
unknown virus causing major problems


  • This topic is locked
19 replies to this topic

#1 dexterlady

dexterlady

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:49 AM

Posted 15 December 2009 - 09:14 PM

Symptoms:

MS Outlook will open - just - but doing anything causes it to freeze - usual message "This program has stopped responding"

Browser redirects from any google searches

Pop up ads all the time.
Windows explorer stops responding.

I think the problem has come on gradually - pop ups first, then today the outlook and browser problems.

On switching computer off I get "please wait whilst ssy.mgr closes" then "This program has stopped responding"

Today I had the same with WAB file.


OS is windows XP, Browser Firefox

Spybot search and destroy detects nothing.

Have done disk clean up and defragged.

Thank you for your help in anticipation!


DDS log


DDS (Ver_09-12-01.01) - NTFSx86
Run by Deenagh at 1:36:32.14 on 16/12/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1215.639 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\GEARSEC.EXE
C:\WINDOWS\system32\lxctcoms.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\apps\ABoard\ABoard.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Deenagh\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCH
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {cd9b7762-dfbc-42b1-bb30-02a78287b456} - metaspinner GmbH
BHO: {e9e027bf-c3f3-4022-8f6b-8f6d39a59684} - metaspinner GmbH
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C5F7A735-70F1-477F-8C36-6FF3C736017B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [VTTimer] VTTimer.exe
mRun: [Ulead AutoDetector v2] c:\program files\common files\ulead systems\autodetector\monitor.exe
mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
mRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [LXCTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCTtime.dll,_RunDLLEntry@16
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\viarai~1.lnk - c:\program files\via\raid\raid_tool.exe
uPolicies-explorer: EditLevel = 0 (0x0)
uPolicies-explorer: NoCommonGroups = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\inetrepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\inetrepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {E9D57C4D-B779-46DA-B2B1-754738186112} = 213.208.106.212,213.208.106.213
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\deenagh\applic~1\mozilla\firefox\profiles\p7fp5qlg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: d:\documents and settings\deenagh\application data\mozilla\firefox\profiles\p7fp5qlg.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: d:\documents and settings\deenagh\application data\mozilla\firefox\profiles\p7fp5qlg.default\extensions\support@ancestry.com\plugins\npImgCtl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 eusk2par;EUTRON SmartKey Parallel Driver;c:\windows\system32\drivers\eusk2par.sys [2007-2-11 24786]
R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\hwinfo32\HWiNFO32.SYS [2007-1-24 7040]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S3 eusk3usb;SmartKey 3 USB;c:\windows\system32\drivers\eusk3usb.sys [2007-2-11 45534]
S3 PAC207;CamMaestro 3.01 DU PC Camera;c:\windows\system32\drivers\pfc027.sys [2005-5-27 162304]

=============== Created Last 30 ================

2009-12-01 14:51:41 81 ----a-w- C:\CTX.DAT
2009-12-01 14:51:32 0 d-----w- d:\documents and settings\deenagh\Citrix
2009-11-21 02:15:52 0 d-----w- c:\program files\IndependentOwners

==================== Find3M ====================

2009-10-28 14:36:11 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54:16 634632 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-10-28 06:52:46 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2006-02-25 13:37:52 1030 --sha-w- c:\windows\system\nodemgr.sys

============= FINISH: 1:36:44.92 ===============
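
Both DDS logs in this thread carry a "Pseudo HJT Report" section whose lines follow a fixed shape (BHO/TB entries with a CLSID and a target, uRun/mRun/dRun autoruns, defanged hxxp:// URLs). As an added example, not part of this thread, of DDS, or of BleepingComputer's procedure, the Python script below parses lines in that format and flags the entries a log reviewer looks at first. The sample lines are modelled on the log above; the "Example Updater" autorun is a constructed entry used only to exercise the user-writable-path check.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the "Pseudo HJT Report" lines in this thread's DDS logs.
# The "Example Updater" autorun is made up for illustration; the other lines mirror the thread.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.co.uk/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {cd9b7762-dfbc-42b1-bb30-02a78287b456} - metaspinner GmbH
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VTTimer] VTTimer.exe
uRun: [Example Updater] d:\docume~1\deenagh\applic~1\updater\upd.exe /silent
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
"""

# Browser helper objects and toolbars: optional friendly name, the CLSID, then the target DLL or a note.
COM_LINE = re.compile(
    r"^(?P<kind>BHO|TB): (?:(?P<name>.+?): )?\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.+)$"
)
# Autorun entries; the prefix is u (current user), m (machine) or d (default user) Run key.
RUN_LINE = re.compile(r"^(?P<scope>[umd])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Directories an unattended autorun would not normally be launched from.
USER_WRITABLE = re.compile(
    r"(docume~1|documents and settings|applic~1|application data|\\temp\\|local settings)", re.I
)


def refang(url: str) -> str:
    """DDS writes hxxp:// so pasted logs are not clickable; restore the scheme for a lookup."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)


def executable_of(cmd: str) -> str:
    """Best-effort split of an autorun command into the program that is launched."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # Unquoted: cut at the first switch (" /R", " -osboot"); paths with spaces survive.
    return re.split(r"\s+[/-]", cmd, maxsplit=1)[0]


def triage(report: str) -> List[Dict[str, str]]:
    """Return one finding per line that a log reviewer would examine before anything else."""
    findings: List[Dict[str, str]] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        com = COM_LINE.match(line)
        if com:
            target = com["target"]
            if target == "No File":
                # The registration points at a DLL that is gone: an orphan left by removed software.
                findings.append({"line": line, "clsid": com["clsid"],
                                 "reason": "orphaned registration (No File)"})
            elif not com["name"] and "\\" not in target:
                # No friendly name and no on-disk path: DDS could only print the publisher string.
                findings.append({"line": line, "clsid": com["clsid"],
                                 "reason": "unidentified component, look up the CLSID"})
            continue
        run = RUN_LINE.match(line)
        if run:
            exe = executable_of(run["cmd"])
            if "\\" not in exe:
                # A bare file name is resolved via the search path; the log cannot say which binary runs.
                findings.append({"line": line, "name": run["name"],
                                 "reason": "autorun without a full path"})
            elif USER_WRITABLE.search(exe):
                findings.append({"line": line, "name": run["name"],
                                 "reason": "autorun from a user-writable location"})
            continue
        for url in re.findall(r"hxxps?://\S+", line, flags=re.I):
            findings.append({"line": line, "url": refang(url), "reason": "external URL (check the host)"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f['reason']:45} {f['line']}")
```

Paste the whole Pseudo HJT section into `triage()` to get the same list for a real log; a "No File" entry is clutter rather than an infection on its own, so the output is a review queue, not a verdict.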



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,066 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:49 AM

Posted 28 December 2009 - 02:13 PM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient, and I'd be grateful if you would note the following:
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log
Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#3 dexterlady

dexterlady
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:49 AM

Posted 28 December 2009 - 06:18 PM

Hi Elise

Thank you for your reply.

Since posting I have done a few things to my computer and used malwarebytes anti-malware in safe mode.

I am not entirely sure that the problems originally encountered (slow computer, browser re-directs, MS Outlook crashing) have entirely gone, so I will do a DDS run now and post it as well as gmer as you instructed.

#4 dexterlady

dexterlady
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:49 AM

Posted 28 December 2009 - 08:36 PM

Here is the DDS log



DDS (Ver_09-12-01.01) - NTFSx86
Run by user at 23:20:18.16 on 28/12/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1215.175 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\apps\ABoard\ABoard.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\DAEMON Tools\daemon.exe
svchost.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\GEARSEC.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
D:\Documents and Settings\Deenagh\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {cd9b7762-dfbc-42b1-bb30-02a78287b456} - metaspinner GmbH
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {e9e027bf-c3f3-4022-8f6b-8f6d39a59684} - metaspinner GmbH
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C5F7A735-70F1-477F-8C36-6FF3C736017B} - No File
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [VTTimer] VTTimer.exe
mRun: [Ulead AutoDetector v2] c:\program files\common files\ulead systems\autodetector\monitor.exe
mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
mRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [LXCTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCTtime.dll,_RunDLLEntry@16
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\viarai~1.lnk - c:\program files\via\raid\raid_tool.exe
uPolicies-explorer: EditLevel = 0 (0x0)
uPolicies-explorer: NoCommonGroups = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\inetrepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\inetrepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {E9D57C4D-B779-46DA-B2B1-754738186112} = 213.208.106.212,213.208.106.213
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\deenagh\applic~1\mozilla\firefox\profiles\p7fp5qlg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: d:\documents and settings\deenagh\application data\mozilla\firefox\profiles\p7fp5qlg.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-16 64288]
R1 eusk2par;EUTRON SmartKey Parallel Driver;c:\windows\system32\drivers\eusk2par.sys [2007-2-11 24786]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-12-15 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-12-15 337000]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\hwinfo32\HWiNFO32.SYS [2007-1-24 7040]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2009-12-15 972008]
S3 eusk3usb;SmartKey 3 USB;c:\windows\system32\drivers\eusk3usb.sys [2007-2-11 45534]
S3 PAC207;CamMaestro 3.01 DU PC Camera;c:\windows\system32\drivers\pfc027.sys [2005-5-27 162304]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]

=============== Created Last 30 ================

2009-12-18 22:06:27 0 d-----w- d:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-18 22:06:18 0 d-----w- d:\docume~1\deenagh\applic~1\SUPERAntiSpyware.com
2009-12-18 22:06:18 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-18 19:19:13 3168 ----a-w- c:\windows\system32\tmp.reg
2009-12-18 18:35:28 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-18 16:48:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-12-18 16:48:57 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-18 11:57:22 0 d-----w- d:\docume~1\deenagh\applic~1\Trusteer
2009-12-18 11:57:14 0 d-----w- c:\program files\Trusteer
2009-12-18 11:51:48 0 d-----w- d:\docume~1\alluse~1\applic~1\Trusteer
2009-12-16 16:27:45 0 d-----w- d:\docume~1\deenagh\applic~1\Malwarebytes
2009-12-16 16:27:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-16 16:27:40 0 d-----w- d:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-16 16:27:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-16 16:27:39 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-16 15:56:36 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-16 14:46:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-16 14:45:09 0 dc-h--w- d:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-16 14:44:28 0 d-----w- c:\program files\Lavasoft
2009-12-01 14:51:41 81 ----a-w- C:\CTX.DAT
2009-12-01 14:51:32 0 d-----w- d:\documents and settings\deenagh\Citrix

==================== Find3M ====================

2009-10-28 14:36:11 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54:16 634632 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-10-28 06:52:46 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2006-02-25 13:37:52 1030 --sha-w- c:\windows\system\nodemgr.sys

============= FINISH: 23:21:35.97 ===============


Attach log


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 20/12/2005 20:53:00
System Uptime: 24/12/2009 11:24:57 (108 hours ago)

Motherboard: NEC COMPUTERS INTERNATIONAL | | K8M800-8237
Processor: AMD Sempron™ Processor 3000+ | Socket 754 | 1808/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 23 GiB total, 10.799 GiB free.
D: is FIXED (NTFS) - 46 GiB total, 24.645 GiB free.
E: is CDROM (CDFS)
G: is CDROM (CDFS)
H: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 18/12/2009 22:59:20 - System Checkpoint
RP2: 19/12/2009 23:02:56 - System Checkpoint
RP3: 21/12/2009 00:02:59 - System Checkpoint
RP4: 22/12/2009 00:17:27 - System Checkpoint
RP5: 23/12/2009 22:17:27 - System Checkpoint
RP6: 24/12/2009 22:29:19 - System Checkpoint
RP7: 25/12/2009 23:29:17 - System Checkpoint
RP8: 27/12/2009 00:29:18 - System Checkpoint
RP9: 28/12/2009 01:29:21 - System Checkpoint

==== Installed Programs ======================

ABBYY FineReader 6.0 Sprint
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Adobe Shockwave Player
ArcSoft WebCam Companion
BuildDesk Expert 3.2 UK
CamMaestro 3.01 DU PC Camera
Compatibility Pack for the 2007 Office system
Creative Jukebox Driver
Creative MediaSource
Creative Removable Disk Manager
Creative System Information
Creative Zen
Critical Update for Windows Media Player 11 (KB959772)
deskPDF 2.5 Standard Edition
GEAR Drivers
GenoPro 2.0.1.6
Google Earth
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HWiNFO32 Version 1.72
iCAMView Utility
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 17
Lexmark 5400 Series
Lexmark Precision Photo
Lexmark Toolbar
Macromedia Flash Player 8
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync 3.7
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher 2007
Microsoft Office Publisher 2007 Trial
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Sync Framework Runtime v1.0 (x86)
Microsoft Sync Framework Services v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MotionPicture Screen Saver
Mozilla Firefox (3.5.6)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Personal Ancestral File 5
Platform
Rapport
RealPlayer
Realtek AC'97 Audio
S3GSetup
Sage Accounts 8.20
Samsung SCX-4200 Series
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SmarThru 4
Sonic RecordNow!
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
SyncToy 2.0 (x86)
Ultimate Mahjongg 5
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB Driver for Panasonic DVC
VIA Platform Device Manager
VIA/S3G Display Driver
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebCam Driver for Panasonic DVC
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WinZip

==== Event Viewer Messages From Past Week ========

26/12/2009 16:20:15, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 3 time(s).
26/12/2009 15:49:19, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
26/12/2009 15:18:24, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
24/12/2009 11:25:25, error: Dhcp [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 001485B03A5B has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
22/12/2009 11:10:42, error: Service Control Manager [7034] - The Rapport Management Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================


GMER log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-29 01:30:17
Windows 5.1.2600 Service Pack 3
Running: f1k757qf.exe; Driver: D:\DOCUME~1\user\LOCALS~1\Temp\fwrdrpob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xB8C1DD36]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xB8C1E442]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA98887E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xB8C1E58E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteKey [0xB8C21CC6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteValueKey [0xB8C21CF8]
SSDT sptd.sys ZwEnumerateKey [0xBA6DCC7E]
SSDT sptd.sys ZwEnumerateValueKey [0xBA6DCFF6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xB8C1E4F2]
SSDT sptd.sys ZwOpenKey [0xBA6DCA18]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenProcess [0xB8C1DE7A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenThread [0xB8C1E06C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xB8C1E19E]
SSDT sptd.sys ZwQueryKey [0xBA6DD0C0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xB8C21DCC]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xB8C21D36]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xB8C21D68]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xB8C21D9A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xB8C1DCE4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xB8C1E5EE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetValueKey [0xB8C21C66]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xB8C1DC88]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateProcess [0xB8C1DBE4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xB8C1DC2C]

INT 0x93 \??\C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys (RapportKE/Trusteer Ltd.) BAACD800

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\SPTD5069.SYS The process cannot access the file because it is being used by another process.
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 BA05D4D0 16 Bytes [0A, 48, 61, 4D, CF, A7, 73, ...] {OR CL, [EAX+0x61]; DEC EBP; IRET ; CMPSD ; JAE 0xffffffffffffffcb; STOSB ; MOVSB ; POP SS; DEC EAX; OR [EBX+ECX*8], AL; INT1 }
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 BA05D4E1 31 Bytes [C0, 05, BA, 90, 65, 39, 75, ...]
? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Java\jre6\bin\jusched.exe[176] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 0132299A
.text C:\Program Files\Java\jre6\bin\jusched.exe[176] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 0132294A
.text C:\Program Files\Java\jre6\bin\jusched.exe[176] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 0132290E
.text C:\Program Files\Java\jre6\bin\jusched.exe[176] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 013228F2
.text C:\Program Files\Java\jre6\bin\jusched.exe[176] ws2_32.dll!send 71AB4C27 5 Bytes JMP 0132277E
.text C:\Program Files\Java\jre6\bin\jusched.exe[176] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01322870
.text C:\Program Files\Java\jre6\bin\jusched.exe[176] ws2_32.dll!recv 71AB676F 5 Bytes JMP 013227B6
.text C:\Program Files\Java\jre6\bin\jusched.exe[176] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 013227EE
.text C:\WINDOWS\system32\lxctcoms.exe[400] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00E6299A
.text C:\WINDOWS\system32\lxctcoms.exe[400] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00E6294A
.text C:\WINDOWS\system32\lxctcoms.exe[400] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00E6290E
.text C:\WINDOWS\system32\lxctcoms.exe[400] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E628F2
.text C:\WINDOWS\system32\lxctcoms.exe[400] ws2_32.dll!send 71AB4C27 5 Bytes JMP 00E6277E
.text C:\WINDOWS\system32\lxctcoms.exe[400] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E62870
.text C:\WINDOWS\system32\lxctcoms.exe[400] ws2_32.dll!recv 71AB676F 5 Bytes JMP 00E627B6
.text C:\WINDOWS\system32\lxctcoms.exe[400] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E627EE
.text C:\WINDOWS\system32\tcpsvcs.exe[516] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 0084299A
.text C:\WINDOWS\system32\tcpsvcs.exe[516] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 0084294A
.text C:\WINDOWS\system32\tcpsvcs.exe[516] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 0084290E
.text C:\WINDOWS\system32\tcpsvcs.exe[516] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 008428F2
.text C:\WINDOWS\system32\tcpsvcs.exe[516] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0084277E
.text C:\WINDOWS\system32\tcpsvcs.exe[516] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00842870
.text C:\WINDOWS\system32\tcpsvcs.exe[516] WS2_32.dll!recv 71AB676F 5 Bytes JMP 008427B6
.text C:\WINDOWS\system32\tcpsvcs.exe[516] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 008427EE
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[988] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00C6299A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[988] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00C6294A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[988] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00C6290E
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[988] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C628F2
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[988] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C6277E
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[988] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C62870
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[988] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C627B6
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[988] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C627EE
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[1184] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 004348F0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[1184] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 716B001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[1184] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71680022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[1184] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 716E0022
.text C:\WINDOWS\Explorer.EXE[1664] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 0170299A
.text C:\WINDOWS\Explorer.EXE[1664] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 0170294A
.text C:\WINDOWS\Explorer.EXE[1664] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 0170290E
.text C:\WINDOWS\Explorer.EXE[1664] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 017028F2
.text C:\WINDOWS\Explorer.EXE[1664] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0170277E
.text C:\WINDOWS\Explorer.EXE[1664] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01702870
.text C:\WINDOWS\Explorer.EXE[1664] WS2_32.dll!recv 71AB676F 5 Bytes JMP 017027B6
.text C:\WINDOWS\Explorer.EXE[1664] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 017027EE
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2412] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00C8299A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2412] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00C8294A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2412] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00C8290E
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2412] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C828F2
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2412] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C8277E
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2412] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C82870
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2412] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C827B6
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2412] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C827EE
.text C:\WINDOWS\System32\alg.exe[2572] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00AB299A
.text C:\WINDOWS\System32\alg.exe[2572] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00AB294A
.text C:\WINDOWS\System32\alg.exe[2572] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00AB290E
.text C:\WINDOWS\System32\alg.exe[2572] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00AB28F2
.text C:\WINDOWS\System32\alg.exe[2572] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00AB277E
.text C:\WINDOWS\System32\alg.exe[2572] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00AB2870
.text C:\WINDOWS\System32\alg.exe[2572] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00AB27B6
.text C:\WINDOWS\System32\alg.exe[2572] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00AB27EE
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5020] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00EF299A
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5020] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00EF294A
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5020] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00EF290E
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5020] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EF28F2
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5020] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EF277E
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5020] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00EF2870
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5020] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EF27B6
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[5020] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00EF27EE

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortInitialize] [BA6CAF74] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortLogError] [BA6C3ECC] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortStallExecution] [BA6C40D4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortMoveMemory] [BA6C3F4C] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortGetVirtualAddress] [BA6C4068] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [BA6BFAFA] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortValidateRange] [BA6C40A4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortConvertUlongToPhysicalAddress] [BA6C40AE] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortGetBusData] [BA6C0416] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortFreeDeviceBase] [BA6BFC28] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [BA6C3FE4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [BA6C0508] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortNotification] [BA6C40E6] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortGetLogicalUnit] [BA6C3DE2] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cpqarray.sys[SCSIPORT.SYS!ScsiPortCompleteRequest] [BA6C446A] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6D8A32] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6D8B6E] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6D8AF6] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6D96CC] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6D95A2] sptd.sys
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [BA6C3FE4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortLogError] [BA6C3ECC] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortStallExecution] [BA6C40D4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [BA6BFAFA] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortConvertUlongToPhysicalAddress] [BA6C40AE] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortGetBusData] [BA6C0416] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortFreeDeviceBase] [BA6BFC28] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortNotification] [BA6C40E6] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortGetLogicalUnit] [BA6C3DE2] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortGetVirtualAddress] [BA6C4068] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortMoveMemory] [BA6C3F4C] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortCompleteRequest] [BA6C446A] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [BA6C0508] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aha154x.sys[SCSIPORT.SYS!ScsiPortInitialize] [BA6CAF74] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [BA6BFAFA] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortFreeDeviceBase] [BA6BFC28] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [BA6C3FE4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortNotification] [BA6C40E6] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortGetBusData] [BA6C0416] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortSetBusDataByOffset] [BA6BFCF4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortGetLogicalUnit] [BA6C3DE2] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortLogError] [BA6C3ECC] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortStallExecution] [BA6C40D4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [BA6C0508] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78xx.sys[SCSIPORT.SYS!ScsiPortInitialize] [BA6CAF74] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortStallExecution] [BA6C40D4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [BA6C3FE4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortLogError] [BA6C3ECC] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortNotification] [BA6C40E6] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [BA6C0508] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortFreeDeviceBase] [BA6BFC28] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [BA6BFAFA] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortConvertUlongToPhysicalAddress] [BA6C40AE] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortSetBusDataByOffset] [BA6BFCF4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortGetBusData] [BA6C0416] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dac960nt.sys[SCSIPORT.SYS!ScsiPortInitialize] [BA6CAF74] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortLogError] [BA6C3ECC] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortNotification] [BA6C40E6] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortStallExecution] [BA6C40D4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [BA6C3FE4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortSetBusDataByOffset] [BA6BFCF4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortGetBusData] [BA6C0416] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortGetLogicalUnit] [BA6C3DE2] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortMoveMemory] [BA6C3F4C] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [BA6C0508] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortFreeDeviceBase] [BA6BFC28] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [BA6BFAFA] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql10wnt.sys[SCSIPORT.SYS!ScsiPortInitialize] [BA6CAF74] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortCompleteRequest] [BA6C446A] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortGetLogicalUnit] [BA6C3DE2] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortNotification] [BA6C40E6] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortGetSrb] [BA6C3F9E] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortLogError] [BA6C3ECC] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortSetBusDataByOffset] [BA6BFCF4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortGetBusData] [BA6C0416] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [BA6BFAFA] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortStallExecution] [BA6C40D4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [BA6C3FE4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [BA6C0508] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortValidateRange] [BA6C40A4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortGetVirtualAddress] [BA6C4068] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT amsint.sys[SCSIPORT.SYS!ScsiPortInitialize] [BA6CAF74] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortInitialize] [BA6CAF74] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [BA6BFAFA] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [BA6C0508] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortCompleteRequest] [BA6C446A] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortGetBusData] [BA6C0416] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortLogError] [BA6C3ECC] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortNotification] [BA6C40E6] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortMoveMemory] [BA6C3F4C] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [BA6C3FE4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT i2omp.sys[SCSIPORT.SYS!ScsiPortStallExecution] [BA6C40D4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ini910u.sys[SCSIPORT.SYS!ScsiPortStallExecution] [BA6C40D4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ini910u.sys[SCSIPORT.SYS!ScsiPortNotification] [BA6C40E6] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ini910u.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [BA6C3FE4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ini910u.sys[SCSIPORT.SYS!ScsiDebugPrint] [BA6C3F98] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ini910u.sys[SCSIPORT.SYS!ScsiPortCompleteRequest] [BA6C446A] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ini910u.sys[SCSIPORT.SYS!ScsiPortGetSrb] [BA6C3F9E] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ini910u.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [BA6BFAFA] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ini910u.sys[SCSIPORT.SYS!ScsiPortValidateRange] [BA6C40A4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ini910u.sys[SCSIPORT.SYS!ScsiPortInitialize] [BA6CAF74] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortLogError] [BA6C3ECC] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortNotification] [BA6C40E6] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortStallExecution] [BA6C40D4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [BA6C3FE4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortSetBusDataByOffset] [BA6BFCF4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortGetBusData] [BA6C0416] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortMoveMemory] [BA6C3F4C] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortFreeDeviceBase] [BA6BFC28] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [BA6C0508] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [BA6BFAFA] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ql1240.sys[SCSIPORT.SYS!ScsiPortInitialize] [BA6CAF74] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [BA6BFAFA] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortFreeDeviceBase] [BA6BFC28] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [BA6C3FE4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortNotification] [BA6C40E6] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortGetBusData] [BA6C0416] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortSetBusDataByOffset] [BA6BFCF4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortGetLogicalUnit] [BA6C3DE2] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortLogError] [BA6C3ECC] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortStallExecution] [BA6C40D4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [BA6C0508] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortInitialize] [BA6CAF74] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortFreeDeviceBase] [BA6BFC28] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortGetDeviceBase] [BA6BFAFA] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortValidateRange] [BA6C40A4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortConvertUlongToPhysicalAddress] [BA6C40AE] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortGetBusData] [BA6C0416] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortNotification] [BA6C40E6] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortStallExecution] [BA6C40D4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [BA6C3FE4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortSetBusDataByOffset] [BA6BFCF4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortCompleteRequest] [BA6C446A] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [BA6C0508] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortInitialize] [BA6CAF74] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT asc3350p.sys[SCSIPORT.SYS!ScsiPortNotification] [BA6C40E6] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT asc3350p.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [BA6C3FE4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT asc3350p.sys[SCSIPORT.SYS!ScsiPortStallExecution] [BA6C40D4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT asc3350p.sys[SCSIPORT.SYS!ScsiPortCompleteRequest] [BA6C446A] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT asc3350p.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [BA6C0508] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT asc3350p.sys[SCSIPORT.SYS!ScsiPortValidateRange] [BA6C40A4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT asc3350p.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [BA6BFAFA] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT asc3350p.sys[SCSIPORT.SYS!ScsiPortConvertUlongToPhysicalAddress] [BA6C40AE] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT asc3350p.sys[SCSIPORT.SYS!ScsiPortInitialize] [BA6CAF74] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cd20xrnt.sys[SCSIPORT.SYS!ScsiPortNotification] [BA6C40E6] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cd20xrnt.sys[SCSIPORT.SYS!ScsiPortCompleteRequest] [BA6C446A] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cd20xrnt.sys[SCSIPORT.SYS!ScsiDebugPrint] [BA6C3F98] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cd20xrnt.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [BA6BFAFA] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cd20xrnt.sys[SCSIPORT.SYS!ScsiPortInitialize] [BA6CAF74] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [BA6BFAFA] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortFreeDeviceBase] [BA6BFC28] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [BA6C3FE4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortNotification] [BA6C40E6] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortGetBusData] [BA6C0416] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortSetBusDataByOffset] [BA6BFCF4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortStallExecution] [BA6C40D4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortGetLogicalUnit] [BA6C3DE2] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortLogError] [BA6C3ECC] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [BA6C0508] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT adpu160m.sys[SCSIPORT.SYS!ScsiPortInitialize] [BA6CAF74] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [BA6C3FE4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortNotification] [BA6C40E6] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortMoveMemory] [BA6C3F4C] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [BA6BFAFA] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortConvertUlongToPhysicalAddress] [BA6C40AE] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortStallExecution] [BA6C40D4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortGetVirtualAddress] [BA6C4068] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortLogError] [BA6C3ECC] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [BA6C0508] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortValidateRange] [BA6C40A4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortSetBusDataByOffset] [BA6BFCF4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortGetBusData] [BA6C0416] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT dpti2o.sys[SCSIPORT.SYS!ScsiPortInitialize] [BA6CAF74] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT perc2.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [BA6C3FE4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT perc2.sys[SCSIPORT.SYS!ScsiPortNotification] [BA6C40E6] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT perc2.sys[SCSIPORT.SYS!ScsiPortMoveMemory] [BA6C3F4C] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT perc2.sys[SCSIPORT.SYS!ScsiPortCompleteRequest] [BA6C446A] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT perc2.sys[SCSIPORT.SYS!ScsiPortLogError] [BA6C3ECC] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT perc2.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [BA6BFAFA] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT perc2.sys[SCSIPORT.SYS!ScsiPortGetBusData] [BA6C0416] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT perc2.sys[SCSIPORT.SYS!ScsiPortInitialize] [BA6CAF74] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT perc2.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [BA6C0508] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT perc2.sys[SCSIPORT.SYS!ScsiPortStallExecution] [BA6C40D4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT hpn.sys[SCSIPORT.SYS!ScsiPortGetPhysicalAddress] [BA6C3FE4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT hpn.sys[SCSIPORT.SYS!ScsiPortNotification] [BA6C40E6] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT hpn.sys[SCSIPORT.SYS!ScsiPortMoveMemory] [BA6C3F4C] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT hpn.sys[SCSIPORT.SYS!ScsiPortCompleteRequest] [BA6C446A] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT hpn.sys[SCSIPORT.SYS!ScsiPortLogError] [BA6C3ECC] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT hpn.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [BA6BFAFA] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT hpn.sys[SCSIPORT.SYS!ScsiPortGetBusData] [BA6C0416] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT hpn.sys[SCSIPORT.SYS!ScsiPortInitialize] [BA6CAF74] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT hpn.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [BA6C0508] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT hpn.sys[SCSIPORT.SYS!ScsiPortStallExecution] [BA6C40D4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cbidf2k.sys[SCSIPORT.SYS!ScsiPortMoveMemory] [BA6C3F4C] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cbidf2k.sys[SCSIPORT.SYS!ScsiPortStallExecution] [BA6C40D4] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cbidf2k.sys[SCSIPORT.SYS!ScsiPortLogError] [BA6C3ECC] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cbidf2k.sys[SCSIPORT.SYS!ScsiPortNotification] [BA6C40E6] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cbidf2k.sys[SCSIPORT.SYS!ScsiPortFreeDeviceBase] [BA6BFC28] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cbidf2k.sys[SCSIPORT.SYS!ScsiPortConvertUlongToPhysicalAddress] [BA6C40AE] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cbidf2k.sys[SCSIPORT.SYS!ScsiPortGetDeviceBase] [BA6BFAFA] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cbidf2k.sys[SCSIPORT.SYS!ScsiPortCompleteRequest] [BA6C446A] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT cbidf2k.sys[SCSIPORT.SYS!ScsiPortInitialize] [BA6CAF74] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6FAC82] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89780EB0

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\00000050 \Device\00000070 sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 897CC1D0
Device \Driver\Ftdisk \Device\HarddiskVolume2 897CC1D0
Device \Driver\Cdrom \Device\CdRom0 895AC3C8
Device \FileSystem\Rdbss \Device\FsWrap 893254E0
Device \Driver\Ftdisk \Device\HarddiskVolume3 897CC1D0
Device \Driver\Cdrom \Device\CdRom1 895AC3C8
Device \Driver\atapi \Device\Ide\IdePort0 [BA63AB40] atapi.sys[unknown section] {MOV EAX, 0x89783b18; XCHG [ESP], EAX; PUSH EAX; PUSH 0xba6ed442; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [BA63AB40] atapi.sys[unknown section] {MOV EAX, 0x89783b18; XCHG [ESP], EAX; PUSH EAX; PUSH 0xba6ed442; RET }
Device \Driver\atapi \Device\Ide\IdePort1 [BA63AB40] atapi.sys[unknown section] {MOV EAX, 0x89783b18; XCHG [ESP], EAX; PUSH EAX; PUSH 0xba6ed442; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [BA63AB40] atapi.sys[unknown section] {MOV EAX, 0x89783b18; XCHG [ESP], EAX; PUSH EAX; PUSH 0xba6ed442; RET }
Device \Driver\Cdrom \Device\CdRom2 895AC3C8
Device \Driver\ACPI \Device\00000080 895A4F00
Device \Driver\ACPI \Device\00000081 895A4F00
Device \Driver\ACPI \Device\00000082 895A4F00
Device \Driver\ACPI \Device\00000076 895A4F00
Device \Driver\NetBT \Device\NetBt_Wins_Export 892F0EB0
Device \Driver\ACPI \Device\00000083 895A4F00
Device \Driver\NetBT \Device\NetBT_Tcpip_{E9D57C4D-B779-46DA-B2B1-754738186112} 892F0EB0
Device \Driver\NetBT \Device\NetbiosSmb 892F0EB0
Device \Driver\ACPI \Device\00000079 895A4F00
Device \Driver\ACPI \Device\00000086 895A4F00
Device \Driver\ACPI \Device\00000087 895A4F00
Device \Driver\ACPI \Device\00000089 895A4F00
Device \Driver\Disk \Device\Harddisk0\DR0 897800E8
Device \Driver\ACPI \Device\0000006b 895A4F00
Device \Driver\ACPI \Device\0000007a 895A4F00
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89333968
Device \Driver\ACPI \Device\0000007b 895A4F00
Device \Driver\ACPI \Device\0000006e 895A4F00
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89333968
Device \Driver\ACPI \Device\0000007c 895A4F00
Device \FileSystem\Npfs \Device\NamedPipe 89330558
Device \Driver\Ftdisk \Device\FtControl 897CC1D0
Device \Driver\ACPI \Device\0000007d 895A4F00
Device \FileSystem\Msfs \Device\Mailslot 89310EB0
Device \Driver\ACPI \Device\0000008a 895A4F00
Device \Driver\ACPI \Device\0000007e 895A4F00
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target1Lun0 8932EC80
Device \Driver\viamraid \Device\Scsi\viamraid1 897C93D0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 8932EC80
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 8932EC80
Device \FileSystem\Fastfat \Fat 88887D10
Device \FileSystem\Fastfat \Fat AEBA7297

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 89304B50

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 1017393826
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1578877982
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1135834449
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB3 0x80 0x75 0xA1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x2E 0x06 0x23 0xD0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x55 0xC1 0x25 0x74 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x55 0xC1 0x25 0x74 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB3 0x80 0x75 0xA1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x2E 0x06 0x23 0xD0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x55 0xC1 0x25 0x74 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x55 0xC1 0x25 0x74 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB3 0x80 0x75 0xA1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x2E 0x06 0x23 0xD0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x55 0xC1 0x25 0x74 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x55 0xC1 0x25 0x74 ...

---- EOF - GMER 1.0.15 ----
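For the GMER "IAT" section above, a small triage script (an added example, not part of this thread or of GMER) that parses the hook lines and groups them by the module GMER resolved each hook to, so that hooks fully accounted for by a known CD-emulation driver such as DAEMON Tools' SPTD can be separated from ones that still need investigation. The sample lines are constructed in the same format, and the allow-list and the `example_unknown.sys` / `hypothetical.sys` names are assumptions for illustration.

```python
"""Group GMER 'IAT' hook lines by the module that owns the hook.

Added example for triaging a GMER log such as the one posted above; it is not
part of the forum thread or of GMER. Each IAT line has the shape

    IAT <hooked image>[<import module>!<function>] [<address>] <hook owner>

and the script reports, per hook owner, which images and imports it hooks, then
lists owners that are not on an analyst-supplied allow-list of modules known to
hook SCSIPORT (here the SPTD driver that DeFogger disables).
"""
import re
from collections import defaultdict

IAT_RE = re.compile(
    r"^IAT\s+(?P<image>[^\[\s]+)\[(?P<module>[^!\]]+)!(?P<func>[^\]]+)\]\s+"
    r"\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<owner>\S.*?)\s*$"
)

# Constructed sample in GMER's log format: four lines in the shape of the log
# above, plus one line whose owner (example_unknown.sys) and hooked image
# (hypothetical.sys) are placeholders for a hook the allow-list does not explain.
SAMPLE_LOG = r"""
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortGetUncachedExtension] [BA6C0508] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT aic78u2.sys[SCSIPORT.SYS!ScsiPortInitialize] [BA6CAF74] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT ABP480N5.SYS[SCSIPORT.SYS!ScsiPortFreeDeviceBase] [BA6BFC28] \WINDOWS\System32\Drivers\SPTD5069.SYS
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6FAC82] sptd.sys
IAT hypothetical.sys[HAL.dll!READ_PORT_UCHAR] [BA6FAC82] \WINDOWS\System32\Drivers\example_unknown.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89780EB0
"""

# Hook owners the analyst expects on this machine (assumption for the example).
KNOWN_OWNERS = {"SPTD5069.SYS", "sptd.sys"}


def _basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_iat_lines(text):
    """Return one dict per IAT line; every other line is ignored."""
    hooks = []
    for line in text.splitlines():
        m = IAT_RE.match(line.strip())
        if m:
            hooks.append(m.groupdict())
    return hooks


def summarise_by_owner(hooks):
    """Map owner file name -> hooked images, hooked imports and hook count."""
    summary = defaultdict(lambda: {"images": set(), "imports": set(), "count": 0})
    for h in hooks:
        entry = summary[_basename(h["owner"])]
        entry["images"].add(_basename(h["image"]))
        entry["imports"].add(f'{h["module"]}!{h["func"]}')
        entry["count"] += 1
    return dict(summary)


def unexplained_owners(summary, known_owners):
    """Owners whose hooks the allow-list of known hooking modules does not cover."""
    known = {k.lower() for k in known_owners}
    return sorted(owner for owner in summary if owner not in known)


def triage(text, known_owners=KNOWN_OWNERS):
    """Parse a GMER log and return (per-owner summary, owners needing a look)."""
    summary = summarise_by_owner(parse_iat_lines(text))
    return summary, unexplained_owners(summary, known_owners)


if __name__ == "__main__":
    summary, suspicious = triage(SAMPLE_LOG)
    for owner, entry in sorted(summary.items()):
        print(f"{owner}: {entry['count']} hooks in {sorted(entry['images'])}")
    print("owners not on the allow-list:", suspicious or "none")
```

On the full log above every SCSIPORT hook resolves to SPTD5069.SYS and the single HAL hook to sptd.sys, which is why the next instruction is to disable the CD emulation driver before scanning again.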

#5 Elise

Posted 29 December 2009 - 03:05 AM

Hello dexterlady,

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


COMBOFIX
---------------
Please download ComboFix from one of these locations: Bleepingcomputer, ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[screenshot]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#6 dexterlady

Posted 29 December 2009 - 05:43 AM

Hi

Here is the ComboFix log.

ComboFix 09-12-28.05 - Deenagh 29/12/2009 11:06:34.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1215.768 [GMT 0:00]
Running from: d:\documents and settings\Deenagh\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-2065447393-1421300993-2910704980-1003
c:\recycler\S-1-5-21-3421700463-2875015409-2882359847-1003
c:\windows\system32\drivers\RKHit.sys
c:\windows\system32\tmp.reg
d:\documents and settings\All Users\Start Menu\Programs\UnInstall.lnk
d:\documents and settings\Deenagh\Local Settings\Temporary Internet Files\2020RP_TempGeneratedImage.jpg
d:\documents and settings\Deenagh\x.exe
d:\documents and settings\HelpAssistant\x.exe

.
original MBR restored successfully !
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_RKHIT
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.

2009-12-18 22:06 . 2009-12-18 22:06 -------- d-----w- d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-18 22:06 . 2009-12-18 22:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-18 22:06 . 2009-12-18 22:06 -------- d-----w- d:\documents and settings\Deenagh\Application Data\SUPERAntiSpyware.com
2009-12-18 18:35 . 2009-12-18 18:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-18 17:00 . 2009-12-18 17:01 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-18 16:48 . 2009-12-18 16:48 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-18 11:57 . 2009-12-18 11:57 -------- d-----w- d:\documents and settings\Deenagh\Application Data\Trusteer
2009-12-18 11:57 . 2009-12-18 11:57 -------- d-----w- c:\program files\Trusteer
2009-12-18 11:51 . 2009-12-18 11:51 -------- d-----w- d:\documents and settings\All Users\Application Data\Trusteer
2009-12-16 21:16 . 2009-12-16 21:16 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-16 16:27 . 2009-12-16 16:27 -------- d-----w- d:\documents and settings\Deenagh\Application Data\Malwarebytes
2009-12-16 16:27 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-16 16:27 . 2009-12-16 16:27 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-16 16:27 . 2009-12-16 16:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-16 16:27 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-16 15:56 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-16 14:46 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-16 14:45 . 2009-12-16 14:45 -------- dc-h--w- d:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-16 14:44 . 2009-12-16 14:46 -------- d-----w- d:\documents and settings\All Users\Application Data\Lavasoft
2009-12-16 14:44 . 2009-12-16 14:44 -------- d-----w- c:\program files\Lavasoft
2009-12-15 21:16 . 2009-12-15 21:16 -------- d-----w- d:\documents and settings\HelpAssistant\WINDOWS
2009-12-15 21:16 . 2009-12-15 21:16 -------- d-----w- d:\documents and settings\HelpAssistant\vw
2009-12-15 21:16 . 2009-12-15 21:16 -------- d-----w- d:\documents and settings\HelpAssistant\VirtualTourEditor
2009-12-15 21:16 . 2009-12-15 21:16 -------- d-----w- d:\documents and settings\HelpAssistant\UserData
2009-12-15 21:16 . 2009-12-15 21:16 -------- d-----w- d:\documents and settings\HelpAssistant\Shared
2009-12-15 21:16 . 2009-12-15 21:16 -------- d-----w- d:\documents and settings\HelpAssistant\Phone Browser
2009-12-15 18:36 . 2009-12-15 18:36 -------- d-----w- d:\documents and settings\HelpAssistant\Incomplete
2009-12-15 18:36 . 2009-12-15 18:36 -------- d-----w- d:\documents and settings\HelpAssistant\Contacts
2009-12-15 18:36 . 2009-12-15 18:36 -------- d-----w- d:\documents and settings\HelpAssistant\Citrix
2009-12-01 14:51 . 2009-12-01 14:51 81 ----a-w- C:\CTX.DAT
2009-12-01 14:51 . 2009-12-01 14:56 -------- d-----w- d:\documents and settings\Deenagh\Citrix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 10:57 . 2005-12-27 12:09 -------- d-----w- c:\program files\Lx_cats
2009-12-18 19:01 . 2009-12-19 18:02 211948 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2009-12-18 16:48 . 2005-10-13 19:05 -------- d-----w- c:\program files\Java
2009-12-18 11:57 . 2005-12-20 20:54 103352 ----a-w- d:\documents and settings\Deenagh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-16 14:53 . 2005-12-27 15:50 -------- d-----w- d:\documents and settings\Deenagh\Application Data\AdobeUM
2009-12-16 11:24 . 2005-12-22 21:58 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-16 10:55 . 2005-12-22 21:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-16 00:03 . 2005-10-13 19:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-15 23:21 . 2009-11-21 02:15 -------- d-----w- c:\program files\IndependentOwners
2009-12-15 23:18 . 2009-11-03 23:01 -------- d-----w- c:\program files\FamTree3
2009-12-15 23:18 . 2006-04-01 08:10 -------- d-----w- c:\program files\Docudesk
2009-12-15 10:08 . 2009-06-25 19:27 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Nitro PDF
2009-12-01 14:51 . 2009-06-25 06:34 -------- d-----w- d:\documents and settings\Deenagh\Application Data\Nitro PDF
2009-11-14 13:08 . 2009-11-14 13:08 -------- d-----w- d:\documents and settings\Deenagh\Application Data\Xenocode
2009-11-05 05:22 . 2009-11-05 05:22 -------- d-----w- c:\program files\SyncToy 2.0
2009-11-05 05:21 . 2009-11-05 05:21 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-11-03 23:01 . 2009-11-03 23:01 1409 ----a-w- c:\windows\Fonts\BUCKGM.FOT
2009-11-03 22:43 . 2009-11-03 22:33 -------- d-----w- c:\program files\GenoPro
2009-10-29 07:46 . 2004-08-10 15:38 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-10 15:37 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-10 15:37 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-10 15:38 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 15:37 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-03 22:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-10 15:38 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-10 15:38 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-10 15:38 79872 ----a-w- c:\windows\system32\raschap.dll
2006-02-25 13:37 . 1602-07-12 21:55 1030 --sha-w- c:\windows\system\nodemgr.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-30 1829712]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 90112]
"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]
"LXCTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-06-07 106496]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2006-08-16 503808]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-06 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-18 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2006-5-27 585728]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.sys

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryCardManager]
2004-02-02 13:58 139264 ----a-w- c:\program files\Lexmark\Lexmark Precision Photo\memcard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-09-22 14:44 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-01-20 19:04 77824 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2008-07-30 14:45 1829712 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-10-12 02:10 49263 ----a-w- c:\program files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-05-06 12:30 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\otherprograms\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\lxctcoms.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"4238:TCP"= 4238:TCP:Services
"3144:TCP"= 3144:TCP:Services
"2035:TCP"= 2035:TCP:Services

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [16/12/2009 14:46 64288]
R1 eusk2par;EUTRON SmartKey Parallel Driver;c:\windows\system32\drivers\eusk2par.sys [11/02/2007 23:23 24786]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [15/12/2009 13:37 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/12/2009 13:37 337000]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16:26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 74480]
R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [24/01/2007 18:48 7040]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/12/2009 13:37 972008]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [02/12/2009 13:19 1181328]
S3 eusk3usb;SmartKey 3 USB;c:\windows\system32\drivers\eusk3usb.sys [11/02/2007 23:23 45534]
S3 PAC207;CamMaestro 3.01 DU PC Camera;c:\windows\system32\drivers\pfc027.sys [27/05/2005 13:57 162304]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 7408]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [25/02/2006 10:33 642560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/
TCP: {E9D57C4D-B779-46DA-B2B1-754738186112} = 213.208.106.212,213.208.106.213
FF - ProfilePath - d:\documents and settings\Deenagh\Application Data\Mozilla\Firefox\Profiles\p7fp5qlg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: d:\documents and settings\Deenagh\Application Data\Mozilla\Firefox\Profiles\p7fp5qlg.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npagent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ISTray - c:\program files\Spyware Doctor\pctsTray.exe
MSConfigStartUp-PcSync - c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-29 11:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3945055753-3081336041-269820232-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5664)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\WebCam Companion\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ASTSRV.EXE
c:\windows\system32\CTsvcCDA.EXE
c:\windows\system32\GEARSEC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxctcoms.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\System32\PAStiSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\VTTimer.exe
c:\apps\ABoard\AOSD.exe
.
**************************************************************************
.
Completion time: 2009-12-29 11:44:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-29 11:44

Pre-Run: 11,508,383,744 bytes free
Post-Run: 11,414,986,752 bytes free

- - End Of File - - 8658F850AA03D9B78771B82326DC1CEF

Edited by dexterlady, 29 December 2009 - 06:46 AM.


#7 dexterlady

dexterlady
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:49 AM

Posted 29 December 2009 - 06:53 AM

Having done the ComboFix run as instructed (see log above), my MS Outlook program hangs whenever I try to do anything, like open an email, send and receive, etc. This was one of my original problems, which I had cured!!!

Edited by dexterlady, 29 December 2009 - 07:04 AM.


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,066 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:49 AM

Posted 29 December 2009 - 09:58 AM

Hello dexterlady,

Can you please let me know what you did to fix the problem with Outlook? Combofix did not remove anything that could explain this, but it did remove a nasty infection with backdoor capabilities. Therefore, please consider the following...

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



In your next reply, please include the following:
  • MBAM log

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 dexterlady

dexterlady
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:49 AM

Posted 29 December 2009 - 05:20 PM

Hi

Here is the MBAM log

I see the infected file was in HelpAssistant/. I know this is a Windows thing, but I have also noticed that this user HelpAssistant is new on my system. Can I disable it or remove all the files within it? They seem to be a mirror image of the files in my user name.

You asked what I did to get MS Outlook working before. I recall that I ran MBAM in safe mode, having disabled System Restore before I did it.



Malwarebytes' Anti-Malware 1.42
Database version: 3450
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

29/12/2009 22:10:04
mbam-log-2009-12-29 (22-10-04).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 243272
Time elapsed: 1 hour(s), 2 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\Documents and Settings\HelpAssistant\Local Settings\Application Data\Mozilla\Firefox\Profiles\p7fp5qlg.default\Cache\8278C4E6d01 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#10 dexterlady

dexterlady
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:49 AM

Posted 29 December 2009 - 05:22 PM

Just checked - MS Outlook still hanging - the only way to get out of it is to end the program. Also noticed that on closing down the computer SSMGR is also hanging.
Meant to ask you - what was the infection I had?

.......................Since writing this, Outlook has now started to work. I renamed outcmd.dat and restarted Outlook so that it would revert to its default settings. I do have huge inboxes, so I think it may have been trying to autoarchive but without asking me first.

Edited by dexterlady, 30 December 2009 - 01:36 AM.


#11 dexterlady

dexterlady
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:49 AM

Posted 30 December 2009 - 12:28 AM

I have also noticed that the computer has "Allow remote assistance invitations to be sent from this computer" switched on, so I have turned it off. (My Computer - Properties - Remote)

Regarding the user HelpAssistant, I have discovered that all the folders in there were created (or copied from mine) on 15th December (when my problems first started). I have now deleted all folders there too but have not deleted the user HelpAssistant.

Edited by dexterlady, 30 December 2009 - 01:42 AM.


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,066 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:49 AM

Posted 30 December 2009 - 04:09 AM

Hi dexterlady

For more information about the infection you had, look here

To get rid of the HelpAssistant altogether, do the following.

Right Click on My Computer and select Manage

- Within the Computer Manager window, double click on Local Users and Groups

- Double click on the Users folder

- On the right side of that window, you will see all of the available user accounts within your computer. Right Click on the HelpAssistant user account and select Properties

- In the HelpAssistant Properties window, you will see an option to disable the account. Place a check mark in the box next to that option

- Click OK twice to close those windows

- Close the Computer Management window

- Restart the computer

Once you restart, the HelpAssistant user profile should not be listed under Documents and Settings. If it is, simply delete it.


Please let me know how everything is running and what issues you are still having.

regards, Elise




#13 dexterlady

dexterlady
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:49 AM

Posted 30 December 2009 - 06:31 AM

Hi

Cannot delete HelpAssistant from My Computer - Manage. I found the user in My Computer - Properties - Users. Tried deleting but cannot fully delete it. Did a search using Explorer - found the folder and tried to delete it - telling me that I cannot access logs - access denied. I cannot see how to disable HelpAssistant.

Was I right to turn off allowing the computer to call for remote help as outlined in previous reply?

I ran another MBAM this morning and all is clear.

When should I turn on the CD emulation mode again?

In the meantime, very many thanks for your help - much appreciated.

__________________________________________________________________

Re HelpAssistant - the folders I cannot delete are to do with Trusteer Rapport, which is a website protection program I have, so I am not worried about them.

Edited by dexterlady, 30 December 2009 - 07:11 AM.


#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,066 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:49 AM

Posted 30 December 2009 - 09:09 AM

Hello dexterlady,

Was I right to turn off allowing the computer to call for remote help as outlined in previous reply?

Yes, that's a safe thing to do.


INSTALL ANTIVIRUS
---------------------------
I don't see an antivirus program running on your machine.

Download and install an antivirus program, and make sure that you keep it updated.
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Two good antivirus programs free for non-commercial home use are Avast! and Antivir.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.


CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-
"135:TCP"=-
"5000:TCP"=-
"5001:TCP"=-
"5002:TCP"=-
"5003:TCP"=-
"5004:TCP"=-
"5005:TCP"=-
"5006:TCP"=-
"5007:TCP"=-
"5008:TCP"=-
"5009:TCP"=-
"5010:TCP"=-
"5011:TCP"=-
"5012:TCP"=-
"5013:TCP"=-
"5014:TCP"=-
"5015:TCP"=-
"5016:TCP"=-
"5017:TCP"=-
"5018:TCP"=-
"5019:TCP"=-
"5020:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"3246:TCP"=-
"4238:TCP"=-
"3144:TCP"=-
"2035:TCP"=-
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise




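As an added example (not code from the thread, from ComboFix or from Elise), here is a small Python audit of the GloballyOpenPorts list that the CF-script above empties: it parses a constructed registry export of that key, flags enabled entries that are not on a file-and-print baseline (an assumed allow-list), groups consecutive port numbers such as the 5000-5020 run seen in the script, and renders the removal lines in the same `"port:proto"=-` CFScript form. The `port:proto:scope:state:name` value layout is the Windows XP SP2 firewall format as I know it; the sample export and the baseline are constructed for the example.

```python
"""Audit XP firewall GloballyOpenPorts entries and render a CFScript block.

Added example, not from the thread. The value-data layout
("port:proto:scope:Enabled|Disabled:name") follows the XP SP2 firewall
registry format; the sample export and BASELINE set are constructed.
"""
import re
from dataclasses import dataclass

# Key path in the abbreviated form ComboFix uses in its CFScript.
KEY = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
       r"\standardprofile\GloballyOpenPorts\List")

# Constructed sample export: a typical file-and-print baseline plus the
# kind of entries the thread's script removes (RDP and a run of high ports).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"5000:TCP"="5000:TCP:*:Enabled:svc"
"5001:TCP"="5001:TCP:*:Enabled:svc"
"5002:TCP"="5002:TCP:*:Enabled:svc"
"65533:TCP"="65533:TCP:*:Enabled:x"
'''

# Assumed allow-list: the default Windows file-and-printer-sharing ports.
BASELINE = {"139:TCP", "445:TCP", "137:UDP", "138:UDP"}

LINE_RE = re.compile(r'^"(?P<name>\d+:(?:TCP|UDP))"="(?P<data>[^"]*)"$')


@dataclass
class OpenPort:
    name: str      # registry value name, e.g. "3389:TCP"
    port: int
    proto: str
    scope: str     # "*" = any remote address, "LocalSubNet" = subnet only
    enabled: bool
    label: str


def parse_open_ports(export_text):
    """Parse "port:proto"="port:proto:scope:state:name" lines."""
    ports = []
    for raw in export_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # key header, blank line or unrelated value
        fields = m.group("data").split(":", 4)
        port, proto, scope, state = fields[:4]
        label = fields[4] if len(fields) > 4 else ""
        ports.append(OpenPort(m.group("name"), int(port), proto, scope,
                              state.lower() == "enabled", label))
    return ports


def suspicious_entries(ports, baseline=BASELINE):
    """Enabled exceptions that are not on the baseline allow-list."""
    return [p for p in ports if p.enabled and p.name not in baseline]


def consecutive_runs(ports, min_len=3):
    """Group ports into runs of consecutive numbers per protocol.

    A long contiguous run opened with a wildcard scope rarely comes from a
    legitimate installer; the thread's script removed 5000 through 5020.
    Returns (first_port, last_port, proto) tuples for runs >= min_len.
    """
    runs = []
    by_proto = {}
    for p in ports:
        by_proto.setdefault(p.proto, []).append(p.port)
    for proto, nums in by_proto.items():
        nums = sorted(set(nums))
        start = prev = nums[0]
        for n in nums[1:] + [None]:
            if n is not None and n == prev + 1:
                prev = n
                continue
            if prev - start + 1 >= min_len:
                runs.append((start, prev, proto))
            if n is not None:
                start = prev = n
    return runs


def render_cfscript(flagged):
    """Render the removal block in ComboFix's Registry:: syntax ("name"=-)."""
    lines = ["Registry::", f"[{KEY}]"]
    lines += [f'"{p.name}"=-' for p in flagged]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = suspicious_entries(parse_open_ports(SAMPLE_EXPORT))
    for p in found:
        print(f"flagged {p.name:>10} scope={p.scope} label={p.label}")
    print("consecutive runs:", consecutive_runs(found))
    print(render_cfscript(found))
```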
#15 dexterlady

dexterlady
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:49 AM

Posted 30 December 2009 - 09:53 AM

Here is the combo fix log.

Noted your comments re antivirus - I do have Spybot TeaTimer running. I also have protection when accessing sensitive websites.



ComboFix 09-12-28.05 - Deenagh 30/12/2009 14:42:25.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1215.672 [GMT 0:00]
Running from: d:\documents and settings\Deenagh\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Deenagh\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
.

2009-12-18 22:06 . 2009-12-18 22:06 -------- d-----w- d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-18 22:06 . 2009-12-18 22:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-18 22:06 . 2009-12-18 22:06 -------- d-----w- d:\documents and settings\Deenagh\Application Data\SUPERAntiSpyware.com
2009-12-18 18:35 . 2009-12-18 18:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-18 17:00 . 2009-12-18 17:01 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-18 16:48 . 2009-12-18 16:48 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-18 11:57 . 2009-12-18 11:57 -------- d-----w- d:\documents and settings\Deenagh\Application Data\Trusteer
2009-12-18 11:57 . 2009-12-18 11:57 -------- d-----w- c:\program files\Trusteer
2009-12-18 11:51 . 2009-12-18 11:51 -------- d-----w- d:\documents and settings\All Users\Application Data\Trusteer
2009-12-16 21:16 . 2009-12-16 21:16 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-16 16:27 . 2009-12-16 16:27 -------- d-----w- d:\documents and settings\Deenagh\Application Data\Malwarebytes
2009-12-16 16:27 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-16 16:27 . 2009-12-16 16:27 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-16 16:27 . 2009-12-16 16:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-16 16:27 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-16 15:56 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-16 14:46 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-16 14:45 . 2009-12-16 14:45 -------- dc-h--w- d:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-16 14:44 . 2009-12-16 14:46 -------- d-----w- d:\documents and settings\All Users\Application Data\Lavasoft
2009-12-16 14:44 . 2009-12-16 14:44 -------- d-----w- c:\program files\Lavasoft
2009-12-15 18:35 . 2009-12-30 11:24 -------- d-----w- d:\documents and settings\HelpAssistant
2009-12-01 14:51 . 2009-12-01 14:51 81 ----a-w- C:\CTX.DAT
2009-12-01 14:51 . 2009-12-01 14:56 -------- d-----w- d:\documents and settings\Deenagh\Citrix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 10:57 . 2005-12-27 12:09 -------- d-----w- c:\program files\Lx_cats
2009-12-18 16:48 . 2005-10-13 19:05 -------- d-----w- c:\program files\Java
2009-12-18 11:57 . 2005-12-20 20:54 103352 ----a-w- d:\documents and settings\Deenagh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-16 14:53 . 2005-12-27 15:50 -------- d-----w- d:\documents and settings\Deenagh\Application Data\AdobeUM
2009-12-16 11:24 . 2005-12-22 21:58 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-16 10:55 . 2005-12-22 21:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-16 00:03 . 2005-10-13 19:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-15 23:21 . 2009-11-21 02:15 -------- d-----w- c:\program files\IndependentOwners
2009-12-15 23:18 . 2009-11-03 23:01 -------- d-----w- c:\program files\FamTree3
2009-12-15 23:18 . 2006-04-01 08:10 -------- d-----w- c:\program files\Docudesk
2009-12-15 10:08 . 2009-06-25 19:27 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Nitro PDF
2009-12-01 14:51 . 2009-06-25 06:34 -------- d-----w- d:\documents and settings\Deenagh\Application Data\Nitro PDF
2009-11-14 13:08 . 2009-11-14 13:08 -------- d-----w- d:\documents and settings\Deenagh\Application Data\Xenocode
2009-11-05 05:22 . 2009-11-05 05:22 -------- d-----w- c:\program files\SyncToy 2.0
2009-11-05 05:21 . 2009-11-05 05:21 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-11-03 23:01 . 2009-11-03 23:01 1409 ----a-w- c:\windows\Fonts\BUCKGM.FOT
2009-11-03 22:43 . 2009-11-03 22:33 -------- d-----w- c:\program files\GenoPro
2009-10-29 07:46 . 2004-08-10 15:38 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-10 15:37 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-10 15:37 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-10 15:38 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 15:37 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-03 22:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-10 15:38 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-10 15:38 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-10 15:38 79872 ----a-w- c:\windows\system32\raschap.dll
2006-02-25 13:37 . 1602-07-12 21:55 1030 --sha-w- c:\windows\system\nodemgr.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-12-29_11.40.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-29 11:57 . 2009-12-29 22:44 32768 c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2005-12-20 20:48 . 2009-12-29 11:05 32768 c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-29 22:44 . 2009-12-29 22:44 16384 c:\windows\Temp\Perflib_Perfdata_734.dat
+ 2009-12-29 11:57 . 2009-12-29 22:44 16384 c:\windows\Temp\History\History.IE5\index.dat
- 2005-12-20 20:48 . 2009-12-29 11:05 16384 c:\windows\Temp\History\History.IE5\index.dat
+ 2009-12-29 11:57 . 2009-12-29 22:44 16384 c:\windows\Temp\Cookies\index.dat
- 2005-12-20 20:48 . 2009-12-29 11:05 16384 c:\windows\Temp\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-30 1829712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 90112]
"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]
"LXCTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-06-07 106496]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2006-08-16 503808]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-06 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-18 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2006-5-27 585728]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.sys

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryCardManager]
2004-02-02 13:58 139264 ----a-w- c:\program files\Lexmark\Lexmark Precision Photo\memcard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-09-22 14:44 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-01-20 19:04 77824 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2008-07-30 14:45 1829712 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-10-12 02:10 49263 ----a-w- c:\program files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-05-06 12:30 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\otherprograms\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\lxctcoms.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [16/12/2009 14:46 64288]
R1 eusk2par;EUTRON SmartKey Parallel Driver;c:\windows\system32\drivers\eusk2par.sys [11/02/2007 23:23 24786]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [15/12/2009 13:37 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/12/2009 13:37 337000]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16:26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 74480]
R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [24/01/2007 18:48 7040]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/12/2009 13:37 972008]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 7408]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [02/12/2009 13:19 1181328]
S3 eusk3usb;SmartKey 3 USB;c:\windows\system32\drivers\eusk3usb.sys [11/02/2007 23:23 45534]
S3 PAC207;CamMaestro 3.01 DU PC Camera;c:\windows\system32\drivers\pfc027.sys [27/05/2005 13:57 162304]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [25/02/2006 10:33 642560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/
TCP: {E9D57C4D-B779-46DA-B2B1-754738186112} = 213.208.106.212,213.208.106.213
FF - ProfilePath - d:\documents and settings\Deenagh\Application Data\Mozilla\Firefox\Profiles\p7fp5qlg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: d:\documents and settings\Deenagh\Application Data\Mozilla\Firefox\Profiles\p7fp5qlg.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npagent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 14:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3945055753-3081336041-269820232-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(14444)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-12-30 14:48:11
ComboFix-quarantined-files.txt 2009-12-30 14:48
ComboFix2.txt 2009-12-29 11:44

Pre-Run: 11,402,960,896 bytes free
Post-Run: 11,367,587,840 bytes free

- - End Of File - - 68CFA2A21B73DB7759EDCCF5A4DE0E5B



