
Malware/mbr infection? downloader? repeat infections


19 replies to this topic

#1 dworblack

  • Members
  • 19 posts

Posted 06 July 2011 - 10:10 AM

Your forum is the most confusing place I've ever been in. I'm not even sure if this is the right place, so please don't tear my head off if this is the wrong place. You guys should work on cleaning up your sticky threads so it's less confusing to new users... Anywho,


My computer is filled to the tits with something, I don't know, I can't remove it myself. I am a pretty proficient PC user, yet this escapes me. HELP ME. I've used a variety of tools that are commonly used for removing a terrible infection, such as Catchme/ComboFix/HijackThis/TDSSKiller/GMER rootkit scan/Malwarebytes/Ad-Aware/Spybot S&D/dds.scr/ATF Cleaner, just to name a few. Obviously not in this order, but an insight into the level of attempt I've made at nailing down this infection. So I come to you, BleepingComputer; you guys are my last hope before I say bleep it and reformat.

My system OS is WinXP Corp Edition SP3.

Some of the signs of infection: rare occasional random pop-ups (even using the latest Adblock Plus), random outgoing traffic to repeated IP addresses that are black/whitelisted for being malicious, random CPU usage. Tell me what you need me to post, so I can help you to help me, in as few words as possible.


Thanks.


#2 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,707 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 06 July 2011 - 09:12 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My help doesn't cost a penny, but if you'd like to consider a donation, click the donation button in my signature.
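Once the logs requested above come back, the responder has to read them by hand. As an added example that is not part of this thread and not GMER's own code, here is a small Python triage script for the GMER log format that appears later in this thread: it parses the SSDT lines of the "System" section and the "The system cannot find the file specified" lines of the kernel code sections, groups hooks by hooking driver, and puts drivers that GMER printed with no vendor attribution, or whose file it could not find on disk, at the top of a review list. The embedded sample log is a constructed excerpt in that format, and the "review first" rule is this example's own heuristic, since legitimate security products hook the SSDT too.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of GMER's "System" and "Kernel code sections"
# output; it is sample input for this example, not a real log from this thread.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT      Lbd.sys (Boot Driver/Lavasoft AB)     ZwCreateKey [0xB811887E]
SSDT      spmg.sys                              ZwEnumerateKey [0xB7ECDDA4]
SSDT      spmg.sys                              ZwOpenKey [0xB7EB50C0]
SSDT      Lbd.sys (Boot Driver/Lavasoft AB)     ZwSetValueKey [0xB8118BFE]
SSDT      \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com)  ZwTerminateProcess [0xA56ED620]

---- Kernel code sections - GMER 1.0.15 ----

?         spmg.sys                              The system cannot find the file specified. !
.text     C:\WINDOWS\system32\DRIVERS\nv4_mini.sys   section is writeable [0xB6ED4360, 0x33AACD, 0xE8000020]
?         C:\WINDOWS\system32\Drivers\PROCEXP113.SYS   The system cannot find the file specified. !
"""

# One SSDT hook line: module, optional "(description/vendor)", hooked Zw* call, address.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"
    r"(?:\s+\((?P<vendor>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]"
)
# A module GMER lists but could not locate on disk.
MISSING_RE = re.compile(
    r"^\?\s+(?P<module>\S+)\s+The system cannot find the file specified"
)


def basename(path):
    """Lower-cased file name, so a full path and a bare driver name compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Return (hooks, missing): SSDT hook records and the set of modules GMER could not find."""
    hooks, missing = [], set()
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            hooks.append({
                "module": basename(m["module"]),
                "vendor": m["vendor"],          # None when GMER printed no attribution
                "function": m["func"],
                "address": int(m["addr"], 16),
            })
            continue
        m = MISSING_RE.match(line)
        if m:
            missing.add(basename(m["module"]))
    return hooks, missing


def triage(text):
    """Group hooks by module and list the modules a responder should look at first.

    The ordering rule (no vendor attribution, or the hooking file is reported missing)
    is this example's own heuristic: both are normal for some security products, so
    the list is a starting point for manual review, not a verdict.
    """
    hooks, missing = parse_gmer(text)
    by_module = defaultdict(lambda: {"vendor": None, "functions": [], "file_missing": False})
    for h in hooks:
        entry = by_module[h["module"]]
        entry["vendor"] = entry["vendor"] or h["vendor"]
        entry["functions"].append(h["function"])
    for name, entry in by_module.items():
        entry["file_missing"] = name in missing
    review = sorted(
        name for name, e in by_module.items() if e["vendor"] is None or e["file_missing"]
    )
    return dict(by_module), review


if __name__ == "__main__":
    modules, review = triage(SAMPLE_LOG)
    for name, e in modules.items():
        print(f"{name:14} vendor={e['vendor'] or '?':45} hooks={', '.join(e['functions'])}"
              f"{'  [file not found]' if e['file_missing'] else ''}")
    print("review first:", ", ".join(review) or "nothing flagged")
```

Run it against a saved gmer.log by reading the file into `triage()` instead of `SAMPLE_LOG`. On the constructed sample, the two attributed drivers are listed with their hooked calls and only the unattributed module that GMER also reports as not found on disk lands in the "review first" line; that module still needs a human to identify it before anything is concluded.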


 


#3 dworblack
  • Topic Starter

  • Members
  • 19 posts

Posted 07 July 2011 - 12:30 AM

Okay,

Sec Check
Results of screen317's Security Check version 0.99.7
 Windows XP Service Pack 3
 Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
 Windows Firewall Disabled!
 Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:
 Ad-Aware
 Malwarebytes' Anti-Malware
 Java(TM) 6 Update 26
 Out of date Java installed!
 Adobe Flash Player 10.3.181.26
Adobe Reader 8.3.0
Out of date Adobe Reader installed!
 Mozilla Firefox (x86 en-US..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
 Ad-Aware AAWService.exe is disabled!
 Ad-Aware AAWTray.exe is disabled!
 Malwarebytes' Anti-Malware mbamservice.exe
 Malwarebytes' Anti-Malware mbamgui.exe
``````````End of Log````````````

MiniToolBox
MiniToolBox by Farbar 
Ran by Administrator (administrator) on 07-07-2011 at 01:00:40
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************


========================= IE Proxy Settings: ============================== 

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ======================== 
=============== Hosts content: ============================================  

127.0.0.1       localhost

=============== End of Hosts ============================================== 

================= IP Configuration: ======================================= 

# ---------------------------------- 
# Interface IP Configuration         
# ---------------------------------- 
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp 
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration

        Host Name . . . . . . . . . . . . : Postal
        Primary Dns Suffix  . . . . . . . : 
        Node Type . . . . . . . . . . . . : Broadcast
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : 
        Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
        Physical Address. . . . . . . . . : 00-15-C5-54-0D-4D
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
        Lease Obtained. . . . . . . . . . : July 6, 2011 3:19:08 PM
        Lease Expires . . . . . . . . . . : July 7, 2011 3:19:08 PM

Server:  UnKnown
Address:  192.168.1.1

Name:    google.com
Addresses:  74.125.91.105, 74.125.91.147, 74.125.91.104, 74.125.91.103
	  74.125.91.99, 74.125.91.106

Pinging google.com [74.125.91.104] with 32 bytes of data:

Reply from 74.125.91.104: bytes=32 time=44ms TTL=52
Reply from 74.125.91.104: bytes=32 time=41ms TTL=52

Ping statistics for 74.125.91.104:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 41ms, Maximum = 44ms, Average = 42ms

Server:  UnKnown
Address:  192.168.1.1

Name:    yahoo.com
Addresses:  69.147.125.65, 72.30.2.43, 98.137.149.56, 209.191.122.70
	  67.195.160.76

Pinging yahoo.com [72.30.2.43] with 32 bytes of data:

Reply from 72.30.2.43: bytes=32 time=97ms TTL=53
Reply from 72.30.2.43: bytes=32 time=96ms TTL=53

Ping statistics for 72.30.2.43:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 96ms, Maximum = 97ms, Average = 96ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 15 c5 54 0d 4d ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.3	  1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1	  1
      192.168.1.0    255.255.255.0      192.168.1.3     192.168.1.3	  20
      192.168.1.3  255.255.255.255        127.0.0.1       127.0.0.1	  20
    192.168.1.255  255.255.255.255      192.168.1.3     192.168.1.3	  20
        224.0.0.0        240.0.0.0      192.168.1.3     192.168.1.3	  20
  255.255.255.255  255.255.255.255      192.168.1.3     192.168.1.3	  1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

================= End of IP Configuration ================================= 

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/06/2011 02:01:02 AM) (Source: Application Error) (User: )
Description: Faulting application teatimer.exe, version 1.6.6.32, faulting module kernel32.dll, version 5.1.2600.5512, fault address 0x00012aeb.
Processing media-specific event for [teatimer.exe!ws!]

Error: (06/21/2011 05:16:34 PM) (Source: Application Error) (User: )
Description: Faulting application skype.exe, version 5.3.0.120, faulting module skype.exe, version 5.3.0.120, fault address 0x005183e8.
Processing media-specific event for [skype.exe!ws!]

Error: (06/20/2011 09:21:29 PM) (Source: Application Error) (User: )
Description: Faulting application skype.exe, version 5.3.0.111, faulting module skype.exe, version 5.3.0.111, fault address 0x0018ec62.
Processing media-specific event for [skype.exe!ws!]

Error: (06/07/2011 00:12:29 PM) (Source: Application Error) (User: )
Description: Faulting application skype.exe, version 5.3.0.111, faulting module skype.exe, version 5.3.0.111, fault address 0x005dd938.
Processing media-specific event for [skype.exe!ws!]

Error: (06/07/2011 06:36:17 AM) (Source: Application Error) (User: )
Description: Faulting application skype.exe, version 5.3.0.111, faulting module skype.exe, version 5.3.0.111, fault address 0x005dd938.
Processing media-specific event for [skype.exe!ws!]

Error: (05/31/2011 09:14:44 PM) (Source: Application Error) (User: )
Description: Faulting application left4dead.exe, version 0.0.0.0, faulting module studiorender.dll, version 0.0.0.0, fault address 0x0000d128.
Processing media-specific event for [left4dead.exe!ws!]

Error: (05/01/2011 10:48:03 PM) (Source: Application Hang) (User: )
Description: Hanging application Setup.exe, version 1.0.0.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (04/27/2011 07:43:17 PM) (Source: Application Error) (User: )
Description: Faulting application hl2.exe, version 0.0.0.0, faulting module materialsystem.dll, version 0.0.0.0, fault address 0x0000ab06.
Processing media-specific event for [hl2.exe!ws!]

Error: (04/26/2011 02:37:11 AM) (Source: Application Error) (User: )
Description: Faulting application hl2.exe, version 0.0.0.0, faulting module materialsystem.dll, version 0.0.0.0, fault address 0x0000ab06.
Processing media-specific event for [hl2.exe!ws!]

Error: (04/26/2011 02:20:54 AM) (Source: Application Error) (User: )
Description: Faulting application hl2.exe, version 0.0.0.0, faulting module client.dll, version 0.0.0.0, fault address 0x000d1375.
Processing media-specific event for [hl2.exe!ws!]


System errors:
=============
Error: (07/02/2011 06:01:11 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.3 for the Network Card with network address 0015C5540D4D has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (06/30/2011 05:57:13 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.3 for the Network Card with network address 0015C5540D4D has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (06/28/2011 05:53:00 AM) (Source: Dhcp) (User: )
Description: The IP address lease 99.236.74.7 for the Network Card with network address 0015C5540D4D has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (06/21/2011 05:15:56 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.3 for the Network Card with network address 0015C5540D4D has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (06/19/2011 00:13:03 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the libusbd service.

Error: (06/14/2011 04:53:24 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (06/14/2011 04:53:00 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
AFD
APPDRV
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
PSSDK42
RasAcd
Rdbss
Tcpip

Error: (06/14/2011 04:53:00 PM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: 
%%31

Error: (06/14/2011 04:53:00 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: 
%%31

Error: (06/14/2011 04:53:00 PM) (Source: Service Control Manager) (User: )
Description: The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: 
%%31


Microsoft Office Sessions:
=========================
Error: (07/06/2011 02:01:02 AM) (Source: Application Error)(User: )
Description: teatimer.exe1.6.6.32kernel32.dll5.1.2600.551200012aeb

Error: (06/21/2011 05:16:34 PM) (Source: Application Error)(User: )
Description: skype.exe5.3.0.120skype.exe5.3.0.120005183e8

Error: (06/20/2011 09:21:29 PM) (Source: Application Error)(User: )
Description: skype.exe5.3.0.111skype.exe5.3.0.1110018ec62

Error: (06/07/2011 00:12:29 PM) (Source: Application Error)(User: )
Description: skype.exe5.3.0.111skype.exe5.3.0.111005dd938

Error: (06/07/2011 06:36:17 AM) (Source: Application Error)(User: )
Description: skype.exe5.3.0.111skype.exe5.3.0.111005dd938

Error: (05/31/2011 09:14:44 PM) (Source: Application Error)(User: )
Description: left4dead.exe0.0.0.0studiorender.dll0.0.0.00000d128

Error: (05/01/2011 10:48:03 PM) (Source: Application Hang)(User: )
Description: Setup.exe1.0.0.1hungapp0.0.0.000000000

Error: (04/27/2011 07:43:17 PM) (Source: Application Error)(User: )
Description: hl2.exe0.0.0.0materialsystem.dll0.0.0.00000ab06

Error: (04/26/2011 02:37:11 AM) (Source: Application Error)(User: )
Description: hl2.exe0.0.0.0materialsystem.dll0.0.0.00000ab06

Error: (04/26/2011 02:20:54 AM) (Source: Application Error)(User: )
Description: hl2.exe0.0.0.0client.dll0.0.0.0000d1375


========================= End of Event log errors ========================= 

========================= Memory info: ====================================

Percentage of memory in use: 51%
Total physical RAM: 2046.39 MB
Available physical RAM: 991.86 MB
Total Pagefile: 3938.81 MB
Available Pagefile: 3107.97 MB
Total Virtual: 2047.88 MB
Available Virtual: 1999.38 MB

======================= Partitions: =======================================

1 Drive c: () (Fixed) (Total:93.16 GB) (Free:2.42 GB) NTFS
3 Drive e: (RSHIELD_CD2) (CDROM) (Total:0.66 GB) (Free:0 GB) CDFS

================= Users: ================================================== 

User accounts for \\POSTAL

-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant            
SUPPORT_388945a0         
The command completed successfully.

================= End of Users ============================================ 

Malwarebytes,

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7032

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

07/07/2011 1:04:48 AM
mbam-log-2011-07-07 (01-04-48).txt

Scan type: Quick scan
Objects scanned: 145426
Time elapsed: 2 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

and finally,

Gmer,
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-07 01:26:23
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 Hitachi_HTS721010G9SA00 rev.MCZOC10H
Running: 9bzsnjy6.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwtdapow.sys


---- System - GMER 1.0.15 ----

SSDT      Lbd.sys (Boot Driver/Lavasoft AB)                                                                                               ZwCreateKey [0xB811887E]
SSDT      spmg.sys                                                                                                                        ZwEnumerateKey [0xB7ECDDA4]
SSDT      spmg.sys                                                                                                                        ZwEnumerateValueKey [0xB7ECE132]
SSDT      spmg.sys                                                                                                                        ZwOpenKey [0xB7EB50C0]
SSDT      spmg.sys                                                                                                                        ZwQueryKey [0xB7ECE20A]
SSDT      spmg.sys                                                                                                                        ZwQueryValueKey [0xB7ECE08A]
SSDT      Lbd.sys (Boot Driver/Lavasoft AB)                                                                                               ZwSetValueKey [0xB8118BFE]
SSDT      \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com)  ZwTerminateProcess [0xA56ED620]

INT 0x62  ?                                                                                                                               8AD11BF8
INT 0x74  ?                                                                                                                               8AA7FF00
INT 0x82  ?                                                                                                                               8AD11BF8
INT 0x84  ?                                                                                                                               8AA7FF00
INT 0x94  ?                                                                                                                               8AA7FF00

Code      \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys                                                                              pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

?         spmg.sys                                                                                                                        The system cannot find the file specified. !
.text     C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                                                                        section is writeable [0xB6ED4360, 0x33AACD, 0xE8000020]
.text     USBPORT.SYS!DllUnload                                                                                                           B6E698AC 5 Bytes  JMP 8AA7F4E0 
.text     acea12ax.SYS                                                                                                                    B6D7C386 35 Bytes  [00, 00, 00, 00, 00, 00, 20, ...]
.text     acea12ax.SYS                                                                                                                    B6D7C3AA 24 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]
.text     acea12ax.SYS                                                                                                                    B6D7C3C4 3 Bytes  [00, 80, 02]
.text     acea12ax.SYS                                                                                                                    B6D7C3C9 1 Byte  [30]
.text     acea12ax.SYS                                                                                                                    B6D7C3C9 11 Bytes  [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text     ...                                                                                                                             
init      C:\WINDOWS\system32\drivers\monfilt.sys                                                                                         entry point in "init" section [0xB4982280]
page      C:\WINDOWS\System32\Drivers\oz776.sys                                                                                           entry point in "page" section [0xB82E2E34]
.text     C:\WINDOWS\system32\DRIVERS\atksgt.sys                                                                                          section is writeable [0xB3BC5300, 0x3AF78, 0xE8000020]
.text     C:\WINDOWS\system32\DRIVERS\lirsgt.sys                                                                                          section is writeable [0xB8480300, 0x1BCE, 0xE8000020]
?         C:\WINDOWS\system32\Drivers\PROCEXP113.SYS                                                                                      The system cannot find the file specified. !
?         C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys                                                                                  The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtCreateFile + 6                                                          7C90D096 4 Bytes  [28, 00, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtCreateFile + B                                                          7C90D09B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtMapViewOfSection + 6                                                    7C90D506 1 Byte  [28]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtMapViewOfSection + 6                                                    7C90D506 4 Bytes  [28, 03, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtMapViewOfSection + B                                                    7C90D50B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenFile + 6                                                            7C90D586 4 Bytes  [68, 00, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenFile + B                                                            7C90D58B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenProcess + 6                                                         7C90D5E6 4 Bytes  [A8, 01, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenProcess + B                                                         7C90D5EB 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenProcessToken + 6                                                    7C90D5F6 4 Bytes  CALL 7B90EBFC 
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenProcessToken + B                                                    7C90D5FB 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenProcessTokenEx + 6                                                  7C90D606 4 Bytes  [A8, 02, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenProcessTokenEx + B                                                  7C90D60B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenThread + 6                                                          7C90D646 4 Bytes  [68, 01, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenThread + B                                                          7C90D64B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenThreadToken + 6                                                     7C90D656 4 Bytes  [68, 02, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenThreadToken + B                                                     7C90D65B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenThreadTokenEx + 6                                                   7C90D666 4 Bytes  CALL 7B90EC6D 
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenThreadTokenEx + B                                                   7C90D66B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtQueryAttributesFile + 6                                                 7C90D6F6 4 Bytes  [A8, 00, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtQueryAttributesFile + B                                                 7C90D6FB 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtQueryFullAttributesFile + 6                                             7C90D796 4 Bytes  CALL 7B90ED9B 
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtQueryFullAttributesFile + B                                             7C90D79B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtSetInformationFile + 6                                                  7C90DC46 4 Bytes  [28, 01, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtSetInformationFile + B                                                  7C90DC4B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtSetInformationThread + 6                                                7C90DC96 4 Bytes  [28, 02, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtSetInformationThread + B                                                7C90DC9B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtUnmapViewOfSection + 6                                                  7C90DEF6 1 Byte  [68]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtUnmapViewOfSection + 6                                                  7C90DEF6 4 Bytes  [68, 03, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtUnmapViewOfSection + B                                                  7C90DEFB 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtCreateFile + 6                                                          7C90D096 4 Bytes  [28, 00, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtCreateFile + B                                                          7C90D09B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtMapViewOfSection + 6                                                    7C90D506 1 Byte  [28]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtMapViewOfSection + 6                                                    7C90D506 4 Bytes  [28, 03, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtMapViewOfSection + B                                                    7C90D50B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenFile + 6                                                            7C90D586 4 Bytes  [68, 00, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenFile + B                                                            7C90D58B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenProcess + 6                                                         7C90D5E6 4 Bytes  [A8, 01, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenProcess + B                                                         7C90D5EB 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenProcessToken + 6                                                    7C90D5F6 4 Bytes  CALL 7B90EBFC 
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenProcessToken + B                                                    7C90D5FB 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenProcessTokenEx + 6                                                  7C90D606 4 Bytes  [A8, 02, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenProcessTokenEx + B                                                  7C90D60B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenThread + 6                                                          7C90D646 4 Bytes  [68, 01, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenThread + B                                                          7C90D64B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenThreadToken + 6                                                     7C90D656 4 Bytes  [68, 02, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenThreadToken + B                                                     7C90D65B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenThreadTokenEx + 6                                                   7C90D666 4 Bytes  CALL 7B90EC6D 
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenThreadTokenEx + B                                                   7C90D66B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtQueryAttributesFile + 6                                                 7C90D6F6 4 Bytes  [A8, 00, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtQueryAttributesFile + B                                                 7C90D6FB 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtQueryFullAttributesFile + 6                                             7C90D796 4 Bytes  CALL 7B90ED9B 
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtQueryFullAttributesFile + B                                             7C90D79B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtSetInformationFile + 6                                                  7C90DC46 4 Bytes  [28, 01, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtSetInformationFile + B                                                  7C90DC4B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtSetInformationThread + 6                                                7C90DC96 4 Bytes  [28, 02, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtSetInformationThread + B                                                7C90DC9B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtUnmapViewOfSection + 6                                                  7C90DEF6 1 Byte  [68]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtUnmapViewOfSection + 6                                                  7C90DEF6 4 Bytes  [68, 03, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtUnmapViewOfSection + B                                                  7C90DEFB 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtCreateFile + 6                                                          7C90D096 4 Bytes  [28, 00, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtCreateFile + B                                                          7C90D09B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtMapViewOfSection + 6                                                    7C90D506 1 Byte  [28]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtMapViewOfSection + 6                                                    7C90D506 4 Bytes  [28, 03, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtMapViewOfSection + B                                                    7C90D50B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenFile + 6                                                            7C90D586 4 Bytes  [68, 00, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenFile + B                                                            7C90D58B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenProcess + 6                                                         7C90D5E6 4 Bytes  [A8, 01, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenProcess + B                                                         7C90D5EB 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenProcessToken + 6                                                    7C90D5F6 4 Bytes  CALL 7B90EBFC 
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenProcessToken + B                                                    7C90D5FB 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenProcessTokenEx + 6                                                  7C90D606 4 Bytes  [A8, 02, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenProcessTokenEx + B                                                  7C90D60B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenThread + 6                                                          7C90D646 4 Bytes  [68, 01, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenThread + B                                                          7C90D64B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenThreadToken + 6                                                     7C90D656 4 Bytes  [68, 02, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenThreadToken + B                                                     7C90D65B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenThreadTokenEx + 6                                                   7C90D666 4 Bytes  CALL 7B90EC6D 
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenThreadTokenEx + B                                                   7C90D66B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtQueryAttributesFile + 6                                                 7C90D6F6 4 Bytes  [A8, 00, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtQueryAttributesFile + B                                                 7C90D6FB 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtQueryFullAttributesFile + 6                                             7C90D796 4 Bytes  CALL 7B90ED9B 
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtQueryFullAttributesFile + B                                             7C90D79B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtSetInformationFile + 6                                                  7C90DC46 4 Bytes  [28, 01, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtSetInformationFile + B                                                  7C90DC4B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtSetInformationThread + 6                                                7C90DC96 4 Bytes  [28, 02, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtSetInformationThread + B                                                7C90DC9B 1 Byte  [E2]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtUnmapViewOfSection + 6                                                  7C90DEF6 1 Byte  [68]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtUnmapViewOfSection + 6                                                  7C90DEF6 4 Bytes  [68, 03, 16, 00]
.text     C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtUnmapViewOfSection + B                                                  7C90DEFB 1 Byte  [E2]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT       atapi.sys[HAL.dll!READ_PORT_UCHAR]                                                                                              [B7EB6042] spmg.sys
IAT       atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]                                                                                      [B7EB613E] spmg.sys
IAT       atapi.sys[HAL.dll!READ_PORT_USHORT]                                                                                             [B7EB60C0] spmg.sys
IAT       atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                                                     [B7EB6800] spmg.sys
IAT       atapi.sys[HAL.dll!WRITE_PORT_UCHAR]                                                                                             [B7EB66D6] spmg.sys
IAT       \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]                                                              [B7EC5B90] spmg.sys
IAT       \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!KfAcquireSpinLock]                                                            18C4830E
IAT       \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!READ_PORT_UCHAR]                                                              1C959E88
IAT       \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!KeGetCurrentIrql]                                                             9E880000
IAT       \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!KfRaiseIrql]                                                                  00001CB1
IAT       \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!KfLowerIrql]                                                                  0E798366
IAT       \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!HalGetInterruptVector]                                                        74AAB000
IAT       \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!HalTranslateBusAddress]                                                       8986C636
IAT       \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!KeStallExecutionProcessor]                                                    1A00001C
IAT       \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!KfReleaseSpinLock]                                                            1C8B86C6
IAT       \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!READ_PORT_BUFFER_USHORT]                                                      C6020000
IAT       \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!READ_PORT_USHORT]                                                             001C9686
IAT       \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                     86C60200
IAT       \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!WRITE_PORT_UCHAR]                                                             00001CB2
IAT       \SystemRoot\System32\Drivers\acea12ax.SYS[WMILIB.SYS!WmiSystemControl]                                                          8800001C
IAT       \SystemRoot\System32\Drivers\acea12ax.SYS[WMILIB.SYS!WmiCompleteRequest]                                                        001CB99E

---- Devices - GMER 1.0.15 ----

Device    \FileSystem\Ntfs \Ntfs                                                                                                          8AD101F8
Device    \Driver\usbuhci \Device\USBPDO-0                                                                                                8A9C2500
Device    \Driver\usbuhci \Device\USBPDO-1                                                                                                8A9C2500
Device    \Driver\usbuhci \Device\USBPDO-2                                                                                                8A9C2500
Device    \Driver\usbuhci \Device\USBPDO-3                                                                                                8A9C2500
Device    \Driver\usbehci \Device\USBPDO-4                                                                                                8A9C1500
Device    \Driver\Ftdisk \Device\HarddiskVolume1                                                                                          8ACA21F8
Device    \Driver\Cdrom \Device\CdRom0                                                                                                    8AA13500
Device    \Driver\atapi \Device\Ide\IdePort0                                                                                              [B7E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device    \Driver\atapi \Device\Ide\IdePort0                                                                                              sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device    \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3                                                                                     [B7E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device    \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3                                                                                     sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device    \Driver\atapi \Device\Ide\IdePort1                                                                                              [B7E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device    \Driver\atapi \Device\Ide\IdePort1                                                                                              sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device    \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e                                                                                     [B7E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device    \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e                                                                                     sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device    \Driver\Cdrom \Device\CdRom1                                                                                                    8AA13500
Device    \Driver\NetBT \Device\NetBt_Wins_Export                                                                                         8AA8B500
Device    \Driver\NetBT \Device\NetbiosSmb                                                                                                8AA8B500
Device    \Driver\PCI_PNP2894 \Device\0000005d                                                                                            spmg.sys
Device    \Driver\sptd \Device\803007894                                                                                                  spmg.sys
Device    \Driver\usbuhci \Device\USBFDO-0                                                                                                8A9C2500
Device    \Driver\usbuhci \Device\USBFDO-1                                                                                                8A9C2500
Device    \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                                               8AA9A1F8
Device    \Driver\usbuhci \Device\USBFDO-2                                                                                                8A9C2500
Device    \FileSystem\MRxSmb \Device\LanmanRedirector                                                                                     8AA9A1F8
Device    \Driver\usbuhci \Device\USBFDO-3                                                                                                8A9C2500
Device    \Driver\usbehci \Device\USBFDO-4                                                                                                8A9C1500
Device    \Driver\Ftdisk \Device\FtControl                                                                                                8ACA21F8
Device    \Driver\acea12ax \Device\Scsi\acea12ax1Port2Path0Target0Lun0                                                                    8AAA0500
Device    \Driver\acea12ax \Device\Scsi\acea12ax1Port2Path0Target0Lun0                                                                    sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device    \Driver\acea12ax \Device\Scsi\acea12ax1                                                                                         8AAA0500
Device    \Driver\acea12ax \Device\Scsi\acea12ax1                                                                                         sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device    \FileSystem\Cdfs \Cdfs                                                                                                          8940F1F8

---- Registry - GMER 1.0.15 ----

Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                            
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                                 C:\Program Files\DAEMON Tools Lite\
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                                 0x00 0x00 0x00 0x00 ...
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                                 0
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                              0x85 0xAF 0xA3 0x10 ...
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)                   
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                                        0x20 0x01 0x00 0x00 ...
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                                     0xEC 0x25 0x5D 0x0E ...
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)              
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                                0x1D 0x45 0x6C 0x64 ...
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                            
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                                 C:\Program Files\DAEMON Tools Lite\
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                                 0x00 0x00 0x00 0x00 ...
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                                 0
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                              0x1A 0xDE 0x03 0x08 ...
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)                   
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                                        0x20 0x01 0x00 0x00 ...
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                                     0xEC 0x25 0x5D 0x0E ...
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)              
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                                0x1D 0x45 0x6C 0x64 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                                              771343423
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                                              285507792
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                                              1
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                                
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                             C:\Program Files\DAEMON Tools Lite\
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                             0x00 0x00 0x00 0x00 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                             0
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                          0x74 0xA8 0x30 0x19 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                                       
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                                    0x20 0x01 0x00 0x00 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                                 0xEC 0x25 0x5D 0x0E ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                                  
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                            0xAB 0xCE 0xCB 0x88 ...
Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                            
Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                                 C:\Program Files\DAEMON Tools Lite\
Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                                 0x00 0x00 0x00 0x00 ...
Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                                 0
Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                              0xEC 0x35 0x38 0xDF ...
Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)                   
Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                                        0x20 0x01 0x00 0x00 ...
Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                                     0xEC 0x25 0x5D 0x0E ...
Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)              
Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                                0x9A 0x2A 0x36 0xF8 ...

---- Disk sectors - GMER 1.0.15 ----

Disk      \Device\Harddisk0\DR0                                                                                                           MBR read error
Disk      \Device\Harddisk0\DR0                                                                                                           MBR BIOS signature not found 0

---- EOF - GMER 1.0.15 ----

I hope this helps you

#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,707 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:50 AM

Posted 07 July 2011 - 07:04 PM

Please repost all logs without wrapping them in code.



#5 dworblack

dworblack
  • Topic Starter

  • Members
  • 19 posts
  • Local time:01:50 PM

Posted 08 July 2011 - 04:37 PM

Okay,

Sec Check
Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Malwarebytes' Anti-Malware
Java™ 6 Update 26
Out of date Java installed!
Adobe Flash Player 10.3.181.26
Adobe Reader 8.3.0
Out of date Adobe Reader installed!
Mozilla Firefox (x86 en-US..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
``````````End of Log````````````


Minitool box
MiniToolBox by Farbar
Ran by Administrator (administrator) on 07-07-2011 at 01:00:40
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ========================
=============== Hosts content: ============================================

127.0.0.1 localhost

=============== End of Hosts ==============================================

================= IP Configuration: =======================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : Postal

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller

Physical Address. . . . . . . . . : 00-15-C5-54-0D-4D

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.3

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 192.168.1.1

Lease Obtained. . . . . . . . . . : July 6, 2011 3:19:08 PM

Lease Expires . . . . . . . . . . : July 7, 2011 3:19:08 PM

Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.91.105, 74.125.91.147, 74.125.91.104, 74.125.91.103
74.125.91.99, 74.125.91.106



Pinging google.com [74.125.91.104] with 32 bytes of data:



Reply from 74.125.91.104: bytes=32 time=44ms TTL=52

Reply from 74.125.91.104: bytes=32 time=41ms TTL=52



Ping statistics for 74.125.91.104:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 41ms, Maximum = 44ms, Average = 42ms

Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 69.147.125.65, 72.30.2.43, 98.137.149.56, 209.191.122.70
67.195.160.76



Pinging yahoo.com [72.30.2.43] with 32 bytes of data:



Reply from 72.30.2.43: bytes=32 time=97ms TTL=53

Reply from 72.30.2.43: bytes=32 time=96ms TTL=53



Ping statistics for 72.30.2.43:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 96ms, Maximum = 97ms, Average = 96ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 15 c5 54 0d 4d ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.3 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 20
192.168.1.3 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 20
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 20
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

================= End of IP Configuration =================================

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/06/2011 02:01:02 AM) (Source: Application Error) (User: )
Description: Faulting application teatimer.exe, version 1.6.6.32, faulting module kernel32.dll, version 5.1.2600.5512, fault address 0x00012aeb.
Processing media-specific event for [teatimer.exe!ws!]

Error: (06/21/2011 05:16:34 PM) (Source: Application Error) (User: )
Description: Faulting application skype.exe, version 5.3.0.120, faulting module skype.exe, version 5.3.0.120, fault address 0x005183e8.
Processing media-specific event for [skype.exe!ws!]

Error: (06/20/2011 09:21:29 PM) (Source: Application Error) (User: )
Description: Faulting application skype.exe, version 5.3.0.111, faulting module skype.exe, version 5.3.0.111, fault address 0x0018ec62.
Processing media-specific event for [skype.exe!ws!]

Error: (06/07/2011 00:12:29 PM) (Source: Application Error) (User: )
Description: Faulting application skype.exe, version 5.3.0.111, faulting module skype.exe, version 5.3.0.111, fault address 0x005dd938.
Processing media-specific event for [skype.exe!ws!]

Error: (06/07/2011 06:36:17 AM) (Source: Application Error) (User: )
Description: Faulting application skype.exe, version 5.3.0.111, faulting module skype.exe, version 5.3.0.111, fault address 0x005dd938.
Processing media-specific event for [skype.exe!ws!]

Error: (05/31/2011 09:14:44 PM) (Source: Application Error) (User: )
Description: Faulting application left4dead.exe, version 0.0.0.0, faulting module studiorender.dll, version 0.0.0.0, fault address 0x0000d128.
Processing media-specific event for [left4dead.exe!ws!]

Error: (05/01/2011 10:48:03 PM) (Source: Application Hang) (User: )
Description: Hanging application Setup.exe, version 1.0.0.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (04/27/2011 07:43:17 PM) (Source: Application Error) (User: )
Description: Faulting application hl2.exe, version 0.0.0.0, faulting module materialsystem.dll, version 0.0.0.0, fault address 0x0000ab06.
Processing media-specific event for [hl2.exe!ws!]

Error: (04/26/2011 02:37:11 AM) (Source: Application Error) (User: )
Description: Faulting application hl2.exe, version 0.0.0.0, faulting module materialsystem.dll, version 0.0.0.0, fault address 0x0000ab06.
Processing media-specific event for [hl2.exe!ws!]

Error: (04/26/2011 02:20:54 AM) (Source: Application Error) (User: )
Description: Faulting application hl2.exe, version 0.0.0.0, faulting module client.dll, version 0.0.0.0, fault address 0x000d1375.
Processing media-specific event for [hl2.exe!ws!]


System errors:
=============
Error: (07/02/2011 06:01:11 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.3 for the Network Card with network address 0015C5540D4D has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (06/30/2011 05:57:13 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.3 for the Network Card with network address 0015C5540D4D has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (06/28/2011 05:53:00 AM) (Source: Dhcp) (User: )
Description: The IP address lease 99.236.74.7 for the Network Card with network address 0015C5540D4D has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (06/21/2011 05:15:56 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.3 for the Network Card with network address 0015C5540D4D has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (06/19/2011 00:13:03 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the libusbd service.

Error: (06/14/2011 04:53:24 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (06/14/2011 04:53:00 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
APPDRV
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
PSSDK42
RasAcd
Rdbss
Tcpip

Error: (06/14/2011 04:53:00 PM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Error: (06/14/2011 04:53:00 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
%%31

Error: (06/14/2011 04:53:00 PM) (Source: Service Control Manager) (User: )
Description: The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31


Microsoft Office Sessions:
=========================
Error: (07/06/2011 02:01:02 AM) (Source: Application Error)(User: )
Description: teatimer.exe1.6.6.32kernel32.dll5.1.2600.551200012aeb

Error: (06/21/2011 05:16:34 PM) (Source: Application Error)(User: )
Description: skype.exe5.3.0.120skype.exe5.3.0.120005183e8

Error: (06/20/2011 09:21:29 PM) (Source: Application Error)(User: )
Description: skype.exe5.3.0.111skype.exe5.3.0.1110018ec62

Error: (06/07/2011 00:12:29 PM) (Source: Application Error)(User: )
Description: skype.exe5.3.0.111skype.exe5.3.0.111005dd938

Error: (06/07/2011 06:36:17 AM) (Source: Application Error)(User: )
Description: skype.exe5.3.0.111skype.exe5.3.0.111005dd938

Error: (05/31/2011 09:14:44 PM) (Source: Application Error)(User: )
Description: left4dead.exe0.0.0.0studiorender.dll0.0.0.00000d128

Error: (05/01/2011 10:48:03 PM) (Source: Application Hang)(User: )
Description: Setup.exe1.0.0.1hungapp0.0.0.000000000

Error: (04/27/2011 07:43:17 PM) (Source: Application Error)(User: )
Description: hl2.exe0.0.0.0materialsystem.dll0.0.0.00000ab06

Error: (04/26/2011 02:37:11 AM) (Source: Application Error)(User: )
Description: hl2.exe0.0.0.0materialsystem.dll0.0.0.00000ab06

Error: (04/26/2011 02:20:54 AM) (Source: Application Error)(User: )
Description: hl2.exe0.0.0.0client.dll0.0.0.0000d1375


========================= End of Event log errors =========================

========================= Memory info: ====================================

Percentage of memory in use: 51%
Total physical RAM: 2046.39 MB
Available physical RAM: 991.86 MB
Total Pagefile: 3938.81 MB
Available Pagefile: 3107.97 MB
Total Virtual: 2047.88 MB
Available Virtual: 1999.38 MB

======================= Partitions: =======================================

1 Drive c: () (Fixed) (Total:93.16 GB) (Free:2.42 GB) NTFS
3 Drive e: (RSHIELD_CD2) (CDROM) (Total:0.66 GB) (Free:0 GB) CDFS

================= Users: ==================================================

User accounts for \\POSTAL

-------------------------------------------------------------------------------
Administrator Guest HelpAssistant
SUPPORT_388945a0
The command completed successfully.

================= End of Users ============================================


Malwarebytes,

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7032

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

07/07/2011 1:04:48 AM
mbam-log-2011-07-07 (01-04-48).txt

Scan type: Quick scan
Objects scanned: 145426
Time elapsed: 2 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

and finally,

Gmer,
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-07 01:26:23
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 Hitachi_HTS721010G9SA00 rev.MCZOC10H
Running: 9bzsnjy6.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwtdapow.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xB811887E]
SSDT spmg.sys ZwEnumerateKey [0xB7ECDDA4]
SSDT spmg.sys ZwEnumerateValueKey [0xB7ECE132]
SSDT spmg.sys ZwOpenKey [0xB7EB50C0]
SSDT spmg.sys ZwQueryKey [0xB7ECE20A]
SSDT spmg.sys ZwQueryValueKey [0xB7ECE08A]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xB8118BFE]
SSDT \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA56ED620]

INT 0x62 ? 8AD11BF8
INT 0x74 ? 8AA7FF00
INT 0x82 ? 8AD11BF8
INT 0x84 ? 8AA7FF00
INT 0x94 ? 8AA7FF00

Code \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? spmg.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6ED4360, 0x33AACD, 0xE8000020]
.text USBPORT.SYS!DllUnload B6E698AC 5 Bytes JMP 8AA7F4E0
.text acea12ax.SYS B6D7C386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text acea12ax.SYS B6D7C3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text acea12ax.SYS B6D7C3C4 3 Bytes [00, 80, 02]
.text acea12ax.SYS B6D7C3C9 1 Byte [30]
.text acea12ax.SYS B6D7C3C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
init C:\WINDOWS\system32\drivers\monfilt.sys entry point in "init" section [0xB4982280]
page C:\WINDOWS\System32\Drivers\oz776.sys entry point in "page" section [0xB82E2E34]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB3BC5300, 0x3AF78, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB8480300, 0x1BCE, 0xE8000020]
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtCreateFile + 6 7C90D096 4 Bytes [28, 00, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtCreateFile + B 7C90D09B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtMapViewOfSection + 6 7C90D506 1 Byte [28]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtMapViewOfSection + 6 7C90D506 4 Bytes [28, 03, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtMapViewOfSection + B 7C90D50B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenFile + 6 7C90D586 4 Bytes [68, 00, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenFile + B 7C90D58B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenProcess + 6 7C90D5E6 4 Bytes [A8, 01, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenProcess + B 7C90D5EB 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenProcessToken + 6 7C90D5F6 4 Bytes CALL 7B90EBFC
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenProcessToken + B 7C90D5FB 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D606 4 Bytes [A8, 02, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenProcessTokenEx + B 7C90D60B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenThread + 6 7C90D646 4 Bytes [68, 01, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenThread + B 7C90D64B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenThreadToken + 6 7C90D656 4 Bytes [68, 02, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenThreadToken + B 7C90D65B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D666 4 Bytes CALL 7B90EC6D
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtOpenThreadTokenEx + B 7C90D66B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtQueryAttributesFile + 6 7C90D6F6 4 Bytes [A8, 00, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtQueryAttributesFile + B 7C90D6FB 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D796 4 Bytes CALL 7B90ED9B
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtQueryFullAttributesFile + B 7C90D79B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtSetInformationFile + 6 7C90DC46 4 Bytes [28, 01, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtSetInformationFile + B 7C90DC4B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtSetInformationThread + 6 7C90DC96 4 Bytes [28, 02, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtSetInformationThread + B 7C90DC9B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtUnmapViewOfSection + 6 7C90DEF6 1 Byte [68]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtUnmapViewOfSection + 6 7C90DEF6 4 Bytes [68, 03, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2092] ntdll.dll!NtUnmapViewOfSection + B 7C90DEFB 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtCreateFile + 6 7C90D096 4 Bytes [28, 00, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtCreateFile + B 7C90D09B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtMapViewOfSection + 6 7C90D506 1 Byte [28]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtMapViewOfSection + 6 7C90D506 4 Bytes [28, 03, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtMapViewOfSection + B 7C90D50B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenFile + 6 7C90D586 4 Bytes [68, 00, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenFile + B 7C90D58B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenProcess + 6 7C90D5E6 4 Bytes [A8, 01, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenProcess + B 7C90D5EB 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenProcessToken + 6 7C90D5F6 4 Bytes CALL 7B90EBFC
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenProcessToken + B 7C90D5FB 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D606 4 Bytes [A8, 02, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenProcessTokenEx + B 7C90D60B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenThread + 6 7C90D646 4 Bytes [68, 01, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenThread + B 7C90D64B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenThreadToken + 6 7C90D656 4 Bytes [68, 02, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenThreadToken + B 7C90D65B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D666 4 Bytes CALL 7B90EC6D
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtOpenThreadTokenEx + B 7C90D66B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtQueryAttributesFile + 6 7C90D6F6 4 Bytes [A8, 00, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtQueryAttributesFile + B 7C90D6FB 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D796 4 Bytes CALL 7B90ED9B
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtQueryFullAttributesFile + B 7C90D79B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtSetInformationFile + 6 7C90DC46 4 Bytes [28, 01, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtSetInformationFile + B 7C90DC4B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtSetInformationThread + 6 7C90DC96 4 Bytes [28, 02, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtSetInformationThread + B 7C90DC9B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtUnmapViewOfSection + 6 7C90DEF6 1 Byte [68]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtUnmapViewOfSection + 6 7C90DEF6 4 Bytes [68, 03, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[2400] ntdll.dll!NtUnmapViewOfSection + B 7C90DEFB 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtCreateFile + 6 7C90D096 4 Bytes [28, 00, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtCreateFile + B 7C90D09B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtMapViewOfSection + 6 7C90D506 1 Byte [28]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtMapViewOfSection + 6 7C90D506 4 Bytes [28, 03, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtMapViewOfSection + B 7C90D50B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenFile + 6 7C90D586 4 Bytes [68, 00, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenFile + B 7C90D58B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenProcess + 6 7C90D5E6 4 Bytes [A8, 01, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenProcess + B 7C90D5EB 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenProcessToken + 6 7C90D5F6 4 Bytes CALL 7B90EBFC
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenProcessToken + B 7C90D5FB 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D606 4 Bytes [A8, 02, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenProcessTokenEx + B 7C90D60B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenThread + 6 7C90D646 4 Bytes [68, 01, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenThread + B 7C90D64B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenThreadToken + 6 7C90D656 4 Bytes [68, 02, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenThreadToken + B 7C90D65B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D666 4 Bytes CALL 7B90EC6D
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtOpenThreadTokenEx + B 7C90D66B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtQueryAttributesFile + 6 7C90D6F6 4 Bytes [A8, 00, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtQueryAttributesFile + B 7C90D6FB 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D796 4 Bytes CALL 7B90ED9B
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtQueryFullAttributesFile + B 7C90D79B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtSetInformationFile + 6 7C90DC46 4 Bytes [28, 01, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtSetInformationFile + B 7C90DC4B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtSetInformationThread + 6 7C90DC96 4 Bytes [28, 02, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtSetInformationThread + B 7C90DC9B 1 Byte [E2]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtUnmapViewOfSection + 6 7C90DEF6 1 Byte [68]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtUnmapViewOfSection + 6 7C90DEF6 4 Bytes [68, 03, 16, 00]
.text C:\Program Files\SRWare Iron\iron.exe[3084] ntdll.dll!NtUnmapViewOfSection + B 7C90DEFB 1 Byte [E2]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EB6042] spmg.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EB613E] spmg.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EB60C0] spmg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EB6800] spmg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EB66D6] spmg.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EC5B90] spmg.sys
IAT \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88
IAT \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!KfRaiseIrql] 00001CB1
IAT \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!HalTranslateBusAddress] 8986C636
IAT \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6
IAT \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!READ_PORT_USHORT] 001C9686
IAT \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\acea12ax.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2
IAT \SystemRoot\System32\Drivers\acea12ax.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\acea12ax.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AD101F8
Device \Driver\usbuhci \Device\USBPDO-0 8A9C2500
Device \Driver\usbuhci \Device\USBPDO-1 8A9C2500
Device \Driver\usbuhci \Device\USBPDO-2 8A9C2500
Device \Driver\usbuhci \Device\USBPDO-3 8A9C2500
Device \Driver\usbehci \Device\USBPDO-4 8A9C1500
Device \Driver\Ftdisk \Device\HarddiskVolume1 8ACA21F8
Device \Driver\Cdrom \Device\CdRom0 8AA13500
Device \Driver\atapi \Device\Ide\IdePort0 [B7E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B7E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 [B7E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B7E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\Cdrom \Device\CdRom1 8AA13500
Device \Driver\NetBT \Device\NetBt_Wins_Export 8AA8B500
Device \Driver\NetBT \Device\NetbiosSmb 8AA8B500
Device \Driver\PCI_PNP2894 \Device\0000005d spmg.sys
Device \Driver\sptd \Device\803007894 spmg.sys
Device \Driver\usbuhci \Device\USBFDO-0 8A9C2500
Device \Driver\usbuhci \Device\USBFDO-1 8A9C2500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8AA9A1F8
Device \Driver\usbuhci \Device\USBFDO-2 8A9C2500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8AA9A1F8
Device \Driver\usbuhci \Device\USBFDO-3 8A9C2500
Device \Driver\usbehci \Device\USBFDO-4 8A9C1500
Device \Driver\Ftdisk \Device\FtControl 8ACA21F8
Device \Driver\acea12ax \Device\Scsi\acea12ax1Port2Path0Target0Lun0 8AAA0500
Device \Driver\acea12ax \Device\Scsi\acea12ax1Port2Path0Target0Lun0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\acea12ax \Device\Scsi\acea12ax1 8AAA0500
Device \Driver\acea12ax \Device\Scsi\acea12ax1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \FileSystem\Cdfs \Cdfs 8940F1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x85 0xAF 0xA3 0x10 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xEC 0x25 0x5D 0x0E ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1D 0x45 0x6C 0x64 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1A 0xDE 0x03 0x08 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xEC 0x25 0x5D 0x0E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1D 0x45 0x6C 0x64 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x74 0xA8 0x30 0x19 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xEC 0x25 0x5D 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xAB 0xCE 0xCB 0x88 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xEC 0x35 0x38 0xDF ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xEC 0x25 0x5D 0x0E ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9A 0x2A 0x36 0xF8 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 MBR read error
Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0

---- EOF - GMER 1.0.15 ----


I hope this helps you.

#6 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,707 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:50 AM

Posted 08 July 2011 - 04:52 PM

I don't see any AV program running.
Please download and install one of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
Update, run full scan, report on any findings.

==============================================

Download and run HAMeb_check.exe
Post the contents of the resulting log.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif

#7 dworblack

dworblack
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:01:50 PM

Posted 08 July 2011 - 05:00 PM

Here's the HAMeb_check log:

C:\Documents and Settings\Administrator\My Documents\Downloads\HAMeb_check.exe
08/07/2011 at 17:54:15.46

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll sfsync02.sys atapi.sys spmg.sys >>UNKNOWN [0x8ACC2938]<<
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 9 !
copy of MBR has been found in sector 0x0BA50E41

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"5916:TCP"=5916:TCP:*:Enabled:Services
"3708:TCP"=3708:TCP:*:Enabled:Services
"2587:TCP"=2587:TCP:*:Enabled:Services
"3674:TCP"=3674:TCP:*:Enabled:Services
"5618:TCP"=5618:TCP:*:Enabled:Services
"9736:TCP"=9736:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"5916:TCP"=5916:TCP:*:Enabled:Services
"3708:TCP"=3708:TCP:*:Enabled:Services
"2587:TCP"=2587:TCP:*:Enabled:Services
"3674:TCP"=3674:TCP:*:Enabled:Services
"9736:TCP"=9736:TCP:*:Enabled:Services
"5618:TCP"=5618:TCP:*:Enabled:Services


~~ EOF ~~

Performing a full scan with Avast as we speak.

#8 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,707 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:50 AM

Posted 08 July 2011 - 05:04 PM

OK....


#9 dworblack

dworblack
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:01:50 PM

Posted 08 July 2011 - 06:25 PM

Avast came up as clean except for one PUP:

Win32:MIRC-Z, for a copy of mIRC I installed. I quarantined it just to be safe...

Other than that, a clean bill of health from an Avast full scan.

#10 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,707 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:50 AM

Posted 08 July 2011 - 06:30 PM

Good :)

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".


#11 dworblack

dworblack
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:01:50 PM

Posted 08 July 2011 - 06:38 PM

Done,

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB6ED4000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 6254592 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 179.48 )
0xBD012000 C:\WINDOWS\System32\nv4_disp.dll 6070272 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 179.48 )
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1847296 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1847296 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB48C6000 C:\WINDOWS\system32\drivers\monfilt.sys 1392640 bytes (Creative Technology Ltd., Creative WDM Audio Driver (32-bit))
0xB4A1A000 C:\WINDOWS\system32\drivers\sthda.sys 1171456 bytes (SigmaTel, Inc., NDRC)
0xB4795000 C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys 1011712 bytes (Conexant Systems, Inc., HSF_DP driver)
0xB7EB4000 PCI_PNP2894 995328 bytes
0xB7EB4000 spmg.sys 995328 bytes
0xB7EB4000 sptd 995328 bytes
0xB6CB0000 C:\WINDOWS\system32\DRIVERS\btkrnl.sys 835584 bytes (Broadcom Corporation., Bluetooth Bus Enumerator)
0xB46DF000 C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys 745472 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xB7D3D000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB44F8000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB6BD2000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB462B000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB3B23000 C:\WINDOWS\system32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0xB6DD8000 C:\WINDOWS\system32\DRIVERS\rixdptsk.sys 331776 bytes (REDC, RICOH XD SM Driver)
0xB6B84000 C:\WINDOWS\system32\drivers\btaudio.sys 319488 bytes (Broadcom Corporation., Bluetooth Audio Device)
0x8E4E5000 C:\WINDOWS\System32\Drivers\aswSP.SYS 303104 bytes (AVAST Software, avast! self protection module)
0xB3BC5000 C:\WINDOWS\system32\DRIVERS\atksgt.sys 274432 bytes
0xB30BF000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB488C000 C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys 237568 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0xB6D7C000 C:\WINDOWS\System32\Drivers\acea12ax.SYS 233472 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB347E000 C:\WINDOWS\system32\DRIVERS\ctoss2k.sys 196608 bytes (Creative Technology Ltd., Creative OS Services Driver (WDM))
0xB6C58000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB7E6E000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB3C08000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB7D10000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB249A000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xB4590000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB440E000 C:\WINDOWS\system32\DRIVERS\V0350Vid.sys 172032 bytes (Creative Technology Ltd., Video Capture Device Driver)
0xB6E98000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB4603000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB34AE000 C:\WINDOWS\system32\drivers\ctusfsyn.sys 159744 bytes (Creative Technology Ltd., Creative SoundFont Synthesizer)
0xB3458000 C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys 155648 bytes (Creative Technology Ltd, SoundFont® Manager (WDM))
0xB45DD000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB6B60000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB6E51000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xA3B20000 C:\WINDOWS\system32\DRIVERS\b57xp32.sys 143360 bytes (Broadcom Corporation, Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver.)
0xB6DB5000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB3650000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0xB45BB000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xA56E3000 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB7E06000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB7E3E000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB7CE5000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xA3B43000 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwtdapow.sys 102400 bytes
0xB7E26000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB43F6000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB7E9C000 C:\WINDOWS\System32\Drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0x8E52F000 C:\WINDOWS\System32\Drivers\aswMon2.SYS 94208 bytes (AVAST Software, avast! File System Filter Driver for Windows XP)
0xB7DDD000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB6C99000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB35EB000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB6E29000 C:\WINDOWS\system32\DRIVERS\rimsptsk.sys 81920 bytes (REDC, RICOH MS Driver)
0xB6E3D000 C:\WINDOWS\system32\DRIVERS\sdbus.sys 81920 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0xB6EC0000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB4684000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xB7DCA000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBD000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB7DF4000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB7E5D000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB6C88000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB7CFF000 sfdrv01.sys 69632 bytes (Protection Technology, StarForce Protection Environment Driver)
0xB82C8000 C:\WINDOWS\System32\Drivers\btwusb.sys 65536 bytes (Broadcom Corporation., Driver for Bluetooth USB Devices)
0xB82F8000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xB81B8000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xB8168000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xB80A8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xB8228000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xB753B000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB8118000 Lbd.sys 61440 bytes (Lavasoft AB, Boot Driver)
0xB81C8000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB3A7B000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xB82B8000 C:\WINDOWS\system32\drivers\usbaudio.sys 61440 bytes (Microsoft Corporation, USB Audio Class Driver)
0xB8138000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xB80B8000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xB82D8000 C:\WINDOWS\System32\Drivers\oz776.sys 57344 bytes (O2Micro, O2Micro USB CCID SmartCard Reader)
0xB8188000 C:\WINDOWS\system32\DRIVERS\rimmptsk.sys 57344 bytes (REDC, RICOH MMC Driver)
0xB8108000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xB8198000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xB8258000 C:\WINDOWS\system32\drivers\libusb0.sys 53248 bytes (http://libusb-win32.sourceforge.net, LibUSB-Win32 - Kernel Driver)
0xB8238000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xB80E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xB8208000 C:\WINDOWS\system32\Drivers\pssdk42.sys 49152 bytes (microOLAP Technologies LTD, PSSDK Driver Protocol v4.2 32bit)
0xB8288000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB8248000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xB81A8000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xB80D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xB8268000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xB80C8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB750B000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB754B000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xA0C64000 C:\WINDOWS\System32\Drivers\aswTdi.SYS 36864 bytes (AVAST Software, avast! TDI Filter Driver)
0x8F1E4000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xB80F8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xB8298000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xB74FB000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xB23FA000 C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 36864 bytes (Microsoft Corporation, IP FILTER DRIVER)
0xB82A8000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xB8218000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB81F8000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xB83C8000 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys 32768 bytes
0xB8398000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xB83F8000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xB8340000 sfhlp02.sys 32768 bytes (Protection Technology, StarForce Protection Helper Driver)
0xB8400000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xB8448000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xB83E0000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xB8328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xACD8A000 C:\WINDOWS\System32\Drivers\Aavmker4.SYS 24576 bytes (AVAST Software, avast! Base Kernel-Mode Device Driver for Windows NT/2000/XP)
0xB8478000 C:\WINDOWS\system32\drivers\btserial.sys 24576 bytes (Broadcom Corporation., Bluetooth Serial Driver for Windows 2000)
0xB8458000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xB2172000 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys 24576 bytes
0xB8450000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xACDBA000 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xB8338000 sfsync02.sys 24576 bytes (Protection Technology, StarForce Protection Synchronization Driver)
0xB83B8000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)
0xB8440000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xB83E8000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB83D8000 C:\WINDOWS\System32\Drivers\aswRdr.SYS 20480 bytes (AVAST Software, avast! TDI RDR Driver)
0xB8480000 C:\WINDOWS\system32\DRIVERS\lirsgt.sys 20480 bytes
0xB83F0000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xB8330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xB8378000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xB8380000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xB83D0000 C:\WINDOWS\system32\SAVRKBootTasks.sys 20480 bytes (Sophos Plc, Sophos boot tasks for Windows 2000)
0xB8358000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xB8418000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB6C40000 C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS 16384 bytes (Dell Inc, App Support Driver)
0xB84C0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xB858C000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xB6C44000 C:\WINDOWS\system32\drivers\fanio.sys 16384 bytes (Christian Diefer, I8k Fan I/O)
0xB46CB000 C:\WINDOWS\system32\drivers\mbam.sys 16384 bytes (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
0xB3C45000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface DRIVER)
0xB7C84000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB3F61000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB6B54000 C:\WINDOWS\System32\Drivers\SMCLIB.SYS 16384 bytes (Microsoft Corporation, Smard Card Driver Library)
0xB3BB9000 C:\WINDOWS\System32\Drivers\aswFsBlk.SYS 12288 bytes (AVAST Software, avast! File System Access Blocking Driver)
0xB84B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB84BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xB46CF000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB6C30000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB6B5C000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB7CB1000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB8590000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB8588000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xB866A000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xB85CC000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xB8668000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xB85A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xB866C000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xB85FA000 C:\WINDOWS\system32\drivers\MSPCLOCK.sys 8192 bytes (Microsoft Corporation, MS Proxy Clock)
0xB864E000 C:\WINDOWS\system32\drivers\MSPQM.sys 8192 bytes (Microsoft Corporation, MS Proxy Quality Manager)
0xB214A000 C:\WINDOWS\system32\Drivers\PROCEXP113.SYS 8192 bytes
0xB866E000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xA7041000 C:\WINDOWS\system32\DRIVERS\s1018cm.sys 8192 bytes (MCCI Corporation, Windows 2000/XP support functions)
0xB862E000 C:\WINDOWS\system32\DRIVERS\s1018wh.sys 8192 bytes (MCCI Corporation, Windows 2000/XP support functions)
0xB85AC000 speedfan.sys 8192 bytes
0xB85CA000 C:\WINDOWS\system32\drivers\splitter.sys 8192 bytes (Microsoft Corporation, Microsoft Kernel Audio Splitter)
0xB8640000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xB8660000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xB85B4000 C:\WINDOWS\system32\DRIVERS\V0350VFx.sys 8192 bytes (EyePower Games Pte. Ltd., Advanced Video FX Filter Driver (Win2K based))
0xB85AA000 C:\WINDOWS\System32\Drivers\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xB86C4000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xB8777000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xB8671000 giveio.sys 4096 bytes
0xB8758000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xB8670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xB8683000 C:\WINDOWS\system32\DRIVERS\s1018cr.sys 4096 bytes (MCCI Corporation, Ericsson Mobile Platform S1018 USB WMC Extended Ethernet (WDM class registry for Windows 2000))
0x8AD101F8 unknown_irp_handler 3592 bytes
0x8ACA21F8 unknown_irp_handler 3592 bytes
0x8AA9A1F8 unknown_irp_handler 3592 bytes
0x8940F1F8 unknown_irp_handler 3592 bytes
0x8AAA0500 unknown_irp_handler 2816 bytes
0x8AA13500 unknown_irp_handler 2816 bytes
0x8A9C2500 unknown_irp_handler 2816 bytes
0x8AA8B500 unknown_irp_handler 2816 bytes
0x8A9C1500 unknown_irp_handler 2816 bytes
==============================================
>Stealth
==============================================
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\sptd.sys]
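As an added example (not code from the thread or from Rootkit Unhooker), here is a small triage script for a driver listing in the RkU ">Drivers" format above. It parses each line into base address, image name, size and the vendor/description string, then flags what an analyst would look at first: drivers loaded from a Temp directory, drivers with no vendor or description at all, and the `unknown_irp_handler` entries. The `KNOWN_TOOL_DRIVERS` set is an assumption: it lists drivers that the scanners already used in this thread drop themselves (GMER's catchme.sys and mbr.sys, SUPERAntiSpyware's SAS*.SYS, RkU's own BlackBox.SYS, Process Explorer's driver), so those are labelled rather than hidden. Anti-rootkit scanners also commonly load randomly named drivers from Temp, so the output is a list of leads to check against the tools you ran, not a verdict. The sample lines are a constructed subset in the report's format.

```python
"""Triage an RkUnhooker-style ">Drivers" listing (added example, not part of the thread)."""
import re
from collections import namedtuple

# One report line: <base> <image> <size> bytes [(vendor, description)]
LINE_RE = re.compile(
    r"^(0x[0-9A-Fa-f]+)\s+(.+?)\s+(\d+)\s+bytes(?:\s+\((.*)\))?\s*$"
)

Entry = namedtuple("Entry", "base name size vendor")

# Assumption: drivers dropped by the scanning tools used in this thread
# (GMER catchme/mbr, SUPERAntiSpyware, Rootkit Unhooker itself, Process Explorer).
KNOWN_TOOL_DRIVERS = {
    "catchme.sys", "mbr.sys", "saskutil.sys", "sasdifsv.sys",
    "blackbox.sys", "procexp113.sys",
}

FLAG_ORDER = ("TEMP_DIR", "NO_VENDOR", "UNKNOWN_IRP_HANDLER", "KNOWN_TOOL")

# Constructed sample: a handful of lines in the same format as the posted report.
SAMPLE_REPORT = r"""
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0xB7EB4000 spmg.sys 995328 bytes
0xA56E3000 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0xA3B43000 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwtdapow.sys 102400 bytes
0xB2172000 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys 24576 bytes
0x8AD101F8 unknown_irp_handler 3592 bytes
"""


def basename(path):
    """Last component of a Windows path (works on any host OS)."""
    return path.rsplit("\\", 1)[-1]


def parse_report(text):
    """Parse report lines into Entry tuples; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            base, name, size, vendor = m.groups()
            entries.append(Entry(int(base, 16), name, int(size), vendor))
    return entries


def flags_for(entry):
    """Heuristic flags for one driver entry, returned in FLAG_ORDER."""
    found = set()
    name = entry.name
    low = name.lower()
    if "\\temp\\" in low:
        found.add("TEMP_DIR")                      # loaded from a user Temp directory
    if entry.vendor is None and "." in basename(name) and name != "unknown_irp_handler":
        found.add("NO_VENDOR")                     # image carries no vendor/description
    if name == "unknown_irp_handler":
        found.add("UNKNOWN_IRP_HANDLER")           # IRP handler RkU could not attribute
    if basename(low) in KNOWN_TOOL_DRIVERS:
        found.add("KNOWN_TOOL")                    # assumed to belong to a scanner we ran
    return [f for f in FLAG_ORDER if f in found]


def triage(text):
    """Return [{'base': '0x...', 'name': ..., 'flags': [...]}] for flagged entries only."""
    out = []
    for e in parse_report(text):
        flags = flags_for(e)
        if flags:
            out.append({"base": "0x%08X" % e.base, "name": e.name, "flags": flags})
    return out


if __name__ == "__main__":
    for hit in triage(SAMPLE_REPORT):
        print(hit["base"], hit["name"], ", ".join(hit["flags"]))
```

Paste the whole ">Drivers" section into `triage()` instead of `SAMPLE_REPORT` to run it on a real report; entries with only `KNOWN_TOOL` can usually be dismissed, while `TEMP_DIR` plus `NO_VENDOR` on a name you do not recognise is the one to look up and, if possible, hash and submit.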

#12 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,707 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:50 AM

Posted 08 July 2011 - 06:43 PM

Looks good.

What are the current issues?


#13 dworblack

dworblack
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:01:50 PM

Posted 08 July 2011 - 06:55 PM

Looks good.

What are the current issues?

Recurrent infections, it seems. I've taken Sinowal off my system three times in the past few months; I remove one generic trojan and soon another generic one occurs. It started with browser redirecting on Firefox, then progressed to worse problems (CPU going to 100 percent usage "randomly" while idling, no active processes or autoscan/update, nothing), till I thought I nailed that down. Random suspicions made me check a few months later, found Sinowal again, another random trojan, et cetera. I zapped that set again, then just this past week repeated the process, got suspicious when random popups started coming up. Sinowal again, another generic trojan, trukyrpt.gen or something; there was another user seeing this same issue. Right now at the moment I don't see any obvious signs other than a lot of outgoing traffic that appears to be considered malicious from the MALMB active scan... I'm confused whether my system is back in the clear or I've just zapped the apparent issues, only to find Sinowal again on my PC later down the road.

Note, for the record: I practice fairly safe browsing habits, I believe, and the sites I primarily visit are well established as safe for browsing, so I am confused as to how the infections keep on occurring....

Edited by dworblack, 08 July 2011 - 06:56 PM.


#14 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,707 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:50 AM

Posted 08 July 2011 - 07:00 PM

Well, one of the main reasons you kept getting infected was the lack of any AV program.
You have one now, so you'll definitely be safer.

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start the scan.

On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


#15 dworblack

dworblack
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:01:50 PM

Posted 08 July 2011 - 07:09 PM

Even considering that I mainly download media files from P2P and keep my .exe downloads (mostly game patches and the such) to trusted sites (CNET/FilePlanet/Steam), would I still need an active A/V solution? I am not trying to be ignorant here, I just thought that safe browsing practices would equate to fewer infections overall...

Results of the log:

aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
Run date: 2011-06-14 16:54:42
-----------------------------
16:54:42.703 OS Version: Windows 5.1.2600 Service Pack 3
16:54:42.703 Number of processors: 2 586 0xF06
16:54:42.703 ComputerName: BRUTAL UserName:
16:54:45.406 Initialize success
16:54:47.187 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:54:47.187 Disk 0 Vendor: Hitachi_HTS721010G9SA00 MCZOC10H Size: 95396MB BusType: 3
16:54:49.234 Disk 0 MBR read successfully
16:54:49.234 Disk 0 MBR scan
16:54:49.234 Disk 0 Windows XP default MBR code
16:54:51.281 Disk 0 scanning sectors +195366465
16:54:51.296 Disk 0 scanning C:\WINDOWS\system32\drivers
16:54:57.968 Service scanning
16:54:59.437 Disk 0 trace - called modules:
16:54:59.468 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll sfsync02.sys atapi.sys pciide.sys PCIIDEX.SYS
16:54:59.468 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac8bab8]
16:54:59.468 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000080[0x8ac48158]
16:54:59.468 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8ac47d98]
16:54:59.468 \Driver\atapi[0x8ac489f8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> sfsync02.sys[0xb8338d60]
16:54:59.468 Scan finished successfully
16:55:17.593 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\My Documents\downloads\MBR.dat"
16:55:17.593 The log file has been saved successfully to "C:\Documents and Settings\Administrator\My Documents\downloads\aswMBR.txt"


aswMBR version 0.9.7.705 Copyright© 2011 AVAST Software
Run date: 2011-07-08 20:06:06
-----------------------------
20:06:06.234 OS Version: Windows 5.1.2600 Service Pack 3
20:06:06.234 Number of processors: 2 586 0xF06
20:06:06.234 ComputerName: POSTAL UserName:
20:06:06.828 Initialize success
20:06:06.906 AVAST engine defs: 11070801
20:06:16.328 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:06:16.328 Disk 0 Vendor: Hitachi_HTS721010G9SA00 MCZOC10H Size: 95396MB BusType: 3
20:06:16.328 Disk 0 MBR read error 0
20:06:16.328 Disk 0 MBR scan
20:06:16.328 Disk 0 unknown MBR code
20:06:16.328 MBR BIOS signature not found 0
20:06:16.343 Disk 0 scanning sectors +195366465
20:06:16.343 Disk 0 scanning C:\WINDOWS\system32\drivers
20:06:31.359 Service scanning
20:06:32.390 Disk 0 trace - called modules:
20:06:32.421 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll sfsync02.sys atapi.sys spmg.sys >>UNKNOWN [0x8acc2938]<<
20:06:32.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8abfdab8]
20:06:32.421 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000081[0x8ac0df18]
20:06:32.421 5 ACPI.sys[b7e74620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8ac7b770]
20:06:32.421 \Driver\atapi[0x8ac09838] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> sfsync02.sys[0xb8338d60]
20:06:32.421 Scan finished successfully
20:06:43.640 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\My Documents\downloads\MBR.dat"
20:06:43.656 The log file has been saved successfully to "C:\Documents and Settings\Administrator\My Documents\downloads\aswMBR.txt"

Edited by dworblack, 08 July 2011 - 07:12 PM.
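The two aswMBR runs above report on exactly the things a hand check of the saved MBR.dat can confirm: whether the sector ends in the 0x55AA boot signature ("MBR BIOS signature not found" in the second run) and whether the boot code matches known code ("Windows XP default MBR code" in the first run, "unknown MBR code" in the second). As an added example, not the thread's or AVAST's code, the Python below parses a 512-byte MBR, extracts the partition table, hashes the boot code and compares it against a known-good SHA-256 you recorded earlier (for instance from an MBR.dat saved while the disk was verified clean). The sample MBR, its boot-code stub bytes, disk signature and partition layout are constructed for the example and are not real boot code.

```python
"""Parse and sanity-check a 512-byte MBR such as the MBR.dat that aswMBR saves (added example)."""
import hashlib
import struct
import sys

SECTOR = 512
BOOT_CODE_LEN = 440           # bytes 0..439 boot code; 440..443 disk signature; 444..445 reserved
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446          # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511
PART_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code, signature=BOOT_SIGNATURE):
    """Constructed test data: one active NTFS (0x07) partition, stub boot code."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"   # constructed disk signature
    entry = struct.pack(PART_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 2048, 1000000)
    table = entry + b"\x00" * (16 * 3)
    mbr = code + disk_sig + table + signature
    if len(mbr) != SECTOR:
        raise AssertionError("sample MBR is not 512 bytes")
    return mbr


def parse_mbr(mbr):
    """Split an MBR into boot-code hash, disk signature, partition entries and signature check."""
    if len(mbr) != SECTOR:
        raise ValueError("expected %d bytes, got %d" % (SECTOR, len(mbr)))
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(PART_FMT, mbr[off:off + 16])
        if ptype != 0:   # type 0 means an unused entry
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack("<I", mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(mbr, baseline_sha256):
    """Return a list of findings; an empty list means well formed and matching the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("MBR_SIGNATURE_MISSING")        # what aswMBR calls "BIOS signature not found"
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("BOOT_CODE_CHANGED")            # boot code differs from the recorded known-good hash
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append("ACTIVE_PARTITIONS=%d" % len(active))
    for p in info["partitions"]:
        if p["sectors"] == 0:
            findings.append("EMPTY_PARTITION_%d" % p["index"])
    return findings


def read_mbr_file(path):
    """Read the first sector from a saved MBR.dat (or a raw disk image)."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


if __name__ == "__main__":
    # Usage: python mbr_check.py MBR.dat <known-good-boot-code-sha256>
    if len(sys.argv) == 3:
        print(check_mbr(read_mbr_file(sys.argv[1]), sys.argv[2]))
    else:
        # Self-demo on constructed data: the baseline is the clean sample's own hash.
        clean = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C")   # stub, not real boot code
        baseline = parse_mbr(clean)["boot_code_sha256"]
        tampered = b"\xEB\xFE" + clean[2:]     # overwrite the first two boot-code bytes
        print("clean:", check_mbr(clean, baseline))
        print("tampered:", check_mbr(tampered, baseline))
```

The hash covers only bytes 0..439, so a changed disk signature or repartitioning does not by itself trip `BOOT_CODE_CHANGED`; the partition checks are there to catch a table that was zeroed or had its active flag moved. Note that aswMBR writes MBR.dat to the same path on every run, so the copy from the first run on the page is not available for comparison; a baseline has to be saved under a different name before it is overwritten.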
