Tech Support Guy > Virus & Other Malware Removal
Generic Host Process for Win32 Services

Kysier (Junior Member, thread starter), 21-Feb-2011, 11:08 PM, #1
Generic Host Process for Win32 Services
Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.

szAppName : svchost.exe szAppVer : 5.1.2600.5512 szModName : unknown
szModVer : 0.0.0.0 offset : 001a532c

Event viewer:

Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a532c.

0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 73 76 63 ure svc
0018: 68 6f 73 74 2e 65 78 65 host.exe
0020: 20 35 2e 31 2e 32 36 30 5.1.260
0028: 30 2e 35 35 31 32 20 69 0.5512 i
0030: 6e 20 75 6e 6b 6e 6f 77 n unknow
0038: 6e 20 30 2e 30 2e 30 2e n 0.0.0.
0040: 30 20 61 74 20 6f 66 66 0 at off
0048: 73 65 74 20 30 30 31 61 set 001a
0050: 35 33 32 63 532c


I keep getting this error message every time I start up my computer. I've tried every solution I could find online involving this problem, but nothing has worked. All the Windows updates, virus scans, messing with the registry and closing ports... nothing has even come close to working.

When the error occurs, all windows revert to a classic look (Windows 98 style) and my sound devices stop working.

(Edit: I'm using Windows XP SP3)
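The Event Viewer record in the post above carries the same message twice: once as the description line and once as a raw data dump with an offset column, eight hex bytes and an ASCII rendering. As an added example that is not part of the thread, the Python below rebuilds the data bytes from the dump and pulls the structured fields out of the description; the dump and description text are copied from the post as constructed test input. The hex column is authoritative and the ASCII column is only a rendering, but in a pasted log both columns are plain space-separated text, so the parser uses the ASCII column to decide where the hex ends on a short line (the last line, `35 33 32 63 532c`, would otherwise be read as five bytes).

```python
import re
import string

# Constructed test input, copied from the Event Viewer record in the post.
EVENT_DESCRIPTION = (
    "Faulting application svchost.exe, version 5.1.2600.5512, "
    "faulting module unknown, version 0.0.0.0, fault address 0x001a532c."
)

EVENT_DATA_DUMP = """\
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 73 76 63 ure svc
0018: 68 6f 73 74 2e 65 78 65 host.exe
0020: 20 35 2e 31 2e 32 36 30 5.1.260
0028: 30 2e 35 35 31 32 20 69 0.5512 i
0030: 6e 20 75 6e 6b 6e 6f 77 n unknow
0038: 6e 20 30 2e 30 2e 30 2e n 0.0.0.
0040: 30 20 61 74 20 6f 66 66 0 at off
0048: 73 65 74 20 30 30 31 61 set 001a
0050: 35 33 32 63 532c
"""

DUMP_LINE = re.compile(r"^(?P<offset>[0-9a-fA-F]{4}):\s*(?P<rest>.*)$")
HEX_PAIR = re.compile(r"[0-9a-fA-F]{2}")
# Event Viewer renders printable ASCII as-is and every other byte as '.'
PRINTABLE = set(string.printable) - set(string.whitespace) | {" "}


def render_ascii(data: bytes) -> str:
    return "".join(chr(b) if chr(b) in PRINTABLE else "." for b in data)


def split_dump_line(rest: str) -> bytes:
    """Return the bytes of one dump line ('hex pairs' + 'ascii rendering').
    The ASCII column may itself look like hex ("35 33 32 63 532c"), so we try
    eight pairs down to one and keep the longest count whose bytes render to
    exactly the remaining tokens (whitespace in the rendering is collapsed by
    the paste, so we compare token lists rather than raw strings)."""
    tokens = rest.split()
    for n in range(min(8, len(tokens)), 0, -1):
        if not all(HEX_PAIR.fullmatch(t) for t in tokens[:n]):
            continue
        data = bytes.fromhex("".join(tokens[:n]))
        if render_ascii(data).split() == tokens[n:]:
            return data
    raise ValueError(f"unparseable dump line: {rest!r}")


def decode_event_data(dump: str) -> bytes:
    """Rebuild the record's raw Data bytes, checking that offsets are
    contiguous so a dropped or duplicated line in a paste raises instead of
    silently producing a shifted string."""
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue
        offset = int(m.group("offset"), 16)
        if offset != len(out):
            raise ValueError(f"dump is not contiguous at offset {offset:#06x}")
        out += split_dump_line(m.group("rest"))
    return bytes(out)


FAULT_RE = re.compile(
    r"Faulting application (?P<app>\S+), version (?P<app_version>[\d.]+), "
    r"faulting module (?P<module>\S+), version (?P<module_version>[\d.]+), "
    r"fault address 0x(?P<fault_address>[0-9a-fA-F]+)"
)


def parse_fault_description(text: str) -> dict:
    """Pull the structured fields out of an Application Error description."""
    m = FAULT_RE.search(text)
    if not m:
        raise ValueError("not an Application Error description")
    fields = m.groupdict()
    fields["fault_address"] = int(fields["fault_address"], 16)
    return fields


if __name__ == "__main__":
    print(decode_event_data(EVENT_DATA_DUMP).decode("ascii"))
    print(parse_fault_description(EVENT_DESCRIPTION))
```

Decoded, the data is the description again in its older fixed form, `Application Failure  svchost.exe 5.1.2600.5512 in unknown 0.0.0.0 at offset 001a532c`. A faulting module of `unknown` with version `0.0.0.0` means the fault address could not be attributed to any image the loader knows about, which is why the replies below go straight to malware and rootkit scans rather than to a particular DLL.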
Phantom010 (Trusted Advisor), 22-Feb-2011, 12:11 AM, #2
Please click HERE to download and install HijackThis.

Run it and select Do a system scan and save a logfile from the Main Menu.

The log will be saved in Notepad. Copy and paste the log in your next reply.

IMPORTANT: Do not fix anything
Kysier (thread starter), 22-Feb-2011, 02:23 AM, #3
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:45 AM, on 2/22/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe
C:\WINDOWS\system32\rpcnet.exe
C:\windows\system32\svchost.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\taskmgr.exe
C:\windows\explorer.exe
C:\windows\system32\ctfmon.exe
C:\windows\System32\svchost.exe
C:\windows\system32\wscntfy.exe
C:\windows\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\windows\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://flyingincognitosleep.com/cgi-bin/h.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USREL/1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Updater For My.Freeze.com Toolbar - {C26CD490-5F01-41E3-B150-EB29F19DA056} - (no file)
O2 - BHO: (no name) - {CC3C8D60-29D6-4880-B9D8-443C4CBA2BEC} - (no file)
O2 - BHO: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Client\YontooIEClient.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Student\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Student\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/Messen.../GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Remote Procedure Call (RPC) LD (rpcld) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe

--
End of file - 6308 bytes
Phantom010 (Trusted Advisor), 22-Feb-2011, 10:08 AM, #4
Have you recently tried to remove Laptop Retriever from your computer?
Kysier (thread starter), 22-Feb-2011, 12:39 PM, #5
I'm not even sure how to remove it.
Phantom010 (Trusted Advisor), 22-Feb-2011, 12:44 PM, #6
I'm asking 'cause your log is saying that a file is missing from a Laptop Retriever service.
Phantom010 (Trusted Advisor), 22-Feb-2011, 12:55 PM, #7
You don't have an active antivirus installed on your computer. Your Internet Explorer entries in HijackThis are showing questionable add-ons. I know you're running Firefox instead but it probably contains the same items.

Download and install the free version of Malwarebytes' Anti-Malware. Run a Quick Scan and have it Delete whatever it finds.

Then, please post back the text report from the scan.

Finally, post a new HijackThis log.
__________________

Please read instructions and questions carefully, and reply in a timely manner... Thank you.

Why don't you just Google it?
If your problem is solved, please click on the Mark Solved button.
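Replies #6 and #7 read the HijackThis log by eye: a service entry whose executable is missing, BHO entries with no name and no file, and an Internet Explorer start page on an unfamiliar host. As an added example that is not part of the thread, the Python below applies those same checks mechanically to a subset of the lines posted in #3 (constructed sample input, copied from that log). The allowlist of expected start-page hosts is an assumption an analyst would set per case, and the severity labels are mine, not HijackThis's.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: a subset of the HijackThis lines posted in the thread.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://flyingincognitosleep.com/cgi-bin/h.pl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Updater For My.Freeze.com Toolbar - {C26CD490-5F01-41E3-B150-EB29F19DA056} - (no file)
O2 - BHO: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O23 - Service: Remote Procedure Call (RPC) LD (rpcld) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
"""

# Hosts this user's start/search pages are expected to use (constructed
# allowlist for the example; an analyst sets this per case).
EXPECTED_HOSTS = {"www.yahoo.com", "www.live.com", "g.msn.com", "go.microsoft.com"}


@dataclass
class Finding:
    severity: str  # "info", "review" or "suspicious"
    section: str   # HijackThis section code, e.g. O2
    detail: str
    line: str


ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
URL_SETTING_RE = re.compile(r"^(?P<key>.*?) =\s*(?P<url>\S*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.*) \((?P<name>[^()]+)\) - (?P<owner>.*?) - (?P<path>.*)$"
)


def triage(log_text: str, expected_hosts=EXPECTED_HOSTS) -> list:
    """Walk the R/O entries of a HijackThis log and return the ones a human
    reviewer would stop at, with a reason."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            # Start/search page overrides: flag any host outside the allowlist.
            u = URL_SETTING_RE.match(body)
            if u and u.group("url"):
                host = urlsplit(u.group("url")).hostname
                if host not in expected_hosts:
                    setting = u.group("key").rsplit(",", 1)[-1]
                    findings.append(Finding("suspicious", sec,
                                            f"browser setting '{setting}' points at {host}", raw))
        elif sec == "R3":
            findings.append(Finding("info", sec, body, raw))
        elif sec == "O2":
            # Browser Helper Objects still registered but without a name or a file
            # on disk are leftovers of something removed or half-installed.
            b = BHO_RE.match(body)
            if b:
                problems = []
                if b.group("name") == "(no name)":
                    problems.append("unnamed")
                if b.group("path") == "(no file)":
                    problems.append("file gone")
                if problems:
                    findings.append(Finding("review", sec,
                                            f"BHO {{{b.group('clsid')}}} {', '.join(problems)}: orphaned registration", raw))
        elif sec == "O4":
            findings.append(Finding("info", sec, "autostart entry: " + body, raw))
        elif sec == "O23":
            # A service whose binary is missing is what reply #6 spotted (rpcld).
            s = SERVICE_RE.match(body)
            if s and s.group("path").endswith("(file missing)"):
                findings.append(Finding("review", sec,
                                        f"service '{s.group('name')}' ({s.group('owner')}) points at a missing executable", raw))
    return findings


def count_by_severity(findings) -> dict:
    counts = {"suspicious": 0, "review": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE):
        print(f"[{f.severity}] {f.section}: {f.detail}")
```

On the sample this yields one suspicious entry (the HKCU start page on flyingincognitosleep.com), three entries for review (two orphaned BHOs and the rpcld service with its file missing) and three informational lines, which is the same short list the advisor arrived at by reading the log.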
Kysier (thread starter), 22-Feb-2011, 05:26 PM, #8
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5843

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/22/2011 3:25:17 PM
mbam-log-2011-02-22 (15-25-17).txt

Scan type: Quick scan
Objects scanned: 179053
Time elapsed: 25 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:15 PM, on 2/22/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe
C:\WINDOWS\system32\rpcnet.exe
C:\windows\system32\svchost.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\taskmgr.exe
C:\windows\explorer.exe
C:\windows\system32\ctfmon.exe
C:\windows\System32\svchost.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\windows\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://flyingincognitosleep.com/cgi-bin/h.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USREL/1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Updater For My.Freeze.com Toolbar - {C26CD490-5F01-41E3-B150-EB29F19DA056} - (no file)
O2 - BHO: (no name) - {CC3C8D60-29D6-4880-B9D8-443C4CBA2BEC} - (no file)
O2 - BHO: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Client\YontooIEClient.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Student\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Student\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/Messen.../GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Remote Procedure Call (RPC) LD (rpcld) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe

--
End of file - 6442 bytes
Kysier (thread starter), 22-Feb-2011, 07:49 PM, #9
Dunno if this will help any or has anything to do with it, but as a side note my homepage is stuck on http://flyingincognitosleep.com/cgi-bin/h.pl, which redirects to Google.

Also, when the error message pops up, the internet keeps working, but if I close and re-open the laptop (i.e. let it go on standby or sleep) the internet stops working (it'll look fine, but nothing loads, and instead of the host name listed it will say "access point").
Phantom010 (Trusted Advisor), 22-Feb-2011, 09:06 PM, #10
I would click on Report and kindly ask to be moved to the Virus & Other Malware Removal forum. Be sure to provide the appropriate reports in that forum after reading THIS. From there, be patient. You should get an answer within the next 48 hours. The malware removal experts are really busy!

http://www.urlvoid.com/scan/flyingincognitosleep.com
Kysier (thread starter), 23-Feb-2011, 03:36 PM, #11
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-23 13:34:10
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 WDC_WD80 rev.11.0
Running: 9tvozyci.exe; Driver: C:\DOCUME~1\Student\LOCALS~1\Temp\awacqkod.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sectors 156301232 (+254): rootkit-like behavior;

---- System - GMER 1.0.15 ----

SSDT spef.sys ZwEnumerateKey [0xF7473DA4]
SSDT spef.sys ZwEnumerateValueKey [0xF7474132]

---- Devices - GMER 1.0.15 ----

Device \Driver\iaStor -> DriverStartIo \Device\Ide\iaStor0 85FABAEA
Device \Driver\iaStor \Device\Ide\iaStor0 [F72930B0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor -> DriverStartIo \Device\Ide\IAAStorageDevice-0 85FABAEA
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [F72930B0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \FileSystem\Ntfs \Ntfs 86BD71F8

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD800BEVT-75ZCT2____________________11.01A11#4&1e241ba3&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----

DDS (Ver_10-12-12.02) - NTFSx86
Run by Student at 13:18:56.85 on Wed 02/23/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.979.617 [GMT -6:00]

AV: Trend Micro Internet Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *Disabled*

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\rpcnet.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\SearchIndexer.exe
C:\windows\System32\svchost.exe -k HTTPFilter
C:\windows\system32\wscntfy.exe
C:\windows\system32\taskmgr.exe
C:\Documents and Settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe
C:\windows\System32\svchost.exe -k netsvcs
C:\Documents and Settings\Student\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://flyingincognitosleep.com/cgi-bin/h.pl
uSearch Page = hxxp://www.live.com
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Updater For My.Freeze.com Toolbar: {c26cd490-5f01-41e3-b150-eb29f19da056} - Updater For My.Freeze.com Toolbar
BHO: {CC3C8D60-29D6-4880-B9D8-443C4CBA2BEC} - No File
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client\YontooIEClient.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\student\local settings\application data\google\update\GoogleUpdate.exe" /c
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\documents and settings\student\start menu\programs\startup\PowerReg Scheduler V3.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\student\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\student\applic~1\mozilla\firefox\profiles\2bjp90wv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://flyingincognitosleep.com/cgi-bin/h.pl
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\student\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Shop to Win: {5835466c-49af-4cbe-b102-a8c8b6313749} - %profile%\extensions\{5835466c-49af-4cbe-b102-a8c8b6313749}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: browser.startup.homepage - hxxp://flyingincognitosleep.com/cgi-bin/h.pl
FF - user.js: browser.startup.page - 1

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-11-8 28552]
R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [2010-6-11 15360]
R2 rpcld;Remote Procedure Call (RPC) LD;c:\documents and settings\all users\application data\rpcnet\bin\rpcld.exe --> c:\documents and settings\all users\application data\rpcnet\bin\rpcld.exe [?]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-10-26 36432]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-6-16 112512]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-6-16 109568]
R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-6-16 232744]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-10-26 339984]
S0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys --> c:\windows\system32\drivers\nielprt.sys [?]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-1-31 16968]
S3 ldiskl;ldiskl;c:\docume~1\student\locals~1\temp\ldiskl.sys [2008-9-9 31744]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\manycam.sys --> c:\windows\system32\drivers\ManyCam.sys [?]
S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]
S3 qkbdhid;qkbdhid;c:\docume~1\student\locals~1\temp\qkbdhid.sys [2010-12-20 17920]
S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-10-26 51792]
S4 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-6-27 1664248]
S4 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\broadcom\mgmtagent\BrcmMgmtAgent.exe [2008-7-1 110592]
S4 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-12-29 320800]
S4 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-2-6 443168]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-14 136176]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-10-26 497008]
S4 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-10-26 689416]

=============== Created Last 30 ================

2011-02-22 02:30:36 -------- d-----w- c:\windows\system32\CatRoot2
2011-02-21 18:27:29 -------- d-----w- c:\docume~1\student\locals~1\applic~1\SvchostViewer
2011-02-20 03:46:44 -------- d-----w- c:\docume~1\student\applic~1\AskToolbar
2011-02-20 03:46:39 -------- d-----w- c:\docume~1\student\locals~1\applic~1\AskToolbar
2011-02-06 04:56:00 -------- d-----w- C:\Perfect World Entertainment
2011-02-06 04:54:21 258352 ----a-w- c:\windows\system32\unicows.dll
2011-02-05 06:36:32 -------- d-----w- c:\program files\The Learning Company
2011-01-31 22:17:03 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-31 22:17:01 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-01-31 22:16:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

==================== Find3M ====================

2011-02-23 16:07:38 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2011-02-23 16:07:36 57752 ----a-w- c:\windows\system32\rpcnet.dll
2011-02-22 02:30:36 575704 ----a-w- c:\windows\system32\wuapi.old
2011-02-08 17:40:55 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2011-01-23 20:02:35 21840 ----atw- c:\windows\system32\SIntfNT.dll
2011-01-23 20:02:35 17212 ----atw- c:\windows\system32\SIntf32.dll
2011-01-23 20:02:35 12067 ----atw- c:\windows\system32\SIntf16.dll
2011-01-18 19:27:29 51200 ---ha-w- c:\windows\system32\bootsn32.dll
2011-01-10 01:55:09 52736 ----a-w- c:\windows\ipuninst.exe
2011-01-02 15:43:43 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-12-21 07:24:48 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-12-13 04:27:53 1409 ----a-w- c:\windows\QTFont.for

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD80 rev.11.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85FABD01]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x50; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x83c4f85b; SUB DWORD [EBP-0x4], 0x83c4f12e; PUSH EDI; CALL 0xffffffffffffe0f7; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86B2D030]
3 CLASSPNP[0xF769EFD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x86A68030]
[0x85EC2580] -> IRP_MJ_CREATE -> 0x85FABD01
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD800BEVT-75ZCT2____________________11.01A11#4&1e241ba3&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\iaStor DriverStartIo -> 0x85FABAEA
user & kernel MBR OK
copy of MBR has been found in sector 61 !
copy of MBR has been found in sector 62 !
sectors 156301486 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 13:32:12.68 ===============
Kysier
Junior Member with 9 posts.
THREAD STARTER
Join Date: Feb 2011
23-Feb-2011, 04:05 PM #12
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-23 14:04:15
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 WDC_WD80 rev.11.0
Running: 9tvozyci.exe; Driver: C:\DOCUME~1\Student\LOCALS~1\Temp\awacqkod.sys
---- System - GMER 1.0.15 ----

SSDT spef.sys ZwCreateKey [0xF745B0E0]
SSDT spef.sys ZwEnumerateKey [0xF7473DA4]
SSDT spef.sys ZwEnumerateValueKey [0xF7474132]
SSDT spef.sys ZwOpenKey [0xF745B0C0]
SSDT spef.sys ZwQueryKey [0xF747420A]
SSDT spef.sys ZwQueryValueKey [0xF747408A]
SSDT spef.sys ZwSetValueKey [0xF747429C]

INT 0x84 ? 86055BF8
INT 0x84 ? 86055BF8
INT 0x84 ? 86055BF8
INT 0x84 ? 86055BF8
INT 0x94 ? 86055BF8
INT 0x94 ? 86055BF8
INT 0x94 ? 86055BF8
INT 0xB4 ? 86055BF8
INT 0xB4 ? 86055BF8
INT 0xB4 ? 86055BF8
INT 0xB4 ? 86055BF8

---- Kernel code sections - GMER 1.0.15 ----

? spef.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F5B79934 5 Bytes JMP 860551D8
.rsrc C:\windows\system32\DRIVERS\mouclass.sys entry point in ".rsrc" section [0xF79CA814]
? C:\DOCUME~1\Student\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\windows\system32\SearchIndexer.exe[572] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\windows\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[968] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\windows\Explorer.EXE[1228] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\windows\Explorer.EXE[1228] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\windows\Explorer.EXE[1228] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\windows\System32\svchost.exe[3116] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D3000A
.text C:\windows\System32\svchost.exe[3116] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D4000A
.text C:\windows\System32\svchost.exe[3116] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D2000C
.text C:\windows\System32\svchost.exe[3116] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 008A000A
.text C:\windows\System32\svchost.exe[3116] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E0000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3688] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0141000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3688] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0152000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3688] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0140000C

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F746BB90] spef.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[1228] @ C:\windows\Explorer.EXE [KERNEL32.dll!CreateProcessW] [01F01000] C:\windows\system32\bootsn32.dll
IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [01F01000] C:\windows\system32\bootsn32.dll
IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [01F0105B] C:\windows\system32\bootsn32.dll
IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [01F01000] C:\windows\system32\bootsn32.dll
IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [01F01000] C:\windows\system32\bootsn32.dll
IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [01F0105B] C:\windows\system32\bootsn32.dll
IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [01F01000] C:\windows\system32\bootsn32.dll
IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [01F01000] C:\windows\system32\bootsn32.dll
IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [01F01000] C:\windows\system32\bootsn32.dll
IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3688] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3688] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3688] @ C:\windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3688] @ C:\windows\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3688] @ C:\windows\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3688] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3688] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3688] @ C:\windows\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3688] @ C:\windows\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3688] @ C:\windows\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86BD71F8

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 85F511F8
Device \Driver\usbuhci \Device\USBPDO-1 85F511F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86B6B1F8
Device \Driver\dmio \Device\DmControl\DmConfig 86B6B1F8
Device \Driver\dmio \Device\DmControl\DmPnP 86B6B1F8
Device \Driver\dmio \Device\DmControl\DmInfo 86B6B1F8
Device \Driver\usbuhci \Device\USBPDO-2 85F511F8
Device \Driver\usbehci \Device\USBPDO-3 860461F8
Device \Driver\usbehci \Device\USBPDO-4 860461F8

AttachedDevice \Driver\Tcpip \Device\Tcp nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\usbuhci \Device\USBPDO-5 85F511F8
Device \Driver\usbuhci \Device\USBPDO-6 85F511F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 86BD91F8
Device \Driver\usbuhci \Device\USBPDO-7 85F511F8
Device \Driver\Cdrom \Device\CdRom0 860131F8
Device \Driver\iaStor -> DriverStartIo \Device\Ide\iaStor0 85FABAEA
Device \Driver\iaStor \Device\Ide\iaStor0 [F72930B0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor -> DriverStartIo \Device\Ide\IAAStorageDevice-0 85FABAEA
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [F72930B0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 85F511F8
Device \Driver\usbuhci \Device\USBFDO-1 85F511F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 855BF1F8
Device \Driver\usbuhci \Device\USBFDO-2 85F511F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 855BF1F8
Device \Driver\usbehci \Device\USBFDO-3 860461F8
Device \Driver\usbuhci \Device\USBFDO-4 85F511F8
Device \Driver\Ftdisk \Device\FtControl 86BD91F8
Device \Driver\usbuhci \Device\USBFDO-5 85F511F8
Device \Driver\usbuhci \Device\USBFDO-6 85F511F8
Device \Driver\usbehci \Device\USBFDO-7 860461F8
Device \FileSystem\Cdfs \Cdfs 855AE1F8
Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD800BEVT-75ZCT2____________________11.01A11#4&1e241ba3&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6F 0xF8 0x18 0xBA ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x48 0xCE 0x33 0x40 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x30 0x30 0x9D 0x63 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6F 0xF8 0x18 0xBA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6F 0xF8 0x18 0xBA ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sectors 156301232 (+254): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP21\A0013928.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP21\A0014928.exe:BAK 23040 bytes executable
File C:\windows\system32\DRIVERS\mouclass.sys suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
Kysier
Junior Member with 9 posts.
THREAD STARTER
Join Date: Feb 2011
27-Feb-2011, 12:47 AM #13
Please help. You guys are my last hope.
Kysier
Junior Member with 9 posts.
THREAD STARTER
Join Date: Feb 2011
06-Mar-2011, 09:09 PM #14
BTW, if it helps any, the internet will stop working after 10 or so minutes of start-up.