Possible rootkit infection. Malwarebytes and other programs(google chrome) closing after a few seconds.


  • This topic is locked
22 replies to this topic

#1 Xerces
  • Members
  • 35 posts

Posted 19 November 2009 - 10:51 AM

I had an alert for a rootkit infection which Spysweeper picked up and I deleted, but after that my computer has not been the same. It is really slow; Google Chrome opens but doesn't load any webpages. I tried to download Firefox but can't even install it. I'm using IE, which works but crashes randomly. Malwarebytes closes itself after a few seconds so I can't scan for infection. I uninstalled them and tried to reinstall but now I can't even install them. I get a weird message from ZoneAlarm firewall whenever I open a program that says a library will be installed every time I open this program (for any program I open), which I click deny on. That never happened before so maybe that's important? Also Spysweeper detects something (System monitor found, potentially masked rootkit found); the location is <HKLM\Software\Microsoft\Windows NT\Currentversion\drivers32 || midi9> but when I look in the registry it is not there and Spysweeper doesn't delete it, it comes back in the next scan. Also RootRepeal doesn't install so I can't do the scan; I can't install much at the moment because of something that's messing my PC up! This is all the things that I think are wrong, hope you can help :-) Here is my log:


DDS (Ver_09-10-26.01) - NTFSx86
Run by Webby at 15:11:28.39 on 19/11/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.346 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

E:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
E:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\windows\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
E:\web\Zone Alarm\ZoneAlarm\zlclient.exe
E:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
E:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
E:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
E:\Program Files\Virgin Broadband Wireless\ndis_events.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Webby\Desktop\dds.scr

============== Pseudo HJT Report ===============

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - e:\program files\anti virus and spyware\avg anti-spyware 7.5\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - e:\program files\anti virus and spyware\avg anti-spyware 7.5\toolbar\IEToolbar.dll
mWinlogon: System=csize.exe
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - e:\program files\anti virus and spyware\avg anti-spyware 7.5\toolbar\IEToolbar.dll
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-gb\msntb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-gb\msntb.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - e:\program files\anti virus and spyware\avg anti-spyware 7.5\toolbar\IEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [WAB] c:\documents and settings\webby\application data\macromedia\common\da68b80419.exe
uRun: [rundll32.exe]
mRun: [ZoneAlarm Client] "e:\web\zone alarm\zonealarm\zlclient.exe"
mRun: [Wireless Manager] "e:\program files\virgin broadband wireless\Wireless Manager.exe" startup
mRun: [KernelFaultCheck] "c:\windows\system32\dumprep.exe" 0 -k
mRun: [Malwarebytes Anti-Malware (reboot)] "e:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVG9_TRAY] "c:\progra~1\avg\avg9\avgtray.exe"
mRun: [SpySweeper] "e:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: winmm.dll
LSA: Notification Packages = scecli scecli

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-1 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-1 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-18 285392]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-9-10 32512]
R2 WRConsumerService;Webroot Client Service;e:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-7-3 1205760]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2005-9-29 14336]
S3 iadusb;BT Voyager 205 ADSL Router;c:\windows\system32\drivers\glauiad.sys [2005-11-4 30371]

=============== Created Last 30 ================

2009-11-19 01:00:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-19 01:00:30 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-18 23:25:38 0 d--h--w- C:\$AVG
2009-11-18 23:22:08 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-11-18 23:20:35 0 d-----w- c:\windows\SxsCaPendDel
2009-11-17 11:10:12 36 ----a-w- c:\windows\rasqervy.dll
2009-11-17 11:09:58 8 ----a-w- c:\windows\sdfinacs.dll
2009-11-17 11:09:51 5 ----a-w- c:\windows\sdfixwcs.dll
2009-11-16 23:34:18 106 ----a-w- c:\windows\wuasirvy.dll
2009-11-16 23:34:18 104448 ----a-w- c:\windows\msacm32.drv
2009-11-02 22:40:34 0 d-----w- c:\docume~1\webby\applic~1\Blitware
2009-11-02 16:54:31 0 d-----w- c:\windows\system32\AGEIA
2009-10-25 21:20:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-10-25 21:20:29 411368 ----a-w- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2009-11-18 23:28:53 827360 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-18 23:28:53 61462048 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-18 23:28:53 1601824 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-11-18 23:28:53 153308 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-11-18 23:24:54 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-18 23:24:51 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-18 23:24:35 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-18 15:30:12 4212 ---h--w- c:\windows\system32\zllictbl.dat
2009-11-18 14:54:21 512 ----a-w- C:\ScanSectorLog.dat
2009-10-13 14:27:13 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-10-06 18:56:49 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-09-04 16:44:40 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 16:44:40 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 16:44:40 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 16:29:34 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 16:29:34 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 16:29:32 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 16:29:32 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 16:29:30 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2007-07-19 10:43:49 2666 ----a-w- c:\program files\install.log
2007-05-28 00:58:23 16342 ----a-w- c:\program files\hs_err_pid3544.log
2007-03-19 02:39:44 17275 ----a-w- c:\program files\hs_err_pid3436.log
2007-03-02 18:17:17 12816 ----a-w- c:\program files\hs_err_pid1848.log
2006-12-04 02:03:50 16223 ----a-w- c:\program files\hs_err_pid3632.log
2006-11-29 22:49:11 15421 ----a-w- c:\program files\hs_err_pid2668.log
2006-10-23 22:19:29 16439 ----a-w- c:\program files\hs_err_pid2132.log
2006-10-22 17:33:34 17820 ----a-w- c:\program files\hs_err_pid1996.log
2006-10-19 18:44:12 16021 ----a-w- c:\program files\hs_err_pid2232.log
2006-10-18 22:20:31 11678 ----a-w- c:\program files\hs_err_pid3016.log
2006-09-26 14:55:43 1404 ----a-w- c:\program files\install_status.log
2004-10-11 19:46:32 205312 ----a-w- c:\program files\ltefx13n.dll
2004-01-19 14:31:00 153600 ----a-w- c:\program files\ltfil13n.DLL
2004-01-19 13:31:06 27648 ----a-w- c:\program files\lfiff13n.dll
2004-01-19 13:31:06 20480 ----a-w- c:\program files\lfCUT13n.dll
2004-01-19 12:31:50 453120 ----a-w- c:\program files\ltkrn13n.dll
2004-01-19 12:12:00 89600 ----a-w- c:\program files\Lfcgm13n.dll
2004-01-19 11:49:52 278016 ----a-w- c:\program files\LFJ2K13n.dll
2004-01-19 11:49:08 180736 ----a-w- c:\program files\Lfpng13n.dll
2004-01-19 11:47:36 76800 ----a-w- c:\program files\Lfwmf13n.dll
2004-01-19 11:47:04 509440 ----a-w- c:\program files\LFCMW13n.dll
2004-01-19 11:45:38 420352 ----a-w- c:\program files\LFCMP13n.DLL
2004-01-19 11:44:52 143872 ----a-w- c:\program files\lftif13n.dll
2004-01-19 11:36:48 56832 ----a-w- c:\program files\lfpsd13n.dll
2004-01-19 11:36:36 19968 ----a-w- c:\program files\lfpcd13n.dll
2004-01-19 11:36:32 26624 ----a-w- c:\program files\lfpcx13n.dll
2004-01-19 11:36:24 65536 ----a-w- c:\program files\Lfpct13n.dll
2004-01-19 11:36:18 18944 ----a-w- c:\program files\lfmsp13n.dll
2004-01-19 11:35:56 18944 ----a-w- c:\program files\lfmac13n.dll
2004-01-19 11:35:34 20992 ----a-w- c:\program files\lfimg13n.dll
2004-01-19 11:34:50 31744 ----a-w- c:\program files\lfclp13n.dll
2004-01-19 11:34:42 30208 ----a-w- c:\program files\lfbmp13n.dll
2004-01-19 11:33:48 444928 ----a-w- c:\program files\ltimg13n.dll
2004-01-19 11:32:18 265216 ----a-w- c:\program files\LTDIS13n.dll
2000-05-02 04:17:00 212480 ----a-w- c:\program files\PCDLIB32.DLL
1999-11-18 23:00:00 284032 ----a-w- c:\program files\XceedZip.dll

============= FINISH: 15:13:38.25 ===============


#2 myrti
  • Malware Study Hall Admin
  • 33,771 posts

Posted 27 November 2009 - 09:58 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Please also provide a log from gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 Xerces (Topic Starter)
  • Members
  • 35 posts

Posted 27 November 2009 - 07:57 PM

Hi, thanks for replying.

The problems I'm having are as follows:

I had Spysweeper block about 4 rootkit infections which I deleted, but now I have these problems which I've tried to fix, but nothing I've tried is working, so I put a message on here.

Programs closing or not working; AVG can't update (I found a recommended fix on the AVG website, I downloaded and ran rmagent_en.exe, but it didn't work); Firefox can't install and Google Chrome is not loading web pages, to name a few.

Being redirected to spy sites or advertisement sites. IE is my only browser that works, but sometimes it will just close or keep opening new windows until I end the process in Task Manager.

Malwarebytes closes a few seconds into a scan, and other spyware programs I've downloaded I can't even install.

I get a weird message from ZoneAlarm firewall whenever I open a program that says 'a library will be installed every time I open this program' (for any program I open), which I click deny on. That never happened before so maybe that's important?

I can't get a scan on OTL; it stops responding when it reaches driver WS2IFSL... in the scan. I've tried it in safe mode too, which has the same result.

Here is my GMER log:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-27 17:24:07
Windows 5.1.2600 Service Pack 2
Running: qtbw55e7.exe; Driver: C:\DOCUME~1\Webby\LOCALS~1\Temp\pxtdqpoc.sys


---- System - GMER 1.0.15 ----

SSDT 88EF8858 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xEBACDE60]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xEBACA820]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xEBAD5690]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xEBACE1F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xEBAD4480]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcessEx [0xEBAD46B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xEBAD7CE0]
SSDT 88EF8B28 ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xEBACE2D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xEBACAEA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xEBAD66A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xEBAD62E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xEBAD41F0]
SSDT sptd.sys ZwEnumerateKey [0xF72B2A92]
SSDT sptd.sys ZwEnumerateValueKey [0xF72B2E20]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xEBAD69E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwMapViewOfSection [0xEBAD7F40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xEBACACF0]
SSDT sptd.sys ZwOpenKey [0xF72AD090]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xEBAD3F40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xEBAD3D60]
SSDT sptd.sys ZwQueryKey [0xF72B2EF8]
SSDT sptd.sys ZwQueryValueKey [0xF72B2D78]
SSDT 88EF88D0 ZwQueueApcThread
SSDT 88EF8768 ZwReadVirtualMemory
SSDT 88FCF1E8 ZwRenameKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xEBAD6CD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xEBACDB00]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xEBAD6F80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xEBACE010]
SSDT 88EF89C0 ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xEBACB010]
SSDT 88FCD288 ZwSetInformationKey
SSDT 88EF8C18 ZwSetInformationProcess
SSDT 88EF8A38 ZwSetInformationThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xEBAD5E67]
SSDT 88EF8BA0 ZwSuspendProcess
SSDT 88EF8948 ZwSuspendThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xEBAD48E0]
SSDT 88EF8AB0 ZwTerminateThread
SSDT 88EF87E0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 23E4 805010E8 12 Bytes [F0, E1, AC, EB, 80, 44, AD, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 262C 80501330 8 Bytes CALL 50D91026
? C:\windows\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? srescan.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F5C6A62C 5 Bytes JMP 88D73428
init C:\windows\system32\drivers\nvax.sys entry point in "init" section [0xF7560A0C]
.text C:\windows\system32\DRIVERS\nv4_mini.sys section is writeable [0xF53FE360, 0x3D46A5, 0xE8000020]
? System32\Drivers\asbotkg6.SYS The system cannot find the path specified. !
pnidata C:\windows\System32\DRIVERS\secdrv.sys unknown last section [0xB8359F00, 0x24000, 0x48000000]
.text ntkrnlpa.exe!ZwYieldExecution + 28BC 805010E8 12 Bytes [F0, E1, AC, EB, 80, 44, AD, ...]
.text ntkrnlpa.exe!ZwYieldExecution + 2B04 80501330 8 Bytes CALL 50D91026

---- User code sections - GMER 1.0.15 ----

.text C:\windows\Explorer.EXE[484] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003D7C
.text C:\windows\Explorer.EXE[484] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003BEC
.text C:\windows\Explorer.EXE[484] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003DEC
.text C:\windows\Explorer.EXE[484] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003AA0
.text C:\windows\Explorer.EXE[484] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003214
.text C:\windows\Explorer.EXE[484] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027E4
.text C:\windows\Explorer.EXE[484] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10002778
.text C:\windows\Explorer.EXE[484] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003A4C
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[488] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003D7C
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[488] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003BEC
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[488] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003DEC
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[488] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003AA0
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[488] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003214
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[488] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027E4
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[488] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10002778
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[488] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003A4C
.text C:\Program Files\Java\jre6\bin\jqs.exe[580] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003D7C
.text C:\Program Files\Java\jre6\bin\jqs.exe[580] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003BEC
.text C:\Program Files\Java\jre6\bin\jqs.exe[580] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003DEC
.text C:\Program Files\Java\jre6\bin\jqs.exe[580] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003AA0
.text C:\Program Files\Java\jre6\bin\jqs.exe[580] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003214
.text C:\Program Files\Java\jre6\bin\jqs.exe[580] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027E4
.text C:\Program Files\Java\jre6\bin\jqs.exe[580] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10002778
.text C:\Program Files\Java\jre6\bin\jqs.exe[580] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003A4C
.text E:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe[644] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10033D7C
.text E:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe[644] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10033BEC
.text E:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe[644] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10033DEC
.text E:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe[644] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10033AA0
.text E:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe[644] WS2_32.dll!send 71AB428A 5 Bytes JMP 10033214
.text E:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe[644] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100327E4
.text E:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe[644] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10032778
.text E:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe[644] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10033A4C
.text C:\windows\system32\winlogon.exe[752] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003D7C
.text C:\windows\system32\winlogon.exe[752] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003BEC
.text C:\windows\system32\winlogon.exe[752] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003DEC
.text C:\windows\system32\winlogon.exe[752] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003AA0
.text C:\windows\system32\winlogon.exe[752] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003214
.text C:\windows\system32\winlogon.exe[752] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027E4
.text C:\windows\system32\winlogon.exe[752] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10002778
.text C:\windows\system32\winlogon.exe[752] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003A4C
.text C:\windows\system32\services.exe[800] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003D7C
.text C:\windows\system32\services.exe[800] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003BEC
.text C:\windows\system32\services.exe[800] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003DEC
.text C:\windows\system32\services.exe[800] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003AA0
.text C:\windows\system32\services.exe[800] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003214
.text C:\windows\system32\services.exe[800] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027E4
.text C:\windows\system32\services.exe[800] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10002778
.text C:\windows\system32\services.exe[800] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003A4C
.text C:\windows\system32\lsass.exe[812] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003D7C
.text C:\windows\system32\lsass.exe[812] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003BEC
.text C:\windows\system32\lsass.exe[812] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003DEC
.text C:\windows\system32\lsass.exe[812] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003AA0
.text C:\windows\system32\lsass.exe[812] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003214
.text C:\windows\system32\lsass.exe[812] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027E4
.text C:\windows\system32\lsass.exe[812] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10002778
.text C:\windows\system32\lsass.exe[812] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003A4C
.text E:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe[996] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003D7C
.text E:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe[996] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003BEC
.text E:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe[996] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003DEC
.text E:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe[996] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003AA0
.text E:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe[996] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003214
.text E:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe[996] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027E4
.text E:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe[996] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10002778
.text E:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe[996] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003A4C
.text C:\windows\system32\svchost.exe[1020] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003D7C
.text C:\windows\system32\svchost.exe[1020] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003BEC
.text C:\windows\system32\svchost.exe[1020] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003DEC
.text C:\windows\system32\svchost.exe[1020] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003AA0
.text C:\windows\system32\svchost.exe[1020] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003214
.text C:\windows\system32\svchost.exe[1020] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027E4
.text C:\windows\system32\svchost.exe[1020] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10002778
.text C:\windows\system32\svchost.exe[1020] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003A4C
.text C:\windows\System32\svchost.exe[1188] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003D7C
.text C:\windows\System32\svchost.exe[1188] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003BEC
.text C:\windows\System32\svchost.exe[1188] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003DEC
.text C:\windows\System32\svchost.exe[1188] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003AA0
.text C:\windows\System32\svchost.exe[1188] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003214
.text C:\windows\System32\svchost.exe[1188] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027E4
.text C:\windows\System32\svchost.exe[1188] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10002778
.text C:\windows\System32\svchost.exe[1188] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003A4C
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1244] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003D7C
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1244] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003BEC
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1244] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003DEC
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1244] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003AA0
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1244] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003214
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1244] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027E4
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1244] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10002778
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1244] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003A4C
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1284] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003D7C
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1284] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003BEC
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1284] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003DEC
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1284] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003AA0
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1284] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003214
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1284] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027E4
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1284] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10002778
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1284] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003A4C
.text C:\windows\System32\svchost.exe[1300] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003D7C
.text C:\windows\System32\svchost.exe[1300] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003BEC
.text C:\windows\System32\svchost.exe[1300] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003DEC
.text C:\windows\System32\svchost.exe[1300] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003AA0
.text C:\windows\System32\svchost.exe[1300] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003214
.text C:\windows\System32\svchost.exe[1300] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027E4
.text C:\windows\System32\svchost.exe[1300] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10002778
.text C:\windows\System32\svchost.exe[1300] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003A4C
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1560] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003D7C
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1560] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003BEC
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1560] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003DEC
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1560] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003AA0
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1560] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003214
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1560] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027E4
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1560] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10002778
.text C:\Program Files\AVG\AVG9\avgnsx.exe[1560] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003A4C
.text C:\windows\system32\spoolsv.exe[1732] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003D7C
.text C:\windows\system32\spoolsv.exe[1732] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003BEC
.text C:\windows\system32\spoolsv.exe[1732] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003DEC
.text C:\windows\system32\spoolsv.exe[1732] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003AA0
.text C:\windows\system32\spoolsv.exe[1732] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003214
.text C:\windows\system32\spoolsv.exe[1732] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027E4
.text C:\windows\system32\spoolsv.exe[1732] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10002778
.text C:\windows\system32\spoolsv.exe[1732] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003A4C
.text C:\windows\system32\wscntfy.exe[3096] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003D7C
.text C:\windows\system32\wscntfy.exe[3096] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003BEC
.text C:\windows\system32\wscntfy.exe[3096] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003DEC
.text C:\windows\system32\wscntfy.exe[3096] ws2_32.dll!connect 71AB406A 5 Bytes JMP 10003AA0
.text C:\windows\system32\wscntfy.exe[3096] ws2_32.dll!send 71AB428A 5 Bytes JMP 10003214
.text C:\windows\system32\wscntfy.exe[3096] ws2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027E4
.text C:\windows\system32\wscntfy.exe[3096] ws2_32.dll!recv 71AB615A 5 Bytes JMP 10002778
.text C:\windows\system32\wscntfy.exe[3096] ws2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003A4C
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[3136] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003D7C
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[3136] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003BEC
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[3136] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003DEC
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[3136] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003AA0
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[3136] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003214
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[3136] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027E4
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[3136] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10002778
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[3136] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003A4C
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003D7C
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003BEC
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003DEC
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] ws2_32.dll!connect 71AB406A 5 Bytes JMP 10003AA0
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] ws2_32.dll!send 71AB428A 5 Bytes JMP 10003214
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] ws2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027E4
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] ws2_32.dll!recv 71AB615A 5 Bytes JMP 10002778
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] ws2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003A4C
.text C:\windows\System32\alg.exe[3980] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003D7C
.text C:\windows\System32\alg.exe[3980] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003BEC
.text C:\windows\System32\alg.exe[3980] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003DEC
.text C:\windows\System32\alg.exe[3980] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003AA0
.text C:\windows\System32\alg.exe[3980] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003214
.text C:\windows\System32\alg.exe[3980] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027E4
.text C:\windows\System32\alg.exe[3980] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10002778
.text C:\windows\System32\alg.exe[3980] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003A4C

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72ADAB4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F72ADBFA] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72ADB7C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72AE728] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72AE5FE] sptd.sys
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 88EF85F8
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 88EF86F0
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [EBAD2950] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [EBAD2E70] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [EBAD2FD0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [EBAD2AC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [EBAD2AC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [EBAD2950] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [EBAD2E70] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [EBAD2FD0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [EBAD2950] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [EBAD2FD0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [EBAD2E70] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [EBAD2AC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EBAD2FD0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EBAD2950] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EBAD2E70] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [EBAD2AC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EBAD2950] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EBAD2E70] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EBAD2FD0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [EBAD2950] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [EBAD2AC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [EBAD2FD0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [EBAD2E70] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 88FD31E8

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device \FileSystem\Fastfat \FatCdrom 87611980
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Ip 885590A8
Device \Driver\Tcpip \Device\Ip 88D0FC18
Device \Driver\Tcpip \Device\Ip 88CB52A8
Device \Driver\Tcpip \Device\Ip 883A72A8

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbohci \Device\USBPDO-0 88DD5980
Device \Driver\dmio \Device\DmControl\DmIoDaemon 88F691E8
Device \Driver\dmio \Device\DmControl\DmConfig 88F691E8
Device \Driver\dmio \Device\DmControl\DmPnP 88F691E8
Device \Driver\dmio \Device\DmControl\DmInfo 88F691E8
Device \Driver\usbehci \Device\USBPDO-1 88DBC980
Device \Driver\PCI_NTPNP9672 \Device\00000060 sptd.sys
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Tcp 885590A8
Device \Driver\Tcpip \Device\Tcp 88D0FC18
Device \Driver\Tcpip \Device\Tcp 88CB52A8
Device \Driver\Tcpip \Device\Tcp 883A72A8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\prodrv06 \Device\ProDrv06 E3DE1378
Device \Driver\Ftdisk \Device\HarddiskVolume1 88FD61E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 88FD61E8
Device \Driver\Cdrom \Device\CdRom0 88DA86F0
Device \Driver\Cdrom \Device\CdRom1 88DA86F0
Device \Driver\nvata \Device\00000082 88FD41E8
Device \Driver\nvata \Device\00000082 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\prohlp02 \Device\ProHlp02 E1022900
Device \Driver\NetBT \Device\NetBt_Wins_Export 87E7B1E8
Device \Driver\nvata \Device\00000084 88FD41E8
Device \Driver\nvata \Device\00000084 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\NetBT \Device\NetbiosSmb 87E7B1E8
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Udp 885590A8
Device \Driver\Tcpip \Device\Udp 88D0FC18
Device \Driver\Tcpip \Device\Udp 88CB52A8
Device \Driver\Tcpip \Device\Udp 883A72A8

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\RawIp 885590A8
Device \Driver\Tcpip \Device\RawIp 88D0FC18
Device \Driver\Tcpip \Device\RawIp 88CB52A8
Device \Driver\Tcpip \Device\RawIp 883A72A8

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbohci \Device\USBFDO-0 88DD5980
Device \Driver\usbehci \Device\USBFDO-1 88DBC980
Device \Driver\nvata \Device\NvAta0 88FD41E8
Device \Driver\nvata \Device\NvAta0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8861C980
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\IPMULTICAST 885590A8
Device \Driver\Tcpip \Device\IPMULTICAST 88D0FC18
Device \Driver\Tcpip \Device\IPMULTICAST 88CB52A8
Device \Driver\Tcpip \Device\IPMULTICAST 883A72A8
Device \Driver\nvata \Device\NvAta1 88FD41E8
Device \Driver\nvata \Device\NvAta1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8861C980
Device \Driver\nvata \Device\NvAta2 88FD41E8
Device \Driver\nvata \Device\NvAta2 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\Ftdisk \Device\FtControl 88FD61E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{AFBD21BD-9FF8-4140-9FB0-9CA71B8A7CA4} 87E7B1E8
Device \Driver\asbotkg6 \Device\Scsi\asbotkg61Port3Path0Target0Lun0 88CEE1E8
Device \Driver\asbotkg6 \Device\Scsi\asbotkg61Port3Path0Target0Lun0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\asbotkg6 \Device\Scsi\asbotkg61 88CEE1E8
Device \Driver\asbotkg6 \Device\Scsi\asbotkg61 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \FileSystem\Fastfat \Fat 87611980

AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 87BB41E8

---- Processes - GMER 1.0.15 ----

Library H:\EMULAT~1\PSP\PSPPRO~1\DVD-PSP\TOTALV~1\RealMediaSplitter.ax (*** hidden *** ) @ C:\windows\Explorer.EXE [484] 0x03CE0000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x93 0x4F 0x20 0xE6 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x99 0x02 0x18 0xFE ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0A 0x0C 0x0C 0xF1 ...
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACfagvppfmnrbffmecx.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACfagvppfmnrbffmecx.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACnsyfwbwrubowfjpwm.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACfxhxiltitafvkbuet.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACjqvdpxwnsutfqqykd.dat
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACrtkiemxsjulxdkkfw.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UAColwerqhtbbaiwqspj.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACkxrxnpnqkxctprdds.db
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACnuyxfjpabvashjysh.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x93 0x4F 0x20 0xE6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x99 0x02 0x18 0xFE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0A 0x0C 0x0C 0xF1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x93 0x4F 0x20 0xE6 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x99 0x02 0x18 0xFE ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0A 0x0C 0x0C 0xF1 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x93 0x4F 0x20 0xE6 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x99 0x02 0x18 0xFE ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xBA 0xC7 0x7E 0x76 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x93 0x4F 0x20 0xE6 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x99 0x02 0x18 0xFE ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xBA 0xC7 0x7E 0x76 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x93 0x4F 0x20 0xE6 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x99 0x02 0x18 0xFE ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x37 0x39 0x48 0xD5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1264931528
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 1340442731
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x93 0x4F 0x20 0xE6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x99 0x02 0x18 0xFE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x37 0x39 0x48 0xD5 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x93 0x4F 0x20 0xE6 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x99 0x02 0x18 0xFE ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x37 0x39 0x48 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0x0A 0x91 0x18 0x43 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7f15a6d3-6163-4ef2-83ac-58d3c8abc1af}@Model 184
Reg HKLM\SOFTWARE\Classes\CLSID\{7f15a6d3-6163-4ef2-83ac-58d3c8abc1af}@Therad 30
Reg HKLM\SOFTWARE\Classes\CLSID\{7f15a6d3-6163-4ef2-83ac-58d3c8abc1af}@MData 0x2B 0x8F 0x78 0x29 ...

---- EOF - GMER 1.0.15 ----


Thanks for taking the time to help me out :(
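
The hook table and the registry section of the GMER log above are easier to read with a script than by eye. What follows is an added example, not part of Xerces' post and not GMER's own code: a Python triage pass that parses the `.text ... 5 Bytes JMP <target>` lines and flags JMP targets that GMER left unattributed (no module path after the target) and that recur across processes, and that lists any service whose modules are registered through `\\?\globalroot` paths. In the log above every hooked process jumps into 0x1000xxxx, far from the hooked system DLLs themselves (ntdll/kernel32 at 0x7Cxxxxxx, ws2_32 at 0x71ABxxxx), which is the signature of one DLL injected system-wide. The sample input is constructed from lines copied out of the post plus one hypothetical attributed hook (`Vendor\hook.dll`) that is not on this page, included only to show how an attributed line is handled. Caveat: a shared unattributed target is a lead, not a verdict; confirm which module is mapped at that address inside one of the processes (for example with Process Explorer's DLL view) before deleting anything, because security products also hook in user mode.

```python
"""Triage a GMER 1.0.15 log (added example; not the forum post's or GMER's code).

Checks:
  1. user-mode inline hooks (".text ... 5 Bytes JMP <target>") whose target GMER
     could not attribute to a module and that recur across several processes;
  2. service registry entries whose modules are registered via \\?\globalroot.
"""
import re
from collections import defaultdict

# ".text <process>[<pid>] <module>!<func> <addr> <n> Bytes JMP <target> [<owner> (<desc>)]"
# GMER appends the owner path only when it can map the target to a loaded module.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<func>\w+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>\S.*))?$"
)
# "Reg <key>[@<value>] [<data>]"
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+?)(?:@(?P<value>\S+))?(?:\s+(?P<data>.*))?$")
SERVICE_RE = re.compile(r"\\Services\\(?P<svc>[^\\@]+)", re.IGNORECASE)

# Constructed sample: lines copied from the GMER log above, plus one hypothetical
# attributed hook (Vendor\hook.dll) that does not appear on the page.
SAMPLE_LOG = r"""
.text C:\windows\system32\svchost.exe[1020] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003D7C
.text C:\windows\system32\svchost.exe[1020] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003214
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003D7C
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] ws2_32.dll!send 71AB428A 5 Bytes JMP 10003214
.text C:\Program Files\Vendor\app.exe[4444] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 6F001234 C:\Program Files\Vendor\hook.dll (hypothetical vendor hook)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EBAD2E70] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACfagvppfmnrbffmecx.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACnsyfwbwrubowfjpwm.dll
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
"""


def parse_hooks(log):
    """All user-mode inline JMP hooks; target is an int, owner is None when unattributed."""
    hooks = []
    for line in log.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            h = m.groupdict()
            h["pid"] = int(h["pid"])
            h["target"] = int(h["target"], 16)
            hooks.append(h)
    return hooks


def shared_unattributed_targets(hooks, min_procs=2):
    """{target: [(process, pid), ...]} for unattributed JMP targets seen in at
    least min_procs distinct processes. One DLL injected into every process
    produces exactly this pattern: identical targets everywhere."""
    by_target = defaultdict(set)
    for h in hooks:
        if h["owner"] is None:
            by_target[h["target"]].add((h["proc"], h["pid"]))
    return {t: sorted(p) for t, p in by_target.items() if len(p) >= min_procs}


def guess_image_base(targets):
    """Lowest shared target rounded down to 64 KiB. 0x10000000 is the MSVC default
    DLL image base, so targets in 0x1000xxxx point into a non-system DLL that was
    mapped at its preferred address."""
    return min(targets) & ~0xFFFF if targets else None


def parse_registry(log):
    return [m.groupdict() for m in (REG_RE.match(l.strip()) for l in log.splitlines()) if m]


def suspicious_services(regs):
    """{service: sorted paths} for services with any module registered through
    \\?\globalroot, a raw NT-namespace path form legitimate services almost never
    use for their own binaries. All paths under the service key are returned so
    the whole file set is listed for removal."""
    by_svc = defaultdict(list)
    for r in regs:
        m = SERVICE_RE.search(r["key"])
        if m and r["data"] and "\\" in r["data"]:
            by_svc[m.group("svc")].append(r["data"])
    return {svc: sorted(set(paths)) for svc, paths in by_svc.items()
            if any(r"\\?\globalroot" in p.lower() for p in paths)}


def triage(log):
    hooks = parse_hooks(log)
    shared = shared_unattributed_targets(hooks)
    return {
        "hooked_functions": sorted({f'{h["module"].lower()}!{h["func"]}'
                                    for h in hooks if h["owner"] is None}),
        "shared_targets": {hex(t): p for t, p in shared.items()},
        "image_base": guess_image_base(shared),
        "suspicious_services": suspicious_services(parse_registry(log)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run against the full log the same way and the function list grows to NtOpenKey, CreateProcessW, ExitProcess and the five Winsock calls: registry, process creation, exit and network I/O, which matches the symptoms reported (scanners closing, browsers failing to load pages). The `IAT` lines are deliberately ignored; those are attributed to vsdatant.sys and sptd.sys, which are the firewall and DAEMON Tools drivers the DDS process list also shows.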

#4 myrti (Malware Study Hall Admin)

Posted 28 November 2009 - 11:06 AM

Hi,

I also need the log from OTL. :(

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


#5 Xerces (Topic Starter)

Posted 28 November 2009 - 11:13 AM

Hi, I've tried to run OTL but I can't get a scan to finish. It stops responding when it reaches driver WS2IFSL... in the scan. I've tried it in safe mode too, which has the same result.

#6 myrti (Malware Study Hall Admin)

Posted 29 November 2009 - 11:58 AM

Hi,

Sorry, I must have missed that in your last reply.

Please provide a log from DDS instead:

Please run a scan with DDS:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
    DDS.scr
    DDS.pif
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.


Information on A/V control HERE

Please also run a scan with mbr:
Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -t >>"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
regards myrti


#7 Xerces (Topic Starter)

Posted 29 November 2009 - 01:32 PM

Hi, here are the DDS logs and MBR log you asked for:

DDS (Ver_09-11-29.01) - NTFSx86
Run by Webby at 18:14:21.06 on 29/11/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.649 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

E:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\windows\system32\spoolsv.exe
E:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\windows\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
E:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\windows\system32\wscntfy.exe
C:\windows\Explorer.EXE
E:\web\Zone Alarm\ZoneAlarm\zlclient.exe
E:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
E:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
E:\Program Files\Virgin Broadband Wireless\ndis_events.exe
E:\Program Files\Spotify\spotify.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Webby\Desktop\dds.scr

============== Pseudo HJT Report ===============

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - e:\program files\anti virus and spyware\avg anti-spyware 7.5\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - e:\program files\anti virus and spyware\avg anti-spyware 7.5\toolbar\IEToolbar.dll
mWinlogon: System=csize.exe
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - e:\program files\anti virus and spyware\avg anti-spyware 7.5\toolbar\IEToolbar.dll
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-gb\msntb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-gb\msntb.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - e:\program files\anti virus and spyware\avg anti-spyware 7.5\toolbar\IEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [WAB] "c:\documents and settings\webby\application data\macromedia\common\da68b80419.exe"
uRun: [rundll32.exe]
mRun: [ZoneAlarm Client] "e:\web\zone alarm\zonealarm\zlclient.exe"
mRun: [Wireless Manager] "e:\program files\virgin broadband wireless\Wireless Manager.exe" startup
mRun: [KernelFaultCheck] "c:\windows\system32\dumprep.exe" 0 -k
mRun: [Malwarebytes Anti-Malware (reboot)] "e:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVG9_TRAY] "c:\progra~1\avg\avg9\avgtray.exe"
mRun: [SpySweeper] "e:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: winmm.dll
LSA: Notification Packages = scecli scecli

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-1 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-12-6 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-1 360584]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-11-4 394192]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-18 285392]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-9-10 32512]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;e:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-4-21 4048240]
R2 WRConsumerService;Webroot Client Service;e:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-7-3 1205760]
S3 iadusb;BT Voyager 205 ADSL Router;c:\windows\system32\drivers\glauiad.sys [2005-11-4 30371]
S3 KLIF;KLIF;c:\windows\system32\zonelabs\avsys\klif.sys [2007-3-26 174864]
S3 rootrepeal;rootrepeal;c:\windows\system32\drivers\rootrepeal.sys [2009-11-19 34816]
S3 rootrepeal[1];rootrepeal[1];c:\windows\system32\drivers\rootrepeal[1].sys [2009-11-19 34816]

=============== Created Last 30 ================

2009-11-27 00:54:52 0 d-----w- c:\program files\common files\PC Tools
2009-11-24 14:13:24 0 d-----w- C:\_OTL
2009-11-24 14:10:19 0 d-----w- C:\AVGTemp
2009-11-24 00:44:18 0 d-----w- c:\docume~1\webby\applic~1\AVG8
2009-11-19 15:18:13 34816 ----a-w- c:\windows\system32\drivers\rootrepeal[1].sys
2009-11-19 15:17:14 34816 ----a-w- c:\windows\system32\drivers\rootrepeal.sys
2009-11-19 01:00:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-19 01:00:30 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-18 23:25:38 0 d--h--w- C:\$AVG
2009-11-18 23:22:08 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-11-18 23:20:35 0 d-----w- c:\windows\SxsCaPendDel
2009-11-17 11:10:12 36 ----a-w- c:\windows\rasqervy.dll
2009-11-17 11:09:58 8 ----a-w- c:\windows\sdfinacs.dll
2009-11-17 11:09:51 5 ----a-w- c:\windows\sdfixwcs.dll
2009-11-16 23:34:18 106 ----a-w- c:\windows\wuasirvy.dll
2009-11-16 23:34:18 104448 ----a-w- c:\windows\msacm32.drv
2009-11-02 22:40:34 0 d-----w- c:\docume~1\webby\applic~1\Blitware
2009-11-02 16:54:31 0 d-----w- c:\windows\system32\AGEIA

==================== Find3M ====================

2009-11-18 23:28:53 827360 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-18 23:28:53 61462048 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-18 23:28:53 1601824 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-11-18 23:28:53 153308 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-11-18 23:24:54 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-18 23:24:51 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-18 23:24:35 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-18 15:30:12 4212 ---h--w- c:\windows\system32\zllictbl.dat
2009-11-18 14:54:21 512 ----a-w- C:\ScanSectorLog.dat
2009-10-25 21:19:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-13 14:27:13 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-10-06 18:56:49 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-09-04 16:44:40 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 16:44:40 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 16:44:40 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 16:29:34 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 16:29:34 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 16:29:32 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 16:29:32 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 16:29:30 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2007-07-19 10:43:49 2666 ----a-w- c:\program files\install.log
2007-05-28 00:58:23 16342 ----a-w- c:\program files\hs_err_pid3544.log
2007-03-19 02:39:44 17275 ----a-w- c:\program files\hs_err_pid3436.log
2007-03-02 18:17:17 12816 ----a-w- c:\program files\hs_err_pid1848.log
2006-12-04 02:03:50 16223 ----a-w- c:\program files\hs_err_pid3632.log
2006-11-29 22:49:11 15421 ----a-w- c:\program files\hs_err_pid2668.log
2006-10-23 22:19:29 16439 ----a-w- c:\program files\hs_err_pid2132.log
2006-10-22 17:33:34 17820 ----a-w- c:\program files\hs_err_pid1996.log
2006-10-19 18:44:12 16021 ----a-w- c:\program files\hs_err_pid2232.log
2006-10-18 22:20:31 11678 ----a-w- c:\program files\hs_err_pid3016.log
2006-09-26 14:55:43 1404 ----a-w- c:\program files\install_status.log
2004-10-11 19:46:32 205312 ----a-w- c:\program files\ltefx13n.dll
2004-01-19 14:31:00 153600 ----a-w- c:\program files\ltfil13n.DLL
2004-01-19 13:31:06 27648 ----a-w- c:\program files\lfiff13n.dll
2004-01-19 13:31:06 20480 ----a-w- c:\program files\lfCUT13n.dll
2004-01-19 12:31:50 453120 ----a-w- c:\program files\ltkrn13n.dll
2004-01-19 12:12:00 89600 ----a-w- c:\program files\Lfcgm13n.dll
2004-01-19 11:49:52 278016 ----a-w- c:\program files\LFJ2K13n.dll
2004-01-19 11:49:08 180736 ----a-w- c:\program files\Lfpng13n.dll
2004-01-19 11:47:36 76800 ----a-w- c:\program files\Lfwmf13n.dll
2004-01-19 11:47:04 509440 ----a-w- c:\program files\LFCMW13n.dll
2004-01-19 11:45:38 420352 ----a-w- c:\program files\LFCMP13n.DLL
2004-01-19 11:44:52 143872 ----a-w- c:\program files\lftif13n.dll
2004-01-19 11:36:48 56832 ----a-w- c:\program files\lfpsd13n.dll
2004-01-19 11:36:36 19968 ----a-w- c:\program files\lfpcd13n.dll
2004-01-19 11:36:32 26624 ----a-w- c:\program files\lfpcx13n.dll
2004-01-19 11:36:24 65536 ----a-w- c:\program files\Lfpct13n.dll
2004-01-19 11:36:18 18944 ----a-w- c:\program files\lfmsp13n.dll
2004-01-19 11:35:56 18944 ----a-w- c:\program files\lfmac13n.dll
2004-01-19 11:35:34 20992 ----a-w- c:\program files\lfimg13n.dll
2004-01-19 11:34:50 31744 ----a-w- c:\program files\lfclp13n.dll
2004-01-19 11:34:42 30208 ----a-w- c:\program files\lfbmp13n.dll
2004-01-19 11:33:48 444928 ----a-w- c:\program files\ltimg13n.dll
2004-01-19 11:32:18 265216 ----a-w- c:\program files\LTDIS13n.dll
2000-05-02 04:17:00 212480 ----a-w- c:\program files\PCDLIB32.DLL
1999-11-18 23:00:00 284032 ----a-w- c:\program files\XceedZip.dll

============= FINISH: 18:15:36.06 ===============

MBR:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys sfsync02.sys >>UNKNOWN [0x88FD41E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x88fd51e8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

Thanks Xerces


#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 29 November 2009 - 03:18 PM

Hi,

I'm afraid I have bad news:

Your logs reveal an information stealing trojan.


I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required to clean your PC.

If you do any banking or other financial transactions on the PC or it if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation as soon as possible.

If you do not have access to a known clean computer, you will still need to change your passwords, and all other sensitive information, but only once your system is deemed clean.

Please run Combofix as a next step:
Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon; check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti



#9 Xerces

Xerces
  • Topic Starter

  • Members
  • 35 posts

Posted 29 November 2009 - 08:24 PM

Hi again. The Windows Recovery Console didn't install as it failed to download, but the scan still worked; here is the ComboFix log.

ComboFix 09-11-29.02 - Webby 30/11/2009 0:19.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.639 [GMT 0:00]
Running from: c:\documents and settings\Webby\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\Downloaded Program Files\or54yr
c:\windows\Downloaded Program Files\or54yr\7eqs88.exe
c:\windows\Downloaded Program Files\or54yr\7eqs88.jar
c:\windows\lpb.bak
c:\windows\msacm32.drv
c:\windows\rasqervy.dll
c:\windows\sdfinacs.dll
c:\windows\sdfixwcs.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\Packet.dll
c:\windows\system32\Process.exe
c:\windows\system32\pthreadVC.dll
c:\windows\system32\sdra64.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\UACkxrxnpnqkxctprdds.db
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\wuasirvy.dll
e:\progra~1\Webroot\WEBROO~1\Backup\ntSVc.ocx

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.

2009-11-29 18:20 . 2009-11-29 18:20 77312 ----a-w- C:\mbr.exe
2009-11-27 00:54 . 2009-11-27 00:55 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-27 00:54 . 2009-11-27 00:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-24 14:13 . 2009-11-24 14:13 -------- d-----w- C:\_OTL
2009-11-24 14:10 . 2009-11-24 14:10 -------- d-----w- C:\AVGTemp
2009-11-24 00:44 . 2009-11-24 00:44 -------- d-----w- c:\documents and settings\Webby\Application Data\AVG8
2009-11-19 15:18 . 2009-11-19 15:18 34816 ----a-w- c:\windows\system32\drivers\rootrepeal[1].sys
2009-11-19 15:17 . 2009-11-19 15:17 34816 ----a-w- c:\windows\system32\drivers\rootrepeal.sys
2009-11-19 01:00 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-19 01:00 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-18 23:25 . 2009-11-18 23:30 -------- d-----w- C:\$AVG
2009-11-18 23:22 . 2009-11-18 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-18 23:20 . 2009-11-18 23:29 -------- d-----w- c:\windows\SxsCaPendDel
2009-11-17 16:20 . 2009-11-17 16:20 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-11-17 16:19 . 2009-11-17 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-17 16:19 . 2009-11-17 16:19 -------- d-----w- c:\program files\NOS
2009-11-17 14:52 . 2009-11-19 14:58 18432 ----a-w- c:\documents and settings\NetworkService\Application Data\Macromedia\Common\da68b80419.exe
2009-11-16 23:31 . 2009-11-20 15:26 104960 ----a-w- c:\documents and settings\Webby\Application Data\Macromedia\Common\da68b8041.dll
2009-11-16 23:31 . 2009-11-20 15:26 18432 ----a-w- c:\documents and settings\Webby\Application Data\Macromedia\Common\da68b80419.exe
2009-11-02 22:40 . 2009-11-02 22:40 -------- d-----w- c:\documents and settings\Webby\Application Data\Blitware
2009-11-02 16:54 . 2009-11-02 16:54 -------- d-----w- c:\program files\AGEIA Technologies
2009-11-02 16:54 . 2009-11-02 16:54 -------- d-----w- c:\windows\system32\AGEIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-30 00:15 . 2005-11-04 10:33 4212 ---h--w- c:\windows\system32\zllictbl.dat
2009-11-29 16:41 . 2009-08-02 17:28 -------- d-----w- c:\documents and settings\Webby\Application Data\Spotify
2009-11-27 15:31 . 2009-08-25 21:01 -------- d-----w- c:\documents and settings\Webby\Application Data\vlc
2009-11-19 01:40 . 2009-11-19 14:52 2291712 ----a-w- c:\windows\Internet Logs\xDB19.tmp
2009-11-19 01:40 . 2009-11-19 14:52 1167872 ----a-w- c:\windows\Internet Logs\xDB18.tmp
2009-11-18 23:28 . 2009-07-11 15:24 827360 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-18 23:28 . 2009-07-11 15:24 61462048 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-18 23:28 . 2009-07-11 15:24 1601824 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-11-18 23:28 . 2009-07-11 15:24 153308 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-11-18 23:24 . 2009-06-01 15:06 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-18 23:24 . 2009-06-01 15:06 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-18 23:24 . 2006-12-06 00:33 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-18 23:24 . 2009-06-01 15:06 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-18 23:22 . 2009-06-01 15:04 -------- d-----w- c:\program files\AVG
2009-11-18 14:54 . 2009-07-12 22:15 512 ----a-w- C:\ScanSectorLog.dat
2009-11-04 23:27 . 2009-11-04 23:29 2132992 ----a-w- c:\windows\Internet Logs\xDB17.tmp
2009-11-04 00:15 . 2009-09-03 14:55 -------- d-----w- c:\documents and settings\Webby\Application Data\dvdcss
2009-11-02 16:54 . 2007-01-17 20:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-25 21:19 . 2009-10-25 21:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-25 21:18 . 2006-06-04 20:37 -------- d-----w- c:\program files\Java
2009-10-25 21:17 . 2009-09-27 18:40 152576 ----a-w- c:\documents and settings\Webby\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-14 23:19 . 2009-10-14 23:22 1840640 ----a-w- c:\windows\Internet Logs\xDB16.tmp
2009-10-14 14:23 . 2009-10-14 14:23 583168 ----a-w- c:\windows\Internet Logs\xDB15.tmp
2009-10-13 14:27 . 2007-03-25 01:12 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-10-08 17:30 . 2009-10-04 16:21 -------- d-----w- c:\documents and settings\Webby\Application Data\Affinegy
2009-10-08 13:54 . 2009-10-08 13:58 525312 ----a-w- c:\windows\Internet Logs\xDB14.tmp
2009-10-07 14:44 . 2009-10-07 14:44 2736640 ----a-w- c:\windows\Internet Logs\xDB2C.tmp
2009-10-06 18:56 . 2005-09-30 11:58 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-10-06 11:57 . 2009-10-06 11:59 4740608 ----a-w- c:\windows\Internet Logs\xDB12.tmp
2009-10-06 11:54 . 2009-10-06 11:59 4740096 ----a-w- c:\windows\Internet Logs\xDB13.tmp
2009-09-27 22:35 . 2005-09-29 11:43 49016 ----a-w- c:\documents and settings\Webby\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-04 16:44 . 2009-09-29 16:19 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 16:44 . 2009-09-29 16:19 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 16:44 . 2009-09-29 16:19 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 16:29 . 2009-09-29 16:19 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 16:29 . 2009-09-29 16:19 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 16:29 . 2009-09-29 16:19 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 16:29 . 2009-09-29 16:19 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 16:29 . 2009-09-29 16:19 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2007-05-28 00:58 . 2007-05-28 00:58 16342 ----a-w- c:\program files\hs_err_pid3544.log
2007-03-19 02:39 . 2007-03-19 02:39 17275 ----a-w- c:\program files\hs_err_pid3436.log
2007-03-02 18:17 . 2007-03-02 18:17 12816 ----a-w- c:\program files\hs_err_pid1848.log
2006-12-04 02:03 . 2006-12-04 02:03 16223 ----a-w- c:\program files\hs_err_pid3632.log
2006-11-29 22:49 . 2006-11-29 22:49 15421 ----a-w- c:\program files\hs_err_pid2668.log
2006-10-23 22:19 . 2006-10-23 22:19 16439 ----a-w- c:\program files\hs_err_pid2132.log
2006-10-22 17:33 . 2006-10-22 17:33 17820 ----a-w- c:\program files\hs_err_pid1996.log
2006-10-19 18:44 . 2006-10-19 18:44 16021 ----a-w- c:\program files\hs_err_pid2232.log
2006-10-18 22:20 . 2006-10-18 21:11 11678 ----a-w- c:\program files\hs_err_pid3016.log
2006-09-26 14:55 . 2006-09-26 14:55 1404 ----a-w- c:\program files\install_status.log
2004-10-11 19:46 . 2004-10-11 19:46 205312 ----a-w- c:\program files\ltefx13n.dll
2004-01-19 14:31 . 2004-01-19 14:31 153600 ----a-w- c:\program files\ltfil13n.DLL
2004-01-19 13:31 . 2004-01-19 13:31 27648 ----a-w- c:\program files\lfiff13n.dll
2004-01-19 13:31 . 2004-01-19 13:31 20480 ----a-w- c:\program files\lfCUT13n.dll
2004-01-19 12:31 . 2004-01-19 12:31 453120 ----a-w- c:\program files\ltkrn13n.dll
2004-01-19 12:12 . 2004-01-19 12:12 89600 ----a-w- c:\program files\Lfcgm13n.dll
2004-01-19 11:49 . 2004-01-19 11:49 278016 ----a-w- c:\program files\LFJ2K13n.dll
2004-01-19 11:49 . 2004-01-19 11:49 180736 ----a-w- c:\program files\Lfpng13n.dll
2004-01-19 11:47 . 2004-01-19 11:47 76800 ----a-w- c:\program files\Lfwmf13n.dll
2004-01-19 11:47 . 2004-01-19 11:47 509440 ----a-w- c:\program files\LFCMW13n.dll
2004-01-19 11:45 . 2004-01-19 11:45 420352 ----a-w- c:\program files\LFCMP13n.DLL
2004-01-19 11:44 . 2004-01-19 11:44 143872 ----a-w- c:\program files\lftif13n.dll
2004-01-19 11:36 . 2004-01-19 11:36 56832 ----a-w- c:\program files\lfpsd13n.dll
2004-01-19 11:36 . 2004-01-19 11:36 19968 ----a-w- c:\program files\lfpcd13n.dll
2004-01-19 11:36 . 2004-01-19 11:36 26624 ----a-w- c:\program files\lfpcx13n.dll
2004-01-19 11:36 . 2004-01-19 11:36 65536 ----a-w- c:\program files\Lfpct13n.dll
2004-01-19 11:36 . 2004-01-19 11:36 18944 ----a-w- c:\program files\lfmsp13n.dll
2004-01-19 11:35 . 2004-01-19 11:35 18944 ----a-w- c:\program files\lfmac13n.dll
2004-01-19 11:35 . 2004-01-19 11:35 20992 ----a-w- c:\program files\lfimg13n.dll
2004-01-19 11:34 . 2004-01-19 11:34 31744 ----a-w- c:\program files\lfclp13n.dll
2004-01-19 11:34 . 2004-01-19 11:34 30208 ----a-w- c:\program files\lfbmp13n.dll
2004-01-19 11:33 . 2004-01-19 11:33 444928 ----a-w- c:\program files\ltimg13n.dll
2004-01-19 11:32 . 2004-01-19 11:32 265216 ----a-w- c:\program files\LTDIS13n.dll
2000-05-02 04:17 . 2000-05-02 04:17 212480 ----a-w- c:\program files\PCDLIB32.DLL
1999-11-18 23:00 . 1999-11-18 23:00 284032 ----a-w- c:\program files\XceedZip.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WAB"="c:\documents and settings\Webby\Application Data\Macromedia\Common\da68b80419.exe" [2009-11-20 18432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wireless Manager"="e:\program files\Virgin Broadband Wireless\Wireless Manager.exe startup" [X]
"ZoneAlarm Client"="e:\web\Zone Alarm\ZoneAlarm\zlclient.exe" [2007-03-08 919280]
"Malwarebytes Anti-Malware (reboot)"="e:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-18 2020120]
"SpySweeper"="e:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-05-13 6345840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-18 23:24 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi9"=c:\windows\lpb.bak 2yKOEBOFFO

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Broadband Desktop Help.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Broadband Desktop Help.lnk
backup=c:\windows\pss\Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MagicTune3.5.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MagicTune3.5.lnk
backup=c:\windows\pss\MagicTune3.5.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NaturalColorLoad.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk
backup=c:\windows\pss\NaturalColorLoad.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Webby^Start Menu^Programs^Startup^OpenOffice.org 1.1.5.lnk]
path=c:\documents and settings\Webby\Start Menu\Programs\Startup\OpenOffice.org 1.1.5.lnk
backup=c:\windows\pss\OpenOffice.org 1.1.5.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"SPTISRV"=3 (0x3)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"e:\\Webby's Documents\\My Received Files\\iTunes.exe"=
"e:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\messenger\\msmsgs.exe"=
"e:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"e:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10662:TCP"= 10662:TCP:BitComet 10662 TCP
"10662:UDP"= 10662:UDP:BitComet 10662 UDP

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27/02/2007 01:22 646392]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [12/11/2008 15:02 29808]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [01/06/2009 15:06 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [01/06/2009 15:06 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [18/11/2009 23:22 285392]
R2 WRConsumerService;Webroot Client Service;e:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [03/07/2009 15:56 1205760]
S3 iadusb;BT Voyager 205 ADSL Router;c:\windows\system32\drivers\glauiad.sys [04/11/2005 10:20 30371]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-11-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-11-27 c:\windows\Tasks\wrSpySweeper_L3804F10ADE324199856BBE95EB81C246.job
- e:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-07-03 14:40]

2009-11-27 c:\windows\Tasks\wrSpySweeper_L3804F10ADE324199856BBE95EB81C246.job
- e:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-07-03 14:40]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - e:\program files\ANTI VIRUS AND SPYWARE\AVG Anti-Spyware 7.5\Toolbar\IEToolbar.dll
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - e:\program files\ANTI VIRUS AND SPYWARE\AVG Anti-Spyware 7.5\Toolbar\IEToolbar.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - e:\program files\ANTI VIRUS AND SPYWARE\AVG Anti-Spyware 7.5\Toolbar\IEToolbar.dll
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - e:\program files\ANTI VIRUS AND SPYWARE\AVG Anti-Spyware 7.5\Toolbar\IEToolbar.dll
HKCU-Run-rundll32.exe - (no file)
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-Steam App 218 - e:\program files\My Games\Valve\Steam\steam.exe steam://uninstall/218
AddRemove-Steam App 400 - e:\program files\My Games\Valve\Steam\steam.exe steam://uninstall/400
AddRemove-Steam App 420 - e:\program files\My Games\Valve\Steam\steam.exe steam://uninstall/420
AddRemove-Steam App 440 - e:\program files\My Games\Valve\Steam\steam.exe steam://uninstall/440



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-30 01:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys sfsync02.sys >>UNKNOWN [0x88FD41E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf750bfc3
\Driver\ACPI -> ACPI.sys @ 0xf726ccb8
\Driver\atapi -> 0x88fd51e8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
[1].sys"


[HKEY_LOCAL_MACHINE\System\ControlSet007\Services\rootrepeal[1]]
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1202660629-1364589140-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:2c,1c,39,fe,71,24,e2,02,76,98,2e,ea,1e,62,c5,0d,dc,b8,76,94,ec,6d,aa,
3d,3f,71,32,cc,a1,1e,27,a3,ed,40,61,06,d3,94,74,aa,0a,08,ac,8e,4f,07,41,0b,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-1202660629-1364589140-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:43,8e,3f,58,6b,36,63,ec,c1,13,43,68,88,7d,ef,40,bc,f3,61,b4,cf,
51,08,9c,97,63,6e,0e,db,bc,53,9a,9a,9e,73,e3,45,c9,75,cf,68,ae,18,e0,88,08,\
"rkeysecu"=hex:fa,fb,11,f4,8c,ee,7a,30,ae,41,90,ff,4e,7d,c9,cf

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):0a,91,18,43,e0,15,0e,c2,d8,d5,27,89,25,16,fe,bf,bb,77,a8,da,f5,
8d,d5,59,39,39,17,29,dc,37,47,88,08,54,e6,9a,3d,ef,e7,c1,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7f15a6d3-6163-4ef2-83ac-58d3c8abc1af}]
@Denied: (Full) (Everyone)
"Model"=dword:000000b8
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,a8,a5,91,e0,f3,36,42,6b,0e,19,9b,7e,c0,c3,5d,71,69,0b,ea,46,83,b4,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(6280)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
e:\program files\Virgin Broadband Wireless\AffinegyService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
e:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\windows\system32\wscntfy.exe
e:\program files\Virgin Broadband Wireless\Wireless Manager.exe
e:\program files\Virgin Broadband Wireless\ndis_events.exe
.
**************************************************************************
.
Completion time: 2009-11-30 01:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-30 01:13

Pre-Run: 1,226,821,632 bytes free
Post-Run: 1,061,406,720 bytes free

Current=7 Default=7 Failed=6 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
- - End Of File - - 442FFEA31DCE6123F0E1B768E7FE1E94

Thanks Xerces

#10 myrti

Posted 29 November 2009 - 08:57 PM

Hi,

Please run DeFogger:
Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Afterwards run a new scan with mbr:
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -t >>"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
ComboFix took out a couple of files; how is your PC doing now?

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#11 Xerces
  • Topic Starter

Posted 30 November 2009 - 12:15 PM

Ok, I've run DeFogger and then mbr; here are the results:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys sfsync02.sys >>UNKNOWN [0x88FD41E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x88fd51e8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys sfsync02.sys nvata.sys
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys sfsync02.sys nvata.sys
kernel: MBR read successfully
user & kernel MBR OK


My PC can now run MBAM without it closing. I ran a scan and it has detected:

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wab (Trojan.Dropper) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Webby\Application Data\Macromedia\Common\da68b8041.dll (Hijack.Sound) -> Quarantined and deleted successfully.


AVG can now update as well; I've not tested Firefox or Google yet.

Is my computer now clean or is there anything else you can notice?

#12 myrti

Posted 01 December 2009 - 08:51 AM

Hi,

your PC is looking cleaner; however, I'm not convinced you are clean already. I would like to ask you to try to run a new scan with GMER:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

I would also like to see a new log from OTL:
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • A report will open, copy and paste it in a reply here:
    • OTListIt.txt
Regards, myrti



#13 Xerces
  • Topic Starter

Posted 01 December 2009 - 11:57 AM

Hi myrti, I've run OTL but it still stops responding when it reaches driver WS2IFSL... in the scan. Here is the GMER log:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-01 16:43:39
Windows 5.1.2600 Service Pack 2
Running: qtbw55e7.exe; Driver: C:\DOCUME~1\Webby\LOCALS~1\Temp\pxtdqpoc.sys


---- System - GMER 1.0.15 ----

SSDT 88F5A990 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xF4118E60]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xF4115820]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xF4120690]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xF41191F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xF411F480]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcessEx [0xF411F6B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xF4122CE0]
SSDT 88F5AC60 ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xF41192D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xF4115EA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xF41216A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xF41212E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xF411F1F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadDriver [0xF4113360]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xF41219E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwMapViewOfSection [0xF4122F40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xF4115CF0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xF411EF40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xF411ED60]
SSDT 88F5AA08 ZwQueueApcThread
SSDT 88F1B020 ZwReadVirtualMemory
SSDT 88F7D8D0 ZwRenameKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xF4121CD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xF4118B00]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xF4121F80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xF4119010]
SSDT 88F5AAF8 ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xF4116010]
SSDT 88FE5168 ZwSetInformationKey
SSDT 88F5AD50 ZwSetInformationProcess
SSDT 88F5AB70 ZwSetInformationThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetSystemInformation [0xF41131D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xF4120E67]
SSDT 88F5ACD8 ZwSuspendProcess
SSDT 88F5AA80 ZwSuspendThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xF411F8E0]
SSDT 88F5ABE8 ZwTerminateThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwUnloadDriver [0xF4113530]
SSDT 88F5A918 ZwWriteVirtualMemory

INT 0x20 srescan.sys F71809B0

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 23E4 805010E8 12 Bytes [F0, 91, 11, F4, 80, F4, 11, ...]
? srescan.sys The system cannot find the file specified. !
init C:\windows\system32\drivers\nvax.sys entry point in "init" section [0xF7560A0C]
.text C:\windows\system32\DRIVERS\nv4_mini.sys section is writeable [0xF684C360, 0x3D46A5, 0xE8000020]
pnidata C:\windows\System32\DRIVERS\secdrv.sys unknown last section [0xB7F9CF00, 0x24000, 0x48000000]
.text ntkrnlpa.exe!ZwYieldExecution + 28BC 805010E8 12 Bytes [F0, 91, 11, F4, 80, F4, 11, ...]

---- User code sections - GMER 1.0.15 ----

.text E:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe[1176] kernel32.dll!CreateThread + 1A 7C810849 4 Bytes CALL 00450771 E:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[3152] ntdll.dll!KiFastSystemCall + 2 7C90EB8D 2 Bytes [CD, 20] {INT 0x20}
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtCreateFile + 6 7C90D688 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtCreateFile + B 7C90D68D 1 Byte [E2]
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtOpenFile + 6 7C90DD03 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtOpenFile + B 7C90DD08 1 Byte [E2]
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtOpenProcess + 6 7C90DD81 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtOpenProcess + B 7C90DD86 1 Byte [E2]
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtOpenProcessToken + 6 7C90DD96 4 Bytes CALL 7B90F39C
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtOpenProcessToken + B 7C90DD9B 1 Byte [E2]
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtOpenProcessTokenEx + 6 7C90DDAB 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtOpenProcessTokenEx + B 7C90DDB0 1 Byte [E2]
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtOpenThread + 6 7C90DDFF 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtOpenThread + B 7C90DE04 1 Byte [E2]
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtOpenThreadToken + 6 7C90DE14 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtOpenThreadToken + B 7C90DE19 1 Byte [E2]
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtOpenThreadTokenEx + 6 7C90DE29 4 Bytes CALL 7B90F430
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtOpenThreadTokenEx + B 7C90DE2E 1 Byte [E2]
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtQueryAttributesFile + 6 7C90DEE6 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtQueryAttributesFile + B 7C90DEEB 1 Byte [E2]
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtQueryFullAttributesFile + 6 7C90DFB8 4 Bytes CALL 7B90F5BD
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtQueryFullAttributesFile + B 7C90DFBD 1 Byte [E2]
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtSetInformationFile + 6 7C90E5DF 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtSetInformationFile + B 7C90E5E4 1 Byte [E2]
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtSetInformationThread + 6 7C90E648 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Webby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3868] ntdll.dll!NtSetInformationThread + B 7C90E64D 1 Byte [E2]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 88F1BEB0
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 88F1BFA8
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F411D950] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F411DE70] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F411DFD0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F411DAC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F411DAC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F411D950] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F411DE70] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F411DFD0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F411D950] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F411DFD0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F411DE70] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F411DAC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F411DFD0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F411D950] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F411DE70] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F411DAC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F411D950] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F411DE70] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F411DFD0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F411D950] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F411DAC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F411DFD0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F411DE70] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Ip 886592A8
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Tcp 886592A8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x93 0x4F 0x20 0xE6 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x99 0x02 0x18 0xFE ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0A 0x0C 0x0C 0xF1 ...
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACfagvppfmnrbffmecx.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACfagvppfmnrbffmecx.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACnsyfwbwrubowfjpwm.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACfxhxiltitafvkbuet.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACjqvdpxwnsutfqqykd.dat
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACrtkiemxsjulxdkkfw.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UAColwerqhtbbaiwqspj.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACkxrxnpnqkxctprdds.db
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACnuyxfjpabvashjysh.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x93 0x4F 0x20 0xE6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x99 0x02 0x18 0xFE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0A 0x0C 0x0C 0xF1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x93 0x4F 0x20 0xE6 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x99 0x02 0x18 0xFE ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0A 0x0C 0x0C 0xF1 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x93 0x4F 0x20 0xE6 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x99 0x02 0x18 0xFE ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xBA 0xC7 0x7E 0x76 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x93 0x4F 0x20 0xE6 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x99 0x02 0x18 0xFE ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xBA 0xC7 0x7E 0x76 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\

Cheers!

#14 Xerces

Xerces
  • Topic Starter

  • Members
  • 35 posts
  • Local time:10:03 PM

Posted 01 December 2009 - 11:59 AM

Also, the ZoneAlarm warning saying that a library will be loaded when I start a program has now stopped, not sure if that's important though...

#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home
  • Local time:11:03 PM

Posted 01 December 2009 - 12:04 PM

Hi,

Did you download a new copy of OTL? If not, please try doing that. Otherwise, please post a new DDS log instead:
Please run a scan with DDS:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
    DDS.scr
    DDS.pif
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results; click No to the Optional_Scan.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.


Information on A/V control HERE

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
