Avg 2011 flagged a Trojan "SHeur3.CFCW"



#1 mejohn

mejohn

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:02:59 AM

Posted 27 June 2011 - 12:59 AM

Hello. My AVG 2011 has flagged (and blocked) two instances of Trojan "SHeur3.CFCW". One instance was also removed, while another couldn't be accessed. I ran updates for SuperAntiSpyware and my AVG and then ran full scans of both. AVG found 37 files, all removed. During the SAS scan AVG popped up with "blocked SHeur3.CFCW on open" and moved it to its vault. This was as SAS scanned a file in System Restore that was the one AVG could not access earlier. There are a total of 40 entries for this Trojan in AVG's Virus Vault. Meanwhile SAS never flagged anything but cookies in its scan.

I've done just enough googling on and off BleepingComputer to wonder if this is the same bug McAfee calls "SHeur3", since some think that one is irremovable. I hope a reformat isn't needed... For what it's worth, my browser is not being redirected and my PC is not acting strangely at all otherwise. Any help is very welcome.
Thanks.

PS. All the instances are the same "CFCW" variant.

Edited by elise025, 27 June 2011 - 05:24 AM.
Moved from XP forum to Am I Infected ~Elise


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:12:59 AM

Posted 27 June 2011 - 11:22 AM

It could be false positive.
Post what exactly is detected by AVG (file name and a location).


#3 mejohn

mejohn
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:02:59 AM

Posted 27 June 2011 - 04:38 PM

OK, thanks. Well, I've got over 50 file paths, so here are the logs. Firstly, I ran an MBAM scan after first posting here. 3 backdoor Trojans AVG missed came up, but nothing else. I'll include that log last. That makes three logs: one for an AVG full scan, one for AVG Resident Shield and one for an MBAM full scan. SHeur3 *mostly* turns up in a lot of old files on my HDD I recovered for someone a while back, so it might've been there a while, whatever it is. The AVG resident log mostly shows EXEs in System Restore. The log from the first complete AVG scan that found 37 "infections" is:


"Scan ""Whole computer scan"" completed."
"Infections";"37";"37";"0"
"Folders selected for scanning:";"Whole computer scan"
"Scan started:";"Saturday, June 25, 2011, 4:20:40 AM"
"Scan finished:";"Saturday, June 25, 2011, 5:16:05 AM (55 minute(s) 24 second(s))"
"Total object scanned:";"865378"
"User who launched the scan:";"me"

"Infections"
"";"File";"Infection";"Result"
"";"D:\F\NewThemes\Winter\MatchingEXE-SS\wcountryroadss.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\Valentine's\MatchingSS\KeyValentine_ss-65905.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\thanksglobeSS.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\Thanksgiving\MatchingSS\thanksglobess.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\stainedglassroseSS.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\SpringThemes\MatchingSS\PlanetMardiGras_ss-63004.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\SpringThemes\MatchingSS\mypetuniass.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\SpringThemes\MatchingSS\lavenderroses_ss-81543.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\SpringThemes\MatchingSS\btflynflwer_ss-56068.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\SpringThemes\MatchingSS\birdhousess.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\SpringThemes\MatchingSS\balloonflowerss-82301.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\SnowGlobes\MatchingSS\vicsanta_ss-60648.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\SnowGlobes\MatchingSS\ValentineGlobe_ss-63788.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\SnowGlobes\MatchingSS\StPatGlobe_ss-68466.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\SnowGlobes\MatchingSS\roseclock_ss-55835.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\SnowGlobes\MatchingSS\orchidclock_ss-55836.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\SnowGlobes\MatchingSS\magnoliaclock_ss-55837.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\SnowGlobes\MatchingSS\litehouse_ss-75547.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\SnowGlobes\MatchingSS\irisclock_ss-55838.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\SnowGlobes\MatchingSS\globespecial.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\SnowGlobes\MatchingSS\EasterGlobe_ss-68673.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\SnowGlobes\MatchingSS\daisyclock_ss-55839.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\SnowGlobes\MatchingSS\birthdayglobe_ss-72039.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\Religious-General\SS's\blessing.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\Parties&CircusEct\MatchingSS\theclownss-70757.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\Parties&CircusEct\MatchingSS\PartyStarted_ss-64606.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\Kids&FamilyEtc\MatchingSS\friendship_ss-61209.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\Kids&FamilyEtc\MatchingSS\FamilyAffair_ss-65356.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\Halloween\MatchingSS\abhalloweenss-55841.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\EasterThemes\MatchingSS\EasterTulips_ss-69796.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\EasterThemes\MatchingSS\eastertulipsss.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\EasterThemes\EasterSS\eastertulipsss.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\ClockSS\glassclock.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\Christmas\MatchingSS\poinsettiaclock_ss-59314.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\Christmas\MatchingSS\bluxmas_ss-56711.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\AutumnThemes\MatchingSS\AutumnGlobe_ss-82137.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"C:\Documents and Settings\Shirley\Local Settings\Temporary Internet Files\Content.IE5\67QVYP6F\birthdayglobe_ss-72039[1].exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"



The AVG resident shield log:

Resident Shield detection
"Infection";"Object";"Result";"Detection time";"Object Type";"Process"
"Trojan horse SHeur3.CFCW";"d:\System Volume Information\_restore{688F45D5-E7C4-4FC1-9B78-F8BC220039D9}\RP226\A0049008.exe";"Moved to Virus Vault";"6/27/2011, 5:19:06 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse SHeur3.CFCW";"d:\System Volume Information\_restore{688F45D5-E7C4-4FC1-9B78-F8BC220039D9}\RP226\A0049039.exe";"Moved to Virus Vault";"6/27/2011, 5:18:12 AM";"file";"C:\WINDOWS\explorer.exe"
"Trojan horse SHeur3.CFCW";"d:\System Volume Information\_restore{688F45D5-E7C4-4FC1-9B78-F8BC220039D9}\RP226\A0049007.exe";"Moved to Virus Vault";"6/27/2011, 5:17:38 AM";"file";"C:\WINDOWS\explorer.exe"
"Trojan horse SHeur3.CFCW";"d:\System Volume Information\_restore{688F45D5-E7C4-4FC1-9B78-F8BC220039D9}\RP226\A0049020.exe";"Moved to Virus Vault";"6/27/2011, 3:40:31 AM";"file";"C:\WINDOWS\explorer.exe"
"Trojan horse SHeur3.CFCW";"d:\System Volume Information\_restore{688F45D5-E7C4-4FC1-9B78-F8BC220039D9}\RP226\A0049040.exe";"Moved to Virus Vault";"6/27/2011, 3:38:55 AM";"file";"C:\WINDOWS\explorer.exe"
"Trojan horse SHeur3.CFCW";"d:\System Volume Information\_restore{688F45D5-E7C4-4FC1-9B78-F8BC220039D9}\RP226\A0049006.exe";"Moved to Virus Vault";"6/27/2011, 3:38:08 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse SHeur3.CFCW";"d:\System Volume Information\_restore{688F45D5-E7C4-4FC1-9B78-F8BC220039D9}\RP226\A0049005.exe";"Moved to Virus Vault";"6/27/2011, 12:56:35 AM";"file";"C:\Program Files\SUPERAntiSpyware\2bba05f7-af53-4130-acd9-e2ba24342341.com"
"Trojan horse SHeur3.CFCW";"c:\System Volume Information\_restore{688F45D5-E7C4-4FC1-9B78-F8BC220039D9}\RP226\A0049004.exe";"Object is inaccessible.";"6/26/2011, 11:07:54 PM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse SHeur3.CFCW";"c:\System Volume Information\_restore{688F45D5-E7C4-4FC1-9B78-F8BC220039D9}\RP226\A0049004.exe";"Moved to Virus Vault";"6/26/2011, 10:08:53 PM";"file";"C:\WINDOWS\system32\svchost.exe"

And the Malwarebytes' Anti-Malware log is:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6957

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/27/2011 4:11:40 AM
mbam-log-2011-06-27 (04-11-40).txt

Scan type: Full scan (C:\|D:\|H:\|)
Objects scanned: 568782
Time elapsed: 2 hour(s), 7 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Games\Quake II\Quake II.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Games\sid meier's alpha centauri\sid meier's alpha centauri.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\documents and settings\me\local settings\application data\thinstall\Cache\Stubs\f06e32d5182b52c532221c76c66be9b3b1d44f9d\quake2.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.

#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:12:59 AM

Posted 27 June 2011 - 05:27 PM

OK, let's comment...

1. Full scan
Basically, there was only one real infection, in Internet temporary files.
All others are in your old files, and they're marked as "Heur", which means "heuristic": those files matched some malicious file pattern, but they can't be classified as 100% malicious; this is like an AV program's guess.

2. All Resident Shield findings are located in your restore point, which we'll reset at some point.

Now MBAM found some infections, so let's run a couple more scans...

Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/


  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
  • Close SUPERAntiSpyware.
Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen

  • Open SUPERAntiSpyware.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Post SUPERAntiSpyware log.

========================================================

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

===============================================================

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

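As an added example (not code from this thread or from AVG), here is a small Python triage script that applies the reasoning of the reply above to AVG's two log layouts: it reads the semicolon-delimited export, sorts each hit by where the file lives (restore point, browser cache, or ordinary user data) and by whether the detection name is a heuristic one, and lists anything AVG could not move to its vault. The sample lines are a few entries copied from the logs posted earlier in the thread; the location rules and the "Heur" test are this example's own assumptions.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in AVG 2011's export layout: semicolon-separated,
# every field double-quoted, a blank first column, summary lines first.
# Entries are copied from the whole-computer scan posted in this thread.
FULL_SCAN_LOG = r'''"Scan ""Whole computer scan"" completed."
"Infections";"3";"3";"0"

"Infections"
"";"File";"Infection";"Result"
"";"D:\F\NewThemes\ClockSS\glassclock.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"D:\F\NewThemes\Christmas\MatchingSS\bluxmas_ss-56711.exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
"";"C:\Documents and Settings\Shirley\Local Settings\Temporary Internet Files\Content.IE5\67QVYP6F\birthdayglobe_ss-72039[1].exe";"Trojan horse SHeur3.CFCW";"Moved to Virus Vault"
'''

# The Resident Shield export has a different column order, so the parser
# must not assume column positions. Entries copied from the thread.
RESIDENT_SHIELD_LOG = r'''Resident Shield detection
"Infection";"Object";"Result";"Detection time";"Object Type";"Process"
"Trojan horse SHeur3.CFCW";"d:\System Volume Information\_restore{688F45D5-E7C4-4FC1-9B78-F8BC220039D9}\RP226\A0049008.exe";"Moved to Virus Vault";"6/27/2011, 5:19:06 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse SHeur3.CFCW";"c:\System Volume Information\_restore{688F45D5-E7C4-4FC1-9B78-F8BC220039D9}\RP226\A0049004.exe";"Object is inaccessible.";"6/26/2011, 11:07:54 PM";"file";"C:\WINDOWS\system32\svchost.exe"
'''

RESTORE_POINT_RE = re.compile(r'\\system volume information\\_restore', re.I)
IE_CACHE_RE = re.compile(r'\\temporary internet files\\', re.I)


def parse_avg_log(text):
    """Return [{path, name, result}, ...] from either AVG log layout.

    The header row is the first row that has a 'File' or 'Object' column;
    every row of a different width (summary lines, blank lines) is skipped.
    """
    header = None
    records = []
    for row in csv.reader(io.StringIO(text), delimiter=';', quotechar='"'):
        if header is None:
            if 'File' in row or 'Object' in row:
                header = row
            continue
        if len(row) != len(header):
            continue
        rec = dict(zip(header, row))
        records.append({
            'path': rec.get('File') or rec.get('Object'),
            'name': rec['Infection'],
            'result': rec['Result'],
        })
    return records


def classify_location(path):
    """Bucket a flagged path the way the reply above does (rule set is this
    example's assumption): a copy inside a System Restore point is only a
    snapshot of a file already dealt with; a copy in the IE cache was
    actually fetched from the web; everything else is the user's own data.
    """
    if RESTORE_POINT_RE.search(path):
        return 'restore-point'
    if IE_CACHE_RE.search(path):
        return 'browser-cache'
    return 'user-data'


def is_heuristic(name):
    """AVG marks pattern-based (not exact-signature) hits with 'Heur' in the
    detection name, e.g. 'Trojan horse SHeur3.CFCW'."""
    return 'heur' in name.lower()


def triage(*logs):
    """Count hits by (location, heuristic|signature) across any number of
    logs and collect paths AVG did not move to its vault, which are the
    ones that still need a look."""
    counts = Counter()
    unresolved = []
    for text in logs:
        for hit in parse_avg_log(text):
            kind = 'heuristic' if is_heuristic(hit['name']) else 'signature'
            counts[(classify_location(hit['path']), kind)] += 1
            if hit['result'] != 'Moved to Virus Vault':
                unresolved.append(hit['path'])
    return counts, unresolved


if __name__ == '__main__':
    counts, unresolved = triage(FULL_SCAN_LOG, RESIDENT_SHIELD_LOG)
    for (where, kind), n in sorted(counts.items()):
        print(f'{n:3d}  {kind:9s} hit(s) in {where}')
    for path in unresolved:
        print('still needs attention:', path)
```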

#5 mejohn

mejohn
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:02:59 AM

Posted 28 June 2011 - 01:51 AM

OK. SUPERAntiSpyware ran, as did Security Check, but Rootkit Unhooker did not. It opened and looked like it did something, but after only a few seconds it just dropped off the screen. No prompt, no log, nothing. Here is the SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/28/2011 at 01:37 AM

Application Version : 4.54.1000

Core Rules Database Version : 7340
Trace Rules Database Version: 5152

Scan type : Complete Scan
Total Scan Time : 03:09:24

Memory items scanned : 236
Memory threats detected : 0
Registry items scanned : 5855
Registry threats detected : 0
File items scanned : 246730
File threats detected : 2

Adware.GloboLook
C:\CC_COMPILER\EXAMPLES\OWL\CLASSES\LISTWIND\BLAKJACK.ICO
C:\CC_COMPILER\EXAMPLES\OWL\GAMES\BLAKJACK\BLAKJACK.ICO


And here is the Security Check log:

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
AVG 2011
ZoneAlarm
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 20
Out of date Java installed!
Adobe Flash Player 10.3.181.26
Adobe Reader 8.3.0
Out of date Adobe Reader installed!
Mozilla Firefox (x86 en-US..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
IObit IObit Malware Fighter IMFsrv.exe
IObit IObit Malware Fighter IMF.exe
Zone Labs ZoneAlarm zlclient.exe
``````````End of Log````````````


PS: I have Firefox 5.0, so I'm not sure why it's coming up as out-of-date.

Edited by mejohn, 28 June 2011 - 01:55 AM.


#6 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:12:59 AM

Posted 28 June 2011 - 04:41 PM

Don't worry about it. You're fine. Those readings sometimes may be inaccurate (depending on when SC was last updated).

Instead of RKUnhooker, run this...

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


#7 mejohn

mejohn
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:02:59 AM

Posted 28 June 2011 - 11:09 PM

OK. That wasn't as easy as it should've been, I think. Worryingly, I couldn't get either link to work. Even after going to the GMER page manually, none of their download links worked; they just timed out. I had to go to download.com for it. Might be some shenanigans that someone needs to hear about?

But after that it ran fine. I didn't have to do anything but click scan. I don't read "log" but it seems it couldn't read the MBR...

Here it is:

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-28 23:43:38
Windows 5.1.2600 Service Pack 3 Harddisk1\DR1 -> \Device\Ide\IdePort4 WDC_WD800BB-00CJA1 rev.17.07W17
Running: wi6o2vsl.exe; Driver: C:\DOCUME~1\me\LOCALS~1\Temp\kfniykoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB3F9F534]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB3F99782]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0xB3FB86DC]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB3F9FCC0]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB3FB2EB4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xB3FB32A2]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0xB3FBC916]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB3F9FDF6]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB3F9A398]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xB3FB9FE4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xB3FB993C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xB3FB1DF0]
SSDT sptd.sys ZwEnumerateKey [0xB7F03FFE]
SSDT sptd.sys ZwEnumerateValueKey [0xB7F0438C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0xB3FBA93C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB3FBAB44]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB3F99FAA]
SSDT sptd.sys ZwOpenKey [0xB7ECFA30]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xB3FB51CE]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenThread [0xB3FB4DF8]
SSDT sptd.sys ZwQueryKey [0xB7F04464]
SSDT sptd.sys ZwQueryValueKey [0xB7F042E4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB3FBB8D2]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xB3FBB208]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB3F9F0F4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xB3FBC2A4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xB3F9F7DC]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB3F9A75C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xB3FBBE12]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xB3FB90C4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xB3FB3F0A]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB3FB3C86]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB3C15878]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB3C15914]

INT 0x62 ? 8AE8BCC8
INT 0x63 ? 8AD0BF00
INT 0x73 ? 8AE8BCC8
INT 0x82 ? 8AE8BCC8
INT 0x83 ? 8AE8BCC8
INT 0x83 ? 8AE8BCC8
INT 0x83 ? 8AE8BCC8
INT 0x84 ? 8AD0BF00
INT 0x94 ? 8AD0BF00
INT 0xA4 ? 8AD0BF00
INT 0xB4 ? 8AD0BF00

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C9C 80504538 12 Bytes [C0, FC, F9, B3, B4, 2E, FB, ...]
PAGE sptd.sys B7EF3000 1 Byte [74]
PAGE sptd.sys B7EF3004 5 Bytes [40, 33, EF, B7, A3] {INC EAX; XOR EBP, EDI; MOV BH, 0xa3}
PAGE sptd.sys B7EF300C 5 Bytes [50, 34, EF, B7, 98] {PUSH EAX; XOR AL, 0xef; MOV BH, 0x98}
PAGE sptd.sys B7EF3014 5 Bytes [B8, 33, EF, B7, 59] {MOV EAX, 0x59b7ef33}
PAGE sptd.sys B7EF301C 5 Bytes [78, 32, EF, B7, 61] {JS 0x34; OUT DX, EAX; MOV BH, 0x61}
PAGE ...
.sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xB7F8CD38]
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B72AA8AC 5 Bytes JMP 8AD0B410
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB63AF380, 0x566445, 0xE8000020]
.text atmymyom.SYS B6362306 74 Bytes [00, 00, 00, 40, 03, 00, 40, ...]
.text atmymyom.SYS B6362351 87 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text atmymyom.SYS B63623A9 10 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text atmymyom.SYS B63623B4 34 Bytes [40, 00, 00, C8, 50, 41, 47, ...]
.text atmymyom.SYS B63623D7 1 Byte [00]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[1716] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044C909 C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe (IObit Malware Fighter Service/IObit)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [B7E96574] sptd.sys
IAT \WINDOWS\System32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [B7E960C0] sptd.sys
IAT \WINDOWS\System32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [B7E96FE0] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7E960C0] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7E96362] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7E962A4] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7E971BC] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7E96FE0] sptd.sys
IAT \SystemRoot\System32\Drivers\atmymyom.SYS[HAL.dll!KeGetCurrentIrql] 830C4D8A
IAT \SystemRoot\System32\Drivers\atmymyom.SYS[HAL.dll!KfAcquireSpinLock] 0001CCB8
IAT \SystemRoot\System32\Drivers\atmymyom.SYS[HAL.dll!KfReleaseSpinLock] 48880000
IAT \SystemRoot\System32\Drivers\atmymyom.SYS[HAL.dll!KfRaiseIrql] C0940F68
IAT \SystemRoot\System32\Drivers\atmymyom.SYS[HAL.dll!KfLowerIrql] 8B55C35D
IAT \SystemRoot\System32\Drivers\atmymyom.SYS[USBD.SYS!USBD_CreateConfigurationRequestEx] 458D5653
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EAB312] sptd.sys
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B3FA4672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B3FA44C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B3FA4CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B3FA2C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B3FA2C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B3FA4672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B3FA44C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B3FA4CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B3FA4672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B3FA2C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B3FA4CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B3FA44C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B3FA4CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B3FA44C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B3FA4672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B3FA2C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B3FA4672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B3FA44C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B3FA4CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B3FA4672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B3FA2C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B3FA4CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B3FA44C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AE8A1F8

AttachedDevice \FileSystem\Ntfs \Ntfs pffilter.sys (Protected Folder filter driver/IObit Information Technology)
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \FileSystem\Fastfat \FatCdrom 8AB09430
Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip UrlFilter.sys (URL Filter/IObit.com)

Device \Driver\NetBT \Device\NetBT_Tcpip_{EECE3EDC-0029-4362-9F88-084B7B8C6E8D} 8AB69430
Device \Driver\usbohci \Device\USBPDO-0 8AD09430
Device \Driver\usbehci \Device\USBPDO-1 8AD08430
Device \Driver\usbuhci \Device\USBPDO-2 8AC1F1F8
Device \Driver\usbuhci \Device\USBPDO-3 8AC1F1F8
Device \Driver\usbehci \Device\USBPDO-4 8AD08430
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp UrlFilter.sys (URL Filter/IObit.com)

Device \Driver\Cdrom \Device\CdRom0 8AD1E1F8
Device \Driver\atapi \Device\Ide\IdePort0 [B7DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B7DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [B7DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B7DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B7DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [B7DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort4 [B7DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort5 [B7DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-28 [B7DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-1b [B7DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom1 8AD1E1F8
Device \Driver\Cdrom \Device\CdRom2 8AD1E1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8AB69430
Device \Driver\NetBT \Device\NetbiosSmb 8AB69430
Device \Driver\PCI_PNP7494 \Device\0000004d sptd.sys
Device \Driver\PCI_PNP7494 \Device\0000004d sptd.sys
Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp UrlFilter.sys (URL Filter/IObit.com)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp UrlFilter.sys (URL Filter/IObit.com)

Device \Driver\usbohci \Device\USBFDO-0 8AD09430
Device \Driver\usbehci \Device\USBFDO-1 8AD08430
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8AB681F8
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\usbuhci \Device\USBFDO-2 8AC1F1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8AB681F8
Device \Driver\usbuhci \Device\USBFDO-3 8AC1F1F8
Device \Driver\usbehci \Device\USBFDO-4 8AD08430
Device \Driver\atmymyom \Device\Scsi\atmymyom1Port6Path0Target0Lun0 8ACB11F8
Device \Driver\atmymyom \Device\Scsi\atmymyom1 8ACB11F8
Device \FileSystem\Fastfat \Fat 8AB09430

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat pffilter.sys (Protected Folder filter driver/IObit Information Technology)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \FileSystem\Cdfs \Cdfs 8AAE9430

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x41 0x11 0xFE 0x49 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x0D 0x38 0x06 0xDE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xDE 0xE6 0x02 0xE4 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x41 0x11 0xFE 0x49 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x0D 0x38 0x06 0xDE ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x57 0xCE 0x97 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xE9 0x02 0x6C 0xFA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0x50 0x93 0xE5 0xAB ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk1\DR1 MBR read error
Disk \Device\Harddisk1\DR1 MBR BIOS signature not found 0

---- EOF - GMER 1.0.15 ----

We seem to be on opposite shifts. To kill some time I guess I'll run it again in safe mode just to see if the master boot record reads.

Edited by mejohn, 28 June 2011 - 11:13 PM.


#8 Broni

  • BC Advisor
  • Location: Daly City, CA

Posted 28 June 2011 - 11:17 PM

MBR is one issue, but you also may have a rootkit (atapi.sys[unknown section])
That will require higher level help.

With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread and post a DDS log HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

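Broni's call above rests on one pattern in the posted log: `atapi.sys[unknown section]`. When GMER can map a device object's dispatch entry point to a driver image it prints the module name followed by the PE section the address falls in; `[unknown section]` means the entry point is inside atapi.sys but in none of its named sections, which is what a patched driver looks like and why it is treated as a rootkit indicator rather than as a filter. The IAT lines, by contrast, show imports of tcpip.sys, wanarp.sys and ndisuio.sys redirected into vsdatant.sys, and the AttachedDevice lines are ordinary file-system and TDI filters; those are the hooks a firewall or AV product installs legitimately, though the vendor string GMER prints comes from the file's own version resource and proves nothing on its own. The script below is an added example for this thread, not GMER's code and not something anyone in the thread posted: it parses the line shapes visible in the log and groups them into findings. parse_gmer, triage and report are names chosen here, and the sample input is copied from the log above.

```python
"""Triage of GMER 1.0.15 text logs.

Added example for this thread, not GMER's own code: parse_gmer(), triage()
and report() are names chosen here. It recognises the line shapes visible
in the log above (IAT, Device, AttachedDevice, Disk).
"""
import re
from collections import defaultdict

# Constructed sample input: lines copied verbatim from the GMER log above.
SAMPLE_LOG = r"""
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B3FA4CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B3FA4672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \FileSystem\Ntfs \Ntfs 8AE8A1F8
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\atapi \Device\Ide\IdePort0 [B7DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [B7DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\PCI_PNP7494 \Device\0000004d sptd.sys
Disk \Device\Harddisk1\DR1 MBR read error
Disk \Device\Harddisk1\DR1 MBR BIOS signature not found 0
"""

# One regex per line shape. GMER separates fields with spaces and none of
# the fields used here contain one.
IAT_RE = re.compile(r"^IAT\s+(?P<victim>[^\s\[]+)\[(?P<symbol>[^\]]+)\]\s+\[(?P<addr>[0-9A-F]+)\]"
                    r"\s+(?P<hooker>\S+)(?:\s+\((?P<desc>.*)\))?\s*$")
HOOKED_DEV_RE = re.compile(r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+\[(?P<addr>[0-9A-F]+)\]"
                           r"\s+(?P<module>[^\s\[]+)\[(?P<section>[^\]]*)\](?:\s+\{(?P<disasm>.*)\})?\s*$")
DEV_RE = re.compile(r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<owner>\S+)(?:\s+\((?P<desc>.*)\))?\s*$")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<filter>\S+)"
                         r"(?:\s+\((?P<desc>.*)\))?\s*$")
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+(?P<msg>.*\S)\s*$")
LINE_KINDS = (("iat", IAT_RE), ("hooked_device", HOOKED_DEV_RE), ("device", DEV_RE),
              ("attached", ATTACHED_RE), ("disk", DISK_RE))


def parse_gmer(text):
    """Return one dict per recognised line; headers and blanks are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, rx in LINE_KINDS:
            m = rx.match(line)
            if m:
                records.append({"kind": kind, **m.groupdict()})
                break
    return records


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _freeze(groups):
    return {k: sorted(v) for k, v in sorted(groups.items())}


def triage(records):
    """Group records into the findings a rootkit triager reads first."""
    unknown_section = defaultdict(set)   # module -> {(device, dispatch address)}
    iat_hooks = defaultdict(set)         # hooking driver -> {(patched driver, symbol)}
    foreign_dispatch = defaultdict(set)  # module GMER named on a Device line -> {device}
    mbr_errors = []
    for r in records:
        if r["kind"] == "hooked_device" and r["section"] == "unknown section":
            # Entry point is inside the driver image but in no named PE section.
            unknown_section[r["module"].lower()].add((r["device"], r["addr"]))
        elif r["kind"] == "iat":
            iat_hooks[_basename(r["hooker"])].add((_basename(r["victim"]), r["symbol"]))
        elif r["kind"] == "device" and not re.fullmatch(r"[0-9A-F]{8}", r["owner"]):
            # Unflagged devices end in a bare object address; a module name means
            # GMER resolved the device's dispatch routine to that driver.
            foreign_dispatch[r["owner"].lower()].add(r["device"])
        elif r["kind"] == "disk" and "read error" in r["msg"].lower():
            mbr_errors.append(r["device"])
    return {"unknown_section": _freeze(unknown_section), "iat_hooks": _freeze(iat_hooks),
            "foreign_dispatch": _freeze(foreign_dispatch), "mbr_errors": mbr_errors}


def report(findings):
    """One line per finding, most suspicious first."""
    out = []
    for mod, hits in findings["unknown_section"].items():
        out.append(f"HIGH  {mod}: dispatch entry outside any named PE section on {len(hits)} "
                   f"device object(s), address(es) {sorted({a for _, a in hits})}")
    for dev in findings["mbr_errors"]:
        out.append(f"CHECK {dev}: MBR read error (an empty card reader looks the same; "
                   f"re-read with a second tool before calling it a bootkit)")
    for mod, hooks in findings["iat_hooks"].items():
        out.append(f"INFO  {mod}: rewrote {len(hooks)} import(s) of {sorted({v for v, _ in hooks})}; "
                   f"verify the file's signature and hash, not just the vendor string GMER prints")
    for mod, devs in findings["foreign_dispatch"].items():
        out.append(f"INFO  {mod}: services dispatch for {devs}")
    return out


if __name__ == "__main__":
    for line in report(triage(parse_gmer(SAMPLE_LOG))):
        print(line)
```

Run as a script it prints five lines for the sample, with the atapi.sys finding first; pass the text of a whole saved GMER log to parse_gmer to triage everything. The Registry section of the log (the sptd Cfg keys and the CLSID InprocServer32 values) is deliberately not parsed here; it needs different handling and this example does not classify it.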
#9 mejohn

  • Topic Starter

Posted 30 June 2011 - 01:24 AM

OK. Left that GMER scan running all night. I posted logs in the indicated forum on my way out today, double posted it seems, then forgot this step. My bad, fixing both now. No way to delete my extra post. The lack of that option seems odd. I probably just missed it.

Well thanks for your efforts Broni. I realize that technically I'm not your problem now -different turfs and all- but do you have any recommendations for until my number comes up? Like, should I not use this computer at all if possible, or just avoid online activity, etc?

Thanks again.

PS, I'm not too sure if my new thread topic is appropriate. In fact, I'm not even that sure what it should have been. If it's poorly phrased can I do anything about it now? I only ask since a slew of newer threads than mine already have more replies than mine has had views...


The new thread is at:
http://www.bleepingcomputer.com/forums/topic406747.html

Edited by mejohn, 30 June 2011 - 01:46 AM.


#10 Blade

  • Site Admin
  • Location: US

Posted 30 June 2011 - 01:50 AM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic406747.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Please do not bump your topic. Do not worry about being forgotten; we have mechanisms in place to ensure that you are not overlooked.

It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

~Blade
Forum Global Moderator
