Question

How to stop IE dialogue box "Windows Explorer has to close..."

Asked by: boybsm

This dialogue box appears almost every time when surfing. When you click close, everything disappears, leaving just the desktop.


Asked On: 2009-09-29 at 14:45:45
ID: 24771769
Topic: Anti-Virus
Participating Experts: 3
Points: 125
Comments: 45



Answers

 

by: optoma, posted on 2009-09-30 at 01:27:52, ID: 25456508

Could you run Autoruns (don't make any changes within Autoruns)?
Autoruns: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Within Autoruns, select File and save its file.
Attach that file here (through the attach file section) and rename autoruns.arn to autoruns.txt to upload.

Also run HijackThis: http://free.antivirus.com/hijackthis/
and attach its file here.

 

by: boybsm, posted on 2009-09-30 at 08:37:23, ID: 25460003

Thank you optoma. I d/loaded both progs and regarded them with great interest, but neither is for me; they need a level of computing way beyond mine. I am not even sure that the annoying "Windows Explorer has to close etc." is a virus or parasite, only that it is annoying and prevents ordinary use and enjoyment of my computer. There is something I came across by googling "remove d/box etc." that put me onto Ex Exchange and is why I am trying this way. And even this I am finding a bit long-winded and involved, and was hoping for a simpler explanation or answer.

 

by: optoma, posted on 2009-09-30 at 08:59:30, ID: 25460251

Those two applications:
You only have to run them and save their logfiles.
They will give us more info to try and help solve your problem.

You don't have to make any changes or adjustments in them :)

 

by: warturtle, posted on 2009-10-01 at 14:43:02, ID: 25473476

Download MalwareBytes Anti-Malware (www.malwarebytes.org) or SuperAntiSpyware (www.superantispyware.com), do a full scan with either one of them and report back with the findings.

These programs are free (the trial version is the free version).

Hope it helps.

 

by: boybsm, posted on 2009-10-05 at 16:08:48, ID: 25500703

My computer has been in a mess. Sorry for the lack of reply, but this present page is not showing a reply sent 2 days ago. Anyway, the IE "have to close" box has disappeared, probably due to my desperate battles with Backdoor TSSD parasites, that I have cleared with a combination of 2 spyware progs and a McAfee rootkit cleaner. Now my main problem is that System Restore won't work. It will neither restore nor create new points.

 

by: optoma, posted on 2009-10-05 at 16:53:42, ID: 25500948

It may still be wise to run those two programs which I suggested and upload their logfiles here to be checked out.

Regarding System Restore:
Hit Start, then Run, type sysdm.cpl, hit OK.

Is the System Restore tab there?

 

by: boybsm, posted on 2009-10-06 at 12:43:42, ID: 25509027

Tried to attach the Autoruns (huge) file. Did not know how; after much bother got your system to start uploading the file, which ended after say 90 secs stating the file did not have an acceptable ext. This is par for the course with computers and their experts for me. So I have an Autoruns file but can't attach it. I have managed to attach the HijackThis one. The upload files box shows, in red, "13KB REMOVE (required)". Of course I don't know what that means either. I don't think you experts realise what a gulf in knowledge there is between us. Ref SYS RESTORE: yes, tab is there and disable box is unticked.

 

by: warturtle, posted on 2009-10-06 at 12:59:07, ID: 25509203

I think it might be worth doing the Avast boot scan mode; here are instructions on how to access this mode:

http://www.techiecorner.com/166/avast-how-to-schedule-boot-time-scan-before-window-start/

That will load before Windows loads and might be able to find malicious files that load at Windows startup.

 

by: optoma, posted on 2009-10-06 at 13:21:25, ID: 25509500

For the HijackThis log, upload it to http://www.hijackthis.de/
It analyzes the logfile.
Any entries with an "X" you can remove.
To remove them, run HijackThis again and within it put a tick in the boxes relevant to the analyzed logfile.
Then hit "Fix checked".

Try that first and we'll try more after :)

Also, did you run Warturtle's suggestions?

 

by: boybsm, posted on 2009-10-06 at 15:54:09, ID: 25510758

optoma + Warturtle: ran Avast boot scan. Found 7 infections "gasfky..." etc., also called 2:Alureon-DD(Rtk). Deleted all. These I understand are Backdoor TSSD parasites and have been plaguing my PC for the last 3 wks. Each time I have found a program to attack them, each time I thought them gone; obviously not so. Earlier this evening my PC could not access the Net (I am doing this on my wife's laptop). Have just checked my PC and can now get on the net. Optoma, I will try the HijackThis ploy but will send this first. I am most grateful for the help I am receiving.

 

by: optoma, posted on 2009-10-06 at 16:05:29, ID: 25510846

Hold on for a minute!

 

by: optoma, posted on 2009-10-06 at 16:09:04, ID: 25510875

Disregard HijackThis for the moment.
Can you download this live bootable CD from that laptop and, once the CD is created, boot that CD in the infected machine and run a scan?
The software that you will download is in an ISO format.
I can talk you through it.
Kaspersky live CD: http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/

 

by: boybsm, posted on 2009-10-06 at 16:41:59, ID: 25511023

optoma, I am on my PC and have d/loaded the kav thing. What now?

 

by: optoma, posted on 2009-10-06 at 23:43:25, ID: 25512643

Hi Boybsm,
What you have downloaded is an anti-virus rescue CD which is in an ISO (image) format.

What you need to do with it is to burn that onto a CD using burning software.
Most burning software has a section to create a CD from an ISO (image) file.

Once the CD is created, get the infected machine to boot to that CD, i.e., don't boot into Windows.

When your machine has booted into Kaspersky, there is an option to update its virus definitions; do that and then scan your system.

 

by: boybsm, posted on 2009-10-07 at 02:17:45, ID: 25513358

optoma hi,
have burnt a CD-RW successfully, it says. Sorry but I don't know how to boot it as instructed.

 

by: optoma, posted on 2009-10-07 at 02:32:35, ID: 25513424

No prob.
On the machine with the infection, you will have to change its boot device priority, i.e.
you have to get your machine to boot to the CD/DVD drive.

When your machine starts up you may see an option similar to this: press "F12" to select boot device options. If you have that option then you can pick to boot from the CD drive.

If you don't have that option you will see another option to boot into the BIOS/CMOS:
It is usually either the "F1" key, "F2" key or "Delete" key.
Once in the BIOS look for the settings to change the "boot (device) order".
Make the CD/DVD first preference and save and exit.
NB: don't make any other changes within the BIOS.

Hope this helps.

 

by: warturtle, posted on 2009-10-07 at 03:19:22, ID: 25513724

Normally every computer has CD-ROM set as the first boot device. You can try without changing anything and see if it works; if not, then you can change the order within BIOS by following optoma's instructions.

It's good to see though that the rootkit's files are history now; all you need to do is to remove everything else that is bad and all should be good :-).

 

by: boybsm, posted on 2009-10-07 at 03:25:38, ID: 25513746

optoma,
did not go as you indicated; nothing does on this PC. It said Enter to boot K rescue disk but got stuck immediately and said type 'rescue-safe'. Masses started happening but it has come to a halt (for 4 mins now): black screen but in the very top left corner (in red) 'avrescue' and a hash mark.

 

by: optoma, posted on 2009-10-07 at 03:55:37, ID: 25513905

OK. You can try rebooting to it again if you want and see if it will run correctly.
If it doesn't, let your system boot normally, as Warturtle's suggestions have already removed the rootkits.

When back in your system, rerun HijackThis and follow the instructions above on how to remove the "bad" entries (ID: 25509500).

 

by: boybsm, posted on 2009-10-07 at 05:43:31, ID: 25514709

optoma,
I ran the rescue disk and at the end ran a scan of the boot and C disks. 1 infection has been quarantined.
I have normal control it seems; internet, email I've used. The only thing still refusing to work is Sys. Restore: no restore points, no restore. Have defragged and cleaned the registry (Max Reg Cleaner).
I am most grateful to you and warturtle. I have been into areas I know nothing about and your patience and persistence has been tremendous. Thank you again.

 

by: optoma, posted on 2009-10-07 at 05:55:09, ID: 25514796

You're welcome Boybsm.
Have you run HijackThis?

Could you describe what happens when you try System Restore:
NB: Only try to create a restore point.
Any error messages?
Anything greyed out?
Things like that...

 

by: boybsm, posted on 2009-10-07 at 06:37:53, ID: 25515163

optoma,
not run HijackThis yet, still checking around; nothing untoward as yet.
S.R. has no restore pts, only today's date highlighted. Nothing greyed out. Attempt to create a pt brings box: SR unable to create, restart and run again. This action changes nothing. Sys. properties: turn off UNTICKED, disk space = max. 12%.

 

by: optoma, posted on 2009-10-07 at 07:37:50, ID: 25515982

It would still be advisable to rerun HijackThis!
After that's done I have a solution that might fix System Restore :)

 

by: boybsm, posted on 2009-10-07 at 08:23:58, ID: 25516535

optoma,
have run HijackThis, had it analysed and fixed 9 items. Only 2 were nasty, such as a search hook. I have only just restarted after the fix; all seems well.

 

by: optoma, posted on 2009-10-07 at 09:02:45, ID: 25516916

Ok.
For trying to fix System Restore, would you have your installation media?
What version of Windows are you running?

 

by: boybsm, posted on 2009-10-07 at 15:02:30, ID: 25520562

optoma,
Home edition of XP with service packs 1, 2 and 3.
I have XP installation disk + serv pk 2 disk.

 

by: optoma, posted on 2009-10-07 at 15:17:30, ID: 25520690

Ok,
Download Dial-a-fix:
http://wiki.lunarsoft.net/wiki/Dial-a-fix#Mirrors.2Fdownload_locations.2C_and_articles
(It's in a zip format, so unzip it once downloaded.)

Run Dial-a-fix (ignore the Internet Explorer message, if any).

Within Dial-a-fix locate the hammer icon and hit it.

Scroll to, and highlight, "reinstall system restore".
Hit Go.

When completed, restart the machine and try to create a restore point.

 

by: boybsm, posted on 2009-10-07 at 15:55:40, ID: 25521027

optoma hi,
MAGIC (I think). All went as you said and on restarting, with trepidation I clicked 'create etc...' and lo and behold I am now the proud owner of a Restore Point 7 OCT. Don't want to tempt fate, but at this moment I think I am also the proud owner of a PC that has little or no nasties on it. Again I am most grateful for all the help; no way could I have scratched the surface of what has taken place in the last 3/4 days. I do not understand the significance of the Point Value indicated above, but if the 500 pts are in my gift I would willingly allocate the lot to you. Please advise.

 

by: optoma, posted on 2009-10-07 at 16:29:47, ID: 25521247

It's good that all is well again!
Unfortunately there is never an "easy" method of fixing issues, but in the long process we all gain experience through working out problems!

The following links are the guidelines on how to close a question and how points work:
http://www.experts-exchange.com/help.jsp?hi=407
http://www.experts-exchange.com/help.jsp?hi=407#hs=8&hi=504

If you have any questions regarding them, don't hesitate to ask!

Warm regards,
Optoma

 

by: warturtle, posted on 2009-10-08 at 00:34:19, ID: 25522900

It's great to see that the problem has been resolved :-).

 

by: optoma, posted on 2009-10-08 at 13:28:41, ID: 25529730

Hello again Boybsm.
It's very generous that you accepted my solution, but Warturtle's suggestions also aided in getting your machine up and running again.

I'll get a moderator to reopen this thread and you can reassign accepted solutions :)

 

by: warturtle, posted on 2009-10-08 at 13:53:16, ID: 25529968

Thanks optoma :-).

 

by: optoma, posted on 2009-10-08 at 14:47:15, ID: 25530506

No prob!

 

by: boybsm, posted on 2009-10-09 at 08:01:46, ID: 25535720

Sorry if not doing the right thing. Optoma was 90% my main contact and it was on his directions I always acted. Warturtle's comments appeared 3/4 times but appeared to be observations. I do not know your hierarchy but note W is a Guru and, looking back, I do see he was monitoring progress and suggesting moves. Whatever, I am most grateful for the help; I had no idea how to deal with the mess. Whoever decides now, please feel free in my name to apportion credit. From my point of view 70% at least would go to Optoma.

 

by: optoma, posted on 2009-10-09 at 09:28:41, ID: 25536480

Not to worry Boybsm, and no need to apologise!
Have a quick read of these:
http://www.experts-exchange.com/help.jsp?hi=407
http://www.experts-exchange.com/help.jsp?hi=407#hs=8&hi=100

You can accept multiple solutions, or one accepted solution with assisted solutions.

The main thing is your problem is resolved!

 

by: boybsm, posted on 2009-10-24 at 13:29:38, ID: 25654139

I would think anyone reading mine of the 9th Oct would be able to end this session. Your processes are rather involved and, having read the appropriate notes, I could not see easily what to do, and I said so above. It's probably I'm thick, or it might be your methods and instructions are too involved or unclear. I think the latter. I am most grateful for expertise way beyond my competence, but please end this now as I do not intend to do anything further.

 

by: optoma, posted on 2009-10-24 at 13:50:34, ID: 25654259

No prob Boybsm, just use the "accept multiple solutions" tab and split the points!
Everything still going well, I hope!

 

by: boybsm, posted on 2009-10-24 at 15:59:18, ID: 31635100

Hello optoma,
Done the above.
Unfortunately things are not OK; a rootkit scan is showing some disturbing results, but I don't understand them and daren't muck about in the Registry myself. Thanks again for your help above.

 

by: boybsm, posted on 2009-10-25 at 14:42:35, ID: 25658505

Thank you optoma,
I have a further Q that is related to the above, I reckon.
A McAfee rootkit scan has shown some disturbing data, with several items showing "DLL\global root\system32\gasfkyllovmthf.dll", and I recognise that final scramble of letters from a malware scan a week or so ago. I am not capable of dealing with this or even recognising it as an infection. Can I get some help, or do I have to start again to get some points in the offing?

 

by: optoma, posted on 2009-10-25 at 15:34:33, ID: 25658796

Could you attach the rootkit's log?

 

by: boybsm, posted on 2009-10-25 at 17:06:16, ID: 25659073

McAfee(R) Rootkit Detective 1.1 scan report
On 05-10-2009 at 13:02:18
OS-Version 5.1.2600
Service Pack 3.0
====================================

Object-Type: SSDT-hook
Object-Name: ZwClose
Object-Path: C:\WINDOWS\system32\drivers\aswSP.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateKey
Object-Path: C:\WINDOWS\system32\drivers\aswSP.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateProcess
Object-Path: C:\WINDOWS\system32\drivers\prcmondrv1041.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateProcessEx
Object-Path: C:\WINDOWS\system32\drivers\prcmondrv1041.sys

Object-Type: SSDT-hook
Object-Name: ZwDeleteValueKey
Object-Path: C:\WINDOWS\system32\drivers\aswSP.sys

Object-Type: SSDT-hook
Object-Name: ZwDuplicateObject
Object-Path: C:\WINDOWS\system32\drivers\aswSP.sys

Object-Type: SSDT-hook
Object-Name: ZwOpenKey
Object-Path: C:\WINDOWS\system32\drivers\aswSP.sys

Object-Type: SSDT-hook
Object-Name: ZwOpenProcess
Object-Path: C:\WINDOWS\system32\drivers\aswSP.sys

Object-Type: SSDT-hook
Object-Name: ZwOpenThread
Object-Path: C:\WINDOWS\system32\drivers\aswSP.sys

Object-Type: SSDT-hook
Object-Name: ZwQueryValueKey
Object-Path: C:\WINDOWS\system32\drivers\aswSP.sys

Object-Type: SSDT-hook
Object-Name: ZwRestoreKey
Object-Path: C:\WINDOWS\system32\drivers\aswSP.sys

Object-Type: SSDT-hook
Object-Name: ZwSetValueKey
Object-Path: C:\WINDOWS\system32\drivers\aswSP.sys

Object-Type: SSDT-hook
Object-Name: ZwTerminateProcess
Object-Path: C:\WINDOWS\system32\drivers\prcmondrv1041.sys

Object-Type: Registry-key
Object-Name: EnumINDOWS\system32\drivers\prcmondrv1041.sys
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj\Enum
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-key
Object-Name: EnumEM\ControlSet003\Services\rotscxibobqjxj
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj\Enum
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-key
Object-Name: DataEM\ControlSet001\Services\rotscxibobqjxj
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data
Status: Hidden

Object-Type: Registry-key
Object-Name: a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771 System Provider\*Local Machine*\Data
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Status: Hidden

Object-Type: Registry-key
Object-Name: 00000000-0000-0000-0000-000000000000 System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
Status: Hidden

Object-Type: Registry-key
Object-Name: {6340E680-FF06-435f-8767-B79D88AEBD4D}ystem Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}
Status: Hidden

Object-Type: Registry-value
Object-Name: Item Data
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}
Status: Hidden

Object-Type: Registry-value
Object-Name: Display String
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
Status: Hidden

Object-Type: Registry-value
Object-Name: Display String
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Status: Hidden

Object-Type: Registry-key
Object-Name: Data 2RE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2
Status: Hidden

Object-Type: Registry-key
Object-Name: WindowsE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows
Status: Hidden

Object-Type: Registry-value
Object-Name: Value
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows
Status: Hidden

Object-Type: Process
Object-Name: GoogleToolbarNo
Pid: 4060
Object-Path: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
Status: Visible

Object-Type: Process
Object-Name: GoogleUpdate.ex
Pid: 216
Object-Path: C:\Documents and Settings\new\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
Status: Visible

Object-Type: File/Folder
Object-Name: gasfkyrubrvwsi.sys
Pid: n/a
Object-Path: C:\WINDOWS\system32\drivers\gasfkyrubrvwsi.sys
Status: Hidden

Object-Type: File/Folder
Object-Name: gasfkyweetskjb.dll
Pid: n/a
Object-Path: C:\WINDOWS\system32\gasfkyweetskjb.dll
Status: Hidden

Object-Type: Process
Object-Name: System Idle Process
Pid: 0
Object-Path:
Status: Visible

Object-Type: Process
Object-Name: spoolsv.exe
Pid: 1364
Object-Path: C:\WINDOWS\system32\spoolsv.exe
Status: Visible

Object-Type: Process
Object-Name: Amoumain.exe
Pid: 3008
Object-Path: C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
Status: Visible

Object-Type: Process
Object-Name: iTunesHelper.ex
Pid: 3752
Object-Path: C:\Program Files\iTunes\iTunesHelper.exe
Status: Visible

Object-Type: Process
Object-Name: jqs.exe
Pid: 528
Object-Path: C:\Program Files\Java\jre6\bin\jqs.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 1056
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: winlogon.exe
Pid: 468
Object-Path: C:\WINDOWS\system32\winlogon.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 840
Object-Path: C:\WINDOWS\System32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: KService.exe
Pid: 1336
Object-Path: C:\Program Files\Kontiki\KService.exe
Status: Visible

Object-Type: Process
Object-Name: Ikeymain.exe
Pid: 2980
Object-Path: C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
Status: Visible

Object-Type: Process
Object-Name: System
Pid: 4
Object-Path:
Status: Visible

Object-Type: Process
Object-Name: iexplore.exe
Pid: 1524
Object-Path: C:\Program Files\Internet Explorer\iexplore.exe
Status: Visible

Object-Type: Process
Object-Name: Rootkit_Detecti
Pid: 2548
Object-Path: C:\Documents and Settings\new\My Documents\McafeeRootkitDetective\Rootkit_Detective.exe
Status: Visible

Object-Type: Process
Object-Name: DAP.exe
Pid: 348
Object-Path: C:\Program Files\DAP\DAP.EXE
Status: Visible

Object-Type: File/Folder
Object-Name: gasfkyolkmqpeq.dll
Pid: n/a
Object-Path: C:\WINDOWS\system32\gasfkyolkmqpeq.dll
Status: Hidden

Object-Type: Process
Object-Name: hkcmd.exe
Pid: 3232
Object-Path: C:\WINDOWS\system32\hkcmd.exe
Status: Visible

Object-Type: Process
Object-Name: TeaTimer.exe
Pid: 3976
Object-Path: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Status: Visible

Object-Type: Process
Object-Name: NBService.exe
Pid: 1620
Object-Path: C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
Status: Visible

Object-Type: Process
Object-Name: VideoAccelerato
Pid: 2148
Object-Path: C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe
Status: Visible

Object-Type: File/Folder
Object-Name: gasfkywufxdpak.dat
Pid: n/a
Object-Path: C:\WINDOWS\system32\gasfkywufxdpak.dat
Status: Hidden

Object-Type: Process
Object-Name: csrss.exe
Pid: 444
Object-Path: C:\WINDOWS\system32\csrss.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 692
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: GoogleCrashHand
Pid: 816
Object-Path: C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
Status: Visible

Object-Type: File/Folder
Object-Name: gasfkyovmtiomtth.tmp
Pid: n/a
Object-Path: C:\WINDOWS\Temp\gasfkyovmtiomtth.tmp
Status: Hidden

Object-Type: Process
Object-Name: jusched.exe
Pid: 2956
Object-Path: C:\Program Files\Java\jre6\bin\jusched.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 1840
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 880
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: eEBSvc.exe
Pid: 1872
Object-Path: C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
Status: Visible

Object-Type: Process
Object-Name: ashServ.exe
Pid: 1160
Object-Path: C:\Program Files\Alwil Software\Avast4\ashServ.exe
Status: Visible

Object-Type: Process
Object-Name: MaxRCSystemTray
Pid: 3580
Object-Path: C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
Status: Visible

Object-Type: Process
Object-Name: aswUpdSv.exe
Pid: 1100
Object-Path: C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
Status: Visible

Object-Type: Process
Object-Name: Directcd.exe
Pid: 3488
Object-Path: C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
Status: Visible

Object-Type: Process
Object-Name: smss.exe
Pid: 388
Object-Path: C:\WINDOWS\System32\smss.exe
Status: Visible

Object-Type: Process
Object-Name: services.exe
Pid: 512
Object-Path: C:\WINDOWS\system32\services.exe
Status: Visible

Object-Type: File/Folder
Object-Name: gasfkyxsxjcbrh.sys
Pid: n/a
Object-Path: C:\WINDOWS\system32\drivers\gasfkyxsxjcbrh.sys
Status: Hidden

Object-Type: Process
Object-Name: Launchy.exe
Pid: 1536
Object-Path: C:\Program Files\Launchy\Launchy.exe
Status: Visible

Object-Type: Process
Object-Name: ashMaiSv.exe
Pid: 2776
Object-Path: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
Status: Visible

Object-Type: File/Folder
Object-Name: gasfkyptxjkroj.sys
Pid: n/a
Object-Path: C:\WINDOWS\system32\drivers\gasfkyptxjkroj.sys
Status: Hidden

Object-Type: File/Folder
Object-Name: gasfkysnqvdmlk.dat
Pid: n/a
Object-Path: C:\WINDOWS\system32\gasfkysnqvdmlk.dat
Status: Hidden

Object-Type: Process
Object-Name: VideoAccelerato
Pid: 3956
Object-Path: C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 980
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: Eraser.exe
Pid: 3988
Object-Path: C:\Program Files\Eraser\eraser.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 764
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: VideoAccelerato
Pid: 2376
Object-Path: C:\PROGRA~1\SPEEDB~2\VideoAcceleratorEngine.exe
Status: Visible

Object-Type: File/Folder
Object-Name: gasfkyllovmthf.dll
Pid: n/a
Object-Path: C:\WINDOWS\system32\gasfkyllovmthf.dll
Status: Hidden

Object-Type: Process
Object-Name: GM_DevUpdate.ex
Pid: 2160
Object-Path: C:\Program Files\USB all-in-one game controller\GM_DevUpdate.exe
Status: Visible

Object-Type: Process
Object-Name: realsched.exe
Pid: 3804
Object-Path: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Status: Visible

Object-Type: Process
Object-Name: ashWebSv.exe
Pid: 2812
Object-Path: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
Status: Visible

Object-Type: Process
Object-Name: ashDisp.exe
Pid: 2844
Object-Path: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
Status: Visible

Object-Type: Process
Object-Name: soundman.exe
Pid: 2968
Object-Path: C:\WINDOWS\SOUNDMAN.EXE
Status: Visible

Object-Type: Process
Object-Name: iexplore.exe
Pid: 3588
Object-Path: C:\Program Files\Internet Explorer\iexplore.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 2100
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: File/Folder
Object-Name: gasfkyndbcrpyxft.tmp
Pid: n/a
Object-Path: C:\WINDOWS\Temp\gasfkyndbcrpyxft.tmp
Status: Hidden

Object-Type: Process
Object-Name: explorer.exe
Pid: 1636
Object-Path: C:\WINDOWS\Explorer.EXE
Status: Visible

Object-Type: Process
Object-Name: igfxpers.exe
Pid: 3280
Object-Path: C:\WINDOWS\system32\igfxpers.exe
Status: Visible

Object-Type: Process
Object-Name: DRAGDIAG.EXE
Pid: 3404
Object-Path: C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
Status: Visible

Object-Type: Process
Object-Name: alg.exe
Pid: 3528
Object-Path: C:\WINDOWS\System32\alg.exe
Status: Visible

Object-Type: Process
Object-Name: SAgent2.exe
Pid: 180
Object-Path: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
Status: Visible

Object-Type: Process
Object-Name: iPodService.exe
Pid: 2568
Object-Path: C:\Program Files\iPod\bin\iPodService.exe
Status: Visible

Object-Type: Process
Object-Name: ctfmon.exe
Pid: 3840
Object-Path: C:\WINDOWS\system32\ctfmon.exe
Status: Visible

Object-Type: Process
Object-Name: lsass.exe
Pid: 524
Object-Path: C:\WINDOWS\system32\lsass.exe
Status: Visible

Object-Type: Process
Object-Name: AppleMobileDevi
Pid: 152
Object-Path: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
Status: Visible

Object-Type: Process
Object-Name: KHost.exe
Pid: 3904
Object-Path: C:\Program Files\Kontiki\KHost.exe
Status: Visible

Object-Type: Process
Object-Name: GoogleUpdate.ex
Pid: 432
Object-Path: C:\Program Files\Google\Update\GoogleUpdate.exe
Status: Visible

Scan complete. Found hidden Processes and Files: 10  .
Total files scanned: 98338

McAfee(R) Rootkit Detective 1.1 scan report
On 23-10-2009 at 23:03:10
OS-Version 5.1.2600
Service Pack 3.0
====================================

Object-Type: SSDT-hook
Object-Name: ZwCreateProcess
Object-Path: C:\WINDOWS\system32\drivers\prcmondrv1041.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateProcessEx
Object-Path: C:\WINDOWS\system32\drivers\prcmondrv1041.sys

Object-Type: SSDT-hook
Object-Name: ZwOpenKey
Object-Path: C:\WINDOWS\system32\drivers\prcmondrv1041.sys

Object-Type: SSDT-hook
Object-Name: ZwTerminateProcess
Object-Path: C:\WINDOWS\system32\drivers\prcmondrv1041.sys

Object-Type: Registry-key
Object-Name: mainINDOWS\system32\drivers\prcmondrv1041.sys
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gasfkynostymey\main
Status: Hidden

Object-Type: Registry-key
Object-Name: modulesControlSet001\Services\gasfkynostymey\main
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gasfkynostymey\modules
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-key
Object-Name: mainEM\ControlSet001\Services\rotscxibobqjxj
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\gasfkynostymey\main
Status: Hidden

Object-Type: Registry-key
Object-Name: modulescontrolset002\Services\gasfkynostymey\main
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\gasfkynostymey\modules
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-key
Object-Name: mainEM\controlset002\Services\rotscxibobqjxj
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey\main
Status: Hidden

Object-Type: Registry-key
Object-Name: modulesControlSet003\Services\gasfkynostymey\main
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey\modules
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-key
Object-Name: EnumEM\ControlSet003\Services\gasfkynostymey
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj\Enum
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-key
Object-Name: mainEM\ControlSet003\Services\rotscxibobqjxj
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey\main
Status: Hidden

Object-Type: Registry-key
Object-Name: modulesControlSet003\Services\gasfkynostymey\main
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey\modules
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-key
Object-Name: EnumEM\ControlSet003\Services\gasfkynostymey
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj\Enum
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-key
Object-Name: DataEM\ControlSet003\Services\rotscxibobqjxj
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data
Status: Hidden

Object-Type: Registry-key
Object-Name: a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771 System Provider\*Local Machine*\Data
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Status: Hidden

Object-Type: Registry-key
Object-Name: 00000000-0000-0000-0000-000000000000 System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
Status: Hidden

Object-Type: Registry-key
Object-Name: {6340E680-FF06-435f-8767-B79D88AEBD4D}ystem Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}
Status: Hidden

Object-Type: Registry-value
Object-Name: Item Data
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}
Status: Hidden

Object-Type: Registry-value
Object-Name: Display String
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
Status: Hidden

Object-Type: Registry-value
Object-Name: Display String
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Status: Hidden

Object-Type: Registry-key
Object-Name: Data 2RE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2
Status: Hidden

Object-Type: Registry-key
Object-Name: WindowsE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows
Status: Hidden

Object-Type: Registry-value
Object-Name: Value
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows
Status: Hidden

Object-Type: Process
Object-Name: System Idle Process
Pid: 0
Object-Path:
Status: Visible

Object-Type: Process
Object-Name: VideoAccelerato
Pid: 4092
Object-Path: C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 744
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: GoogleUpdate.ex
Pid: 372
Object-Path: C:\Program Files\Google\Update\GoogleUpdate.exe
Status: Visible

Object-Type: Process
Object-Name: KService.exe
Pid: 1272
Object-Path: C:\Program Files\Kontiki\KService.exe
Status: Visible

Object-Type: Process
Object-Name: NMSAccessU.exe
Pid: 2264
Object-Path: C:\Program Files\CDBurnerXP\NMSAccessU.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 1056
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: soundman.exe
Pid: 2856
Object-Path: C:\WINDOWS\SOUNDMAN.EXE
Status: Visible

Object-Type: Process
Object-Name: VideoAccelerato
Pid: 2360
Object-Path: C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe
Status: Visible

Object-Type: Process
Object-Name: System
Pid: 4
Object-Path:
Status: Visible

Object-Type: Process
Object-Name: lsass.exe
Pid: 532
Object-Path: C:\WINDOWS\system32\lsass.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 812
Object-Path: C:\WINDOWS\System32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 1556
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: avgemc.exe
Pid: 2424
Object-Path: C:\Program Files\AVG\AVG9\avgemc.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 2332
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: avgchsvx.exe
Pid: 876
Object-Path: C:\Program Files\AVG\AVG9\avgchsvx.exe
Status: Visible

Object-Type: Process
Object-Name: Directcd.exe
Pid: 2892
Object-Path: C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 940
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: NBService.exe
Pid: 1684
Object-Path: C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
Status: Visible

Object-Type: Process
Object-Name: GM_DevUpdate.ex
Pid: 2212
Object-Path: C:\Program Files\USB all-in-one game controller\GM_DevUpdate.exe
Status: Visible

Object-Type: Process
Object-Name: winlogon.exe
Pid: 476
Object-Path: C:\WINDOWS\system32\winlogon.exe
Status: Visible

Object-Type: Process
Object-Name: eEBSvc.exe
Pid: 1716
Object-Path: C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
Status: Visible

Object-Type: Process
Object-Name: spoolsv.exe
Pid: 1160
Object-Path: C:\WINDOWS\system32\spoolsv.exe
Status: Visible

Object-Type: Process
Object-Name: Amoumain.exe
Pid: 2184
Object-Path: C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
Status: Visible

Object-Type: Process
Object-Name: avgtray.exe
Pid: 2556
Object-Path: C:\PROGRA~1\AVG\AVG9\avgtray.exe
Status: Visible

Object-Type: Process
Object-Name: ctfmon.exe
Pid: 2308
Object-Path: C:\WINDOWS\system32\ctfmon.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 696
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 852
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: hkcmd.exe
Pid: 2248
Object-Path: C:\WINDOWS\system32\hkcmd.exe
Status: Visible

Object-Type: Process
Object-Name: MaxRCSystemTray
Pid: 2496
Object-Path: C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
Status: Visible

Object-Type: Process
Object-Name: notepad.exe
Pid: 3860
Object-Path: C:\WINDOWS\system32\NOTEPAD.EXE
Status: Visible

Object-Type: Process
Object-Name: avgnsx.exe
Pid: 1256
Object-Path: C:\Program Files\AVG\AVG9\avgnsx.exe
Status: Visible

Object-Type: Process
Object-Name: TeaTimer.exe
Pid: 2652
Object-Path: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Status: Visible

Object-Type: Process
Object-Name: explorer.exe
Pid: 3800
Object-Path: C:\WINDOWS\Explorer.EXE
Status: Visible

Object-Type: Process
Object-Name: DRAGDIAG.EXE
Pid: 2684
Object-Path: C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
Status: Visible

Object-Type: Process
Object-Name: DAP.exe
Pid: 3428
Object-Path: C:\Program Files\DAP\DAP.EXE
Status: Visible

Object-Type: Process
Object-Name: csrss.exe
Pid: 452
Object-Path: C:\WINDOWS\system32\csrss.exe
Status: Visible

Object-Type: Process
Object-Name: avgwdsvc.exe
Pid: 1940
Object-Path: C:\Program Files\AVG\AVG9\avgwdsvc.exe
Status: Visible

Object-Type: Process
Object-Name: alg.exe
Pid: 3708
Object-Path: C:\WINDOWS\System32\alg.exe
Status: Visible

Object-Type: Process
Object-Name: avgrsx.exe
Pid: 888
Object-Path: C:\Program Files\AVG\AVG9\avgrsx.exe
Status: Visible

Object-Type: Process
Object-Name: avgcsrvx.exe
Pid: 1136
Object-Path: C:\Program Files\AVG\AVG9\avgcsrvx.exe
Status: Visible

Object-Type: Process
Object-Name: avgcsrvx.exe
Pid: 2996
Object-Path: C:\Program Files\AVG\AVG9\avgcsrvx.exe
Status: Visible

Object-Type: Process
Object-Name: realsched.exe
Pid: 2752
Object-Path: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Status: Visible

Object-Type: Process
Object-Name: smss.exe
Pid: 396
Object-Path: C:\WINDOWS\System32\smss.exe
Status: Visible

Object-Type: Process
Object-Name: services.exe
Pid: 520
Object-Path: C:\WINDOWS\system32\services.exe
Status: Visible

Object-Type: Process
Object-Name: SAgent2.exe
Pid: 2008
Object-Path: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
Status: Visible

Object-Type: Process
Object-Name: VideoAccelerato
Pid: 1668
Object-Path: C:\PROGRA~1\SPEEDB~2\VideoAcceleratorEngine.exe
Status: Visible

Object-Type: Process
Object-Name: igfxpers.exe
Pid: 3156
Object-Path: C:\WINDOWS\system32\igfxpers.exe
Status: Visible

Object-Type: Process
Object-Name: Ikeymain.exe
Pid: 2196
Object-Path: C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
Status: Visible

Object-Type: Process
Object-Name: GoogleToolbarNo
Pid: 2352
Object-Path: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
Status: Visible

Object-Type: Process
Object-Name: HijackThis.exe
Pid: 3344
Object-Path: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Status: Visible

Object-Type: Process
Object-Name: Rootkit_Detecti
Pid: 3748
Object-Path: C:\Documents and Settings\new\My Documents\McafeeRootkitDetective\Rootkit_Detective.exe
Status: Visible

Object-Type: Process
Object-Name: GoogleCrashHand
Pid: 432
Object-Path: C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
Status: Visible

Scan complete. Hidden registry keys/values: 52

McAfee(R) Rootkit Detective 1.1 scan report
On 24-10-2009 at 21:48:31
OS-Version 5.1.2600
Service Pack 3.0
====================================

Object-Type: SSDT-hook
Object-Name: ZwCreateProcess
Object-Path: C:\WINDOWS\system32\drivers\prcmondrv1041.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateProcessEx
Object-Path: C:\WINDOWS\system32\drivers\prcmondrv1041.sys

Object-Type: SSDT-hook
Object-Name: ZwOpenKey
Object-Path: C:\WINDOWS\system32\drivers\prcmondrv1041.sys

Object-Type: SSDT-hook
Object-Name: ZwTerminateProcess
Object-Path: C:\WINDOWS\system32\drivers\prcmondrv1041.sys

Object-Type: Registry-key
Object-Name: mainINDOWS\system32\drivers\prcmondrv1041.sys
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gasfkynostymey\main
Status: Hidden

Object-Type: Registry-key
Object-Name: modulesControlSet001\Services\gasfkynostymey\main
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gasfkynostymey\modules
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-key
Object-Name: mainEM\ControlSet001\Services\rotscxibobqjxj
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\gasfkynostymey\main
Status: Hidden

Object-Type: Registry-key
Object-Name: modulescontrolset002\Services\gasfkynostymey\main
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\gasfkynostymey\modules
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-key
Object-Name: mainEM\controlset002\Services\rotscxibobqjxj
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey\main
Status: Hidden

Object-Type: Registry-key
Object-Name: modulesControlSet003\Services\gasfkynostymey\main
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey\modules
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-key
Object-Name: EnumEM\ControlSet003\Services\gasfkynostymey
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj\Enum
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-key
Object-Name: mainEM\ControlSet003\Services\rotscxibobqjxj
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey\main
Status: Hidden

Object-Type: Registry-key
Object-Name: modulesControlSet003\Services\gasfkynostymey\main
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey\modules
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-key
Object-Name: EnumEM\ControlSet003\Services\gasfkynostymey
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj\Enum
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-key
Object-Name: DataEM\ControlSet003\Services\rotscxibobqjxj
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data
Status: Hidden

Object-Type: Registry-key
Object-Name: a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771 System Provider\*Local Machine*\Data
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Status: Hidden

Object-Type: Registry-key
Object-Name: 00000000-0000-0000-0000-000000000000 System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
Status: Hidden

Object-Type: Registry-key
Object-Name: {6340E680-FF06-435f-8767-B79D88AEBD4D}ystem Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}
Status: Hidden

Object-Type: Registry-value
Object-Name: Item Data
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}
Status: Hidden

Object-Type: Registry-value
Object-Name: Display String
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
Status: Hidden

Object-Type: Registry-value
Object-Name: Display String
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Status: Hidden

Object-Type: Registry-key
Object-Name: Data 2RE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2
Status: Hidden

Object-Type: Registry-key
Object-Name: WindowsE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows
Status: Hidden

Object-Type: Registry-value
Object-Name: Value
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows
Status: Hidden

Object-Type: Process
Object-Name: eEBSvc.exe
Pid: 1704
Object-Path: C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
Status: Visible

Object-Type: Process
Object-Name: Rootkit_Detecti
Pid: 2820
Object-Path: C:\Documents and Settings\new\My Documents\McafeeRootkitDetective\Rootkit_Detective.exe
Status: Visible

Object-Type: Process
Object-Name: System Idle Process
Pid: 0
Object-Path:
Status: Visible

Object-Type: Process
Object-Name: explorer.exe
Pid: 2604
Object-Path: C:\WINDOWS\Explorer.EXE
Status: Visible

Object-Type: Process
Object-Name: Ikeymain.exe
Pid: 2232
Object-Path: C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
Status: Visible

Object-Type: Process
Object-Name: realsched.exe
Pid: 2976
Object-Path: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 868
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: lsass.exe
Pid: 528
Object-Path: C:\WINDOWS\system32\lsass.exe
Status: Visible

Object-Type: Process
Object-Name: GoogleToolbarNo
Pid: 2420
Object-Path: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 808
Object-Path: C:\WINDOWS\System32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: soundman.exe
Pid: 1460
Object-Path: C:\WINDOWS\SOUNDMAN.EXE
Status: Visible

Object-Type: Process
Object-Name: VideoAccelerato
Pid: 3104
Object-Path: C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 996
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: System
Pid: 4
Object-Path:
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 1060
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: KService.exe
Pid: 1216
Object-Path: C:\Program Files\Kontiki\KService.exe
Status: Visible

Object-Type: Process
Object-Name: winlogon.exe
Pid: 472
Object-Path: C:\WINDOWS\system32\winlogon.exe
Status: Visible

Object-Type: Process
Object-Name: avgemc.exe
Pid: 2488
Object-Path: C:\Program Files\AVG\AVG9\avgemc.exe
Status: Visible

Object-Type: Process
Object-Name: MaxRCSystemTray
Pid: 3108
Object-Path: C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
Status: Visible

Object-Type: Process
Object-Name: TeaTimer.exe
Pid: 2396
Object-Path: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Status: Visible

Object-Type: Process
Object-Name: avgwdsvc.exe
Pid: 1932
Object-Path: C:\Program Files\AVG\AVG9\avgwdsvc.exe
Status: Visible

Object-Type: Process
Object-Name: DAP.exe
Pid: 2428
Object-Path: C:\Program Files\DAP\DAP.EXE
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 692
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: hkcmd.exe
Pid: 972
Object-Path: C:\WINDOWS\system32\hkcmd.exe
Status: Visible

Object-Type: Process
Object-Name: SAgent2.exe
Pid: 1996
Object-Path: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
Status: Visible

Object-Type: Process
Object-Name: avgchsvx.exe
Pid: 880
Object-Path: C:\Program Files\AVG\AVG9\avgchsvx.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 1500
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: DRAGDIAG.EXE
Pid: 2152
Object-Path: C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
Status: Visible

Object-Type: Process
Object-Name: csrss.exe
Pid: 448
Object-Path: C:\WINDOWS\system32\csrss.exe
Status: Visible

Object-Type: Process
Object-Name: GoogleUpdate.ex
Pid: 356
Object-Path: C:\Program Files\Google\Update\GoogleUpdate.exe
Status: Visible

Object-Type: Process
Object-Name: alg.exe
Pid: 3736
Object-Path: C:\WINDOWS\System32\alg.exe
Status: Visible

Object-Type: Process
Object-Name: GM_DevUpdate.ex
Pid: 3240
Object-Path: C:\Program Files\USB all-in-one game controller\GM_DevUpdate.exe
Status: Visible

Object-Type: Process
Object-Name: GoogleCrashHand
Pid: 420
Object-Path: C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
Status: Visible

Object-Type: Process
Object-Name: Amoumain.exe
Pid: 1660
Object-Path: C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
Status: Visible

Object-Type: Process
Object-Name: avgcsrvx.exe
Pid: 3180
Object-Path: C:\Program Files\AVG\AVG9\avgcsrvx.exe
Status: Visible

Object-Type: Process
Object-Name: avgtray.exe
Pid: 3120
Object-Path: C:\PROGRA~1\AVG\AVG9\avgtray.exe
Status: Visible

Object-Type: Process
Object-Name: smss.exe
Pid: 392
Object-Path: C:\WINDOWS\System32\smss.exe
Status: Visible

Object-Type: Process
Object-Name: services.exe
Pid: 516
Object-Path: C:\WINDOWS\system32\services.exe
Status: Visible

Object-Type: Process
Object-Name: avgrsx.exe
Pid: 888
Object-Path: C:\Program Files\AVG\AVG9\avgrsx.exe
Status: Visible

Object-Type: Process
Object-Name: spoolsv.exe
Pid: 1168
Object-Path: C:\WINDOWS\system32\spoolsv.exe
Status: Visible

Object-Type: Process
Object-Name: avgcsrvx.exe
Pid: 1140
Object-Path: C:\Program Files\AVG\AVG9\avgcsrvx.exe
Status: Visible

Object-Type: Process
Object-Name: ctfmon.exe
Pid: 2412
Object-Path: C:\WINDOWS\system32\ctfmon.exe
Status: Visible

Object-Type: Process
Object-Name: igfxpers.exe
Pid: 3312
Object-Path: C:\WINDOWS\system32\igfxpers.exe
Status: Visible

Object-Type: Process
Object-Name: avgnsx.exe
Pid: 1236
Object-Path: C:\Program Files\AVG\AVG9\avgnsx.exe
Status: Visible

Object-Type: Process
Object-Name: NBService.exe
Pid: 1608
Object-Path: C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 2352
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: VideoAccelerato
Pid: 3716
Object-Path: C:\PROGRA~1\SPEEDB~2\VideoAcceleratorEngine.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 740
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: NMSAccessU.exe
Pid: 2260
Object-Path: C:\Program Files\CDBurnerXP\NMSAccessU.exe
Status: Visible

Object-Type: Process
Object-Name: VideoAccelerato
Pid: 2384
Object-Path: C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe
Status: Visible

Object-Type: Process
Object-Name: Directcd.exe
Pid: 2136
Object-Path: C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
Status: Visible

Scan complete. Hidden registry keys/values: 52  
McAfee(R) Rootkit Detective 1.1 scan report
On 25-10-2009 at 00:07:52
OS-Version 5.1.2600
Service Pack 3.0
====================================

Object-Type: SSDT-hook
Object-Name: ZwCreateProcess
Object-Path: C:\WINDOWS\system32\drivers\prcmondrv1041.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateProcessEx
Object-Path: C:\WINDOWS\system32\drivers\prcmondrv1041.sys

Object-Type: SSDT-hook
Object-Name: ZwOpenKey
Object-Path: C:\WINDOWS\system32\drivers\prcmondrv1041.sys

Object-Type: SSDT-hook
Object-Name: ZwTerminateProcess
Object-Path: C:\WINDOWS\system32\drivers\prcmondrv1041.sys

Object-Type: Registry-key
Object-Name: mainINDOWS\system32\drivers\prcmondrv1041.sys
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gasfkynostymey\main
Status: Hidden

Object-Type: Registry-key
Object-Name: modulesControlSet001\Services\gasfkynostymey\main
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gasfkynostymey\modules
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-key
Object-Name: mainEM\ControlSet001\Services\rotscxibobqjxj
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\gasfkynostymey\main
Status: Hidden

Object-Type: Registry-key
Object-Name: modulescontrolset002\Services\gasfkynostymey\main
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\gasfkynostymey\modules
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-key
Object-Name: mainEM\controlset002\Services\rotscxibobqjxj
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey\main
Status: Hidden

Object-Type: Registry-key
Object-Name: modulesControlSet003\Services\gasfkynostymey\main
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey\modules
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-key
Object-Name: EnumEM\ControlSet003\Services\gasfkynostymey
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj\Enum
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-key
Object-Name: mainEM\ControlSet003\Services\rotscxibobqjxj
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey\main
Status: Hidden

Object-Type: Registry-key
Object-Name: modulesControlSet003\Services\gasfkynostymey\main
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey\modules
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gasfkynostymey
Status: Hidden

Object-Type: Registry-key
Object-Name: EnumEM\ControlSet003\Services\gasfkynostymey
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj\Enum
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-key
Object-Name: DataEM\ControlSet003\Services\rotscxibobqjxj
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data
Status: Hidden

Object-Type: Registry-key
Object-Name: a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771 System Provider\*Local Machine*\Data
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Status: Hidden

Object-Type: Registry-key
Object-Name: 00000000-0000-0000-0000-000000000000 System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
Status: Hidden

Object-Type: Registry-key
Object-Name: {6340E680-FF06-435f-8767-B79D88AEBD4D}ystem Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}
Status: Hidden

Object-Type: Registry-value
Object-Name: Item Data
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}
Status: Hidden

Object-Type: Registry-value
Object-Name: Display String
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
Status: Hidden

Object-Type: Registry-value
Object-Name: Display String
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Status: Hidden

Object-Type: Registry-key
Object-Name: Data 2RE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2
Status: Hidden

Object-Type: Registry-key
Object-Name: WindowsE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows
Status: Hidden

Object-Type: Registry-value
Object-Name: Value
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows
Status: Hidden

Object-Type: IAT/EAT-hook
PID: 1516
Details: Export : Function  : ADVAPI32.dll!RegSetValueW =>
Object-Path:
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 1516
Details: Export : Function  : ADVAPI32.dll!RegSetValueExW =>
Object-Path:
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 1516
Details: Export : Function  : ADVAPI32.dll!RegSetValueExA =>
Object-Path:
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 1516
Details: Export : Function  : ADVAPI32.dll!RegSetValueA =>
Object-Path:
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 1516
Details: Export : Function  : ADVAPI32.dll!RegOpenKeyW =>
Object-Path:
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 1516
Details: Export : Function  : ADVAPI32.dll!RegOpenKeyExW =>
Object-Path:
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 1516
Details: Export : Function  : ADVAPI32.dll!RegOpenKeyExA =>
Object-Path:
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 1516
Details: Export : Function  : ADVAPI32.dll!RegOpenKeyA =>
Object-Path:
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 1516
Details: Export : Function  : ADVAPI32.dll!RegDeleteValueW =>
Object-Path:
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 1516
Details: Export : Function  : ADVAPI32.dll!RegDeleteValueA =>
Object-Path:
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 1516
Details: Export : Function  : ADVAPI32.dll!RegDeleteKeyW =>
Object-Path:
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 1516
Details: Export : Function  : ADVAPI32.dll!RegDeleteKeyA =>
Object-Path:
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 1516
Details: Export : Function  : ADVAPI32.dll!RegCreateKeyW =>
Object-Path:
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 1516
Details: Export : Function  : ADVAPI32.dll!RegCreateKeyA =>
Object-Path:
Status: Hooked

Object-Type: Process
Object-Name: avgemc.exe
Pid: 2448
Object-Path: C:\Program Files\AVG\AVG9\avgemc.exe
Status: Visible

Object-Type: Process
Object-Name: System Idle Process
Pid: 0
Object-Path:
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 744
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: avgtray.exe
Pid: 2852
Object-Path: C:\PROGRA~1\AVG\AVG9\avgtray.exe
Status: Visible

Object-Type: Process
Object-Name: DAP.exe
Pid: 3224
Object-Path: C:\Program Files\DAP\DAP.EXE
Status: Visible

Object-Type: Process
Object-Name: lsass.exe
Pid: 528
Object-Path: C:\WINDOWS\system32\lsass.exe
Status: Visible

Object-Type: Process
Object-Name: igfxpers.exe
Pid: 1428
Object-Path: C:\WINDOWS\system32\igfxpers.exe
Status: Visible

Object-Type: Process
Object-Name: avgcsrvx.exe
Pid: 2948
Object-Path: C:\Program Files\AVG\AVG9\avgcsrvx.exe
Status: Visible

Object-Type: Process
Object-Name: GoogleToolbarNo
Pid: 3072
Object-Path: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
Status: Visible

Object-Type: Process
Object-Name: System
Pid: 4
Object-Path:
Status: Visible

Object-Type: Process
Object-Name: NBService.exe
Pid: 2052
Object-Path: C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
Status: Visible

Object-Type: Process
Object-Name: TeaTimer.exe
Pid: 3044
Object-Path: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Status: Visible

Object-Type: Process
Object-Name: winlogon.exe
Pid: 472
Object-Path: C:\WINDOWS\system32\winlogon.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 876
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 816
Object-Path: C:\WINDOWS\System32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: soundman.exe
Pid: 1312
Object-Path: C:\WINDOWS\SOUNDMAN.EXE
Status: Visible

Object-Type: Process
Object-Name: NMSAccessU.exe
Pid: 2212
Object-Path: C:\Program Files\CDBurnerXP\NMSAccessU.exe
Status: Visible

Object-Type: Process
Object-Name: SAgent2.exe
Pid: 1004
Object-Path: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
Status: Visible

Object-Type: Process
Object-Name: spoolsv.exe
Pid: 1160
Object-Path: C:\WINDOWS\system32\spoolsv.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 2028
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: csrss.exe
Pid: 448
Object-Path: C:\WINDOWS\system32\csrss.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 696
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: GoogleUpdate.ex
Pid: 1440
Object-Path: C:\Program Files\Google\Update\GoogleUpdate.exe
Status: Visible

Object-Type: Process
Object-Name: avgcsrvx.exe
Pid: 1132
Object-Path: C:\Program Files\AVG\AVG9\avgcsrvx.exe
Status: Visible

Object-Type: Process
Object-Name: GM_DevUpdate.ex
Pid: 3364
Object-Path: C:\Program Files\USB all-in-one game controller\GM_DevUpdate.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 2280
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: Ikeymain.exe
Pid: 1288
Object-Path: C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
Status: Visible

Object-Type: Process
Object-Name: GoogleCrashHand
Pid: 1568
Object-Path: C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
Status: Visible

Object-Type: Process
Object-Name: KService.exe
Pid: 1816
Object-Path: C:\Program Files\Kontiki\KService.exe
Status: Visible

Object-Type: Process
Object-Name: VideoAccelerato
Pid: 2932
Object-Path: C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 980
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: DRAGDIAG.EXE
Pid: 1228
Object-Path: C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
Status: Visible

Object-Type: Process
Object-Name: smss.exe
Pid: 392
Object-Path: C:\WINDOWS\System32\smss.exe
Status: Visible

Object-Type: Process
Object-Name: services.exe
Pid: 516
Object-Path: C:\WINDOWS\system32\services.exe
Status: Visible

Object-Type: Process
Object-Name: avgchsvx.exe
Pid: 888
Object-Path: C:\Program Files\AVG\AVG9\avgchsvx.exe
Status: Visible

Object-Type: Process
Object-Name: Amoumain.exe
Pid: 1260
Object-Path: C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
Status: Visible

Object-Type: Process
Object-Name: hkcmd.exe
Pid: 1508
Object-Path: C:\WINDOWS\system32\hkcmd.exe
Status: Visible

Object-Type: Process
Object-Name: Rootkit_Detecti
Pid: 2564
Object-Path: C:\Documents and Settings\new\My Documents\McafeeRootkitDetective\Rootkit_Detective.exe
Status: Visible

Object-Type: Process
Object-Name: avgnsx.exe
Pid: 1820
Object-Path: C:\Program Files\AVG\AVG9\avgnsx.exe
Status: Visible

Object-Type: Process
Object-Name: VideoAccelerato
Pid: 2316
Object-Path: C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe
Status: Visible

Object-Type: Process
Object-Name: ctfmon.exe
Pid: 3060
Object-Path: C:\WINDOWS\system32\ctfmon.exe
Status: Visible

Object-Type: Process
Object-Name: Directcd.exe
Pid: 2132
Object-Path: C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
Status: Visible

Object-Type: Process
Object-Name: eEBSvc.exe
Pid: 304
Object-Path: C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
Status: Visible

Object-Type: Process
Object-Name: avgwdsvc.exe
Pid: 864
Object-Path: C:\Program Files\AVG\AVG9\avgwdsvc.exe
Status: Visible

Object-Type: Process
Object-Name: VideoAccelerato
Pid: 2476
Object-Path: C:\PROGRA~1\SPEEDB~2\VideoAcceleratorEngine.exe
Status: Visible

Object-Type: Process
Object-Name: SpyHunter3.exe
Pid: 3500
Object-Path: C:\Program Files\spyhunter-enigma\SpyHunter\SpyHunter3.exe
Status: Visible

Object-Type: Process
Object-Name: avgrsx.exe
Pid: 896
Object-Path: C:\Program Files\AVG\AVG9\avgrsx.exe
Status: Visible

Object-Type: Process
Object-Name: explorer.exe
Pid: 1516
Object-Path: C:\WINDOWS\Explorer.EXE
Status: Visible

Object-Type: Process
Object-Name: alg.exe
Pid: 3624
Object-Path: C:\WINDOWS\System32\alg.exe
Status: Visible

Object-Type: Process
Object-Name: realsched.exe
Pid: 2136
Object-Path: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 1052
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

I think you mean this.

Object-Type: Process
Object-Name: MaxRCSystemTray
Pid: 2788
Object-Path: C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
Status: Visible

Scan complete. Hidden registry keys/values: 52  

 

by: rpggamergirl, posted on 2009-10-25 at 21:38:06, ID: 25659680

The log is showing 2 variants of TDSS rootkits. Run Combofix and show us the log, as we may need to use its script function.


Please download ComboFix by sUBs. It's a lot better to install the Recovery Console as well.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(If it doesn't run, re-download and rename before saving to your desktop)

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

<<" with several items showing ''DLL\global root\system32\gasfkyllovmthf.dll '' >>>

The log is so long... I can't find the "global" bit you mentioned, I need to see it.
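The conclusion above ("2 variants of TDSS rootkits") comes from reading the Rootkit Detective report by hand: the hidden entries under HKLM\SYSTEM\...\Services belong to exactly two service names (gasfkynostymey and rotscxibobqjxj, repeated once per ControlSet), a driver hooks the SSDT, and the ADVAPI32 registry exports are hooked inside PID 1516, which the same report's process list resolves to explorer.exe. The following triage helper is an added example, not part of rpggamergirl's reply and not McAfee's code; it assumes the record layout visible in the pasted log (blank-line separated "Key: Value" groups, with both "Pid:" and "PID:" spellings) and keys on Object-Path rather than Object-Name, because the tool's Object-Name fields in the log are visibly truncated and garbled ("mainEM\ControlSet001..."). The sample report is a constructed excerpt modelled on the log above.

```python
"""Triage helper for McAfee Rootkit Detective text reports (added example).

Splits the report into its "Key: Value" records and summarises what a
responder wants first: hidden service entries (one per suspicious driver
name, de-duplicated across ControlSets), SSDT hooks with their owning
driver, and user-mode IAT/EAT hooks resolved to the hooked process name.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the report quoted in the question; the
# service names, driver and PID mirror that report, everything else is
# trimmed so the example runs stand-alone.
SAMPLE_REPORT = """\
McAfee(R) Rootkit Detective 1.1 scan report
On 25-10-2009 at 00:07:52
OS-Version 5.1.2600
Service Pack 3.0
====================================

Object-Type: SSDT-hook
Object-Name: ZwCreateProcess
Object-Path: C:\\WINDOWS\\system32\\drivers\\prcmondrv1041.sys

Object-Type: Registry-key
Object-Name: main
Object-Path: HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\gasfkynostymey\\main
Status: Hidden

Object-Type: Registry-value
Object-Name: imagepath
Object-Path: HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\gasfkynostymey
Status: Hidden

Object-Type: Registry-value
Object-Name: start
Object-Path: HKEY_LOCAL_MACHINE\\SYSTEM\\controlset002\\Services\\rotscxibobqjxj
Status: Hidden

Object-Type: Registry-value
Object-Name: Display String
Object-Path: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Protected Storage System Provider\\*Local Machine*\\Data
Status: Hidden

Object-Type: IAT/EAT-hook
PID: 1516
Details: Export : Function  : ADVAPI32.dll!RegOpenKeyExW =>
Object-Path:
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 1516
Details: Export : Function  : ADVAPI32.dll!RegDeleteKeyW =>
Object-Path:
Status: Hooked

Object-Type: Process
Object-Name: explorer.exe
Pid: 1516
Object-Path: C:\\WINDOWS\\Explorer.EXE
Status: Visible

Scan complete. Hidden registry keys/values: 4
"""

# Service name is the path component right after "\Services\" (any ControlSet).
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)", re.IGNORECASE)
# "ADVAPI32.dll!RegOpenKeyExW" inside the Details field of a hook record.
FUNC_RE = re.compile(r"([A-Za-z0-9_.]+!\w+)")


def parse_records(report: str) -> list[dict]:
    """Split the report into blank-line separated records of 'Key: Value' lines."""
    records, current = [], {}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip():
            # Lower-case keys: the tool writes both "Pid:" and "PID:".
            current[key.strip().lower()] = value.strip()
    if current:
        records.append(current)
    return records


def hidden_services(records: list[dict]) -> list[str]:
    """Service names whose registry keys/values were flagged Hidden (de-duplicated)."""
    names = set()
    for rec in records:
        if rec.get("object-type", "").startswith("Registry") and rec.get("status") == "Hidden":
            m = SERVICE_RE.search(rec.get("object-path", ""))
            if m:
                names.add(m.group(1).lower())
    return sorted(names)


def ssdt_hooks(records: list[dict]) -> dict[str, list[str]]:
    """Map each hooking driver path to the system calls it hooks."""
    hooks = defaultdict(list)
    for rec in records:
        if rec.get("object-type") == "SSDT-hook":
            hooks[rec.get("object-path", "")].append(rec.get("object-name", ""))
    return dict(hooks)


def hooked_processes(records: list[dict]) -> dict[int, tuple[str, list[str]]]:
    """Resolve IAT/EAT hook records to the process name and list the hooked exports."""
    names = {}
    for rec in records:
        if rec.get("object-type") == "Process" and rec.get("pid", "").isdigit():
            names[int(rec["pid"])] = rec.get("object-name", "")
    hooks = defaultdict(list)
    for rec in records:
        if rec.get("object-type") == "IAT/EAT-hook" and rec.get("pid", "").isdigit():
            m = FUNC_RE.search(rec.get("details", ""))
            hooks[int(rec["pid"])].append(m.group(1) if m else rec.get("details", ""))
    return {pid: (names.get(pid, "<not in process list>"), funcs) for pid, funcs in hooks.items()}


def triage(report: str) -> dict:
    """One-call summary of the findings that matter for a rootkit triage."""
    records = parse_records(report)
    return {
        "hidden_services": hidden_services(records),
        "ssdt_hooks": ssdt_hooks(records),
        "hooked_processes": hooked_processes(records),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print("Hidden service entries:", ", ".join(summary["hidden_services"]))
    for drv, calls in summary["ssdt_hooks"].items():
        print(f"SSDT hooks by {drv}: {', '.join(calls)}")
    for pid, (name, funcs) in summary["hooked_processes"].items():
        print(f"IAT/EAT hooks in {name} (PID {pid}): {', '.join(funcs)}")
```

Run against the full log pasted in the question, the hidden-service list collapses the 52 hidden keys/values to the two service names the expert counted, and the hook summary ties the ADVAPI32 Reg* hooks to explorer.exe, which is the process the crash dialog in the question names. Hidden Protected Storage entries are listed as hidden by the tool but are not service keys, so the service filter leaves them out; a responder would review those separately rather than count them as a third variant.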

 

by: rpggamergirl, posted on 2009-10-25 at 21:45:47, ID: 25659701

"I am most greatful for expertise way beyond my competence but please end this now as I do not intend to do anything further"

boybsm,

At this very moment this question is closed... do you want it to remain closed or re-opened?

 

by: boybsm, posted on 2009-10-26 at 05:41:13, ID: 25661616

rpggamergirl
thanks for your suggestions but I am going to take another path, clearing everything and starting again from scratch. These present moves are beyond me.
Thank you and all your colleagues for your help.
