Viruses, Spyware and other Nasties RSS Viruses, Spyware and other Nasties RSS

Infected by go.google, adoginhispen,and more...

Reply

Join Date: Nov 2008
Posts: 2
Reputation: AndyBT is an unknown quantity at this point 
Solved Threads: 0
AndyBT AndyBT is offline Offline
Newbie Poster

Infected by go.google, adoginhispen,and more...

 
0
  #1
Nov 23rd, 2008
I suppose this would be an advanced case. I have *at least* two viruses and some rootkits– the go.google virus and the adoginhispen Trojan/downloader. My internet connection is being rerouted through an external IP address. Search engines results redirect me to random web pages. I have upload and download activity when I expect none to occur, even when Comodo Firewall is set to block all activity.

Basic Stats:
Windows XP, SP 3

I have performed the following actions so far:
Full Malwarebytes Anti-Malware Scan (in Normal boot and Safe mode)
ESET Nod 32 Scan (Normal boot)
SuperAntiSpyware Scan (Done in Safe Mode)
Ran SDFIX (log attached)
Ran GMER (log attached)
Ran RootkitRevealer (log attached)
Ran HostsXpert and restored my original hosts files.

GMER and Rootkit Revealer detected a ton of things that I didn’t know how to fix from within each respective program. Help here would be appreciated, too.

Note:

I am *unable* to download and install updates to most programs. I can’t connect to the internet for long periods of time (even a few seconds) as

I am unable to use some programs because they are terminated before they start. I think this is a doginhispen symptom.

I cannot connect to many websites related to anti-malware and my connection lasts for what appears to be a few seconds, and only connects at random intervals. About 9.5/10 times, I cannot load *any* page. Updating my programs does not seem to be an option, so they are all stuck at the default version # offered by the websites. MBAM and Super antispyware are out of date, as a result.

To get anyfiles onto my system I am using a USB drive. I haven’t managed to find out how to install updated definitions for the programs I am using through this method.

I cannot run combofix. The program starts a command prompt and then nothing happens. The command prompt is empty as well.

ALL Logs except SDFixare uptodate – that is, they were run again after their initial run and removal sequence, and what is listed is what remains as of now.

Below is my HJT log.
-----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:47:45 AM, on 11/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\GoldenSection Notes\GSNotes.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\Malwarebytes' Anti-Malware3\m6.exe
C:\Documents and Settings\Andy\Desktop\AV\RootkitBuster2.2.1014\rb.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Andy\Application Data\U3\0000060513103059\LaunchPad.exe

O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: IE2EMBHO Class - {0A0DDBD3-6641-40B9-873F-BBDD26D6C14E} - C:\Program Files\easyMule\modules\IE2EM.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: InlineSearchHandleHotKey - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - C:\Program Files\IEForge\Inline Search\InlineSearch.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Copernic Desktop Search - {C5F7A735-70F1-477F-8C36-6FF3C736017B} - C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration974.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [GSNotes] C:\Program Files\GoldenSection Notes\GSNotes.exe
O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by easyMule - C:\Program Files\easyMule\IE2EM.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI699F~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: En&queue current page with Bulk Image Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidqueue.htm
O8 - Extra context menu item: Enqueue link target with Bulk Ima&ge Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlinkqueue.htm
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open &link target with Bulk Image Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlink.htm
O8 - Extra context menu item: Open current page with Bulk I&mage Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebid.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra 'Tools' menuitem: &Document Tree - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra button: PowerBand - {6DD4D4B2-79D0-4073-B8CA-C87273AEC114} - C:\Program Files\Maxthon2\Plugin\PowerBand\PowerBand.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI699F~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} (BMSpeedCheck Control) -
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} (TVAnts ActiveX Control) - http://www.sc2.org/misc/tvants.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/215efa70...p/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093116116703
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1181454142343
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} (WStarter Control) - http://live.pdbox.co.kr:8057/WStarter.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BGTQ - Unknown owner - C:\DOCUME~1\COMMAN~1\LOCALS~1\Temp\BGTQ.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: CXGSKKJRSFCX - Sysinternals - www.sysinternals.com - C:\DOCUME~1\COMMAN~1\LOCALS~1\Temp\CXGSKKJRSFCX.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:/Program Files/Xxamp/xampp/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: OWLRUM - Sysinternals - www.sysinternals.com - C:\DOCUME~1\COMMAN~1\LOCALS~1\Temp\OWLRUM.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\Apache.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

--
End of file - 14759 bytes
----


Below is my Rootkit Revealer Log:
HKU\S-1-5-21-1060284298-602162358-725345543-1013 0 bytes Error dumping hive: Internal error.
HKLM\SECURITY\Policy\Secrets\SAC* 8/21/2004 2:35 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/21/2004 2:35 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData 11/23/2008 2:00 AM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\TDSS 11/23/2008 2:00 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys 11/23/2008 2:46 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg 11/20/2008 5:04 PM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys 11/23/2008 3:12 AM 0 bytes Hidden from Windows API.
C: 0 bytes Error mounting volume
F: 0 bytes Error mounting volume

-----

Below is my gmer log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-23 03:03:05
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT spqw.sys ZwCreateKey [0xF73C30E0]
SSDT spqw.sys ZwEnumerateKey [0xF73E1CA2]
SSDT spqw.sys ZwEnumerateValueKey [0xF73E2030]
SSDT spqw.sys ZwOpenKey [0xF73C30C0]
SSDT spqw.sys ZwQueryKey [0xF73E2108]
SSDT spqw.sys ZwQueryValueKey [0xF73E1F88]
SSDT spqw.sys ZwSetValueKey [0xF73E219A]

INT 0x62 ? 87364BF8
INT 0x73 ? 87118BF8
INT 0x73 ? 87118BF8
INT 0x82 ? 87364BF8
INT 0x83 ? 87364BF8
INT 0x83 ? 87364BF8
INT 0x83 ? 87118BF8
INT 0xA4 ? 87118BF8
INT 0xB4 ? 87118BF8

Code E208C748 ZwFlushInstructionCache
Code AE355EAB pIofCallDriver

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntoskrnl.exe!ZwFlushInstructionCache 80587BFB 5 Bytes JMP E208C74C
? spqw.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F64E58AC 5 Bytes JMP 871181D8
? C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\Explorer.EXE[968] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C4000A
.text C:\WINDOWS\Explorer.EXE[968] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00C3000A
.text C:\WINDOWS\Explorer.EXE[968] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C5000A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[3340] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [ C2, 04, 00, 00 ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 873672D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F73F4C4C] spqw.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F73F4CA0] spqw.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73C4040] spqw.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F73C413C] spqw.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73C40BE] spqw.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73C47FC] spqw.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73C46D2] spqw.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 871182D8
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F73D4048] spqw.sys
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F7227990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F7227990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F7227990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F7227990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F7227990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F7227990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F7227990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [0060FA50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetModuleHandleA] [0060FAA0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [0060F9C0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [0060F9C0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [0060F9C0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!CreateThread] [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetModuleHandleA] [0060FAA0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!CreateThread] [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!DeleteObject] [0060EAE0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetModuleHandleA] [0060FAA0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [0060FA00] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [0060FA50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [0060F9C0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [0060EEC0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [0060EF50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [0060EA90] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!RegisterClassA] [0060F3F0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!RegisterClassW] [0060F4B0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SystemParametersInfoW] [0060F690] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CallWindowProcW] [0060ED80] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CallWindowProcA] [0060EE20] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSystemMetrics] [0060F570] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!DeleteObject] [0060EAE0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetModuleHandleA] [0060FAA0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [0060F9C0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateThread] [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [0060FA50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [0060FA00] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AdjustWindowRectEx] [0060F7A0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [0060EEC0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSystemMetrics] [0060F570] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [0060EA90] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [0060EF50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!RegisterClassW] [0060F4B0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [0060EB20] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!FillRect] [0060F8B0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DrawFrameControl] [0060F920] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DrawEdge] [0060F900] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SystemParametersInfoW] [0060F690] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetScrollInfo] [0060ED10] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!CallWindowProcW] [0060ED80] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SetScrollInfo] [0060EC00] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [GDI32.dll!DeleteObject] [0060EAE0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [0060F9C0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [0060FA50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [0060FA00] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!SystemParametersInfoW] [0060F690] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetSystemMetrics] [0060F570] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetSysColor] [0060EA90] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CallWindowProcW] [0060ED80] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!RegisterClassW] [0060F4B0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DefWindowProcW] [0060EF50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [0060F9C0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!CreateThread] [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [0060FA00] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [0060FA50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!CreateThread] [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetModuleHandleA] [0060FAA0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\CRYPT32.dll [USER32.dll!GetSystemMetrics] [0060F570] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 873631F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \FileSystem\Fastfat \FatCdrom 85CCA500
Device \FileSystem\Udfs \UdfsCdRom 86692500
Device \FileSystem\Udfs \UdfsDisk 86692500

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

Device \Driver\usbuhci \Device\USBPDO-0 870A41F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{5DD82455-3003-486A-A40F-76AC3AA88617} 86681500
Device \Driver\usbuhci \Device\USBPDO-1 870A41F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 873D51F8
Device \Driver\dmio \Device\DmControl\DmConfig 873D51F8
Device \Driver\dmio \Device\DmControl\DmPnP 873D51F8
Device \Driver\dmio \Device\DmControl\DmInfo 873D51F8
Device \Driver\usbuhci \Device\USBPDO-2 870A41F8
Device \Driver\usbuhci \Device\USBPDO-3 870A41F8
Device \Driver\usbehci \Device\USBPDO-4 870771F8

AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

Device \Driver\Ftdisk \Device\HarddiskVolume1 873651F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\Ftdisk \Device\HarddiskVolume2 873651F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\Cdrom \Device\CdRom0 8704B1F8
Device \Driver\Cdrom \Device\CdRom1 8704B1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86681500
Device \Driver\NetBT \Device\NetbiosSmb 86681500

AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

Device \Driver\usbuhci \Device\USBFDO-0 870A41F8
Device \Driver\usbuhci \Device\USBFDO-1 870A41F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 864EF500
Device \Driver\usbuhci \Device\USBFDO-2 870A41F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 864EF500
Device \Driver\usbuhci \Device\USBFDO-3 870A41F8
Device \Driver\usbehci \Device\USBFDO-4 870771F8
Device \Driver\Ftdisk \Device\FtControl 873651F8
Device \FileSystem\Fastfat \Fat 85CCA500

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \FileSystem\Cdfs \Cdfs 864FD500

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\TDSSqawv.sys (*** hidden *** ) AE354000-AE366000 (73728 bytes)

---- Threads - GMER 1.0.14 ----

Thread 4:564 AE356D66

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\TDSSqawv.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xDE 0x85 0x1C 0xEF ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x32 0x7A 0xF6 0xD1 ...
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSqawv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSqawv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSkwtw.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSsrat.dat
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSkrtj.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSqcie.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSogyn.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSScnfy.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSulhc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSkhwj.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSStsrp.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xDE 0x85 0x1C 0xEF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x32 0x7A 0xF6 0xD1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSqawv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSqawv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSkwtw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSsrat.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSkrtj.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSqcie.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSogyn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSScnfy.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSulhc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSkhwj.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSStsrp.log
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xDE 0x85 0x1C 0xEF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x32 0x7A 0xF6 0xD1 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@affid 5
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@subid 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@control 0x09 0x19 0x1F 0x16 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@prov 10010
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@googleadserver pagead2.googlesyndication.com
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@flagged 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Appinit_Dlls C:\WINDOWS\system32\guard32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{12AAC1CE-B1D3-A48A-5EF7-439C990C4A28}\InprocServer32@ C:\Program Files\Common Files\Microsoft Shared\DAO\dao360.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{12AAC1CE-B1D3-A48A-5EF7-439C990C4A28}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{12AAC1CE-B1D3-A48A-5EF7-439C990C4A28}\ProgID@ DAO.QueryDef.36
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x46 0x47 0x15 0xB0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\InprocServer32@ C:\Program Files\Ahead\NeroVision\NeVideoFX.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E1FBDEEB-B566-E001-2171-AE73B7D85687}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E1FBDEEB-B566-E001-2171-AE73B7D85687}@mainnphakbhlgmklefpfifcipf 0x6A 0x61 0x6B 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E1FBDEEB-B566-E001-2171-AE73B7D85687}@naomdmdigafpeofjnbceglbdlcfp 0x6A 0x61 0x6B 0x62 ...

---- EOF - GMER 1.0.14 ----

Below is my SDFix log:

SDFix: Version 1.240
Run by Andy on Sat 11/22/2008 at 04:13 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\E.tmp - Deleted
C:\WINDOWS\updater.exe - Deleted
C:\WINDOWS\system32\TDSSirxy.dll - Deleted
C:\WINDOWS\system32\TDSSrovu.dll - Deleted
C:\WINDOWS\system32\TDSSocun.dll - Deleted
C:\WINDOWS\system32\TDSSqqon.dll - Deleted
C:\WINDOWS\system32\TDSSwupe.dat - Deleted
C:\WINDOWS\system32\TDSSwrwn.log - Deleted


Could Not Remove C:\WINDOWS\system32\TDSSktkl.dll



Removing Temp Files

ADS Check :

C:\WINDOWS
: 8
Total size: 8 bytes.
WINDOWS: Access is denied.

Checking for remaining Streams

C:\WINDOWS
: 8
Total size: 8 bytes.




Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-22 07:17:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Andy\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:Enabled:Flashget"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:Enabled:Bonjour"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:Enabled:Windows Live Messenger"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:Enabled:Google Talk"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:enabledxpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:Enabledxpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:Enabled:Windows Live Messenger"

Remaining Files :

C:\WINDOWS\system32\TDSSktkl.dll Found

File Backups: - C:\SDFix\backups\backups.zip

----
Below is my most recent MBAM log:

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

11/23/2008 4:13:08 AM
mbam-log-2008-11-23 (04-13-08).txt

Scan type: Quick Scan
Objects scanned: 78215
Time elapsed: 44 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Reply With Quote Quick reply to this message  
Join Date: Nov 2008
Posts: 2
Reputation: AndyBT is an unknown quantity at this point 
Solved Threads: 0
AndyBT AndyBT is offline Offline
Newbie Poster

Re: Infected by go.google, adoginhispen,and more...

 
0
  #2
Nov 23rd, 2008
Subscribing to thread.
Reply With Quote Quick reply to this message  
Reply

Quick Reply to Thread
This thread is more than three months old.
Perhaps start a new thread instead?
Message:



Other Threads in the Viruses, Spyware and other Nasties Forum
Thread Tools Search this Thread



adware anti-malware anti-virussitesaccessissue antivirus apple audio avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial commercials conficker connect control crosssitescripting cyber cybercrime cyberwarfare domains e-mafia education email europe exam facebook fake fancheckvirus gaming gtaiv halloween hijack hosting internet iphone kaspersky legal logfiles mail malware mcafee messagelabs microsoft mobile msn nazi news obama onlinethreats paedophile panel parents patch phishing police policeprovirusmba-mblockedinternetaccess president privacy pro problem reliability report research risk rogueantivirus samhain sans scareware school search security seopoisoning sites software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen translate trojan unabletoaccessanti-virussites unwanted update usa virus viruses war warning windows worm yahoo zeroday
About Us | Contact Us | Advertise | DaniWeb | Acceptable Use Policy | RSS Feed

©2003 - 2009 DaniWeb® LLC