I suppose this would be an advanced case. I have at least two viruses and some rootkits: the go.google virus and the adoginhispen Trojan/downloader. My internet connection is being rerouted through an external IP address. Search engine results redirect me to random web pages. I have upload and download activity when I expect none to occur, even when Comodo Firewall is set to block all activity.
Basic Stats:
Windows XP, SP 3
I have performed the following actions so far:
Full Malwarebytes Anti-Malware Scan (in Normal boot and Safe mode)
ESET Nod 32 Scan (Normal boot)
SuperAntiSpyware Scan (Done in Safe Mode)
Ran SDFIX (log attached)
Ran GMER (log attached)
Ran RootkitRevealer (log attached)
Ran HostsXpert and restored my original hosts files.
GMER and Rootkit Revealer detected a ton of things that I didn’t know how to fix from within each respective program. Help here would be appreciated, too.
Note:
I am unable to download and install updates to most programs. I can’t connect to the internet for long periods of time (even a few seconds) as
I am unable to use some programs because they are terminated before they start. I think this is a doginhispen symptom.
I cannot connect to many websites related to anti-malware, and my connection lasts for what appears to be a few seconds, and only connects at random intervals. About 9.5/10 times, I cannot load any page. Updating my programs does not seem to be an option, so they are all stuck at the default version # offered by the websites. MBAM and SuperAntiSpyware are out of date, as a result.
To get any files onto my system I am using a USB drive. I haven't managed to find out how to install updated definitions for the programs I am using through this method.
I cannot run ComboFix. The program starts a command prompt and then nothing happens. The command prompt is empty as well.
ALL logs except SDFix are up to date; that is, they were run again after their initial run and removal sequence, and what is listed is what remains as of now.
Below is my HJT log.
-----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:47:45 AM, on 11/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\GoldenSection Notes\GSNotes.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\Malwarebytes' Anti-Malware3\m6.exe
C:\Documents and Settings\Andy\Desktop\AV\RootkitBuster2.2.1014\rb.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Andy\Application Data\U3\0000060513103059\LaunchPad.exe
O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: IE2EMBHO Class - {0A0DDBD3-6641-40B9-873F-BBDD26D6C14E} - C:\Program Files\easyMule\modules\IE2EM.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: InlineSearchHandleHotKey - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - C:\Program Files\IEForge\Inline Search\InlineSearch.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Copernic Desktop Search - {C5F7A735-70F1-477F-8C36-6FF3C736017B} - C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration974.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [GSNotes] C:\Program Files\GoldenSection Notes\GSNotes.exe
O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by easyMule - C:\Program Files\easyMule\IE2EM.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI699F~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: En&queue current page with Bulk Image Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidqueue.htm
O8 - Extra context menu item: Enqueue link target with Bulk Ima&ge Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlinkqueue.htm
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open &link target with Bulk Image Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlink.htm
O8 - Extra context menu item: Open current page with Bulk I&mage Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebid.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra 'Tools' menuitem: &Document Tree - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra button: PowerBand - {6DD4D4B2-79D0-4073-B8CA-C87273AEC114} - C:\Program Files\Maxthon2\Plugin\PowerBand\PowerBand.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI699F~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} (BMSpeedCheck Control) -
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} (TVAnts ActiveX Control) - http://www.sc2.org/misc/tvants.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/215efa708af91ca37d19/netzip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093116116703
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181454142343
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} (WStarter Control) - http://live.pdbox.co.kr:8057/WStarter.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BGTQ - Unknown owner - C:\DOCUME~1\COMMAN~1\LOCALS~1\Temp\BGTQ.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: CXGSKKJRSFCX - Sysinternals - www.sysinternals.com - C:\DOCUME~1\COMMAN~1\LOCALS~1\Temp\CXGSKKJRSFCX.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:/Program Files/Xxamp/xampp/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: OWLRUM - Sysinternals - www.sysinternals.com - C:\DOCUME~1\COMMAN~1\LOCALS~1\Temp\OWLRUM.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\Apache.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
--
End of file - 14759 bytes
----
Below is my Rootkit Revealer Log:
HKU\S-1-5-21-1060284298-602162358-725345543-1013 0 bytes Error dumping hive: Internal error.
HKLM\SECURITY\Policy\Secrets\SAC* 8/21/2004 2:35 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/21/2004 2:35 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32* 7/15/2005 5:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData 11/23/2008 2:00 AM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\TDSS 11/23/2008 2:00 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys 11/23/2008 2:46 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg 11/20/2008 5:04 PM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys 11/23/2008 3:12 AM 0 bytes Hidden from Windows API.
C: 0 bytes Error mounting volume
F: 0 bytes Error mounting volume
-----
Below is my gmer log:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-23 03:03:05
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
SSDT spqw.sys ZwCreateKey [0xF73C30E0]
SSDT spqw.sys ZwEnumerateKey [0xF73E1CA2]
SSDT spqw.sys ZwEnumerateValueKey [0xF73E2030]
SSDT spqw.sys ZwOpenKey [0xF73C30C0]
SSDT spqw.sys ZwQueryKey [0xF73E2108]
SSDT spqw.sys ZwQueryValueKey [0xF73E1F88]
SSDT spqw.sys ZwSetValueKey [0xF73E219A]
INT 0x62 ? 87364BF8
INT 0x73 ? 87118BF8
INT 0x73 ? 87118BF8
INT 0x82 ? 87364BF8
INT 0x83 ? 87364BF8
INT 0x83 ? 87364BF8
INT 0x83 ? 87118BF8
INT 0xA4 ? 87118BF8
INT 0xB4 ? 87118BF8
Code E208C748 ZwFlushInstructionCache
Code AE355EAB pIofCallDriver
---- Kernel code sections - GMER 1.0.14 ----
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80587BFB 5 Bytes JMP E208C74C
? spqw.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F64E58AC 5 Bytes JMP 871181D8
? C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS The system cannot find the file specified. !
---- User code sections - GMER 1.0.14 ----
.text C:\WINDOWS\Explorer.EXE[968] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C4000A
.text C:\WINDOWS\Explorer.EXE[968] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00C3000A
.text C:\WINDOWS\Explorer.EXE[968] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C5000A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[3340] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [ C2, 04, 00, 00 ]
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 873672D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F73F4C4C] spqw.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F73F4CA0] spqw.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73C4040] spqw.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F73C413C] spqw.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73C40BE] spqw.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73C47FC] spqw.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73C46D2] spqw.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 871182D8
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F73D4048] spqw.sys
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F7227990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F7227990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F7227990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F7227990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F7227990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F7227990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F7227990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
---- User IAT/EAT - GMER 1.0.14 ----
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [0060FA50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetModuleHandleA] [0060FAA0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [0060F9C0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [0060F9C0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [0060F9C0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!CreateThread] [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetModuleHandleA] [0060FAA0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!CreateThread] [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!DeleteObject] [0060EAE0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetModuleHandleA] [0060FAA0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [0060FA00] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [0060FA50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [0060F9C0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [0060EEC0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [0060EF50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [0060EA90] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!RegisterClassA] [0060F3F0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!RegisterClassW] [0060F4B0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SystemParametersInfoW] [0060F690] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CallWindowProcW] [0060ED80] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CallWindowProcA] [0060EE20] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSystemMetrics] [0060F570] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!DeleteObject] [0060EAE0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetModuleHandleA] [0060FAA0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [0060F9C0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateThread] [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [0060FA50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [0060FA00] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AdjustWindowRectEx] [0060F7A0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [0060EEC0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSystemMetrics] [0060F570] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [0060EA90] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [0060EF50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!RegisterClassW] [0060F4B0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [0060EB20] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!FillRect] [0060F8B0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DrawFrameControl] [0060F920] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DrawEdge] [0060F900] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SystemParametersInfoW] [0060F690] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetScrollInfo] [0060ED10] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!CallWindowProcW] [0060ED80] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SetScrollInfo] [0060EC00] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [GDI32.dll!DeleteObject] [0060EAE0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [0060F9C0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [0060FA50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [0060FA00] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!SystemParametersInfoW] [0060F690] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetSystemMetrics] [0060F570] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetSysColor] [0060EA90] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CallWindowProcW] [0060ED80] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!RegisterClassW] [0060F4B0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DefWindowProcW] [0060EF50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [0060F9C0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!CreateThread] [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [0060FA00] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [0060FA50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!CreateThread] [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetModuleHandleA] [0060FAA0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\CRYPT32.dll [USER32.dll!GetSystemMetrics] [0060F570] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs 873631F8
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
Device \FileSystem\Fastfat \FatCdrom 85CCA500
Device \FileSystem\Udfs \UdfsCdRom 86692500
Device \FileSystem\Udfs \UdfsDisk 86692500
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
Device \Driver\usbuhci \Device\USBPDO-0 870A41F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{5DD82455-3003-486A-A40F-76AC3AA88617} 86681500
Device \Driver\usbuhci \Device\USBPDO-1 870A41F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 873D51F8
Device \Driver\dmio \Device\DmControl\DmConfig 873D51F8
Device \Driver\dmio \Device\DmControl\DmPnP 873D51F8
Device \Driver\dmio \Device\DmControl\DmInfo 873D51F8
Device \Driver\usbuhci \Device\USBPDO-2 870A41F8
Device \Driver\usbuhci \Device\USBPDO-3 870A41F8
Device \Driver\usbehci \Device\USBPDO-4 870771F8
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
Device \Driver\Ftdisk \Device\HarddiskVolume1 873651F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\Ftdisk \Device\HarddiskVolume2 873651F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\Cdrom \Device\CdRom0 8704B1F8
Device \Driver\Cdrom \Device\CdRom1 8704B1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86681500
Device \Driver\NetBT \Device\NetbiosSmb 86681500
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
Device \Driver\usbuhci \Device\USBFDO-0 870A41F8
Device \Driver\usbuhci \Device\USBFDO-1 870A41F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 864EF500
Device \Driver\usbuhci \Device\USBFDO-2 870A41F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 864EF500
Device \Driver\usbuhci \Device\USBFDO-3 870A41F8
Device \Driver\usbehci \Device\USBFDO-4 870771F8
Device \Driver\Ftdisk \Device\FtControl 873651F8
Device \FileSystem\Fastfat \Fat 85CCA500
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
Device \FileSystem\Cdfs \Cdfs 864FD500
---- Modules - GMER 1.0.14 ----
Module \systemroot\system32\drivers\TDSSqawv.sys (*** hidden *** ) AE354000-AE366000 (73728 bytes)
---- Threads - GMER 1.0.14 ----
Thread 4:564 AE356D66
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\system32\drivers\TDSSqawv.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xDE 0x85 0x1C 0xEF ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x32 0x7A 0xF6 0xD1 ...
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSqawv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSqawv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSkwtw.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSsrat.dat
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSkrtj.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSqcie.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSogyn.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSScnfy.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSulhc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSkhwj.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSStsrp.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xDE 0x85 0x1C 0xEF ...
Reg HKLM\SYSTE