Hey, trying to upload the files. Win32kDiag.txt, gmer.log. Let me try here.

Rich
------

Well, since I'm not allowed to attach the gmer.log I'm pasting it here. I hope that's OK.

Rich
-----

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-07 14:18:59
Windows 5.1.2600 Service Pack 3
Running: h9we6y69.exe; Driver: C:\DOCUME~1\RICHUS~1\LOCALS~1\Temp\ugtdrpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xA1A9AFC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xA1A97C80]
SSDT AF4B10FE ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xA1A9B580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xA1AAF900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xA1AAFB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xA1AB3B10]
SSDT AF4B10F4 ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xA1A9B670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xA1A98210]
SSDT AF4B1103 ZwDeleteKey
SSDT AF4B110D ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xA1AAF280]
SSDT sptd.sys ZwEnumerateKey [0xB7ED3A92]
SSDT sptd.sys ZwEnumerateValueKey [0xB7ED3E20]
SSDT AF4B1112 ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xA1AB2F90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xA1A98070]
SSDT sptd.sys ZwOpenKey [0xB7ECE090]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xA1AB1180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xA1AB0F40]
SSDT sptd.sys ZwQueryKey [0xB7ED3EF8]
SSDT sptd.sys ZwQueryValueKey [0xB7ED3D78]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xA1AB36F0]
SSDT AF4B111C ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xA1A9ABE0]
SSDT AF4B1117 ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xA1A9B190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xA1A98440]
SSDT AF4B1108 ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xA1AB0200]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xA1AB0080]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8B3321E8

AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \FileSystem\Fastfat \FatCdrom 8817A1E8
Device \Driver\usbstor \Device\000000ce 882A0980
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ELkbd.sys (Intel Corporation)

Device \Driver\usbuhci \Device\USBPDO-0 8A7FE1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8B34B1E8
Device \Driver\dmio \Device\DmControl\DmConfig 8B34B1E8
Device \Driver\dmio \Device\DmControl\DmPnP 8B34B1E8
Device \Driver\dmio \Device\DmControl\DmInfo 8B34B1E8
Device \Driver\usbuhci \Device\USBPDO-1 8A7FE1E8
Device \Driver\usbuhci \Device\USBPDO-2 8A7FE1E8
Device \Driver\usbuhci \Device\USBPDO-3 8A7FE1E8
Device \Driver\usbehci \Device\USBPDO-4 8A7CC4E0
Device \Driver\NetBT \Device\NetBT_Tcpip_{C78330C6-ED7F-479B-9C76-FDAF1C7930E3} 88457708
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8B3C01E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Cdrom \Device\CdRom0 8A79A980
Device \Driver\Ftdisk \Device\HarddiskVolume2 8B3C01E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\iaStor \Device\Ide\iaStor0 8B34A1E8
Device \Driver\atapi \Device\Ide\IdePort0 [B7D4CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [B7D4CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [B7D4CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 8B34A1E8
Device \Driver\Cdrom \Device\CdRom1 8A79A980
Device \Driver\Cdrom \Device\CdRom2 8A79A980
Device \Driver\Cdrom \Device\CdRom3 8A79A980
Device \Driver\usbstor \Device\000000b4 882A0980
Device \Driver\usbstor \Device\000000b5 882A0980
Device \Driver\NetBT \Device\NetBt_Wins_Export 88457708
Device \Driver\usbstor \Device\000000b6 882A0980
Device \Driver\usbstor \Device\000000b7 882A0980
Device \Driver\NetBT \Device\NetbiosSmb 88457708
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbstor \Device\000000aa 882A0980
Device \Driver\usbuhci \Device\USBFDO-0 8A7FE1E8
Device \Driver\usbuhci \Device\USBFDO-1 8A7FE1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 882CD528
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbuhci \Device\USBFDO-2 8A7FE1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 882CD528
Device \Driver\usbuhci \Device\USBFDO-3 8A7FE1E8
Device \Driver\usbehci \Device\USBFDO-4 8A7CC4E0
Device \Driver\Ftdisk \Device\FtControl 8B3C01E8
Device \Driver\PCI_NTPNP3676 \Device\0000007f sptd.sys
Device \Driver\axa2fjsp \Device\Scsi\axa2fjsp1Port3Path0Target0Lun0 8A712980
Device \Driver\axa2fjsp \Device\Scsi\axa2fjsp1 8A712980
Device \Driver\usbstor \Device\000000bf 882A0980
Device \FileSystem\Fastfat \Fat 8817A1E8

AttachedDevice \FileSystem\Fastfat \Fat symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \FileSystem\Cdfs \Cdfs 882B6980

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 235211622
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 297985943
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x98 0x50 0x43 0x9A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xAF 0xBD 0xB0 0xB6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0E 0xFB 0x38 0x88 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x98 0x50 0x43 0x9A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xAF 0xBD 0xB0 0xB6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0E 0xFB 0x38 0x88 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x98 0x50 0x43 0x9A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xAF 0xBD 0xB0 0xB6 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0E 0xFB 0x38 0x88 ...

---- EOF - GMER 1.0.15 ----

Hey, Rich

Remove Daemon Tools and Zone Alarm and try GMER once again. Copy and paste its report on your next reply.

Hey again,

I removed Daemon tools and Zone Alarm. I got BSOD while running gmer. It occurred when I moved the mouse to wake the system up while running the gmer. I guess I need to make the system not standby/hibernate when running this program. I couldn't see the error because it just flashed for a second before rebooting. After rebooting it automatically directed me to a microsoft site regarding the BSOD caused by drivers. I check device drivers and I seem to have a lot of HID devices listed. I also have a couple of extra monitors listed (I have two). None of these extra devices have yellow exclamation points or red X's and they say "working properly". I'm running gmer again right now. I'm on my notebook typing this. Should I do something else or send you the log file when it completes?

Thanks in advance,

Rich

Lets see what GMER brings in.

here's the gmer copy:

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-08 08:31:17
Windows 5.1.2600 Service Pack 3
Running: hibb18sz.exe; Driver: C:\DOCUME~1\RICHUS~1\LOCALS~1\Temp\ugtdrpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xA0D45FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xA0D42C80]
SSDT AECFA216 ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xA0D46580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xA0D5A900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xA0D5AB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xA0D5EB10]
SSDT AECFA20C ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xA0D46670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xA0D43210]
SSDT AECFA21B ZwDeleteKey
SSDT AECFA225 ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xA0D5A280]
SSDT sptd.sys ZwEnumerateKey [0xB7ED3A92]
SSDT sptd.sys ZwEnumerateValueKey [0xB7ED3E20]
SSDT AECFA22A ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xA0D5DF90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xA0D43070]
SSDT sptd.sys ZwOpenKey [0xB7ECE090]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xA0D5C180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xA0D5BF40]
SSDT sptd.sys ZwQueryKey [0xB7ED3EF8]
SSDT sptd.sys ZwQueryValueKey [0xB7ED3D78]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xA0D5E6F0]
SSDT AECFA234 ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xA0D45BE0]
SSDT AECFA22F ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xA0D46190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xA0D43440]
SSDT AECFA220 ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xA0D5B200]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xA0D5B080]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8B3331E8

AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

Device \Driver\usbuhci \Device\USBPDO-0 8A7F11E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8B3C01E8
Device \Driver\dmio \Device\DmControl\DmConfig 8B3C01E8
Device \Driver\dmio \Device\DmControl\DmPnP 8B3C01E8
Device \Driver\dmio \Device\DmControl\DmInfo 8B3C01E8
Device \Driver\usbuhci \Device\USBPDO-1 8A7F11E8
Device \Driver\usbuhci \Device\USBPDO-2 8A7F11E8
Device \Driver\usbuhci \Device\USBPDO-3 8A7F11E8
Device \Driver\usbehci \Device\USBPDO-4 8A7C41E8
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\NetBT \Device\NetBT_Tcpip_{C78330C6-ED7F-479B-9C76-FDAF1C7930E3} 88BA31E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8B34C1E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Cdrom \Device\CdRom0 8A7B1980
Device \Driver\Ftdisk \Device\HarddiskVolume2 8B34C1E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\iaStor \Device\Ide\iaStor0 8B3BF1E8
Device \Driver\atapi \Device\Ide\IdePort0 [B7D4CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [B7D4CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [B7D4CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 8B3BF1E8
Device \Driver\Cdrom \Device\CdRom1 8A7B1980
Device \Driver\usbstor \Device\000000b2 882F6710
Device \Driver\Cdrom \Device\CdRom2 8A7B1980
Device \Driver\usbstor \Device\000000b3 882F6710
Device \Driver\usbstor \Device\000000b4 882F6710
Device \Driver\usbstor \Device\000000a8 882F6710
Device \Driver\usbstor \Device\000000b5 882F6710
Device \Driver\NetBT \Device\NetBt_Wins_Export 88BA31E8
Device \Driver\NetBT \Device\NetbiosSmb 88BA31E8
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbuhci \Device\USBFDO-0 8A7F11E8
Device \Driver\usbuhci \Device\USBFDO-1 8A7F11E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88301980
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbuhci \Device\USBFDO-2 8A7F11E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88301980
Device \Driver\usbuhci \Device\USBFDO-3 8A7F11E8
Device \Driver\usbehci \Device\USBFDO-4 8A7C41E8
Device \Driver\Ftdisk \Device\FtControl 8B34C1E8
Device \Driver\usbstor \Device\000000bd 882F6710
Device \Driver\usbstor \Device\000000cc 882F6710
Device \FileSystem\Fastfat \Fat 88139980
Device \FileSystem\Fastfat \Fat 997A6297

AttachedDevice \FileSystem\Fastfat \Fat symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \FileSystem\Cdfs \Cdfs 88483980

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 235211622
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 297985943
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x98 0x50 0x43 0x9A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x98 0x50 0x43 0x9A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xAF 0xBD 0xB0 0xB6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0E 0xFB 0x38 0x88 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x98 0x50 0x43 0x9A ...

---- EOF - GMER 1.0.15 ----

We still have drivers from both programs that serve as hooks to the system. I would like to see how would the system work without them.

Open a command prompt (Start ->Run, type CMD and click OK) at the prompt type the following and press Enter after each command:

SC Stop sptd
SC Delete sptd

Remove the following folder:

C:\Program Files\DAEMON Tools

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  QUOTE
  :regfind
  vsdatant.sys
  
  :filefind
  Atapi.sys
  
  
• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Update...

When I enter SC Stop sptd I receive

[SC] ControlService FAILED 1052:
The requested control is not valid for this service.

The SC Delete sptd returns SUCCESS

Should I contiue?

Thanks,

Rich

Here's an addition to post 83...

I don't have a daemon tools folder on C:\.

I searched the whole disk and I'm displaying hidden/system/os files.

Rich
------

Run SystemLook.

Here are the contents of SystemLook.txt...

Thanks in advance,

Rich
-------

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 02:28 on 09/11/2009 by Rich User (Administrator - Elevation successful)

========== regfind ==========

Searching for "vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"

========== filefind ==========

Searching for "Atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys --a--c 95360 bytes [02:12 05/11/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys --a--- 96512 bytes [19:06 19/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys --a--- 95360 bytes [08:19 12/04/2006] [13:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-

Wait, I just realized that I didn't uninstall Zone Alarm I just shut it down. In looking back over your instructions, I believe I should uninstall it which I have just done.

Dere are the result for SystemLook now...

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 03:25 on 09/11/2009 by Rich User (Administrator - Elevation successful)

========== regfind ==========

Searching for "vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vsdatant]
"ImagePath"="System32\vsdatant.sys"

========== filefind ==========

Searching for "Atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys --a--c 95360 bytes [02:12 05/11/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys --a--- 96512 bytes [19:06 19/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys --a--- 95360 bytes [08:19 12/04/2006] [13:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-

Now that both programs are removed, does the issue persist? Run GMER and post its report.

Also:

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  CODE
  :Filefind
  svchost*
• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Hi again,

I'm posting the Gmer log below and after that the SystemLook file below...

I'm kinda lost now. I don't believe the original symptoms are present, but am I not supposed to re-install Zone Alarm? Should I just refer to the removal tutorials to find out the best advice on what to load?

Thanks in advance and let me know what you find with this latest scan,


Rich
-------

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-10 09:10:06
Windows 5.1.2600 Service Pack 3
Running: ucyd262i.exe; Driver: C:\DOCUME~1\RICHUS~1\LOCALS~1\Temp\ugtdrpob.sys


---- System - GMER 1.0.15 ----

SSDT AFCD21E6 ZwCreateKey
SSDT AFCD21DC ZwCreateThread
SSDT AFCD21EB ZwDeleteKey
SSDT AFCD21F5 ZwDeleteValueKey
SSDT AFCD21FA ZwLoadKey
SSDT AFCD21C8 ZwOpenProcess
SSDT AFCD21CD ZwOpenThread
SSDT AFCD2204 ZwReplaceKey
SSDT AFCD21FF ZwRestoreKey
SSDT AFCD21F0 ZwSetValueKey
SSDT AFCD21D7 ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ELkbd.sys (Intel Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Fastfat \Fat symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x98 0x50 0x43 0x9A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x98 0x50 0x43 0x9A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xAF 0xBD 0xB0 0xB6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0E 0xFB 0x38 0x88 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x98 0x50 0x43 0x9A ...

---- EOF - GMER 1.0.15 ----


------------------------------------

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 09:12 on 10/11/2009 by Rich User (Administrator - Elevation successful)

========== Filefind ==========

Searching for "svchost*"
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe --a--c 14336 bytes [02:13 05/11/2008] [19:00 10/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\ERDNT\cache\svchost.exe --a--- 14336 bytes [03:04 21/10/2009] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\I386\SVCHOST.EX_ --a--- 7278 bytes [23:47 09/01/2005] [19:00 10/08/2004] 115CAD555F7D81DE53015F018875FA4D
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf --a--- 8102 bytes [01:32 08/11/2009] [11:06 09/11/2009] C6CEF850B6310763495BD8EA84A22662
C:\WINDOWS\ServicePackFiles\i386\svchost.exe --a--- 14336 bytes [19:13 19/08/2008] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe --a--- 14336 bytes [23:48 09/01/2005] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18

-=End Of File=-
------------------

We need to find out if the services are back on. Do not reactivate Zone Alarm. Without the RPC there isn't that much the system will do. Lets review the settings once again:

• Copy the entire contents of the Quote Box below to Notepad.
• Name the file as Query.bat
• Change the Save as Type to All Files
• and Save it on the desktop
• Once saved, double click on the Query.bat file and post its report.