
Infected Spyware.win32/Dropper now with logs Please Help


  • This topic is locked
2 replies to this topic

#1 dohman

dohman

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:01 PM

Posted 11 November 2009 - 11:43 AM

I have tried for three days now, and have had no luck. I run AVG and nothing comes up about the virus; however, when I run Orbit 360 it shows up every time I restart the computer. I have tried running numerous programs (adware, Spybot, Malwarebytes) to delete the virus; however, once they start, they shut off, and I can restart the program. I have to uninstall the program and then reinstall it. Please help.

Win32kDiag will not let me get past the event log for some reason.

Running from: C:\Documents and Settings\Owner\My Documents\My Completed Downloads\Win32kDiag_1.exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB905915\KB905915

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP165.tmp\ZAP165.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP297.tmp\ZAP297.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B3.tmp\ZAP2B3.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA9.tmp\ZAPA9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\KPQ3KTEV\KPQ3KTEV

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\WPD\WPD

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\Downloaded Installations

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Program Files\CONFLICT.1\CONFLICT.1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\EHome\EHome

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}\{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ASP.NETClientFiles\ASP.NETClientFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Motive\Verizon\Verizon

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\DataColャ࿿\DataColャ࿿

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\Download

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

Here is the GMER log.

Here is a new one from GMER:

GMER 1.0.15.15220 - http://www.gmer.net
Rootkit scan 2009-11-11 11:23:21
Windows 5.1.2600 Service Pack 3
Running: wlntti0m.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fwrdypod.sys


---- System - GMER 1.0.15 ----

SSDT 8A198288 ZwConnectPort
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF7978E22]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF7959CDC]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF7959ECE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF7979610]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF79798C4]
SSDT sptd.sys ZwEnumerateKey [0xF7513D1C]
SSDT sptd.sys ZwEnumerateValueKey [0xF75140BC]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF7977B14]
SSDT sptd.sys ZwQueryKey [0xF7514194]
SSDT sptd.sys ZwQueryValueKey [0xF7514014]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF7979D30]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF79790E2]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF7959982]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\SPTDDRV1.SYS The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload BAD478AC 5 Bytes JMP 8A6BA758
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\DAP\DAP.EXE[1596] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C70D8580.x86.dll
.text C:\Program Files\DAP\DAP.EXE[1596] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C70D8580.x86.dll
.text C:\Program Files\DAP\DAP.EXE[1596] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C70D8580.x86.dll
.text C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe[2424] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C70D8580.x86.dll
.text C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe[2424] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C70D8580.x86.dll
.text C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe[2424] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C70D8580.x86.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F751F6C4] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7535394] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F751F718] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F750FAB6] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F750FBEE] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F750FB76] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F751071C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F75105F2] sptd.sys
IAT disk.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F75354E8] sptd.sys
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F75354E8] sptd.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C70D8580.x86.dll
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C70D8580.x86.dll
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!FindFirstFileA] 0111F770
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!FindFirstFileW] 0111FAA0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetCommandLineA] 01121030
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CloseHandle] 0111DB70
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] 011194C0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] 0111AA00
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary] 0111B750
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleHandleA] 0111FF60
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcessHeap] 01121020
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetEnvironmentVariableA] 0111B860
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetFileType] 0111DC80
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!DuplicateHandle] 0111DAD0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetFilePointer] 0111D930
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateFileA] 0111CA70
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!ReadFile] 0111D200
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateFileW] 0111CEB0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!WriteFile] 0111D630
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetACP] 01121040
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetEnvironmentStrings] 0111B9C0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetEnvironmentStringsW] 0111BCF0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!ExitProcess] 0111C020
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!ExitThread] 0111C190
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateThread] 0111C270
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!TerminateProcess] 0111C120
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 01120CD0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 011209C0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 011194C0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 0111AA00
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 0111DB70
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 0111B750
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 0111AD30
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 0111CEB0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 0111FEA0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 0111FEE0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 01121020
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 0111FAA0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 0111DAD0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 0111C270
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 0111B400
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 0111BCF0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 011215A0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 0111D200
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 0111D930
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 0111E560
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 0111E040
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 0111E4E0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 0111F000
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 0111E6D0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 0111B0B0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 0111C120
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 0111FFC0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 0111E180
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 0111DA70
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 0111D630
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 0111DC80
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 01121040
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 0111DF80
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 011212E0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 01121280
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 011214D0
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 01121570
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 011213A0
IAT C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe[2424] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C70D8580.x86.dll
IAT C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe[2424] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C70D8580.x86.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A6E21D8

AttachedDevice \Driver\Tcpip \Device\Ip MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBPDO-0 8A5FF990
Device \Driver\usbuhci \Device\USBPDO-1 8A5FF990
Device \Driver\usbuhci \Device\USBPDO-2 8A5FF990
Device \Driver\usbuhci \Device\USBPDO-3 8A5FF990
Device \Driver\usbehci \Device\USBPDO-4 8A602508

AttachedDevice \Driver\Tcpip \Device\Tcp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A74C1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A74C1D8
Device \Driver\Cdrom \Device\CdRom0 8A5921D8
Device \Driver\Cdrom \Device\CdRom1 8A5921D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A1B5990
Device \Driver\NetBT \Device\NetbiosSmb 8A1B5990

AttachedDevice \Driver\Tcpip \Device\Udp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\usbuhci \Device\USBFDO-0 8A5FF990
Device \Driver\usbuhci \Device\USBFDO-1 8A5FF990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A19A990
Device \Driver\usbuhci \Device\USBFDO-2 8A5FF990
Device \Driver\NetBT \Device\NetBT_Tcpip_{510E9FB5-0CAD-443F-AE32-220FA9808CE6} 8A1B5990
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A19A990
Device \Driver\usbuhci \Device\USBFDO-3 8A5FF990
Device \Driver\usbehci \Device\USBFDO-4 8A602508
Device \Driver\Ftdisk \Device\FtControl 8A74C1D8
Device \FileSystem\Cdfs \Cdfs 8A0F3788
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\C70D8580.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [312] 0x35670000
Library \\?\globalroot\Device\__max++>\C70D8580.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1224] 0x35670000
Library \\?\globalroot\Device\__max++>\C70D8580.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1356] 0x35670000
Library \\?\globalroot\Device\__max++>\C70D8580.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1488] 0x35670000
Library \\?\globalroot\Device\__max++>\C70D8580.x86.dll (*** hidden *** ) @ C:\Program Files\DAP\DAP.EXE [1596] 0x35670000
Library \\?\globalroot\Device\__max++>\C70D8580.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1636] 0x35670000
Library \\?\globalroot\Device\__max++>\C70D8580.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1956] 0x35670000
Library \\?\globalroot\Device\__max++>\C70D8580.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe [2424] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x40 0x46 0x37 0x6C ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x29 0x03 0x9A 0x50 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9A 0xB1 0xE8 0xC2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x40 0x46 0x37 0x6C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x29 0x03 0x9A 0x50 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9A 0xB1 0xE8 0xC2 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x40 0x46 0x37 0x6C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x29 0x03 0x9A 0x50 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9A 0xB1 0xE8 0xC2 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x40 0x46 0x37 0x6C ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x29 0x03 0x9A 0x50 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9A 0xB1 0xE8 0xC2 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x40 0x46 0x37 0x6C ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x29 0x03 0x9A 0x50 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9A 0xB1 0xE8 0xC2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 74343943
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 111648917
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x40 0x46 0x37 0x6C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x29 0x03 0x9A 0x50 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9A 0xB1 0xE8 0xC2 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x40 0x46 0x37 0x6C ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x29 0x03 0x9A 0x50 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9A 0xB1 0xE8 0xC2 ...

---- EOF - GMER 1.0.15 ----
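As an added example (not code from the thread, from GMER, or from Win32kDiag), the script below pulls out of logs in the two formats posted above the indicators a responder reads first: modules GMER marks as hidden, user-mode inline and IAT hooks whose destination resolves into a module under \\?\globalroot\Device\ (a raw device object with no drive letter, which legitimately loaded DLLs do not come from), Win32kDiag directory reparse points paired with their destinations, and files the scanner could not read. The sample lines are constructed in the format of the logs above; the regular expressions and the "module mapped from a raw device path" heuristic are this example's own assumptions, not part of either tool.

```python
"""Triage a GMER / Win32kDiag text log for the indicators a malware responder
reads first.  Added example: not code from the thread, GMER or Win32kDiag.
The regexes and the 'module mapped from a raw device path' heuristic are this
example's own assumptions about the log formats shown in the thread."""
import re

# Constructed excerpt in the format of the Win32kDiag and GMER logs above.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
.text C:\Program Files\DAP\DAP.EXE[1596] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C70D8580.x86.dll
.text USBPORT.SYS!DllUnload BAD478AC 5 Bytes JMP 8A6BA758
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C70D8580.x86.dll
IAT C:\Program Files\DAP\DAP.EXE[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!FindFirstFileA] 0111F770
Library \\?\globalroot\Device\__max++>\C70D8580.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [312] 0x35670000
Library \\?\globalroot\Device\__max++>\C70D8580.x86.dll (*** hidden *** ) @ C:\Program Files\DAP\DAP.EXE [1596] 0x35670000
"""

# GMER "Processes" section: a module the scanner could not see through normal enumeration.
HIDDEN_LIB_RE = re.compile(
    r"^Library\s+(?P<module>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+"
    r"(?P<process>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)\s*$")
# GMER "User code sections": inline patch of an exported function, with the module the jump lands in.
INLINE_HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<func>\S+!\S+)\s+\+\s+"
    r"[0-9A-Fa-f]+\s+[0-9A-Fa-f]+\s+\d+\s+Bytes\s+\S+\s+[0-9A-Fa-f]+\s+(?P<module>\S+)\s*$")
# GMER "User IAT/EAT": import entry redirected into a named module (plain-address entries do not match).
IAT_HOOK_RE = re.compile(
    r"^IAT\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+@\s+\S+\s+\[(?P<func>[^\]]+)\]\s+"
    r"\[[0-9A-Fa-f]+\]\s+(?P<module>\S+)\s*$")
DEVICE_NAME_RE = re.compile(r"\\Device\\([^\\]+)")
GLOBALROOT_DEVICE = "\\\\?\\globalroot\\Device\\"   # the literal prefix \\?\globalroot\Device\


def is_unbacked_device_path(path):
    """Heuristic (this example's assumption): a module mapped straight from a
    device object instead of a drive-letter path deserves a closer look."""
    return path.startswith(GLOBALROOT_DEVICE)


def device_name(path):
    """Return the device object name, e.g. '__max++>' from '\\Device\\__max++>\\x.dll'."""
    m = DEVICE_NAME_RE.search(path)
    return m.group(1) if m else None


def parse_hidden_libraries(text):
    out = []
    for line in text.splitlines():
        m = HIDDEN_LIB_RE.match(line)
        if m:
            out.append({"module": m["module"], "process": m["process"],
                        "pid": int(m["pid"]), "base": int(m["base"], 16)})
    return out


def parse_redirected_hooks(text):
    """Inline and IAT hooks whose destination module lives under a raw device path."""
    out = []
    for line in text.splitlines():
        for kind, rx in (("inline", INLINE_HOOK_RE), ("iat", IAT_HOOK_RE)):
            m = rx.match(line)
            if m and is_unbacked_device_path(m["module"]):
                out.append({"kind": kind, "process": m["process"], "pid": int(m["pid"]),
                            "func": m["func"], "module": m["module"]})
    return out


def parse_mount_points(text):
    """Pair each Win32kDiag 'Found mount point' line with the destination line that follows it."""
    out, pending = [], None
    for line in text.splitlines():
        if line.startswith("Found mount point : "):
            pending = line[len("Found mount point : "):].strip()
        elif line.startswith("Mount point destination : ") and pending:
            out.append({"dir": pending, "dest": line[len("Mount point destination : "):].strip()})
            pending = None
    return out


def triage(text):
    """Summarise the log into the facts a responder wants before acting."""
    libs, hooks, mounts = parse_hidden_libraries(text), parse_redirected_hooks(text), parse_mount_points(text)
    names = ({device_name(x["module"]) for x in libs} | {device_name(x["module"]) for x in hooks}
             | {device_name(x["dest"]) for x in mounts})
    return {
        "device_names": sorted(n for n in names if n),
        "hidden_modules": sorted({x["module"] for x in libs}),
        "injected_pids": sorted({x["pid"] for x in libs}),
        "hooked_functions": sorted({x["func"] for x in hooks}),
        "reparse_dirs": [x["dir"] for x in mounts],
        "unreadable_files": [ln.split(": ", 1)[1] for ln in text.splitlines() if ln.startswith("Cannot access: ")],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full logs posted in this thread, the same summary shows one device name shared by every hidden module, every redirected hook and every reparse point, which is the detail that ties the Win32kDiag output and the GMER output to the same cause.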



#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:01 PM

Posted 17 November 2009 - 10:52 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:01 PM

Posted 23 November 2009 - 03:48 PM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/



