
I suppose this would be an advanced case. I have at least two viruses and some rootkits – the go.google virus and a Doginhispen Trojan/downloader. My internet connection is being rerouted through an external IP address. Search engine results redirect me to random web pages. I have upload and download activity when I expect none to occur, even when Comodo Firewall is set to block all activity.

Basic Stats:
Windows XP, SP 3

I have performed the following actions so far:
Full Malwarebytes Anti-Malware Scan (in Normal boot and Safe mode)
ESET Nod 32 Scan (Normal boot)
SuperAntiSpyware Scan (Done in Safe Mode)
Ran SDFIX (log attached)
Ran GMER (log attached)
Ran RootkitRevealer (log attached)
Ran HostsXpert and restored my original hosts files.

GMER and Rootkit Revealer detected a ton of things that I didn’t know how to fix from within each respective program. Help here would be appreciated, too.

Note:

I am unable to download and install updates to most programs. I can’t connect to the internet for long periods of time (even a few seconds) as

I am unable to use some programs because they are terminated before they start. I think this is a doginhispen symptom.

I cannot connect to many websites related to anti-malware, and my connection lasts for what appears to be a few seconds, and only connects at random intervals. About 9.5/10 times, I cannot load any page. Updating my programs does not seem to be an option, so they are all stuck at the default version # offered by the websites. MBAM and SuperAntiSpyware are out of date, as a result.

To get any files onto my system I am using a USB drive. I haven’t managed to find out how to install updated definitions for the programs I am using through this method.

I cannot run ComboFix. The program starts a command prompt and then nothing happens. The command prompt is empty as well.

ALL logs except SDFix are up to date – that is, they were run again after their initial run and removal sequence, and what is listed is what remains as of now.

Below is my HJT log.

-----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:47:45 AM, on 11/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\GoldenSection Notes\GSNotes.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\Malwarebytes' Anti-Malware3\m6.exe
C:\Documents and Settings\Andy\Desktop\AV\RootkitBuster2.2.1014\rb.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Andy\Application Data\U3\0000060513103059\LaunchPad.exe


O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: IE2EMBHO Class - {0A0DDBD3-6641-40B9-873F-BBDD26D6C14E} - C:\Program Files\easyMule\modules\IE2EM.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: InlineSearchHandleHotKey - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - C:\Program Files\IEForge\Inline Search\InlineSearch.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Copernic Desktop Search - {C5F7A735-70F1-477F-8C36-6FF3C736017B} - C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration974.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [GSNotes] C:\Program Files\GoldenSection Notes\GSNotes.exe
O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by easyMule - C:\Program Files\easyMule\IE2EM.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI699F~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: En&queue current page with Bulk Image Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidqueue.htm
O8 - Extra context menu item: Enqueue link target with Bulk Ima&ge Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlinkqueue.htm
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open &link target with Bulk Image Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlink.htm
O8 - Extra context menu item: Open current page with Bulk I&mage Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebid.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra 'Tools' menuitem: &Document Tree - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra button: PowerBand - {6DD4D4B2-79D0-4073-B8CA-C87273AEC114} - C:\Program Files\Maxthon2\Plugin\PowerBand\PowerBand.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI699F~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} (BMSpeedCheck Control) -
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} (TVAnts ActiveX Control) - http://www.sc2.org/misc/tvants.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/215efa708af91ca37d19/netzip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093116116703
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181454142343
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} (WStarter Control) - http://live.pdbox.co.kr:8057/WStarter.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BGTQ - Unknown owner - C:\DOCUME~1\COMMAN~1\LOCALS~1\Temp\BGTQ.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: CXGSKKJRSFCX - Sysinternals - www.sysinternals.com - C:\DOCUME~1\COMMAN~1\LOCALS~1\Temp\CXGSKKJRSFCX.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:/Program Files/Xxamp/xampp/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: OWLRUM - Sysinternals - www.sysinternals.com - C:\DOCUME~1\COMMAN~1\LOCALS~1\Temp\OWLRUM.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\Apache.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe


--
End of file - 14759 bytes
----



Below is my Rootkit Revealer Log:
HKU\S-1-5-21-1060284298-602162358-725345543-1013        0 bytes Error dumping hive: Internal error.
HKLM\SECURITY\Policy\Secrets\SAC*   8/21/2004 2:35 PM   0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*   8/21/2004 2:35 PM   0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*  7/15/2005 5:40 PM   0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*  7/15/2005 5:40 PM   0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*  7/15/2005 5:40 PM   0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*  7/15/2005 5:40 PM   0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*  7/15/2005 5:40 PM   0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*  7/15/2005 5:40 PM   0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*  7/15/2005 5:40 PM   0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*  7/15/2005 5:40 PM   0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*  7/15/2005 5:40 PM   0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*  7/15/2005 5:40 PM   0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*  7/15/2005 5:40 PM   0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*  7/15/2005 5:40 PM   0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData  11/23/2008 2:00 AM  0 bytes Hidden from Windows API.
HKLM\SOFTWARE\TDSS  11/23/2008 2:00 AM  0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys 11/23/2008 2:46 AM  0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg 11/20/2008 5:04 PM  0 bytes Access is denied.
HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys 11/23/2008 3:12 AM  0 bytes Hidden from Windows API.
C:      0 bytes Error mounting volume
F:      0 bytes Error mounting volume


-----


Below is my gmer log:


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-23 03:03:05
Windows 5.1.2600 Service Pack 3



---- System - GMER 1.0.14 ----


SSDT            spqw.sys                                                                                                                                      ZwCreateKey [0xF73C30E0]
SSDT            spqw.sys                                                                                                                                      ZwEnumerateKey [0xF73E1CA2]
SSDT            spqw.sys                                                                                                                                      ZwEnumerateValueKey [0xF73E2030]
SSDT            spqw.sys                                                                                                                                      ZwOpenKey [0xF73C30C0]
SSDT            spqw.sys                                                                                                                                      ZwQueryKey [0xF73E2108]
SSDT            spqw.sys                                                                                                                                      ZwQueryValueKey [0xF73E1F88]
SSDT            spqw.sys                                                                                                                                      ZwSetValueKey [0xF73E219A]


INT 0x62        ?                                                                                                                                             87364BF8
INT 0x73        ?                                                                                                                                             87118BF8
INT 0x73        ?                                                                                                                                             87118BF8
INT 0x82        ?                                                                                                                                             87364BF8
INT 0x83        ?                                                                                                                                             87364BF8
INT 0x83        ?                                                                                                                                             87364BF8
INT 0x83        ?                                                                                                                                             87118BF8
INT 0xA4        ?                                                                                                                                             87118BF8
INT 0xB4        ?                                                                                                                                             87118BF8


Code            E208C748                                                                                                                                      ZwFlushInstructionCache
Code            AE355EAB                                                                                                                                      pIofCallDriver


---- Kernel code sections - GMER 1.0.14 ----


PAGE            ntoskrnl.exe!ZwFlushInstructionCache                                                                                                          80587BFB 5 Bytes  JMP E208C74C
?               spqw.sys                                                                                                                                      The system cannot find the file specified. !
.text           USBPORT.SYS!DllUnload                                                                                                                         F64E58AC 5 Bytes  JMP 871181D8
?               C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS                                                                                                   The system cannot find the file specified. !


---- User code sections - GMER 1.0.14 ----


.text           C:\WINDOWS\Explorer.EXE[968] WS2_32.dll!closesocket                                                                                           71AB3E2B 5 Bytes  JMP 00C4000A
.text           C:\WINDOWS\Explorer.EXE[968] WS2_32.dll!connect                                                                                               71AB4A07 5 Bytes  JMP 00C3000A
.text           C:\WINDOWS\Explorer.EXE[968] WS2_32.dll!send                                                                                                  71AB4C27 5 Bytes  JMP 00C5000A
.text           C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[3340] kernel32.dll!SetUnhandledExceptionFilter                                            7C8449FD 4 Bytes  [ C2, 04, 00, 00 ]


---- Kernel IAT/EAT - GMER 1.0.14 ----


IAT             \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint]                                                                            873672D8
IAT             pci.sys[ntoskrnl.exe!IoDetachDevice]                                                                                                          [F73F4C4C] spqw.sys
IAT             pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack]                                                                                             [F73F4CA0] spqw.sys
IAT             atapi.sys[HAL.dll!READ_PORT_UCHAR]                                                                                                            [F73C4040] spqw.sys
IAT             atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]                                                                                                    [F73C413C] spqw.sys
IAT             atapi.sys[HAL.dll!READ_PORT_USHORT]                                                                                                           [F73C40BE] spqw.sys
IAT             atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                                                                   [F73C47FC] spqw.sys
IAT             atapi.sys[HAL.dll!WRITE_PORT_UCHAR]                                                                                                           [F73C46D2] spqw.sys
IAT             \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint]                                                                          871182D8
IAT             \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]                                                                            [F73D4048] spqw.sys
IAT             \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter]                                                                           [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter]                                                                            [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol]                                                                     [F7227990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol]                                                                       [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol]                                                                      [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter]                                                                           [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter]                                                                          [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol]                                                                    [F7227990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol]                                                                      [F7227990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol]                                                                        [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter]                                                                             [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter]                                                                            [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol]                                                                       [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol]                                                                     [F7227990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter]                                                                           [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter]                                                                            [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter]                                                                             [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter]                                                                              [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol]                                                                         [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol]                                                                      [F7227990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol]                                                                        [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter]                                                                             [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter]                                                                            [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter]                                                                           [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter]                                                                            [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol]                                                                     [F7227990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol]                                                                       [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol]                                                                       [F7227950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol]                                                                     [F7227990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter]                                                                           [F7227710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter]                                                                            [F7227770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)


---- User IAT/EAT - GMER 1.0.14 ----


IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW]                               [0060FA50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread]                                 [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetModuleHandleA]                             [0060FAA0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW]                                 [0060F9C0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA]                                 [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]                               [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA]                                   [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW]                                   [0060F9C0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress]                                 [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread]                                   [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA]                                  [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW]                                  [0060F9C0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress]                                [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress]                               [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA]                                 [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress]                                 [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA]                                   [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!CreateThread]                                   [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetModuleHandleA]                              [0060FAA0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA]                                  [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!CreateThread]                                  [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress]                                [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!DeleteObject]                                     [0060EAE0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetModuleHandleA]                              [0060FAA0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA]                                [0060FA00] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW]                                [0060FA50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW]                                  [0060F9C0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread]                                  [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA]                                  [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]                                [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA]                                  [0060EEC0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW]                                  [0060EF50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor]                                     [0060EA90] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!RegisterClassA]                                  [0060F3F0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!RegisterClassW]                                  [0060F4B0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SystemParametersInfoW]                           [0060F690] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CallWindowProcW]                                 [0060ED80] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CallWindowProcA]                                 [0060EE20] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSystemMetrics]                                [0060F570] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!DeleteObject]                                     [0060EAE0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetModuleHandleA]                              [0060FAA0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA]                                  [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW]                                  [0060F9C0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress]                                [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateThread]                                  [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW]                                [0060FA50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA]                                [0060FA00] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AdjustWindowRectEx]                              [0060F7A0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA]                                  [0060EEC0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSystemMetrics]                                [0060F570] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor]                                     [0060EA90] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW]                                  [0060EF50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!RegisterClassW]                                  [0060F4B0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush]                                [0060EB20] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!FillRect]                                        [0060F8B0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DrawFrameControl]                                [0060F920] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DrawEdge]                                        [0060F900] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SystemParametersInfoW]                           [0060F690] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetScrollInfo]                                   [0060ED10] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!CallWindowProcW]                                 [0060ED80] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SetScrollInfo]                                   [0060EC00] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [GDI32.dll!DeleteObject]                                       [0060EAE0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress]                                  [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA]                                    [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW]                                    [0060F9C0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread]                                    [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW]                                  [0060FA50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA]                                  [0060FA00] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!SystemParametersInfoW]                             [0060F690] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetSystemMetrics]                                  [0060F570] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetSysColor]                                       [0060EA90] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CallWindowProcW]                                   [0060ED80] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!RegisterClassW]                                    [0060F4B0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DefWindowProcW]                                    [0060EF50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW]                                 [0060F9C0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA]                                 [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress]                               [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!CreateThread]                                 [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress]                                [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA]                                  [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA]                                [0060FA00] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW]                                [0060FA50] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!CreateThread]                                  [0060F360] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetModuleHandleA]                              [0060FAA0] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\CRYPT32.dll [USER32.dll!GetSystemMetrics]                                [0060F570] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA]                                    [0060F980] C:\Program Files\COMODO\Firewall\cfp.exe
IAT             C:\Program Files\COMODO\Firewall\cfp.exe[1548] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress]                                  [0060FB30] C:\Program Files\COMODO\Firewall\cfp.exe


---- Devices - GMER 1.0.14 ----


Device          \FileSystem\Ntfs \Ntfs                                                                                                                        873631F8


AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                                        eamon.sys (Amon monitor/ESET)


Device          \FileSystem\Fastfat \FatCdrom                                                                                                                 85CCA500
Device          \FileSystem\Udfs \UdfsCdRom                                                                                                                   86692500
Device          \FileSystem\Udfs \UdfsDisk                                                                                                                    86692500


AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                      cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)


Device          \Driver\usbuhci \Device\USBPDO-0                                                                                                              870A41F8
Device          \Driver\NetBT \Device\NetBT_Tcpip_{5DD82455-3003-486A-A40F-76AC3AA88617}                                                                      86681500
Device          \Driver\usbuhci \Device\USBPDO-1                                                                                                              870A41F8
Device          \Driver\dmio \Device\DmControl\DmIoDaemon                                                                                                     873D51F8
Device          \Driver\dmio \Device\DmControl\DmConfig                                                                                                       873D51F8
Device          \Driver\dmio \Device\DmControl\DmPnP                                                                                                          873D51F8
Device          \Driver\dmio \Device\DmControl\DmInfo                                                                                                         873D51F8
Device          \Driver\usbuhci \Device\USBPDO-2                                                                                                              870A41F8
Device          \Driver\usbuhci \Device\USBPDO-3                                                                                                              870A41F8
Device          \Driver\usbehci \Device\USBPDO-4                                                                                                              870771F8


AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                     cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)


Device          \Driver\Ftdisk \Device\HarddiskVolume1                                                                                                        873651F8


AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1                                                                                                        snapman.sys (Acronis Snapshot API/Acronis)


Device          \Driver\Ftdisk \Device\HarddiskVolume2                                                                                                        873651F8


AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2                                                                                                        snapman.sys (Acronis Snapshot API/Acronis)


Device          \Driver\Cdrom \Device\CdRom0                                                                                                                  8704B1F8
Device          \Driver\Cdrom \Device\CdRom1                                                                                                                  8704B1F8
Device          \Driver\NetBT \Device\NetBt_Wins_Export                                                                                                       86681500
Device          \Driver\NetBT \Device\NetbiosSmb                                                                                                              86681500


AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                     cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                   cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)


Device          \Driver\usbuhci \Device\USBFDO-0                                                                                                              870A41F8
Device          \Driver\usbuhci \Device\USBFDO-1                                                                                                              870A41F8
Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                                                             864EF500
Device          \Driver\usbuhci \Device\USBFDO-2                                                                                                              870A41F8
Device          \FileSystem\MRxSmb \Device\LanmanRedirector                                                                                                   864EF500
Device          \Driver\usbuhci \Device\USBFDO-3                                                                                                              870A41F8
Device          \Driver\usbehci \Device\USBFDO-4                                                                                                              870771F8
Device          \Driver\Ftdisk \Device\FtControl                                                                                                              873651F8
Device          \FileSystem\Fastfat \Fat                                                                                                                      85CCA500


AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                                      fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                                      eamon.sys (Amon monitor/ESET)


Device          \FileSystem\Cdfs \Cdfs                                                                                                                        864FD500


---- Modules - GMER 1.0.14 ----


Module          \systemroot\system32\drivers\TDSSqawv.sys (*** hidden *** )                                                                                   AE354000-AE366000 (73728 bytes)


---- Threads - GMER 1.0.14 ----


Thread          4:564                                                                                                                                         AE356D66


---- Services - GMER 1.0.14 ----


Service         C:\WINDOWS\system32\drivers\TDSSqawv.sys (*** hidden *** )                                                                                    [SYSTEM] TDSSserv.sys                                                      <-- ROOTKIT !!!


---- Registry - GMER 1.0.14 ----


Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                                                               1
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                                                            0xDE 0x85 0x1C 0xEF ...
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                                               0
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                                            0x32 0x7A 0xF6 0xD1 ...
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@start                                                                                         1
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@type                                                                                          1
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@group                                                                                         file system
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath                                                                                     \systemroot\system32\drivers\TDSSqawv.sys
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSserv                                                                              \systemroot\system32\drivers\TDSSqawv.sys
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSl                                                                                 \systemroot\system32\TDSSkwtw.dll
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssservers                                                                           \systemroot\system32\TDSSsrat.dat
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssmain                                                                              \systemroot\system32\TDSSkrtj.dll
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsslog                                                                               \systemroot\system32\TDSSqcie.dll
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssadw                                                                               \systemroot\system32\TDSSogyn.dll
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssinit                                                                              \systemroot\system32\TDSScnfy.dll
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssurls                                                                              \systemroot\system32\TDSSnmxh.log
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsspanels                                                                            \systemroot\system32\TDSSulhc.dll
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsserrors                                                                            \systemroot\system32\TDSSkhwj.log
Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSproc                                                                              \systemroot\system32\TDSStsrp.log
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                                                            771343423
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                                                            285507792
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                                                            2
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                                                           1
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                                                        0xDE 0x85 0x1C 0xEF ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                                           0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                                        0x32 0x7A 0xF6 0xD1 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
Reg             HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start                                                                                     1
Reg             HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@type                                                                                      1
Reg             HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group                                                                                     file system
Reg             HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath                                                                                 \systemroot\system32\drivers\TDSSqawv.sys
Reg             HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
Reg             HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv                                                                          \systemroot\system32\drivers\TDSSqawv.sys
Reg             HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl                                                                             \systemroot\system32\TDSSkwtw.dll
Reg             HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers                                                                       \systemroot\system32\TDSSsrat.dat
Reg             HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain                                                                          \systemroot\system32\TDSSkrtj.dll
Reg             HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog                                                                           \systemroot\system32\TDSSqcie.dll
Reg             HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw                                                                           \systemroot\system32\TDSSogyn.dll
Reg             HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit                                                                          \systemroot\system32\TDSScnfy.dll
Reg             HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls                                                                          \systemroot\system32\TDSSnmxh.log
Reg             HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels                                                                        \systemroot\system32\TDSSulhc.dll
Reg             HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors                                                                        \systemroot\system32\TDSSkhwj.log
Reg             HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc                                                                          \systemroot\system32\TDSStsrp.log
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                                                               1
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                                                            0xDE 0x85 0x1C 0xEF ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                                               0
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                                            0x32 0x7A 0xF6 0xD1 ...
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@affid                                                                              5
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@subid                                                                              0
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@control                                                                            0x09 0x19 0x1F 0x16 ...
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@prov                                                                               10010
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@googleadserver                                                                     pagead2.googlesyndication.com
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@flagged                                                                            1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout                                                            15
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota                                                               10000
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler                                                                             yes
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout                                                            90
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota                                                              10000
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs                                                                    1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Appinit_Dlls                                                                        C:\WINDOWS\system32\guard32.dll
Reg             HKLM\SOFTWARE\Classes\CLSID\{12AAC1CE-B1D3-A48A-5EF7-439C990C4A28}\InprocServer32@                                                            C:\Program Files\Common Files\Microsoft Shared\DAO\dao360.dll
Reg             HKLM\SOFTWARE\Classes\CLSID\{12AAC1CE-B1D3-A48A-5EF7-439C990C4A28}\InprocServer32@ThreadingModel                                              Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{12AAC1CE-B1D3-A48A-5EF7-439C990C4A28}\ProgID@                                                                    DAO.QueryDef.36
Reg             HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg             HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel                                              Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@                                                            C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b                            0xC8 0x28 0x51 0xAF ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg             HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel                                              Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@                                                            C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b                            0x46 0x47 0x15 0xB0 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg             HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel                                              Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@                                                            C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016                            0xFF 0x7C 0x85 0xE0 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg             HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel                                              Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@                                                            C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48                            0x86 0x8C 0x21 0x01 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg             HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel                                              Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@                                                            C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472                            0xF5 0x1D 0x4D 0x73 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg             HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel                                              Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@                                                            C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d                            0xB0 0x18 0xED 0xA7 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\InprocServer32@                                                            C:\Program Files\Ahead\NeroVision\NeVideoFX.dll
Reg             HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\InprocServer32@ThreadingModel                                              Both
Reg             HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg             HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel                                              Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@                                                            C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b                            0x31 0x77 0xE1 0xBA ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg             HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel                                              Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@                                                            C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d                            0x01 0x3A 0x48 0xFC ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg             HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel                                              Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@                                                            C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3                            0x51 0xFA 0x6E 0x91 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg             HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel                                              Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@                                                            C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b                            0x3D 0xCE 0xEA 0x26 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg             HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel                                              Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@                                                            C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6                            0x2A 0xB7 0xCC 0xB5 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg             HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel                                              Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@                                                            C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2                            0xFA 0xEA 0x66 0x7F ...
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E1FBDEEB-B566-E001-2171-AE73B7D85687}
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E1FBDEEB-B566-E001-2171-AE73B7D85687}@mainnphakbhlgmklefpfifcipf    0x6A 0x61 0x6B 0x62 ...
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E1FBDEEB-B566-E001-2171-AE73B7D85687}@naomdmdigafpeofjnbceglbdlcfp  0x6A 0x61 0x6B 0x62 ...


---- EOF - GMER 1.0.14 ----


Below is my SDFix log:


SDFix: Version 1.240 
Run by Andy on Sat 11/22/2008 at 04:13 AM


Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix


Checking Services :



Restoring Default Security Values
Restoring Default Hosts File


Rebooting


Checking Files :


Trojan Files Found:


C:\WINDOWS\system32\E.tmp - Deleted
C:\WINDOWS\updater.exe - Deleted
C:\WINDOWS\system32\TDSSirxy.dll - Deleted
C:\WINDOWS\system32\TDSSrovu.dll - Deleted
C:\WINDOWS\system32\TDSSocun.dll - Deleted
C:\WINDOWS\system32\TDSSqqon.dll - Deleted
C:\WINDOWS\system32\TDSSwupe.dat - Deleted
C:\WINDOWS\system32\TDSSwrwn.log - Deleted



Could Not Remove C:\WINDOWS\system32\TDSSktkl.dll


Removing Temp Files


ADS Check :


C:\WINDOWS
:                                       8
Total size: 8 bytes.
WINDOWS: Access is denied.


Checking for remaining Streams


C:\WINDOWS
:                                       8
Total size: 8 bytes.


Final Check :


catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-22 07:17:02
Windows 5.1.2600 Service Pack 3 NTFS


scanning hidden processes ...


scanning hidden services & system hive ...


disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...


disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Andy\ntuser.dat, 0
scanning hidden files ...


disk error: C:\WINDOWS\


please note that you need administrator rights to perform deep scan


Remaining Services :



Authorized Application Key Export:


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"


Remaining Files :


C:\WINDOWS\system32\TDSSktkl.dll Found


File Backups: - C:\SDFix\backups\backups.zip


----
Below is my most recent MBAM log:


Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3


11/23/2008 4:13:08 AM
mbam-log-2008-11-23 (04-13-08).txt


Scan type: Quick Scan
Objects scanned: 78215
Time elapsed: 44 minute(s), 30 second(s)


Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0


Memory Processes Infected:
(No malicious items detected)


Memory Modules Infected:
(No malicious items detected)


Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.


Registry Values Infected:
(No malicious items detected)


Registry Data Items Infected:
(No malicious items detected)


Folders Infected:
(No malicious items detected)


Files Infected:
(No malicious items detected)

Edited by happygeek: fixed formatting

Last Post by AndyBT