508] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT hpn.sys[SCSIPORT.SYS!ScsiPortStallExecution] [B9ECC0D4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cbidf2k.sys[SCSIPORT.SYS!ScsiPortMoveMemory] [B9ECBF4C] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cbidf2k.sys[SCSIPORT.SYS!ScsiPortStallExecution] [B9ECC0D4] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cbidf2k.sys[SCSIPORT.SYS!ScsiPortLogError] [B9ECBECC] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cbidf2k.sys[SCSIPORT.SYS!ScsiPortNotification] [B9ECC0E6] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cbidf2k.sys[SCSIPORT.SYS!ScsiPortFreeDeviceBase] [B9EC7C28] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cbidf2k.sys[SCSIPORT.SYS!ScsiPortConvertUlongToPhysicalAddress] [B9ECC0AE] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cbidf2k.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [B9EC7AFA] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cbidf2k.sys[SCSIPORT.SYS!ScsiPortCompleteRequest] [B9ECC46A] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT cbidf2k.sys[SCSIPORT.SYS!ScsiPortInitialize] [B9ED2F74] \WINDOWS\System32\Drivers\SPTDDRV1.SYS
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9F057AE] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8413E1D8

AttachedDevice \FileSystem\Ntfs \Ntfs DigiFilt.sys (Digidesign Filter Driver/Digidesign, A Division of Avid Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs VET-REC.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)

Device \FileSystem\Fastfat \FatCdrom 8326C1D8
Device \Driver\USBSTOR \Device\000000cd 83D47990
Device \Driver\Tcpip \Device\Ip 833EFED4
Device \Driver\USBSTOR \Device\000000cf 83D47990
Device \Driver\usbohci \Device\USBPDO-0 83F031D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8415B1D8
Device \Driver\dmio \Device\DmControl\DmConfig 8415B1D8
Device \Driver\dmio \Device\DmControl\DmPnP 8415B1D8
Device \Driver\dmio \Device\DmControl\DmInfo 8415B1D8
Device \Driver\usbohci \Device\USBPDO-1 83F031D8
Device \Driver\usbehci \Device\USBPDO-2 83EA11D8

---- Threads - GMER 1.0.14 ----

Thread 4:636 837CD789
Thread 4:640 837CD789
Thread 4:644 837CD789
Thread 4:652 837CD789
Thread 4:656 837CD789
Thread 4:672 835DF789
Thread 4:680 835DF789
Thread 4:684 835DF789
Thread 4:692 835DF789
Thread 4:696 835DF789
Thread 4:712 833F1789
Thread 4:720 833F1789
Thread 4:724 833F1789
Thread 4:728 833F1789
Thread 4:736 833F1789

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -2068661607
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -105689831
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xEC 0x75 0xC1 0x38 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x35 0x5A 0x20 0x5F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x33 0xEC 0xF3 0x69 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x1C 0x43 0xBE 0xF6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x35 0x5A 0x20 0x5F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x3D 0xC1 0x0F 0xC9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xEC 0x75 0xC1 0x38 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x35 0x5A 0x20 0x5F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x33 0xEC 0xF3 0x69 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION
Reg HKLM\SOFTWARE\Classes\cfexefile\defaulticon@ %1
Reg HKLM\SOFTWARE\Classes\Component Categories\{00021493-0000-0000-C000-000000000046}@409 Internet Explorer Browser Band
Reg HKLM\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}@409 Controls that are safely scriptable
Reg HKLM\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}@409 Controls safely initializable from persistent data
Reg HKLM\SOFTWARE\Classes\Component Categories\{ACAC94FC-E5CF-11D1-9066-00C04FD9189D}@409 DXTransform Authoring Versions
Reg HKLM\SOFTWARE\Classes\Component Categories\{C501EDBE-9E70-11D1-9053-00C04FD9189D}@409 Image DirectTransform
Reg HKLM\SOFTWARE\Classes\Component Categories\{C501EDBF-9E70-11D1-9053-00C04FD9189D}@409 3D DirectTransform

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.14 ----


RSIT still stops at the same spot.

Logfile of random's system information tool 1.05 (written by random/random)
Run by Owner at 2009-03-03 15:19:39
Microsoft Windows XP Professional Service Pack 3
System drive C: has 136 GB (73%) free of 186 GB
Total RAM: 2046 MB (79% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:19:47 PM, on 3/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

O2 - BHO: Java™ Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] -"C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [java_sun] Java (Sun)
O20 - AppInit_DLLs: sgbyir.dll ,
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 3184 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dbc80044-a445-435b-bc74-9c25c1c588a9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-02-17 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7e6f031-17ce-4c07-bc86-eabfe594f69c}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-02-17 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B24BA06E-FB7B-4757-95C2-DC01125F750E} - RefresherBand Class - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL [2001-08-03 45056]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Share-to-Web Namespace Daemon"=-C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe []
"cctray"=C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe [2009-01-25 181488]
"CAVRID"=C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe [2008-11-29 234736]
"QOELOADER"=C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe [2009-01-28 14088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\algchk.exe]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe [2006-10-13 457728]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIMACE]
MACE.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
C:\WINDOWS\system32\Ati2mdxx.exe [2009-01-13 26112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe [2005-05-19 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe [2005-08-05 64512]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe [2002-11-22 188416]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
C:\WINDOWS\system32\hphmon04.exe [2002-11-22 348160]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe [2006-05-05 38369]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
d:\i386\apps\app30050\incd 4\sharednt\incd.exe [2004-05-26 1400944]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
c:\Program Files\Microsoft IntelliType Pro\itype.exe [2006-11-21 813912]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWBKEYBOARD]
C:\Program Files\Gigaware\Gigaware keyboard driver\5.0\KbdAp32A.exe [2006-09-09 394752]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MailChacker.exe]
E:\Driver\MailChecker.exe -r []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSwitch]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickPhrase]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RapidCheck]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
C:\WINDOWS\Creator\Remind_XP.exe [2005-03-09 966656]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-11-02 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [2002-04-17 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shareaza]
C:\Program Files\Shareaza\Shareaza.exe [2007-02-05 4354048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNPT513]
C:\WINDOWS\vsnpt513.exe [2003-08-12 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
C:\WINDOWS\SOUNDMAN.EXE [2006-11-17 577536]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2008-01-21 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebcamMaxMoniter]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows NetConfig]
WINHOST.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
C:\PROGRA~1\WI459E~1\WINDOW~1.EXE [2008-05-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^BoontyBox Boonty Games.lnk]
[]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=" sgbyir.dll , "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2009-01-13 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
WRLogonNTF.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 77824]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"=C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll [2006-06-16 73728]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2008-05-26 304128]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

#15 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 04 March 2009 - 08:29 AM

Download Gmer's mbr.exe from HERE and place it on your C drive (so the file is then C:\mbr.exe). Then click mbr.exe to run the scan (a window will open briefly, then close). The scan will create an mbr.log on your C drive as well (C:\mbr.log). Please copy/paste those contents in your next reply.
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.
