Multiple Infections on VISTA home/office computer


27 replies to this topic

#1 Spartan606
  • Members
  • 15 posts

Posted 22 May 2011 - 11:36 AM

Hello there bleeping computer. I have been lurking on this site for a while now learning how to identify and remove various malware and spyware, but the time has come; I have entered into a dilemma which I cannot verily resolve myself.

Several symptoms persistently hoard CPU resources and slow my computer down, which is a huge inconvenience to me as I work from my computer at home; my situation also presents a daunting security risk as this computer has been used for online banking in the past.

Here are the problems which have affected me.

Slow system Speed
Firefox hangs/crashes
Youtube Videos will not play
Intermittent Blue Screen of Death
Windows Explorer crashes and restarts.

I went on holiday a while back for a week or so, and when I came back home I checked my family computer and was horrified to see it riddled with various spyware and malware.

I scanned the computer using spybot, and then after that I scanned it with Malware Bytes Anti Malware. The software removed several Trojans and other assorted spyware but the problems persisted.


Whilst searching through my C:\ Drive in various places I have discovered a dozen or so files and folders which, after quick google searches, appear to be malicious. However I lack the expertise required to solve the problems.

Below is a list of the suspicious files and folders which I have discovered.

- There is a folder in my system32 directory named 0409 which is suspicious as well as several other files in the system32 directory.
- There is a file named "RTKVADA" in my WINDOWS directory
- There is a file named "eReg.DAT" in my WINDOWS directory
- There is a file named "nsreg.DAT" in my WINDOWS directory
- There is a file named "hpoins.DAT" in my WINDOWS directory
- There is a file named "RtDefLvl" in my WINDOWS directory
- There is a file named "Hidewin" in my WINDOWS directory

Here are the names of some of the suspicious files in the system32 folder.

- pncrt.dll
- TCPSVCS.EXE
- Finger.exe
- dot3.tmp

The problem I have is that some of the files are in my System32 folder. I do not feel comfortable screwing around in directories as important as system32 so I have come to this community of talented individuals to ask for help. I have tried scanning with Spybot, MBAM and Avira Antivirus but to no avail.

My Machine is running on Vista Home Basic 32-bit (Service Pack 2) and I currently have the following tools installed and both are fully updated:

- Spybot Search and Destroy (Running Tea Timer)
- Malware Bytes Anti Malware

** Please notify me if any of my post constitutes a violation of the forum rules and I will amend with haste **

If I have missed out any crucial information then please notify me.

I would greatly appreciate any help which a member may offer as my computer is crucial to my work, thank you. I eagerly await a reply!

P.S - I have Hijack this on my computer, would it make the situation easier to resolve if I post a log? Thanks in advance

Edited by Spartan606, 23 May 2011 - 11:32 AM.
Moved from Vista to Am I Infected.



#2 cryptodan
    Bleepin Madman
  • Members
  • 21,868 posts

Posted 26 May 2011 - 03:22 PM

Can you post the malwarebytes log?

#3 Spartan606
  • Topic Starter
  • Members
  • 15 posts

Posted 27 May 2011 - 01:31 PM

> Can you post the malwarebytes log?

Malware bytes does not detect anything each time I run it, even on a full scan. The last infection it detected was last year just before Christmas so I will post that log.

Sorry for the long reply, I'm currently undergoing College finals so I'm rarely at my computer but I will check this topic at least once a day.

Thank you in advance.

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5256

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

06/12/2010 17:00:32
mbam-log-2010-12-06 (17-00-32).txt

Scan type: Quick scan
Objects scanned: 177042
Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\ben kaya shaunna mum\downloads\Zwinky.exe (PUP.FunWebProducts) -> Quarantined and deleted successfully.


#4 cryptodan
    Bleepin Madman
  • Members
  • 21,868 posts

Posted 27 May 2011 - 11:55 PM

Have you rerun malwarebytes since then?

#5 Spartan606
  • Topic Starter
  • Members
  • 15 posts

Posted 28 May 2011 - 10:30 AM

> Have you rerun malwarebytes since then?

Yes, plenty of times. The above log was created from a scan before Christmas 2010. Malware bytes has never detected a single infection since. I always run it as administrator and it is always fully updated.

#6 cryptodan
    Bleepin Madman
  • Members
  • 21,868 posts

Posted 28 May 2011 - 05:45 PM

Try running the following: Free ESET Online Scan

#7 Spartan606
  • Topic Starter
  • Members
  • 15 posts

Posted 29 May 2011 - 09:45 AM

Ok, I have downloaded the ESET scanner but I cannot run it. It stops halfway through and displays the message "Can not get update update. Is proxy configured?"

The thing is I do not use a proxy. I am unsure what to do. I have searched for a solution online but the abundance and variety of information regarding proxies is bewildering. I am not comfortable messing around with my network settings as the computer is used daily for work and school work by my family.

#8 Comp39
  • Members
  • 20 posts

Posted 29 May 2011 - 10:06 AM

You can try A squared, http://www.emsisoft.com/en/ It is free and will delete free. As with all scanners please check what is being deleted. Check on each item by Google, type into Google name of spyware, then the word malware, it should look something like this in Google search bar, SomethingNasty.exe malware.
You may wish to use Ccleaner first, as lots of spyware hide in Temp files, Ccleaner will clear those files.
http://www.filehippo.com/download_ccleaner Look to top right hand of page for LATEST version.

#9 Spartan606
  • Topic Starter
  • Members
  • 15 posts

Posted 29 May 2011 - 11:01 AM

> You can try A squared, http://www.emsisoft.com/en/ It is free and will delete free. As with all scanners please check what is being deleted. Check on each item by Google, type into Google name of spyware, then the word malware, it should look something like this in Google search bar, SomethingNasty.exe malware.
> You may wish to use Ccleaner first, as lots of spyware hide in Temp files, Ccleaner will clear those files.
> http://www.filehippo.com/download_ccleaner Look to top right hand of page for LATEST version.

Sorry Comp39 but your post is in violation of the forum rules. Only registered experts can offer advice on the forums.

@ Cryptodan.

I have found a working proxy for ESET but the scan will not finish. I have uninstalled my anti virus programs temporarily whilst running the scan but it stops working at 53% and says "Unexpected Error 2002"

#10 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,247 posts

Posted 29 May 2011 - 11:18 AM

> Sorry Comp39 but your post is in violation of the forum rules. Only registered experts can offer advice on the forums.

As explained here everyone may offer help in the Am I Infected forum, as long as the rules explained there are followed.

As a member you are allowed to interact with others that post in this area. Any advice given is subject to modification or removal by the moderating team. We appreciate the fact that you are trying to help others with your advice, but we require that this advice be kept general and minimally invasive. Preliminary scans, active scans and non-malware related tools are allowed to be used here, along with advice for A/V and other protection programs. Modification of OS settings and general tweaks to resolve problems is allowed, but advice for the removal of any files, folders or programs is restricted.


@Spartan606, press Windows key + R, type chkdsk /r and press enter. Type Y and press enter to schedule a disk check for the next reboot.
Restart your computer and let the disk check run unhindered. Note, this may take some time depending on the size of your disk.

When done, let me know if you notice any change in performance.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 Spartan606
  • Topic Starter
  • Members
  • 15 posts

Posted 29 May 2011 - 12:49 PM

Ah sorry, I seem to have misread the rules :P My apologies

I ran the Chkdsk and rebooted. I haven't noticed any significant increase in performance as of yet, however I have just tried to play a few youtube videos to check if firefox was working correctly and the videos actually played whereas before they would not play at all.

#12 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,247 posts

Posted 29 May 2011 - 01:03 PM

Can you use it for a bit and then list the problems you are still having?

Also, how much RAM do you have installed on this computer?

Edited by elise025, 29 May 2011 - 01:04 PM.

regards, Elise




#13 Spartan606
  • Topic Starter
  • Members
  • 15 posts

Posted 30 May 2011 - 10:27 AM

> Can you use it for a bit and then list the problems you are still having?
>
> Also, how much RAM do you have installed on this computer?

I have 2.00 GB RAM installed on this machine.

However the problems which I stated in my initial post seem to persist.

- Youtube videos now start playing, but stop half way through. (Despite CCleaning and deleting Cache)
- Intermittent hangs and crashes in windows explorer

On the plus side it seems that the time taken to log onto the actual computer has sped up. Usually it takes about 2/3 minutes for a profile to load. Now it just loads straight away.

#14 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,247 posts

Posted 30 May 2011 - 11:01 AM

Hi there,

To be sure let's also run a rootkit scan.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards, Elise


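As an added example (not part of this thread and not GMER's own code), here is a small Python triage script for the kind of log the procedure above produces: it groups every SSDT and IAT hook by the module that owns it, and separates vendor-labelled modules from the entries a human still has to identify, such as hooked slots that point into a file GMER reports as missing on disk or into no module at all. The sample log is a constructed subset of the GMER output Spartan606 posts later in the thread.

```python
"""Triage a GMER rootkit-scan log: group SSDT/IAT hooks by the module that
owns them, and surface the entries a human must identify (hooks that point
into a file GMER cannot find, or into no module at all).  Added example,
not GMER code.  SAMPLE_LOG is a constructed subset of the log posted later
in this thread, with GMER's column padding collapsed."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
GMER 1.0.15.15640 - http://www.gmer.net
---- System - GMER 1.0.15 ----
SSDT  \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)  ZwCreateFile [0x8C179884]
SSDT  \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)  ZwSetValueKey [0x8C19BA6A]
INT 0x51  ?  83FCEBF8
---- Kernel code sections - GMER 1.0.15 ----
?  System32\Drivers\spft.sys  The system cannot find the path specified. !
.text  USBPORT.SYS!DllUnload  877A041B 5 Bytes  JMP 85FC54E0
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT  \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]  [806996D6] \SystemRoot\System32\Drivers\spft.sys
IAT  \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]  [80699042] \SystemRoot\System32\Drivers\spft.sys
IAT  \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortNotification]  CC358B04
IAT  \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong]  [100D8BA5] \Program Files\DAEMON Tools Lite\Engine.dll (Helper library/DT Soft Ltd)
---- User IAT/EAT - GMER 1.0.15 ----
IAT  C:\Windows\Explorer.EXE[3084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]  [74517817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
Device  \Driver\volmgr \Device\VolMgrControl  83FD01F8
Device  \Driver\PCI_PNP9049 \Device\00000043  spft.sys
"""

HEX = r"[0-9A-Fa-f]+"
# SSDT <hooking module> (<vendor description>) <hooked service> [0x<addr>]
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?"
                     r"\s+(?P<func>\w+)\s+\[0x" + HEX + r"\]$")
# Kernel IAT: IAT <importing driver>[<dll!function>] <value>
KERNEL_IAT_RE = re.compile(r"^IAT\s+(?P<importer>\S+?)\[(?P<func>[^\]]+)\]\s+(?P<value>.+)$")
# User IAT: IAT <process>[<pid>] @ <importing module> [<dll!function>] <value>
USER_IAT_RE = re.compile(r"^IAT\s+\S+\[\d+\]\s+@\s+(?P<importer>\S+)\s+"
                         r"\[(?P<func>[^\]]+)\]\s+(?P<value>.+)$")
# A value GMER could resolve: [<addr>] <module the slot now points into> (<description>)
TARGET_RE = re.compile(r"^\[" + HEX + r"\]\s+(?P<target>.+?)(?:\s+\((?P<desc>[^)]*)\))?$")
# ? <path> <error text>   -- a module referenced by hooks but not found on disk
MISSING_RE = re.compile(r"^\?\s+(?P<path>\S+)\s+.+$")
# Device <driver object> <device object> <owner: an address, or a driver file name>
DEVICE_RE = re.compile(r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<owner>\S+)$")


def triage(log_text):
    """Parse one GMER log into buckets keyed by the module that owns each hook."""
    ssdt = defaultdict(list)           # hooking module -> hooked Zw* services
    iat_by_target = defaultdict(list)  # module a hooked slot points into -> [(importer, func)]
    iat_unresolved = []                # slots holding a value GMER mapped to no module
    missing, module_desc = [], {}      # files not found on disk; vendor labels GMER printed
    device_owners = defaultdict(list)  # device objects owned by a named driver, not an address
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        if m := SSDT_RE.match(line):
            ssdt[m["module"]].append(m["func"])
            if m["desc"]:
                module_desc[m["module"]] = m["desc"]
        elif m := USER_IAT_RE.match(line) or KERNEL_IAT_RE.match(line):
            if t := TARGET_RE.match(m["value"]):
                iat_by_target[t["target"]].append((m["importer"], m["func"]))
                if t["desc"]:
                    module_desc[t["target"]] = t["desc"]
            else:
                iat_unresolved.append((m["importer"], m["func"], m["value"]))
        elif m := MISSING_RE.match(line):
            missing.append(m["path"])
        elif (m := DEVICE_RE.match(line)) and not re.fullmatch(HEX, m["owner"]):
            device_owners[m["owner"]].append(m["device"])
    return {"ssdt": dict(ssdt), "iat_by_target": dict(iat_by_target),
            "iat_unresolved": iat_unresolved, "missing": missing,
            "device_owners": dict(device_owners), "module_desc": module_desc}


def report(summary):
    """One line per finding; modules with no vendor label go to the top of a human's list."""
    out = []
    for module, funcs in summary["ssdt"].items():
        label = summary["module_desc"].get(module, "UNLABELLED - identify this driver")
        out.append(f"SSDT hooks by {module} ({label}): {', '.join(funcs)}")
    for target, hooks in summary["iat_by_target"].items():
        label = summary["module_desc"].get(target, "UNLABELLED - identify this module")
        out.append(f"IAT slots pointing into {target} ({label}): {len(hooks)}")
    out += [f"IAT slot {imp}[{fn}] holds {val}, mapped to no module" for imp, fn, val in summary["iat_unresolved"]]
    out += [f"Referenced but not found on disk: {p}" for p in summary["missing"]]
    out += [f"Device {d} owned by named driver {o}" for o, ds in summary["device_owners"].items() for d in ds]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```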


#15 Spartan606
  • Topic Starter
  • Members
  • 15 posts

Posted 31 May 2011 - 11:57 AM

Hi there. Ok, I have run GMER without any problems and created the log. I deactivated Spybot's Resident Tea Timer Tool and deactivated my Zonealarm checkpoint firewall.

Here is the GMER log.

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-05-31 17:51:10
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000052 Hitachi_ rev.ST1O
Running: z7rk28x3.exe; Driver: C:\Users\winnie\AppData\Local\Temp\pwdiqpog.sys


---- System - GMER 1.0.15 ----

SSDT      \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)      ZwAlpcConnectPort [0x8C180570]
SSDT      \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)      ZwAlpcCreatePort [0x8C180E46]
SSDT      \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)      ZwConnectPort [0x8C17FFC6]
SSDT      \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)      ZwCreateFile [0x8C179884]
SSDT      \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)      ZwCreateKey [0x8C19AFA8]
SSDT      \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)      ZwCreatePort [0x8C180AD0]
SSDT      \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)      ZwCreateWaitablePort [0x8C180C2E]
SSDT      \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)      ZwDeleteFile [0x8C17A5B4]
SSDT      \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)      ZwDeleteKey [0x8C19CA50]
SSDT      \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)      ZwDeleteValueKey [0x8C19C346]
SSDT      \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)      ZwLoadKey [0x8C19D41A]
SSDT      \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)      ZwLoadKey2 [0x8C19D658]
SSDT      \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)      ZwLoadKeyEx [0x8C19DB0A]
SSDT      \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)      ZwOpenFile [0x8C17A16C]
SSDT      \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)      ZwRenameKey [0x8C19E4E0]
SSDT      \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)      ZwReplaceKey [0x8C19DDD4]
SSDT      \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)      ZwRequestWaitReplyPort [0x8C17FB5E]
SSDT      \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)      ZwRestoreKey [0x8C19EF40]
SSDT      \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)      ZwSetInformationFile [0x8C17A9BE]
SSDT      \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)      ZwSetSecurityObject [0x8C19EA68]
SSDT      \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)      ZwSetValueKey [0x8C19BA6A]

INT 0x51  ?                                                                                                                   83FCEBF8
INT 0x72  ?                                                                                                                   85FC5F00
INT 0x82  ?                                                                                                                   83FCDBF8
INT 0x92  ?                                                                                                                   83FCEBF8

---- Kernel code sections - GMER 1.0.15 ----

.text     ntkrnlpa.exe!KeSetEvent + 13D                                                                                       820FA8C0 8 Bytes  [70, 05, 18, 8C, 46, 0E, 18, ...]
.text     ntkrnlpa.exe!KeSetEvent + 1C1                                                                                       820FA944 4 Bytes  [C6, FF, 17, 8C]
.text     ntkrnlpa.exe!KeSetEvent + 1D9                                                                                       820FA95C 4 Bytes  [84, 98, 17, 8C]
.text     ntkrnlpa.exe!KeSetEvent + 1E9                                                                                       820FA96C 4 Bytes  [A8, AF, 19, 8C]
.text     ntkrnlpa.exe!KeSetEvent + 205                                                                                       820FA988 4 Bytes  [D0, 0A, 18, 8C]
.text     ...                                                                                                                 
?         System32\Drivers\spft.sys                                                                                           The system cannot find the path specified. !
.text     USBPORT.SYS!DllUnload                                                                                               877A041B 5 Bytes  JMP 85FC54E0 
.text     C:\Windows\system32\DRIVERS\nvlddmkm.sys                                                                            section is writeable [0x8B60D340, 0x3D9767, 0xE8000020]
.text     a6zvxhcn.SYS                                                                                                        827B3000 22 Bytes  [82, 23, 02, 82, 6C, 22, 02, ...]
.text     a6zvxhcn.SYS                                                                                                        827B3017 137 Bytes  [00, 32, 57, 79, 80, 3D, 55, ...]
.text     a6zvxhcn.SYS                                                                                                        827B30A1 43 Bytes  [70, 0F, 82, 74, 66, 09, 82, ...]
.text     a6zvxhcn.SYS                                                                                                        827B30CE 10 Bytes  [00, 00, 00, 00, 00, 00, C9, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; LEAVE ; HLT ; POP ESP; DEC EDX}
.text     a6zvxhcn.SYS                                                                                                        827B30DA 12 Bytes  [00, 00, 02, 00, 00, 00, 24, ...]
.text     ...                                                                                                                 

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT       \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]                                           [806996D6] \SystemRoot\System32\Drivers\spft.sys
IAT       \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]                                            [80699042] \SystemRoot\System32\Drivers\spft.sys
IAT       \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]                                    [80699800] \SystemRoot\System32\Drivers\spft.sys
IAT       \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort]                                           [806990C0] \SystemRoot\System32\Drivers\spft.sys
IAT       \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]                                     [8069913E] \SystemRoot\System32\Drivers\spft.sys
IAT       \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]                                                  [806A8B90] \SystemRoot\System32\Drivers\spft.sys
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortNotification]                                          CC358B04
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortWritePortUchar]                                        83827D9F
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortWritePortUlong]                                        458B38C6
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortGetPhysicalAddress]                                    A5A5A514
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong]                         [100D8BA5] \Program Files\DAEMON Tools Lite\Engine.dll (Helper library/DT Soft Ltd)
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortGetScatterGatherList]                                  5F827D70
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortReadPortUchar]                                         30810889
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortStallExecution]                                        54771129
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortGetParentBusType]                                      10C25D5E
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortRequestCallback]                                       8B55CC00
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortWritePortBufferUshort]                                 084D8BEC
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortGetUnCachedExtension]                                  0CF0918B
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortCompleteRequest]                                       458B0000
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortMoveMemory]                                            8B108910
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests]                             000CF491
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb]                                04508900
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb]                                  053C7980
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortReadPortUshort]                                        560C558B
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortReadPortBufferUshort]                                  C6127557
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortInitialize]                                            B18D0502
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortGetDeviceBase]                                         00000CF8
IAT       \SystemRoot\System32\Drivers\a6zvxhcn.SYS[ataport.SYS!AtaPortDeviceStateChange]                                     A508788D

---- User IAT/EAT - GMER 1.0.15 ----

IAT       C:\Windows\Explorer.EXE[3084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                               [74517817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT       C:\Windows\Explorer.EXE[3084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                                [7456A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT       C:\Windows\Explorer.EXE[3084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]                            [7451BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT       C:\Windows\Explorer.EXE[3084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]                      [7450F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT       C:\Windows\Explorer.EXE[3084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                                [745175E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT       C:\Windows\Explorer.EXE[3084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]                             [7450E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT       C:\Windows\Explorer.EXE[3084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]                 [74548395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT       C:\Windows\Explorer.EXE[3084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]                    [7451DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT       C:\Windows\Explorer.EXE[3084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]                            [7450FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT       C:\Windows\Explorer.EXE[3084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]                             [7450FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT       C:\Windows\Explorer.EXE[3084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]                              [745071CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT       C:\Windows\Explorer.EXE[3084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]                      [7459CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT       C:\Windows\Explorer.EXE[3084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]                         [7453C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT       C:\Windows\Explorer.EXE[3084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]                            [7450D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT       C:\Windows\Explorer.EXE[3084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                                      [74506853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT       C:\Windows\Explorer.EXE[3084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                                     [7450687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT       C:\Windows\Explorer.EXE[3084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]                        [74512AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device    \FileSystem\Ntfs \Ntfs                                                                                              84C5A1F8
Device    \Driver\netbt \Device\NetBT_Tcpip_{D2B7E229-FE4E-4838-88F8-43247EBC0476}                                            863AF500
Device    \Driver\volmgr \Device\VolMgrControl                                                                                83FD01F8
Device    \Driver\PCI_PNP9049 \Device\00000043                                                                                spft.sys
Device    \Driver\usbohci \Device\USBPDO-0                                                                                    85F9F1F8
Device    \Driver\nvstor32 \Device\00000052                                                                                   84C581F8
Device    \Driver\usbehci \Device\USBPDO-1                                                                                    85FA21F8
Device    \Driver\nvstor32 \Device\00000053                                                                                   84C581F8
Device    \Driver\volmgr \Device\HarddiskVolume1                                                                              83FD01F8
Device    \Driver\volmgr \Device\HarddiskVolume2                                                                              83FD01F8
Device    \Driver\cdrom \Device\CdRom0                                                                                        85F9A1F8
Device    \Driver\atapi \Device\Ide\IdePort0                                                                                  84C571F8
Device    \Driver\atapi \Device\Ide\IdePort1                                                                                  84C571F8
Device    \Driver\volmgr \Device\HarddiskVolume3                                                                              83FD01F8
Device    \Driver\cdrom \Device\CdRom1                                                                                        85F9A1F8
Device    \Driver\volmgr \Device\HarddiskVolume4                                                                              83FD01F8
Device    \Driver\cdrom \Device\CdRom2                                                                                        85F9A1F8
Device    \Driver\volmgr \Device\HarddiskVolume5                                                                              83FD01F8
Device    \Driver\volmgr \Device\HarddiskVolume6                                                                              83FD01F8
Device    \Driver\netbt \Device\NetBt_Wins_Export                                                                             863AF500
Device    \Driver\Smb \Device\NetbiosSmb                                                                                      863C51F8
Device    \Driver\USBSTOR \Device\0000005a                                                                                    8651F500
Device    \Driver\USBSTOR \Device\0000005b                                                                                    8651F500
Device    \Driver\USBSTOR \Device\0000005c                                                                                    8651F500
Device    \Driver\nvstor32 \Device\RaidPort0                                                                                  84C581F8
Device    \Driver\USBSTOR \Device\0000005d                                                                                    8651F500
Device    \Driver\iScsiPrt \Device\RaidPort1                                                                                  8604F1F8
Device    \Driver\USBSTOR \Device\0000005e                                                                                    8651F500
Device    \Driver\usbohci \Device\USBFDO-0                                                                                    85F9F1F8
Device    \Driver\usbehci \Device\USBFDO-1                                                                                    85FA21F8
Device    \Driver\sptd \Device\3132601056                                                                                     spft.sys
Device    \Driver\a6zvxhcn \Device\Scsi\a6zvxhcn1                                                                             85FE01F8
Device    \Driver\a6zvxhcn \Device\Scsi\a6zvxhcn1Port4Path0Target0Lun0                                                        85FE01F8
Device    \Driver\a6zvxhcn \Device\Scsi\a6zvxhcn1Port4Path0Target1Lun0                                                        85FE01F8
Device    \FileSystem\cdfs \Cdfs                                                                                              86FF31F8

---- Registry - GMER 1.0.15 ----

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                                  771343423
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                                  285507792
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                                  1
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                    
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                 C:\Program Files\DAEMON Tools Lite\
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                 0x00 0x00 0x00 0x00 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                 0
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                              0x9D 0x06 0x9B 0x6E ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                           
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                        0x20 0x01 0x00 0x00 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                     0xA3 0xC0 0xD4 0x06 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                      
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                0x40 0xEC 0xBE 0x89 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1                      
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12                0x41 0x08 0xC4 0xC6 ...
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     C:\Program Files\DAEMON Tools Lite\
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0x00 0x00 0x00 0x00 ...
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0x9D 0x06 0x9B 0x6E ...
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0xA3 0xC0 0xD4 0x06 ...
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0x40 0xEC 0xBE 0x89 ...
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)  
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12                    0x41 0x08 0xC4 0xC6 ...

---- EOF - GMER 1.0.15 ----




