OK, so it took me a while to figure the GMER rootkit thingy out. Every time I ran it, Windows would shut down immediately afterwards (blue screen), so I wasn't able to save the log. But now I got it.
Also, I tried to find the WildTangent thing, but it is not in my program list. How do I find it and uninstall it?
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-06 17:13:35
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Sanna\AppData\Local\Temp\kxldrpob.sys
---- System - GMER 1.0.15 ----
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8DCC879E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8DCC8738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8DCC874C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8DCC87DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8DCC881F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8DCC8710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8DCC8724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8DCC87B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8DCC8847]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8DCC8833]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8DCC878A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8DCC8776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8DCC880B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8DCC87F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8DCC87C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8DCC8762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwYieldExecution 81E3D9D2 5 Bytes JMP 8DCC87CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 81FD15B5 5 Bytes JMP 8DCC8823 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 81FDBB82 5 Bytes JMP 8DCC8766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 82002DA3 5 Bytes JMP 8DCC880F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 820224FA 7 Bytes JMP 8DCC87E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 820227BD 5 Bytes JMP 8DCC87F6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 82026528 5 Bytes JMP 8DCC877A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 8202BF3D 7 Bytes JMP 8DCC87B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 8202E15A 5 Bytes JMP 8DCC8728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 82032C08 5 Bytes JMP 8DCC8714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 82053E5B 5 Bytes JMP 8DCC87A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 820648D2 5 Bytes JMP 8DCC8837 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 82065AD6 5 Bytes JMP 8DCC884B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 820A38BF 5 Bytes JMP 8DCC873C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 820A390A 7 Bytes JMP 8DCC8750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 820A43C7 5 Bytes JMP 8DCC878E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
C:\Program Files\CyberLink\PowerDVD\000.fcl entry point in "" section [0xAB81F000]
.clc C:\Program Files\CyberLink\PowerDVD\000.fcl unknown last section [0xAB820000, 0x1000, 0x00000000]
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\services.exe[660] kernel32.dll!GetStartupInfoW 75CD1929 5 Bytes JMP 00060F3A
.text C:\Windows\system32\services.exe[660] kernel32.dll!GetStartupInfoA 75CD19C9 5 Bytes JMP 00060080
.text C:\Windows\system32\services.exe[660] kernel32.dll!CreateProcessW 75CD1BF3 5 Bytes JMP 000600BD
.text C:\Windows\system32\services.exe[660] kernel32.dll!CreateProcessA 75CD1C28 5 Bytes JMP 000600AC
.text C:\Windows\system32\services.exe[660] kernel32.dll!VirtualProtect 75CD1DC3 5 Bytes JMP 00060F5C
.text C:\Windows\system32\services.exe[660] kernel32.dll!CreateNamedPipeA 75CD2EF5 5 Bytes JMP 00060FD4
.text C:\Windows\system32\services.exe[660] kernel32.dll!CreateNamedPipeW 75CD5C0C 5 Bytes JMP 00060025
.text C:\Windows\system32\services.exe[660] kernel32.dll!CreatePipe 75CF8E6E 5 Bytes JMP 00060F4B
.text C:\Windows\system32\services.exe[660] kernel32.dll!LoadLibraryExW 75CF9109 5 Bytes JMP 00060F6D
.text C:\Windows\system32\services.exe[660] kernel32.dll!LoadLibraryW 75CF9362 5 Bytes JMP 00060FAF
.text C:\Windows\system32\services.exe[660] kernel32.dll!LoadLibraryExA 75CF94B4 5 Bytes JMP 00060F8A
.text C:\Windows\system32\services.exe[660] kernel32.dll!LoadLibraryA 75CF94DC 5 Bytes JMP 00060036
.text C:\Windows\system32\services.exe[660] kernel32.dll!VirtualProtectEx 75CFDBDA 5 Bytes JMP 0006005B
.text C:\Windows\system32\services.exe[660] kernel32.dll!GetProcAddress 75D1903B 5 Bytes JMP 00060F0B
.text C:\Windows\system32\services.exe[660] kernel32.dll!CreateFileW 75D1AECB 5 Bytes JMP 0006000A
.text C:\Windows\system32\services.exe[660] kernel32.dll!CreateFileA 75D1CE5F 5 Bytes JMP 00060FEF
.text C:\Windows\system32\services.exe[660] kernel32.dll!WinExec 75D65CF7 5 Bytes JMP 00060091
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegCreateKeyExA 773C39AB 5 Bytes JMP 00870F97
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegCreateKeyA 773C3BA9 5 Bytes JMP 00870FB9
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegOpenKeyA 773C89C7 5 Bytes JMP 00870000
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegCreateKeyW 773D391E 5 Bytes JMP 00870FA8
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegCreateKeyExW 773D41F1 5 Bytes JMP 00870054
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegOpenKeyExA 773D7C42 5 Bytes JMP 0087001B
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegOpenKeyW 773DE2B5 5 Bytes JMP 00870FEF
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegOpenKeyExW 773E7BA1 5 Bytes JMP 00870FCA
.text C:\Windows\system32\services.exe[660] msvcrt.dll!_wsystem 761B7F2F 5 Bytes JMP 00850FAD
.text C:\Windows\system32\services.exe[660] msvcrt.dll!system 761B804B 5 Bytes JMP 00850FBE
.text C:\Windows\system32\services.exe[660] msvcrt.dll!_creat 761BBBE1 5 Bytes JMP 0085001D
.text C:\Windows\system32\services.exe[660] msvcrt.dll!_open 761BD106 5 Bytes JMP 00850FEF
.text C:\Windows\system32\services.exe[660] msvcrt.dll!_wcreat 761BD326 5 Bytes JMP 0085002E
.text C:\Windows\system32\services.exe[660] msvcrt.dll!_wopen 761BD501 5 Bytes JMP 0085000C
.text C:\Windows\system32\services.exe[660] WS2_32.dll!socket 762B36D1 5 Bytes JMP 00860000
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!GetStartupInfoW 75CD1929 5 Bytes JMP 00190F91
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!GetStartupInfoA 75CD19C9 1 Byte [E9]
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!GetStartupInfoA 75CD19C9 5 Bytes JMP 001900CD
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateProcessW 75CD1BF3 5 Bytes JMP 0019010D
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateProcessA 75CD1C28 5 Bytes JMP 00190F6C
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!VirtualProtect 75CD1DC3 5 Bytes JMP 001900AB
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateNamedPipeA 75CD2EF5 5 Bytes JMP 0019002C
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateNamedPipeW 75CD5C0C 5 Bytes JMP 00190047
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreatePipe 75CF8E6E 5 Bytes JMP 00190FAC
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryExW 75CF9109 5 Bytes JMP 00190084
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryW 75CF9362 5 Bytes JMP 00190062
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryExA 75CF94B4 5 Bytes JMP 00190073
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryA 75CF94DC 5 Bytes JMP 00190FD1
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!VirtualProtectEx 75CFDBDA 5 Bytes JMP 001900BC
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!GetProcAddress 75D1903B 5 Bytes JMP 00190128
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateFileW 75D1AECB 5 Bytes JMP 0019001B
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateFileA 75D1CE5F 5 Bytes JMP 00190000
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!WinExec 75D65CF7 5 Bytes JMP 001900E8
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyExA 773C39AB 5 Bytes JMP 004E0F8D
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyA 773C3BA9 5 Bytes JMP 004E0025
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyA 773C89C7 5 Bytes JMP 004E000A
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyW 773D391E 5 Bytes JMP 004E0FA8
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyExW 773D41F1 5 Bytes JMP 004E004A
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyExA 773D7C42 5 Bytes JMP 004E0FD4
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyW 773DE2B5 5 Bytes JMP 004E0FEF
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyExW 773E7BA1 5 Bytes JMP 004E0FC3
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_wsystem 761B7F2F 5 Bytes JMP 001A0F7A
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!system 761B804B 5 Bytes JMP 001A0F95
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_creat 761BBBE1 5 Bytes JMP 001A0FB7
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_open 761BD106 5 Bytes JMP 001A0FEF
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_wcreat 761BD326 5 Bytes JMP 001A0FA6
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_wopen 761BD501 5 Bytes JMP 001A0FDE
.text C:\Windows\system32\lsass.exe[692] WS2_32.dll!socket 762B36D1 5 Bytes JMP 001B0FEF
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetStartupInfoW 75CD1929 5 Bytes JMP 004B00B1
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetStartupInfoA 75CD19C9 5 Bytes JMP 004B0F61
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateProcessW 75CD1BF3 5 Bytes JMP 004B00DD
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateProcessA 75CD1C28 5 Bytes JMP 004B0F46
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!VirtualProtect 75CD1DC3 5 Bytes JMP 004B0056
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeA 75CD2EF5 5 Bytes JMP 004B0FB9
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeW 75CD5C0C 5 Bytes JMP 004B0014
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreatePipe 75CF8E6E 5 Bytes JMP 004B0082
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryExW 75CF9109 5 Bytes JMP 004B0F7C
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryW 75CF9362 5 Bytes JMP 004B0F97
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryExA 75CF94B4 5 Bytes JMP 004B0039
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryA 75CF94DC 5 Bytes JMP 004B0FA8
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!VirtualProtectEx 75CFDBDA 5 Bytes JMP 004B0071
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetProcAddress 75D1903B 5 Bytes JMP 004B0F2B
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateFileW 75D1AECB 5 Bytes JMP 004B0FCA
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateFileA 75D1CE5F 5 Bytes JMP 004B0FE5
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!WinExec 75D65CF7 5 Bytes JMP 004B00C2
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wsystem 761B7F2F 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wsystem 761B7F2F 5 Bytes JMP 004C0033
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!system 761B804B 5 Bytes JMP 004C0FA8
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_creat 761BBBE1 5 Bytes JMP 004C0FD4
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_open 761BD106 5 Bytes JMP 004C000C
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wcreat 761BD326 5 Bytes JMP 004C0FC3
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wopen 761BD501 5 Bytes JMP 004C0FEF
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExA 773C39AB 5 Bytes JMP 00520F83
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyA 773C3BA9 5 Bytes JMP 00520FAF
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyA 773C89C7 5 Bytes JMP 00520FE5
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyW 773D391E 5 Bytes JMP 00520F9E
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExW 773D41F1 5 Bytes JMP 00520040
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExA 773D7C42 5 Bytes JMP 00520000
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyW 773DE2B5 5 Bytes JMP 00520FCA
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExW 773E7BA1 5 Bytes JMP 00520011
.text C:\Windows\system32\svchost.exe[880] WS2_32.dll!socket 762B36D1 5 Bytes JMP 00510000
.text C:\Windows\system32\svchost.exe[940] kernel32.dll!GetStartupInfoW