
Generic Host Process for Win32 Services

Discussion in 'Virus & Other Malware Removal' started by Kysier, Feb 21, 2011.

  1. Kysier

    Kysier Thread Starter

    Joined:
    Feb 21, 2011
    Messages:
    9
    Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.

    szAppName : svchost.exe szAppVer : 5.1.2600.5512 szModName : unknown
    szModVer : 0.0.0.0 offset : 001a532c

    Event viewer:

    Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a532c.

    0000: 41 70 70 6c 69 63 61 74 Applicat
    0008: 69 6f 6e 20 46 61 69 6c ion Fail
    0010: 75 72 65 20 20 73 76 63 ure svc
    0018: 68 6f 73 74 2e 65 78 65 host.exe
    0020: 20 35 2e 31 2e 32 36 30 5.1.260
    0028: 30 2e 35 35 31 32 20 69 0.5512 i
    0030: 6e 20 75 6e 6b 6e 6f 77 n unknow
    0038: 6e 20 30 2e 30 2e 30 2e n 0.0.0.
    0040: 30 20 61 74 20 6f 66 66 0 at off
    0048: 73 65 74 20 30 30 31 61 set 001a
    0050: 35 33 32 63 532c


    I keep getting this error message every time I start up my computer. I've tried every solution I could find online involving this problem but nothing has worked. All the Windows updates, virus scans, messing with the registry and closing ports... nothing has even come close to working.

    When the error occurs, all windows revert to a classic look (Windows 98 style) and my sound devices stop working.


    (Edit: I'm using Windows XP SP3)
     
  2. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,062
    Please click HERE to download and install HijackThis.

    Run it and select Do a system scan and save a logfile from the Main Menu.

    The log will be saved in Notepad. Copy and paste the log in your next reply.

    IMPORTANT: Do not fix anything
     
  3. Kysier

    Kysier Thread Starter

    Joined:
    Feb 21, 2011
    Messages:
    9
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:22:45 AM, on 2/22/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Documents and Settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe
    C:\WINDOWS\system32\rpcnet.exe
    C:\windows\system32\svchost.exe
    C:\windows\system32\SearchIndexer.exe
    C:\windows\system32\taskmgr.exe
    C:\windows\explorer.exe
    C:\windows\system32\ctfmon.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\wscntfy.exe
    C:\windows\system32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\windows\system32\SearchProtocolHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://flyingincognitosleep.com/cgi-bin/h.pl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USREL/1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Updater For My.Freeze.com Toolbar - {C26CD490-5F01-41E3-B150-EB29F19DA056} - (no file)
    O2 - BHO: (no name) - {CC3C8D60-29D6-4880-B9D8-443C4CBA2BEC} - (no file)
    O2 - BHO: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Client\YontooIEClient.dll
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Student\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: PowerReg Scheduler V3.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Student\Start Menu\Programs\IMVU\Run IMVU.lnk
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Remote Procedure Call (RPC) LD (rpcld) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe (file missing)
    O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe

    --
    End of file - 6308 bytes
     
  4. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,062
  5. Kysier

    Kysier Thread Starter

    Joined:
    Feb 21, 2011
    Messages:
    9
    I'm not even sure how to remove it.
     
  6. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,062
    I'm asking 'cause your log is saying that a file is missing from a Laptop Retriever service.
     
  7. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,062
    You don't have an active antivirus installed on your computer. Your Internet Explorer entries in HijackThis are showing questionable add-ons. I know you're running Firefox instead but it probably contains the same items.

    Download and install the free version of Malwarebytes' Anti-Malware. Run a Quick Scan and have it Delete whatever it finds.

    Then, please post back the text report from the scan.

    Finally, post a new HijackThis log.
     
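One way to pull out the entries Phantom010 points at in the HijackThis log (the start page that is not a vendor default, the BHOs whose DLL is gone, the service whose binary is missing), as an added example that is not part of the thread and not HijackThis or Trend Micro code: a small Python triage script over HijackThis lines. The regular expressions reflect the line formats visible in the log above, the list of vendor-default pages and the finding categories are assumptions made for the example, and the sample lines are copied from the log Kysier posted.

```python
"""Triage helper for HijackThis log lines (added example, not HijackThis code)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Assumed vendor-default home/search pages (not a complete list; a real
# triage script would carry a fuller one).
KNOWN_DEFAULT_PAGES = {
    "http://www.yahoo.com",
    "http://www.live.com",
    "http://g.msn.com/USREL/1",
    "http://go.microsoft.com/fwlink/?LinkId=54896",
}

PAGE_VALUES = ("Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL")

# R0/R1: "R0 - HKCU\Software\...\Main,Start Page = http://..."
_RE_PAGE = re.compile(r"^R[01] - (HK\w+)\\(.+?),(.+?) = ?(.*)$")
# O2/O3: "O2 - BHO: name - {CLSID} - path"   (path may be "(no file)")
_RE_BHO = re.compile(r"^O[23] - (?:BHO|Toolbar): (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# O23: "O23 - Service: display (short) - owner - path [(file missing)]"
_RE_SVC = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.*)$")


@dataclass
class Finding:
    kind: str    # category used for summarising (assumed names)
    line: str    # the HijackThis line that triggered it
    reason: str  # what a reviewer should look at


def triage_hijackthis(log_text: str) -> list[Finding]:
    """Return the HijackThis entries worth a second look, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _RE_PAGE.match(line)
        if m:
            hive, _key, value_name, url = m.groups()
            # Home/search pages that are neither empty nor a known default.
            if value_name in PAGE_VALUES and url and url not in KNOWN_DEFAULT_PAGES:
                findings.append(Finding("browser_page", line,
                    f"{hive} {value_name} points at a non-default URL: {url}"))
            continue
        if line.startswith("R3 - ") and "missing" in line:
            findings.append(Finding("urlsearchhook", line,
                "default URLSearchHook removed; check what replaced it"))
            continue
        m = _RE_BHO.match(line)
        if m:
            name, clsid, path = m.groups()
            # Registration left behind after the DLL was deleted or moved.
            if path.lower() == "(no file)":
                findings.append(Finding("orphaned_bho", line,
                    f"{name} {clsid} is registered but its DLL is gone"))
            continue
        m = _RE_SVC.match(line)
        if m:
            name, owner, path = m.groups()
            if path.endswith("(file missing)"):
                findings.append(Finding("missing_service", line,
                    f"service {name} ({owner}) points at a binary that no longer exists"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, e.g. {"orphaned_bho": 2, ...}."""
    return dict(Counter(f.kind for f in findings))


# Sample input: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://flyingincognitosleep.com/cgi-bin/h.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Updater For My.Freeze.com Toolbar - {C26CD490-5F01-41E3-B150-EB29F19DA056} - (no file)
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O23 - Service: Remote Procedure Call (RPC) LD (rpcld) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
"""

if __name__ == "__main__":
    found = triage_hijackthis(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] {f.reason}")
    print(summarize(found))
```

Run on the sample above it reports the flyingincognitosleep.com start page, the removed URLSearchHook, the two BHOs with no file and the rpcld service with its missing binary, while the Adobe BHO, the Ask toolbar and the Absolute Software rpcnet service (which have files on disk) pass through. A toolbar or BHO with a file present is not automatically clean, so the script narrows the list rather than clearing anything.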
  8. Kysier

    Kysier Thread Starter

    Joined:
    Feb 21, 2011
    Messages:
    9
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5843

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    2/22/2011 3:25:17 PM
    mbam-log-2011-02-22 (15-25-17).txt

    Scan type: Quick scan
    Objects scanned: 179053
    Time elapsed: 25 minute(s), 32 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:26:15 PM, on 2/22/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Documents and Settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe
    C:\WINDOWS\system32\rpcnet.exe
    C:\windows\system32\svchost.exe
    C:\windows\system32\SearchIndexer.exe
    C:\windows\system32\taskmgr.exe
    C:\windows\explorer.exe
    C:\windows\system32\ctfmon.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\windows\System32\svchost.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://flyingincognitosleep.com/cgi-bin/h.pl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USREL/1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Updater For My.Freeze.com Toolbar - {C26CD490-5F01-41E3-B150-EB29F19DA056} - (no file)
    O2 - BHO: (no name) - {CC3C8D60-29D6-4880-B9D8-443C4CBA2BEC} - (no file)
    O2 - BHO: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Client\YontooIEClient.dll
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Student\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: PowerReg Scheduler V3.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Student\Start Menu\Programs\IMVU\Run IMVU.lnk
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Remote Procedure Call (RPC) LD (rpcld) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe (file missing)
    O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe

    --
    End of file - 6442 bytes
     
  9. Kysier

    Kysier Thread Starter

    Joined:
    Feb 21, 2011
    Messages:
    9
    Dunno if this will help any or has anything to do with it, but as a side note my homepage is stuck to http://flyingincognitosleep.com/cgi-bin/h.pl which re-directs to Google.

    Also, when the error message pops up, the internet keeps working, but if I close and re-open the laptop (i.e. let it go on standby or sleep) the internet stops working (it'll look fine, but nothing loads, and instead of the host name listed it will say "access point").
     
  10. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,062
  11. Kysier

    Kysier Thread Starter

    Joined:
    Feb 21, 2011
    Messages:
    9
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-02-23 13:34:10
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 WDC_WD80 rev.11.0
    Running: 9tvozyci.exe; Driver: C:\DOCUME~1\Student\LOCALS~1\Temp\awacqkod.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
    Disk \Device\Harddisk0\DR0 sectors 156301232 (+254): rootkit-like behavior;

    ---- System - GMER 1.0.15 ----

    SSDT spef.sys ZwEnumerateKey [0xF7473DA4]
    SSDT spef.sys ZwEnumerateValueKey [0xF7474132]

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\iaStor -> DriverStartIo \Device\Ide\iaStor0 85FABAEA
    Device \Driver\iaStor \Device\Ide\iaStor0 [F72930B0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\iaStor -> DriverStartIo \Device\Ide\IAAStorageDevice-0 85FABAEA
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [F72930B0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \FileSystem\Ntfs \Ntfs 86BD71F8

    AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company)
    AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company)
    AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

    Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD800BEVT-75ZCT2____________________11.01A11#4&1e241ba3&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Student at 13:18:56.85 on Wed 02/23/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.979.617 [GMT -6:00]

    AV: Trend Micro Internet Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
    FW: Trend Micro Personal Firewall *Disabled*

    ============== Running Processes ===============

    C:\windows\system32\svchost -k DcomLaunch
    svchost.exe
    svchost.exe
    svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\windows\Explorer.EXE
    C:\windows\system32\ctfmon.exe
    svchost.exe
    C:\WINDOWS\system32\rpcnet.exe
    C:\windows\system32\svchost.exe -k imgsvc
    C:\windows\system32\SearchIndexer.exe
    C:\windows\System32\svchost.exe -k HTTPFilter
    C:\windows\system32\wscntfy.exe
    C:\windows\system32\taskmgr.exe
    C:\Documents and Settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe
    C:\windows\System32\svchost.exe -k netsvcs
    C:\Documents and Settings\Student\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://flyingincognitosleep.com/cgi-bin/h.pl
    uSearch Page = hxxp://www.live.com
    mDefault_Page_URL = hxxp://www.yahoo.com
    mStart Page = hxxp://www.yahoo.com
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Updater For My.Freeze.com Toolbar: {c26cd490-5f01-41e3-b150-eb29f19da056} - Updater For My.Freeze.com Toolbar
    BHO: {CC3C8D60-29D6-4880-B9D8-443C4CBA2BEC} - No File
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client\YontooIEClient.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\student\local settings\application data\google\update\GoogleUpdate.exe" /c
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\documents and settings\student\start menu\programs\startup\PowerReg Scheduler V3.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
    IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\student\start menu\programs\imvu\Run IMVU.lnk
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    LSA: Authentication Packages = msv1_0 wvauth

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\student\applic~1\mozilla\firefox\profiles\2bjp90wv.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FF - prefs.js: browser.startup.homepage - hxxp://flyingincognitosleep.com/cgi-bin/h.pl
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: c:\documents and settings\student\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Shop to Win: {5835466c-49af-4cbe-b102-a8c8b6313749} - %profile%\extensions\{5835466c-49af-4cbe-b102-a8c8b6313749}

    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    FF - user.js: browser.startup.homepage - hxxp://flyingincognitosleep.com/cgi-bin/h.pl
    FF - user.js: browser.startup.page - 1

    ============= SERVICES / DRIVERS ===============

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-11-8 28552]
    R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [2010-6-11 15360]
    R2 rpcld;Remote Procedure Call (RPC) LD;c:\documents and settings\all users\application data\rpcnet\bin\rpcld.exe --> c:\documents and settings\all users\application data\rpcnet\bin\rpcld.exe [?]
    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-10-26 36432]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-6-16 112512]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-6-16 109568]
    R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-6-16 232744]
    R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-10-26 339984]
    S0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys --> c:\windows\system32\drivers\nielprt.sys [?]
    S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
    S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-1-31 16968]
    S3 ldiskl;ldiskl;c:\docume~1\student\locals~1\temp\ldiskl.sys [2008-9-9 31744]
    S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\manycam.sys --> c:\windows\system32\drivers\ManyCam.sys [?]
    S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]
    S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]
    S3 qkbdhid;qkbdhid;c:\docume~1\student\locals~1\temp\qkbdhid.sys [2010-12-20 17920]
    S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-10-26 51792]
    S4 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-6-27 1664248]
    S4 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\broadcom\mgmtagent\BrcmMgmtAgent.exe [2008-7-1 110592]
    S4 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-12-29 320800]
    S4 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-2-6 443168]
    S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-14 136176]
    S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S4 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-10-26 497008]
    S4 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-10-26 689416]

    =============== Created Last 30 ================

    2011-02-22 02:30:36 -------- d-----w- c:\windows\system32\CatRoot2
    2011-02-21 18:27:29 -------- d-----w- c:\docume~1\student\locals~1\applic~1\SvchostViewer
    2011-02-20 03:46:44 -------- d-----w- c:\docume~1\student\applic~1\AskToolbar
    2011-02-20 03:46:39 -------- d-----w- c:\docume~1\student\locals~1\applic~1\AskToolbar
    2011-02-06 04:56:00 -------- d-----w- C:\Perfect World Entertainment
    2011-02-06 04:54:21 258352 ----a-w- c:\windows\system32\unicows.dll
    2011-02-05 06:36:32 -------- d-----w- c:\program files\The Learning Company
    2011-01-31 22:17:03 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-01-31 22:17:01 -------- d-----w- c:\program files\Hitman Pro 3.5
    2011-01-31 22:16:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

    ==================== Find3M ====================

    2011-02-23 16:07:38 17920 ----a-w- c:\windows\system32\rpcnetp.exe
    2011-02-23 16:07:36 57752 ----a-w- c:\windows\system32\rpcnet.dll
    2011-02-22 02:30:36 575704 ----a-w- c:\windows\system32\wuapi.old
    2011-02-08 17:40:55 17920 ----a-w- c:\windows\system32\rpcnetp.dll
    2011-01-23 20:02:35 21840 ----atw- c:\windows\system32\SIntfNT.dll
    2011-01-23 20:02:35 17212 ----atw- c:\windows\system32\SIntf32.dll
    2011-01-23 20:02:35 12067 ----atw- c:\windows\system32\SIntf16.dll
    2011-01-18 19:27:29 51200 ---ha-w- c:\windows\system32\bootsn32.dll
    2011-01-10 01:55:09 52736 ----a-w- c:\windows\ipuninst.exe
    2011-01-02 15:43:43 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
    2010-12-21 07:24:48 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
    2010-12-13 04:27:53 1409 ----a-w- c:\windows\QTFont.for

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD80 rev.11.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85FABD01]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x50; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x83c4f85b; SUB DWORD [EBP-0x4], 0x83c4f12e; PUSH EDI; CALL 0xffffffffffffe0f7; }
    1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86B2D030]
    3 CLASSPNP[0xF769EFD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x86A68030]
    [0x85EC2580] -> IRP_MJ_CREATE -> 0x85FABD01
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
    detected disk devices:
    \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD800BEVT-75ZCT2____________________11.01A11#4&1e241ba3&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\iaStor DriverStartIo -> 0x85FABAEA
    user & kernel MBR OK
    copy of MBR has been found in sector 61 !
    copy of MBR has been found in sector 62 !
    sectors 156301486 (+255): user != kernel
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 13:32:12.68 ===============
     

    Attached Files:
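The DDS listing in the post above (the service table, "Created Last 30" and "Find3M") is what a responder reads first, and two of its entries stand out on their own: a kernel driver started from a per-user temp directory (qkbdhid.sys under locals~1\temp) and an executable DLL in system32 carrying the hidden attribute (bootsn32.dll, ---ha-w-, 51200 bytes, dated 2011-01-18). The script below is an added example written for this thread, not DDS code and not a verdict on any specific file. It parses the two line shapes as they appear in this log (the regexes are fitted to this output, not to a DDS specification), reads the attribute string with a leading d as directory and h as hidden, and flags entries by rule; the rules are the assumption, and the sample lines are copied from the log above so it runs stand-alone.

```python
"""Triage of DDS-style service and file listing lines.

Added example for this thread; not DDS code.  Regexes are fitted to the
line shapes visible in the log above, not to a DDS specification.  The
rules are assumptions, stated where they are applied.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# "S3 name;description;path [yyyy-m-d size]", or "... --> path [?]" when
# the tool could not stat the file it resolved.
SERVICE_RE = re.compile(
    r"^(?P<start>[SR]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)"
    r"\s+(?:\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]|(?P<unknown>\[\?\]))$"
)
# "yyyy-mm-dd hh:mm:ss size attrs path"; size is dashes for a directory and
# attrs is an 8-character flag string (assumed: leading 'd' = directory, 'h' = hidden).
FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+|-+)\s+"
    r"(?P<attrs>\S{8})\s+(?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".sys")


@dataclass
class Finding:
    severity: str  # "high" = confirm first, "review" = worth a look
    kind: str
    detail: str


def _in_temp(path: str) -> bool:
    # Both the long and the 8.3 form of a per-user temp directory contain "\temp\".
    return "\\temp\\" in path.lower()


def triage(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if m := SERVICE_RE.match(line):
            if _in_temp(m["path"]):
                # Assumption: a service or driver binary started from a temp
                # directory is worth confirming before anything else.
                findings.append(Finding("high", "service-from-temp",
                                        f"{m['name']} ({m['start']}) runs {m['path']}"))
            if m["unknown"]:
                findings.append(Finding("review", "service-file-unverified",
                                        f"{m['name']}: tool could not stat {m['path']}"))
        elif m := FILE_RE.match(line):
            attrs, path = m["attrs"], m["path"]
            if attrs.startswith("d") or not path.lower().endswith(EXEC_EXT):
                continue
            detail = f"{path} ({attrs}, {m['size']} bytes, {m['ts']})"
            if "h" in attrs and "\\windows\\" in path.lower():
                # Assumption: a hidden PE file under the Windows directory is
                # unusual for a shipped component; rank high until confirmed.
                findings.append(Finding("high", "hidden-binary", detail))
            if _in_temp(path):
                findings.append(Finding("high", "binary-in-temp", detail))
    return findings


def triage_text(text: str) -> List[Finding]:
    return triage(text.splitlines())


# Lines copied from the DDS log in this thread (a subset, for a stand-alone run).
SAMPLE_LOG = r"""
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]
S3 qkbdhid;qkbdhid;c:\docume~1\student\locals~1\temp\qkbdhid.sys [2010-12-20 17920]
S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-10-26 51792]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
2011-02-22 02:30:36 -------- d-----w- c:\windows\system32\CatRoot2
2011-02-06 04:54:21 258352 ----a-w- c:\windows\system32\unicows.dll
2011-01-31 22:17:03 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-18 19:27:29 51200 ---ha-w- c:\windows\system32\bootsn32.dll
"""

if __name__ == "__main__":
    for f in triage_text(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:24} {f.detail}")
```

On the sample it reports the temp-directory driver and the hidden bootsn32.dll as high, and the two services whose file the tool could not stat as review; the ordinary entries (unicows.dll, tmevtmgr.sys, hitmanpro35.sys, the CatRoot2 directory) produce nothing. A flag here is a reason to hash and look up the file, not a conclusion about it.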

  12. Kysier

    Kysier Thread Starter

    Joined:
    Feb 21, 2011
    Messages:
    9
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-02-23 14:04:15
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 WDC_WD80 rev.11.0
    Running: 9tvozyci.exe; Driver: C:\DOCUME~1\Student\LOCALS~1\Temp\awacqkod.sys


    ---- System - GMER 1.0.15 ----

    SSDT spef.sys ZwCreateKey [0xF745B0E0]
    SSDT spef.sys ZwEnumerateKey [0xF7473DA4]
    SSDT spef.sys ZwEnumerateValueKey [0xF7474132]
    SSDT spef.sys ZwOpenKey [0xF745B0C0]
    SSDT spef.sys ZwQueryKey [0xF747420A]
    SSDT spef.sys ZwQueryValueKey [0xF747408A]
    SSDT spef.sys ZwSetValueKey [0xF747429C]

    INT 0x84 ? 86055BF8
    INT 0x84 ? 86055BF8
    INT 0x84 ? 86055BF8
    INT 0x84 ? 86055BF8
    INT 0x94 ? 86055BF8
    INT 0x94 ? 86055BF8
    INT 0x94 ? 86055BF8
    INT 0xB4 ? 86055BF8
    INT 0xB4 ? 86055BF8
    INT 0xB4 ? 86055BF8
    INT 0xB4 ? 86055BF8

    ---- Kernel code sections - GMER 1.0.15 ----

    ? spef.sys The system cannot find the file specified. !
    .text USBPORT.SYS!DllUnload F5B79934 5 Bytes JMP 860551D8
    .rsrc C:\windows\system32\DRIVERS\mouclass.sys entry point in ".rsrc" section [0xF79CA814]
    ? C:\DOCUME~1\Student\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\windows\system32\SearchIndexer.exe[572] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\windows\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[968] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\windows\Explorer.EXE[1228] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
    .text C:\windows\Explorer.EXE[1228] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
    .text C:\windows\Explorer.EXE[1228] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
    .text C:\windows\System32\svchost.exe[3116] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D3000A
    .text C:\windows\System32\svchost.exe[3116] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D4000A
    .text C:\windows\System32\svchost.exe[3116] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D2000C
    .text C:\windows\System32\svchost.exe[3116] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 008A000A
    .text C:\windows\System32\svchost.exe[3116] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E0000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3688] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0141000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3688] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0152000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3688] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0140000C

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F746BB90] spef.sys

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[968] @ C:\windows\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[1228] @ C:\windows\Explorer.EXE [KERNEL32.dll!CreateProcessW] [01F01000] C:\windows\system32\bootsn32.dll
    IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [01F01000] C:\windows\system32\bootsn32.dll
    IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [01F0105B] C:\windows\system32\bootsn32.dll
    IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [01F01000] C:\windows\system32\bootsn32.dll
    IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [01F01000] C:\windows\system32\bootsn32.dll
    IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [01F0105B] C:\windows\system32\bootsn32.dll
    IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [01F01000] C:\windows\system32\bootsn32.dll
    IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [01F01000] C:\windows\system32\bootsn32.dll
    IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [01F01000] C:\windows\system32\bootsn32.dll
    IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\ctfmon.exe[1652] @ C:\windows\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3688] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3688] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3688] @ C:\windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3688] @ C:\windows\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3688] @ C:\windows\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3688] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3688] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3688] @ C:\windows\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3688] @ C:\windows\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3688] @ C:\windows\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\Documents and Settings\Student\Desktop\9tvozyci.exe[3992] @ C:\windows\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\windows\system32\notepad.exe[4020] @ C:\windows\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 86BD71F8

    AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

    Device \Driver\usbuhci \Device\USBPDO-0 85F511F8
    Device \Driver\usbuhci \Device\USBPDO-1 85F511F8
    Device \Driver\dmio \Device\DmControl\DmIoDaemon 86B6B1F8
    Device \Driver\dmio \Device\DmControl\DmConfig 86B6B1F8
    Device \Driver\dmio \Device\DmControl\DmPnP 86B6B1F8
    Device \Driver\dmio \Device\DmControl\DmInfo 86B6B1F8
    Device \Driver\usbuhci \Device\USBPDO-2 85F511F8
    Device \Driver\usbehci \Device\USBPDO-3 860461F8
    Device \Driver\usbehci \Device\USBPDO-4 860461F8

    AttachedDevice \Driver\Tcpip \Device\Tcp nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company)
    AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

    Device \Driver\usbuhci \Device\USBPDO-5 85F511F8
    Device \Driver\usbuhci \Device\USBPDO-6 85F511F8
    Device \Driver\Ftdisk \Device\HarddiskVolume1 86BD91F8
    Device \Driver\usbuhci \Device\USBPDO-7 85F511F8
    Device \Driver\Cdrom \Device\CdRom0 860131F8
    Device \Driver\iaStor -> DriverStartIo \Device\Ide\iaStor0 85FABAEA
    Device \Driver\iaStor \Device\Ide\iaStor0 [F72930B0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\iaStor -> DriverStartIo \Device\Ide\IAAStorageDevice-0 85FABAEA
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [F72930B0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

    AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company)
    AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

    Device \Driver\usbuhci \Device\USBFDO-0 85F511F8
    Device \Driver\usbuhci \Device\USBFDO-1 85F511F8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 855BF1F8
    Device \Driver\usbuhci \Device\USBFDO-2 85F511F8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 855BF1F8
    Device \Driver\usbehci \Device\USBFDO-3 860461F8
    Device \Driver\usbuhci \Device\USBFDO-4 85F511F8
    Device \Driver\Ftdisk \Device\FtControl 86BD91F8
    Device \Driver\usbuhci \Device\USBFDO-5 85F511F8
    Device \Driver\usbuhci \Device\USBFDO-6 85F511F8
    Device \Driver\usbehci \Device\USBFDO-7 860461F8
    Device \FileSystem\Cdfs \Cdfs 855AE1F8
    Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD800BEVT-75ZCT2____________________11.01A11#4&1e241ba3&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6F 0xF8 0x18 0xBA ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x48 0xCE 0x33 0x40 ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x30 0x30 0x9D 0x63 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6F 0xF8 0x18 0xBA ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6F 0xF8 0x18 0xBA ...

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
    Disk \Device\Harddisk0\DR0 sectors 156301232 (+254): rootkit-like behavior;

    ---- Files - GMER 1.0.15 ----

    ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP21\A0013928.exe:BAK 23040 bytes executable
    ADS C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP21\A0014928.exe:BAK 23040 bytes executable
    File C:\windows\system32\DRIVERS\mouclass.sys suspicious modification; TDL3 <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----
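Reading the GMER output above by hand is error-prone because the few lines that matter sit among dozens of routine ones. The script below is an added example written for this thread, not GMER code: it picks out the SSDT hooks, the user-mode IAT entries, the disk read mismatches and the "suspicious modification" file line, using regexes fitted to the line shapes in this log rather than to a GMER specification. The ranking rule is an assumption and is stated in the code: an import that resolves into a module other than the DLL that exports the function (here KERNEL32.dll!CreateProcessW in Explorer.EXE resolving into bootsn32.dll) ranks above one whose address still lies inside the exporting DLL, and an SSDT hook by a driver the tool could not find on disk ranks above one it could. The sample lines are copied from the log in this post, so the block runs stand-alone.

```python
"""Triage of GMER-style rootkit scan lines.

Added example for this thread; not GMER's code.  Regexes are fitted to the
line shapes visible in the log above, not to a GMER specification.  The
ranking rules are assumptions, stated where they are applied.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]")
MISSING_RE = re.compile(r"^\?\s+(?P<module>\S+)\s+The system cannot find the file specified")
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<importer>.+?)\s+"
    r"\[(?P<dll>[^!\]]+)!(?P<func>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+"
    r"(?P<target>.+?)(?:\s+\((?P<desc>.*)\))?\s*$"
)
SECTOR_RE = re.compile(
    r"^(?:Disk\s+\S+\s+)?sectors\s+(?P<lba>\d+)\s+\(\+(?P<count>\d+)\):\s*"
    r"(?P<why>user\s*!=\s*kernel|rootkit-like behavior)"
)
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification;\s*(?P<note>.*)$")


@dataclass
class Finding:
    severity: str  # "high" = look at this first, "review" = the tool printed it, rank lower
    kind: str
    detail: str


def triage(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    ssdt: List[tuple] = []  # (hooking module, hooked Zw* function)
    missing = set()         # modules the tool could not find on disk
    for raw in lines:
        line = raw.strip()
        if m := SSDT_RE.match(line):
            ssdt.append((m["module"].lower(), m["func"]))
        elif m := MISSING_RE.match(line):
            missing.add(m["module"].lower())
        elif m := IAT_RE.match(line):
            exporter = m["dll"].lower()
            target = m["target"].rsplit("\\", 1)[-1].lower()
            where = f"{m['proc']}[{m['pid']}] {m['dll']}!{m['func']} -> {m['target']}"
            if target != exporter:
                # Assumption: an import redirected into a module other than the
                # DLL that exports the function is the strongest signal here.
                findings.append(Finding("high", "iat-redirect", where))
            else:
                # Address still inside the exporting DLL.  The tool printed the
                # entry, so it is not the plain export; rank it below a redirect.
                findings.append(Finding("review", "iat-patched", where))
        elif m := SECTOR_RE.match(line):
            findings.append(Finding("high", "disk-view-mismatch",
                                    f"LBA {m['lba']} (+{m['count']}): {m['why']}"))
        elif m := FILE_RE.match(line):
            findings.append(Finding("high", "file-modified", f"{m['path']}: {m['note']}"))
    # One finding per SSDT-hooking module; a module with no file on disk ranks higher.
    for module in sorted({mod for mod, _ in ssdt}):
        funcs = sorted(f for mod, f in ssdt if mod == module)
        gone = module in missing
        findings.append(Finding("high" if gone else "review", "ssdt-hook",
                                f"{module} hooks {', '.join(funcs)}"
                                + (" (no file on disk)" if gone else "")))
    return findings


def triage_text(text: str) -> List[Finding]:
    return triage(text.splitlines())


# Lines copied from the GMER log in this thread (a subset, for a stand-alone run).
SAMPLE_LOG = r"""
SSDT spef.sys ZwCreateKey [0xF745B0E0]
SSDT spef.sys ZwOpenKey [0xF745B0C0]
? spef.sys The system cannot find the file specified. !
IAT C:\windows\Explorer.EXE[1228] @ C:\windows\Explorer.EXE [KERNEL32.dll!CreateProcessW] [01F01000] C:\windows\system32\bootsn32.dll
IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [01F0105B] C:\windows\system32\bootsn32.dll
IAT C:\windows\Explorer.EXE[1228] @ C:\windows\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\windows\system32\notepad.exe[3652] @ C:\windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
sectors 156301486 (+255): user != kernel
Disk \Device\Harddisk0\DR0 sectors 156301232 (+254): rootkit-like behavior;
File C:\windows\system32\DRIVERS\mouclass.sys suspicious modification; TDL3 <-- ROOTKIT !!!
"""

if __name__ == "__main__":
    for f in sorted(triage_text(SAMPLE_LOG), key=lambda x: x.severity):
        print(f"[{f.severity:6}] {f.kind:20} {f.detail}")
```

On this log the high findings agree with the tool's own TDL3 warning: the CreateProcess imports of Explorer.EXE redirected into bootsn32.dll (the hidden file the DDS listing dates to 2011-01-18), user-mode and kernel-mode reads disagreeing in the last sectors of the disk, and the modified mouclass.sys whose entry point sits in its .rsrc section. The spef.sys SSDT hooks on the registry Zw* calls are also reported as high only because the tool found no file for the driver; a randomly named sp??.sys driver hooking exactly those functions is the pattern the SPTD disk driver used by DAEMON Tools produces, and the sptd registry keys and DAEMON Tools Lite path in the same log support that reading. The script flags it anyway, because a hook by a driver with no file on disk is something to confirm, not to assume benign.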
     
  13. Kysier

    Kysier Thread Starter

    Joined:
    Feb 21, 2011
    Messages:
    9
    Please help. You guys are my last hope.
     
  14. Kysier

    Kysier Thread Starter

    Joined:
    Feb 21, 2011
    Messages:
    9
    By the way, if it helps any, the internet will stop working after 10 or so minutes of start-up.
     

Short URL to this thread: https://techguy.org/982070