possible trojan: afd.sys


This topic is locked
3 replies to this topic

#1 randomgene

  • Members
  • 13 posts

Posted 31 May 2011 - 05:14 AM

I have used several cleaners to sweep my PC, but an internet redirect program keeps sneaking in, taking me to other search sites. The Google page is OK, and if I quickly hit Enter over the address bar when my pages are opening I can get around the bogus pages, but I just want to get rid of it as it worries me and seems to be slowing down my web browsing.

Have used Malwarebytes, AVG and Hitman, but it always comes back. AVG was disabled when I did the scans. Hitman has tried unsuccessfully to replace afd.sys with the original Windows version, but every time it was unsuccessful. I had System Restore disabled when I did the scans and removals.

Here are the OTL files:

OTL logfile created on: 31/05/2011 3:35:24 PM - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\User\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

3.25 Gb Total Physical Memory | 2.49 Gb Available Physical Memory | 76.59% Memory free
5.09 Gb Paging File | 4.46 Gb Available in Paging File | 87.56% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 214.01 Gb Free Space | 71.80% Space Free | Partition Type: NTFS
Drive D: | 518.75 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 372.61 Gb Total Space | 290.63 Gb Free Space | 78.00% Space Free | Partition Type: NTFS

Computer Name: USER-DE12537D5A | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/31 15:34:17 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
PRC - [2011/05/31 15:20:13 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\User\Desktop\9j4zolcy.exe
PRC - [2011/05/25 17:08:25 | 001,011,768 | ---- | M] (Google Inc.) -- C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2011/04/18 17:40:08 | 002,334,560 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgtray.exe
PRC - [2011/04/14 21:30:46 | 003,588,960 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgui.exe
PRC - [2011/02/10 07:55:18 | 001,148,256 | ---- | M] () -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
PRC - [2011/02/08 05:33:42 | 000,272,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe
PRC - [2011/01/28 17:36:42 | 000,526,336 | ---- | M] (Spigot, Inc.) -- C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
PRC - [2009/09/12 23:09:10 | 000,103,768 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\concentr.exe
PRC - [2009/09/12 23:09:04 | 000,550,232 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\wfcrun32.exe
PRC - [2009/02/23 22:45:16 | 005,637,632 | ---- | M] () -- C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
PRC - [2008/07/07 17:34:59 | 000,167,936 | ---- | M] (PowerISO Computing, Inc.) -- C:\Program Files\PowerISO\PWRISOVM.EXE
PRC - [2008/06/11 22:43:26 | 000,640,376 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
PRC - [2008/04/14 22:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/14 22:00:00 | 000,027,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\conime.exe


----------------------

OTL Extras logfile created on: 31/05/2011 3:35:24 PM - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\User\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

3.25 Gb Total Physical Memory | 2.49 Gb Available Physical Memory | 76.59% Memory free
5.09 Gb Paging File | 4.46 Gb Available in Paging File | 87.56% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 214.01 Gb Free Space | 71.80% Space Free | Partition Type: NTFS
Drive D: | 518.75 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 372.61 Gb Total Space | 290.63 Gb Free Space | 78.00% Space Free | Partition Type: NTFS

Computer Name: USER-DE12537D5A | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe
"C:\Program Files\楽天ツールバー\TroubleShooter.exe" = C:\Program Files\楽天ツールバー\TroubleShooter.exe:*:Enabled:楽天ツールバー (Helper) -- (FreeCause Inc.)
"C:\Program Files\楽天ツールバー\ToolbarUpdate.exe" = C:\Program Files\楽天ツールバー\ToolbarUpdate.exe:*:Enabled:楽天ツールバー (Update) -- (FreeCause Inc.)
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)
"C:\Program Files\Raptr\raptr.exe" = C:\Program Files\Raptr\raptr.exe:*:Enabled:Raptr Client
"C:\Program Files\Raptr\raptr_im.exe" = C:\Program Files\Raptr\raptr_im.exe:*:Enabled:Raptr IM
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
"C:\Program Files\Vuze\Azureus.exe" = C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus / Vuze -- (Vuze Inc.)
"C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\HP\HP Deskjet 2050 J510 series\Bin\USBSetup.exe" = C:\Program Files\HP\HP Deskjet 2050 J510 series\Bin\USBSetup.exe:LocalSubNet:Enabled:HP Device Setup -- (Hewlett-Packard Co.)
"C:\Program Files\AVG\AVG10\avgdiagex.exe" = C:\Program Files\AVG\AVG10\avgdiagex.exe:*:Enabled:AVG Diagnostics 2011 -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG10\avgnsx.exe" = C:\Program Files\AVG\AVG10\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG10\avgemcx.exe" = C:\Program Files\AVG\AVG10\avgemcx.exe:*:Enabled:Personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{00E10F93-500A-D5F9-D785-F6EA2DE1263A}" = CCC Help Danish
"{01C44D76-09B5-4CA1-0922-533F987643F1}" = CCC Help Japanese
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{06A1BE8A-4CA4-4A39-B9E4-E815AA8FE05C}" = Sony Noise Reduction Plug-In 2.0h
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0886900B-B2F3-452C-B580-60F1253F7F80}" = Native Instruments Controller Editor
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0A8C45BB-5AB8-CF5B-9E9F-FD7F13235CAB}" = CCC Help Czech
"{0B8565BA-BAD5-4732-B122-5FD78EFC50A9}" = Native Instruments Service Center
"{0BCA9EFD-F2D6-4638-B053-8693BA0404BE}" = Citrix online plug-in (Web)
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}" = Adobe Setup
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{164B63A3-2639-1556-A6A8-49D5058EBFA4}" = CCC Help Korean
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{230E8DDC-FB78-4F9F-8461-22ED20DBC3BA}" = AVG 2011
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2379D3D4-2BE3-A0C5-F32C-5C3DDB2532DE}" = CCC Help Chinese Standard
"{25613C10-27D2-410B-942B-D922D5C3A7BE}" = Interlok driver setup x32
"{26A24AE4-039D-4CA4-87B4-2F83216013F0}" = Java™ 6 Update 13
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 24
"{2E376AD9-5C49-4F7D-A0BA-6A44E8FA5A3B}" = Next Generation Visualisations
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{3360F95B-C10A-B4DE-1334-FE8209A4C0F6}" = CCC Help Finnish
"{3436FD5A-3154-A950-8660-FFBC9664FD70}" = CCC Help Dutch
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{36CDA33B-909B-4719-97D1-C4B99309BDC7}" = ATI Parental Control & Encoder
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{43475674-3C02-6476-770D-71D4F23837D8}" = CCC Help Italian
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AEA9A23-D627-4699-8A0F-FC474308C2E6}" = Sony Sound Forge 9.0
"{4B78B2D5-E455-AD54-9B11-716F02732F95}" = CCC Help Russian
"{4ED583A3-A530-42D7-A51C-5DE0D41150B7}" = Max 5.1.5
"{5033F411-4848-49D6-BAC2-DAA06AFA0AFC}" = HP Deskjet 2050 J510 series Basic Device Software
"{519C4DB6-B53B-4F5C-8297-89B2BE949FA5}_is1" = Data Lifeguard Diagnostic for Windows 1.22
"{55392E52-1AAD-44C4-BE49-258FFE72434F}" = Citrix online plug-in (USB)
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{59304B51-ED05-EDE5-3CA9-59898BC47694}" = Catalyst Control Center Graphics Full Existing
"{60B8DE54-593B-A699-9850-B0D5ADD309DB}" = CCC Help Polish
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63C760E0-5867-CB5C-564C-19F6F568ECAA}" = CCC Help French
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{64240CEB-91D8-4497-A18F-476E70C69D3E}" = CCC Help Hungarian
"{65AA5B18-A330-4F35-BCDF-EA85EC888906}" = AVOX Evo VST
"{65EE5324-78AF-B66C-42C3-D86603BD38A1}" = CCC Help Norwegian
"{65F6D129-8EB6-4DC1-A5C0-E5EB1C6755AB}" = INQ1 Modem
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6BF488AF-6726-4DD5-FA0D-3F7A05B3C5BD}" = CCC Help Thai
"{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}" = HP Photo and Imaging 2.0 - All-in-One Drivers
"{76183AE4-F30E-1AFB-B3CB-23E47F14C48F}" = CCC Help Chinese Traditional
"{761CB6D1-F804-3162-ABAF-CC1D09B41D29}" = CCC Help Greek
"{787D1A33-A97B-4245-87C0-7174609A540C}" = HP Update
"{79EA8EB9-45A8-6FAF-7C8B-6FB79E05CE85}" = Catalyst Control Center Graphics Light
"{7A3DF2E2-CF13-44FB-A93E-F71D5381DB3F}" = HP Deskjet 2050 J510 series Help
"{812424AC-A8B5-44E6-8D48-07E939D1AD9A}" = Citrix online plug-in (HDX)
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{854F1DBC-F3A6-0902-0788-5BB628FE5EF5}" = CCC Help Turkish
"{8F66047B-1AF3-40D9-80D7-106E2EDC2C2A}" = EPU-4 Engine
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{9551DD73-10A7-828B-8E76-C6A17693FEB6}" = CCC Help English
"{9867A917-5D17-40DE-83BA-BEA5293194B1}" = HP Photo and Imaging 2.0 - All-in-One
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C344D4A-69B8-430E-B463-BAA1A83D7F68}" = HP Deskjet 2050 J510 series Product Improvement Study
"{9DDD0B95-1F3E-453E-9F12-EACB0DD6B6CF}" = Dealio Toolbar v4.3
"{9FA1CBC5-E656-879C-158E-4DC9C7BE7B15}" = ccc-core-static
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3C12ED1-665D-3840-68BA-8CCE3CFB089F}" = CCC Help Portuguese
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-1033-F400-7760-000000000004}" = Adobe Acrobat 9 Pro - English, Français, Deutsch
"{AC76BA86-1033-F400-7760-000000000004}{AC76BA86-1033-F400-7760-000000000004}" = Adobe Acrobat 9 Pro - English, Français, Deutsch
"{AFE829B5-2701-FD39-E15C-0576184BD3E3}" = Skins
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B3E8CDD5-E044-139C-FA49-147B5E3A43F4}" = CCC Help German
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{BABA6734-23CF-42AC-9E4C-EA2C7C80AA4E}" = AVG 2011
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{C0467622-B130-4981-B9CE-34B94F8006D2}" = Driver
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver
"{C1B51FA5-5470-D3B5-B58D-DCCB08EF38E8}" = Catalyst Control Center Core Implementation
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C7FAFC98-5ECC-40FC-B440-A5D5FE3A6A6E}" = Native Instruments Guitar Rig 4
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CC5ED19E-FCEC-B68C-C10E-F8FDFB50DB61}" = ccc-utility
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF53CF7C-D996-43EB-9904-DBED57C25625}" = Citrix online plug-in (DV)
"{E1D4F62A-837D-9488-63E6-07444A4945FF}" = Catalyst Control Center Graphics Full New
"{E40CE517-0D42-4198-96B4-C8232B257EB5}" = Data Lifeguard Diagnostic for Windows
"{E4848436-0345-47E2-B648-8B522FCDA623}" = Adobe Photoshop CS4
"{E49913D6-A707-CC24-D453-E5D07F88D492}" = CCC Help Swedish
"{E51CFC4F-9DCC-9BA2-B601-06F848DD077F}" = Catalyst Control Center Localization All
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F2F6D931-062C-6383-F3D0-5A8BEA32DAEC}" = CCC Help Spanish
"{F6F4DFCB-7DAF-E07F-3673-4B97201452B2}" = ccc-core-preinstall
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FC09B548-11D0-4478-8852-1E449153F30E}" = My First abc's & Spelling
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"{FFF74EC9-1FF4-4456-99E3-4F05129F4FAB}" = Antares Auto-Tune Evo VST
"3448AA55E35CFBCE2DBCEED25E4046660049CDBD" = Windows Driver Package - Amoi Incorporated (INQ1usbser) Ports (01/01/2007 2.0.5.0)
"75F6C4F084A18C2A71179397570DD3BE34BA2679" = Windows Driver Package - Amoi Incorporated (INQ1usbser) Modem (01/01/2007 2.0.5.0)
"8461-7759-5462-8226" = Vuze
"Addictive Drums" = Addictive Drums
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe_faf656ef605427ee2f42989c3ad31b8" = Adobe Photoshop CS4
"All ATI Software" = ATI - Software Uninstall Utility
"ALUpdate_is1" = ALTools Update
"ALZip_is1" = ALZip
"Antares Harmony Engine VST RTAS_is1" = Antares Harmony Engine VST RTAS v1.0
"ARP2600 V" = ARP2600 V
"ATI Display Driver" = ATI Display Driver
"AudioRealism" = AudioRealism Bass Line 2 (remove only)
"Automap Universal ReWire_is1" = Automap ReWire 1.0
"AVG" = AVG 2011
"CitrixOnlinePluginPackWeb" = Citrix online plug-in - web
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"Comical_is1" = Comical 0.8
"conduitEngine" = Conduit Engine
"dBpoweramp [Arrange Audio] Codec" = dBpoweramp [Arrange Audio] Codec
"dBpoweramp [Audio Info] Codec" = dBpoweramp [Audio Info] Codec
"dBpoweramp [Channel Split] Codec" = dBpoweramp [Channel Split] Codec
"dBpoweramp [ID Tag Update] Codec" = dBpoweramp [ID Tag Update] Codec
"dBpoweramp [Length Split] Codec" = dBpoweramp [Length Split] Codec
"dBpoweramp [Multi Encoder] Codec" = dBpoweramp [Multi Encoder] Codec
"dBpoweramp [ReplayGain] Codec" = dBpoweramp [ReplayGain] Codec
"dBpoweramp [Tag From Filename] Codec" = dBpoweramp [Tag From Filename] Codec
"dBpoweramp DSP Effects" = dBpoweramp DSP Effects
"dBpoweramp m4a Codec" = dBpoweramp m4a Codec
"dBpoweramp Music Converter" = dBpoweramp Music Converter
"dBpoweramp Windows Media Audio 10 Codec" = dBpoweramp Windows Media Audio 10 Codec
"Devine Machine Lucifer_is1" = Devine Machine Lucifer VST v2.1
"D-i-v-X - AVI Codec Pack Pro" = D-i-v-X AVI Codec Pack Pro 2.4.0
"EMS Synthi A-vs DEMO" = EMS Synthi A-vs DEMO 1.0
"FabFilter Simplon_is1" = FabFilter Simplon VST RTAS v1.01
"FabFilter Volcano VST RTAS_is1" = FabFilter Volcano VST RTAS v2.02
"Free Convert XVID DIVX MP4 VOB FLV MOV Converter_is1" = Free Convert XVID DIVX MP4 VOB FLV MOV Converter 5.8
"Guitar Pro 5_is1" = Guitar Pro 5.0
"HitmanPro35" = Hitman Pro 3.5
"ie8" = Windows Internet Explorer 8
"JAIELangPack" = Japanese Language Support
"KLiteCodecPack_is1" = K-Lite Codec Pack 4.0.0 (Full)
"Line 6 Edit" = Line 6 Edit (remove only)
"Line 6 Uninstaller" = Line 6 Uninstaller
"Live 8.0.4" = Live 8.0.4
"Live 8.0.6" = Live 8.0.6
"Live 8.2" = Live 8.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 4.0.1 (x86 en-GB)" = Mozilla Firefox 4.0.1 (x86 en-GB)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"Native Instruments Controller Editor" = Native Instruments Controller Editor
"Native Instruments FM8 v1.0.1.002 VSTi DXi RTAS" = Native Instruments FM8 v1.0.1.002 VSTi DXi RTAS
"Native Instruments Guitar Rig 4" = Native Instruments Guitar Rig 4
"Native Instruments Reaktor 5.1.1" = N.I. Reaktor v5.1.1
"Native Instruments Service Center" = Native Instruments Service Center
"Novation USB Audio Driver_is1" = Novation USB Audio Driver 1.9b1
"Ohmicide VST" = Ohm Force - Ohmicide VST
"PHONICS" = Jump Ahead Phonics 2000
"PowerISO" = PowerISO
"PSP 84 v1.0" = PSP 84 v1.0
"PSP Audioware MasterQ DX VST v1.0" = PSP Audioware MasterQ DX VST v1.0
"PSP VintageWarmer v1.5d" = PSP VintageWarmer v1.5d
"PSP_Nitro" = PSP Nitro VST and DX 1.0
"Reader Rabbit Kindergarten" = Reader Rabbit Kindergarten
"Reason4_is1" = Reason 4.0
"rgc:audio z3ta+ VSTi_is1" = rgc:audio z3ta+ VSTi v1.4
"Rob Papen Albino 3" = Rob Papen Albino 3
"Rob Papen BLUE Version 1.7.0_is1" = Rob Papen BLUE Version 1.7.0
"Sonic Charge µTonic VST" = Sonic Charge µTonic VST
"Sony Inflator RTAS v1.0" = Sony Inflator RTAS v1.0
"Soulseek2" = SoulSeek 157 NS 13e
"USB_AUDIO_DEusb-audio.deTascam" = US-122L / US-144 driver
"VLC media player" = VideoLAN VLC media player 0.8.6i
"VN_VUIns_Rhine_D-Link" = D-Link PCI Fast Ethernet Adapter
"Vuze_Remote Toolbar" = Vuze_Remote Toolbar
"Waves Diamond Bundle 4.05" = Waves Diamond Bundle 4.05
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Zero-G Sounds of the 70s" = Zero-G Sounds of the 70s
"楽天ツールバー" = 楽天ツールバー

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"The Echo Nest BPM Explorer" = The Echo Nest BPM Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 27/05/2011 10:13:10 AM | Computer Name = USER-DE12537D5A | Source = Application Error | ID = 1000
Description = Faulting application services.exe, version 5.1.2600.5755, faulting
module cryptui.dll, version 5.131.2600.5512, fault address 0x000128e3.

Error - 27/05/2011 10:15:50 AM | Computer Name = USER-DE12537D5A | Source = Application Error | ID = 1004
Description = Faulting application services.exe, version 5.1.2600.5755, faulting
module cryptui.dll, version 5.131.2600.5512, fault address 0x000128e3.

Error - 27/05/2011 7:09:29 PM | Computer Name = USER-DE12537D5A | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
chrome.dll, version 12.0.742.68, fault address 0x0000c2a9.

Error - 29/05/2011 4:24:30 AM | Computer Name = USER-DE12537D5A | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module gdiplus.dll, version 5.2.6002.22509, fault address 0x000e04ec.

Error - 29/05/2011 4:24:41 AM | Computer Name = USER-DE12537D5A | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

Error - 29/05/2011 4:26:01 AM | Computer Name = USER-DE12537D5A | Source = Application Hang | ID = 1002
Description = Hanging application chrome.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 29/05/2011 5:35:01 AM | Computer Name = USER-DE12537D5A | Source = MsiInstaller | ID = 1013
Description = Product: AVG 2011 -- Installation cannot be done using this package,
because a higher version of the product is already installed. Please either download
and run the latest installation package or go to Start menu/Control Panel/Programs
and Features (Add or Remove Programs) and run Change action on AVG product.

Error - 29/05/2011 5:38:06 AM | Computer Name = USER-DE12537D5A | Source = MsiInstaller | ID = 1013
Description = Product: AVG 2011 -- Installation cannot be done using this package,
because a higher version of the product is already installed. Please either download
and run the latest installation package or go to Start menu/Control Panel/Programs
and Features (Add or Remove Programs) and run Change action on AVG product.

Error - 29/05/2011 5:41:23 AM | Computer Name = USER-DE12537D5A | Source = MsiInstaller | ID = 11921
Description = SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- Error
1921. SA_Error1921: StandardAction(0xC0070781): Service 'AVGIDSAgent' (AVGIDSAgent)
could not be stopped. Verify that you have sufficient privileges to stop system
services.

Error - 29/05/2011 5:43:44 AM | Computer Name = USER-DE12537D5A | Source = MsiInstaller | ID = 1013
Description = Product: AVG 2011 -- Installation cannot be done using this package,
because a higher version of the product is already installed. Please either download
and run the latest installation package or go to Start menu/Control Panel/Programs
and Features (Add or Remove Programs) and run Change action on AVG product.

[ System Events ]
Error - 31/05/2011 12:53:22 AM | Computer Name = USER-DE12537D5A | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 31/05/2011 1:26:19 AM | Computer Name = USER-DE12537D5A | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 31/05/2011 1:26:19 AM | Computer Name = USER-DE12537D5A | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 31/05/2011 1:26:19 AM | Computer Name = USER-DE12537D5A | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 31/05/2011 1:26:20 AM | Computer Name = USER-DE12537D5A | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 31/05/2011 1:33:30 AM | Computer Name = USER-DE12537D5A | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 31/05/2011 1:33:59 AM | Computer Name = USER-DE12537D5A | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 31/05/2011 1:34:01 AM | Computer Name = USER-DE12537D5A | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 31/05/2011 1:34:01 AM | Computer Name = USER-DE12537D5A | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 31/05/2011 1:34:12 AM | Computer Name = USER-DE12537D5A | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127


< End of report >




Here is the GMER file:


GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-05-31 20:13:43
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3320613AS rev.CC2J
Running: 9j4zolcy.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\kfayrfob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xBA441738]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xBA4417DC]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xBA441878]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xBA441914]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB5A09000, 0x1BDC70, 0xE8000020]
.text afd.sys A8A0D000 7 Bytes [A0, A8, 6A, 00, FF, 73, 0C] {MOV AL, [0xff006aa8]; JAE 0x13}
.text afd.sys A8A0D009 3 Bytes [A8, D5, A0]
.text afd.sys A8A0D00D 118 Bytes [89, 73, 0C, 8B, CF, 8B, 75, ...]
.text afd.sys A8A0D084 35 Bytes [00, C3, 90, 90, 90, 90, 90, ...]
.text afd.sys A8A0D0A9 3 Bytes [AC, D5, A0] {LODSB ; AAD 0xa0}
.text ...
? C:\WINDOWS\System32\drivers\afd.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2656] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002C0010
IAT C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5408] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002C0010

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat A4761D20

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \Driver\Disk \GLOBAL??\ACPI#PNP0303#2&da1a3ff&0 BA1FE8B0

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) BA208000-BA213000 (45056 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:564] BA20D830
Thread System [4:568] BA20D830
Thread System [4:580] BA1FF710
Thread System [4:584] BA1FF710

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@FriendlyName Indeo® video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@FilterData 0x02 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@EncoderType 1

---- EOF - GMER 1.0.15 ----
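
A helper reads the report above by correlating its sections rather than line by line: the unnamed hidden module at BA208000-BA213000, the System threads whose start address (BA20D830) falls inside that range, and the in-memory patches to afd.sys next to GMER's on-disk "suspicious PE modification" warning. The script below is an added example, not GMER's code or anything posted in this thread; it parses the line shapes copied from the log above and reports those correlations, and its regexes are assumed to cover only the formats shown here.

```python
import re

# Lines copied from the GMER report posted above; the parser below is an added
# example, not GMER's own code or anything posted in this thread.
SAMPLE_GMER_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB5A09000, 0x1BDC70, 0xE8000020]
.text afd.sys A8A0D000 7 Bytes [A0, A8, 6A, 00, FF, 73, 0C] {MOV AL, [0xff006aa8]; JAE 0x13}
.text afd.sys A8A0D009 3 Bytes [A8, D5, A0]
.text afd.sys A8A0D00D 118 Bytes [89, 73, 0C, 8B, CF, 8B, 75, ...]
.text afd.sys A8A0D084 35 Bytes [00, C3, 90, 90, 90, 90, 90, ...]
.text afd.sys A8A0D0A9 3 Bytes [AC, D5, A0] {LODSB ; AAD 0xa0}
? C:\WINDOWS\System32\drivers\afd.sys suspicious PE modification

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) BA208000-BA213000 (45056 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:564] BA20D830
Thread System [4:568] BA20D830
Thread System [4:580] BA1FF710
Thread System [4:584] BA1FF710
"""

# Line shapes as printed in the report above (assumed to hold for other
# GMER 1.0.15 reports; other versions may format lines differently).
HIDDEN_MODULE_RE = re.compile(r"^Module .*hidden.*?([0-9A-F]{8})-([0-9A-F]{8})")
THREAD_RE = re.compile(r"^Thread (\S+) \[(\d+):(\d+)\] ([0-9A-F]{8})$")
KERNEL_PATCH_RE = re.compile(r"^\.text (\S+) ([0-9A-F]{8}) (\d+) Bytes")
SUSPICIOUS_PE_RE = re.compile(r"^\? (\S+) suspicious PE modification$")

def parse_gmer(text):
    """Pull hidden modules, threads, kernel .text patches and PE warnings out of a report."""
    f = {"hidden_modules": [], "threads": [], "kernel_patches": [], "suspicious_pe": []}
    for line in text.splitlines():
        line = line.strip()
        if m := HIDDEN_MODULE_RE.match(line):
            f["hidden_modules"].append((int(m[1], 16), int(m[2], 16)))
        elif m := THREAD_RE.match(line):
            f["threads"].append((m[1], int(m[2]), int(m[3]), int(m[4], 16)))
        elif m := KERNEL_PATCH_RE.match(line):
            f["kernel_patches"].append((m[1], int(m[2], 16), int(m[3])))
        elif m := SUSPICIOUS_PE_RE.match(line):
            f["suspicious_pe"].append(m[1])
    return f

def triage(f):
    """Correlate the findings: threads running out of a hidden module plus a patched driver."""
    alerts = []
    for proc, pid, tid, start in f["threads"]:
        for lo, hi in f["hidden_modules"]:
            if lo <= start < hi:  # thread start address lies inside the unnamed hidden code
                alerts.append(f"{proc} thread {pid}:{tid} starts at {start:08X} inside hidden module {lo:08X}-{hi:08X}")
    patched = {}
    for drv, _addr, n in f["kernel_patches"]:  # sum patched bytes per driver
        patched[drv] = patched.get(drv, 0) + n
    for drv, n in sorted(patched.items()):
        alerts.append(f"{drv}: {n} bytes of .text modified in memory")
    for path in f["suspicious_pe"]:
        alerts.append(f"{path}: file on disk altered (suspicious PE modification)")
    return alerts
```

Run on the copied log it reports two System threads (4:564 and 4:568) executing inside the hidden module, 166 patched bytes in afd.sys and the on-disk afd.sys warning, which together are what made the helper treat this as a kernel-mode rootkit rather than a browser add-on.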


#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:11:23 PM

Posted 09 June 2011 - 10:33 AM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Rootkit UnHooker (RkU)
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth Code, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



NEXT:


Running OTL

We need to create a FULL OTL Report
  • Please download OTL from here:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

NEXT:


Please provide an update on how things are running in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 SweetTech

SweetTech

    Agent ST



Posted 11 June 2011 - 09:13 AM

Do you still need help with your machine?

If the instructions are unclear or something isn't working, please let me know before proceeding.



#4 SweetTech

SweetTech

    Agent ST



Posted 12 June 2011 - 12:22 PM

Due to lack of feedback this thread will now be closed. If you still require assistance, and would like to have your thread re-opened, please feel free to send me a Private Message (PM) being sure to include a link to your topic, and I'd be happy to re-open it.

