
Infected with White-listed Trojan horse Agent_r.AQN



#1 Smells like money

Posted 06 January 2012 - 01:18 AM

I am having problems with Google and other search engines redirecting to the following website, get-answers.com, plus other websites, along with opening multiple tabs and opening new windows (browsers). It does not matter whether I use Firefox or IE, same results.

I ran a scan with AVG; it discovered an infection it cannot delete. According to AVG I have a white-listed infection, Trojan horse Agent_r.AQN, in file C:\Windows\System32\Drivers\afd.sys. I looked at the infected file in Windows to see that it has a lock on it, along with other files in the Drivers folder.

I have done the scans requested in the Preparation Guide prior to posting a topic.

Please help an ole' Plumber with very basic computer skills.

#2 Broni (BC Advisor)

Posted 06 January 2012 - 12:21 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

Edited by Broni, 06 January 2012 - 12:21 PM.



#3 Smells like money (Topic Starter)

Posted 06 January 2012 - 10:34 PM

Results of screen317's Security Check version 0.99.24
Windows 7 Service Pack 1 x86 (UAC is enabled)
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
AVG 2012
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 20
Out of date Java installed!
Adobe Flash Player 11.1.102.55
Adobe Reader X (10.1.1)
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````

Edited by Smells like money, 06 January 2012 - 10:35 PM.


#4 Smells like money (Topic Starter)

Posted 06 January 2012 - 10:37 PM

Farbar Service Scanner
Ran by CC (administrator) on 06-01-2012 at 15:20:38
Microsoft Windows 7 Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0


System Restore:
============
VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of wscsvc. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of wscsvc. The value does not exist.
Unable to retrieve ServiceDll of wscsvc. The value does not exist.


Windows Update:
===========

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-08-10 16:52] - [2011-06-20 21:34] - 1290624 ____A (Microsoft Corporation) 04E4A7D53A7ACE02E8C55B17A498F631

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

Edited by Smells like money, 06 January 2012 - 10:38 PM.
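Reading the FSS log above the way a responder would: the firewall service (MpsSvc) and its driver, the Volume Shadow Copy service (VSS) and the Security Center service (wscsvc) are all stopped; the firewall is switched off at the policy level for all three profiles; and wscsvc has no Start, ImagePath or ServiceDll values at all, which means its service key is missing or gutted rather than merely stopped. In the File Check section, "MD5 is legit" means FSS matched the file against its list of known-good hashes; for tcpip.sys it could not, so it printed the file's metadata and hash instead of a verdict (that alone is not proof of tampering, the hash simply needs checking against a clean copy). The script below is an added example, not part of this thread or of the Farbar tool, that pulls exactly those findings out of an FSS log. Its input is a constructed, abridged copy of the log lines posted above; the regexes assume the line formats seen in that log.

```python
"""Triage a Farbar Service Scanner (FSS.txt) log. Added example, not part of the
thread or of the Farbar tool; the line formats assumed are those in the log above."""
import re

# Constructed sample: an abridged copy of the FSS output posted in this thread.
SAMPLE_FSS = r"""
Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0

System Restore:
============
VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.

Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of wscsvc. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of wscsvc. The value does not exist.
Unable to retrieve ServiceDll of wscsvc. The value does not exist.

File Check:
========
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-08-10 16:52] - [2011-06-20 21:34] - 1290624 ____A (Microsoft Corporation) 04E4A7D53A7ACE02E8C55B17A498F631
"""

STOPPED = re.compile(r"^(\S+) Service is not running\.")
MISSING = re.compile(r"Unable to retrieve (start type|ImagePath|ServiceDll) of (\S+)\. The value does not exist\.")
POLICY_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\FirewallPolicy\\(\w+Profile)\]$")
POLICY_VALUE = re.compile(r'^"EnableFirewall"=DWORD:(\d+)$')
FILE_OK = re.compile(r"^([A-Za-z]:\\.+) => MD5 is legit$")
FILE_PATH = re.compile(r"^([A-Za-z]:\\.+)$")            # a path with no verdict on the same line
FILE_META = re.compile(r"^\[[^\]]*\] - \[[^\]]*\] - (\d+) \S+ \((.*)\) ([0-9A-Fa-f]{32})$")


def triage_fss(text):
    """Return the security-relevant findings of one FSS log as a dict of lists."""
    findings = {"stopped_services": [], "missing_service_config": {},
                "firewall_policy_off": [], "unverified_files": []}
    profile = None   # firewall profile whose EnableFirewall value comes on the next line
    path = None      # file path still waiting for a verdict or a metadata line
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := STOPPED.match(line):
            findings["stopped_services"].append(m.group(1))
        elif m := MISSING.search(line):
            findings["missing_service_config"].setdefault(m.group(2), []).append(m.group(1))
        elif m := POLICY_KEY.match(line):
            profile = m.group(1)
        elif (m := POLICY_VALUE.match(line)) and profile:
            if m.group(1) == "0":                 # DWORD:0 = firewall disabled for that profile
                findings["firewall_policy_off"].append(profile)
            profile = None
        elif FILE_OK.match(line):
            path = None                           # hash matched the tool's known-good list
        elif (m := FILE_META.match(line)) and path:
            findings["unverified_files"].append({"path": path, "size": int(m.group(1)),
                                                 "company": m.group(2), "md5": m.group(3).upper()})
            path = None
        elif m := FILE_PATH.match(line):
            path = m.group(1)                     # metadata for this file follows on the next line
    return findings


def report(findings):
    """Render the findings one per line, worst first."""
    lines = []
    for svc, values in findings["missing_service_config"].items():
        lines.append(f"CRITICAL {svc}: service registry values missing ({', '.join(values)}); "
                     "the service key is gone or gutted, not merely stopped")
    if findings["firewall_policy_off"]:
        lines.append("HIGH firewall disabled by policy for: " + ", ".join(findings["firewall_policy_off"]))
    for svc in findings["stopped_services"]:
        if svc not in findings["missing_service_config"]:
            lines.append(f"MEDIUM {svc}: not running")
    for f in findings["unverified_files"]:
        lines.append(f"CHECK {f['path']}: MD5 {f['md5']} not in the tool's known-good list "
                     f"({f['company']}, {f['size']} bytes); compare against a clean copy")
    return lines


if __name__ == "__main__":
    for line in report(triage_fss(SAMPLE_FSS)):
        print(line)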


#5 Smells like money (Topic Starter)

Posted 06 January 2012 - 10:38 PM

MiniToolBox by Farbar
Ran by CC (administrator) on 06-01-2012 at 15:23:03
Microsoft Windows 7 Home Premium Service Pack 1 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

Hosts file not detected in the default directory
========================= IP Configuration: ================================

NVIDIA nForce 10/100/1000 Mbps Ethernet = Local Area Connection (Connected)
The following helper DLL cannot be loaded: WSHELPER.DLL.


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Home
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : web-ster.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : web-ster.com
Description . . . . . . . . . . . : NVIDIA nForce 10/100/1000 Mbps Ethernet
Physical Address. . . . . . . . . : 00-1F-16-F6-AF-E0
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d58e:e351:3461:5fe4%9(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.101(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, January 06, 2012 3:13:48 PM
Lease Expires . . . . . . . . . . : Saturday, January 07, 2012 3:13:48 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 234888982
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0C-BD-EE-57-00-1F-16-F6-AF-E0
DNS Servers . . . . . . . . . . . : 65.182.224.40
65.182.224.50
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.web-ster.com:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Pinging google.com [74.125.53.147] with 32 bytes of data:
Reply from 74.125.53.147: bytes=32 time=35ms TTL=56
Reply from 74.125.53.147: bytes=32 time=34ms TTL=56

Ping statistics for 74.125.53.147:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 34ms, Maximum = 35ms, Average = 34ms

Pinging yahoo.com [98.137.149.56] with 32 bytes of data:
Reply from 98.137.149.56: bytes=32 time=80ms TTL=55
Reply from 98.137.149.56: bytes=32 time=50ms TTL=55

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 50ms, Maximum = 80ms, Average = 65ms

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
9...00 1f 16 f6 af e0 ......NVIDIA nForce 10/100/1000 Mbps Ethernet
1...........................Software Loopback Interface 1
10...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.101 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.101 276
192.168.1.101 255.255.255.255 On-link 192.168.1.101 276
192.168.1.255 255.255.255.255 On-link 192.168.1.101 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.101 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.101 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
9 276 fe80::/64 On-link
9 276 fe80::d58e:e351:3461:5fe4/128
On-link
1 306 ff00::/8 On-link
9 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 C:\Windows\system32\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 06 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 07 mswsock.dll [File Not found] ()
Catalog5 08 C:\Windows\System32\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 09 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 mswsock.dll [File Not found] ()
Catalog9 12 mswsock.dll [File Not found] ()
Catalog9 13 mswsock.dll [File Not found] ()
Catalog9 14 mswsock.dll [File Not found] ()
Catalog9 15 mswsock.dll [File Not found] ()
Catalog9 16 mswsock.dll [File Not found] ()
Catalog9 17 mswsock.dll [File Not found] ()
Catalog9 18 mswsock.dll [File Not found] ()
Catalog9 19 mswsock.dll [File Not found] ()
Catalog9 20 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/06/2012 03:03:06 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (01/06/2012 03:01:46 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (01/06/2012 03:01:40 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (01/06/2012 03:01:33 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (01/06/2012 03:01:18 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (01/06/2012 02:16:09 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/05/2012 06:03:12 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/05/2012 01:01:29 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (01/05/2012 01:01:29 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (01/05/2012 01:01:29 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.


System errors:
=============
Error: (01/06/2012 03:13:51 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (01/06/2012 03:13:48 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (01/06/2012 03:13:47 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (01/06/2012 02:43:35 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (01/06/2012 02:43:22 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (01/06/2012 02:43:22 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (01/06/2012 02:43:21 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (01/06/2012 02:43:19 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (01/06/2012 02:16:45 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
babgjy

Error: (01/06/2012 02:16:45 PM) (Source: Service Control Manager) (User: )
Description: The HP CUE DeviceDiscovery Service service hung on starting.


Microsoft Office Sessions:
=========================
Error: (01/06/2012 03:03:06 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\PDF995\res\drivedir\copy64.exe

Error: (01/06/2012 03:01:46 PM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\eDS_CCPSD.exe

Error: (01/06/2012 03:01:40 PM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\eDSLoader.exe

Error: (01/06/2012 03:01:33 PM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\eDStbmngr.exe

Error: (01/06/2012 03:01:18 PM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\eDScsp.exe

Error: (01/06/2012 02:16:09 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/05/2012 06:03:12 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/05/2012 01:01:29 PM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"c:\program files\Acer\empowering technology\edatasecurity\x64\eDS_CCPSD.exe

Error: (01/05/2012 01:01:29 PM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"c:\program files\Acer\empowering technology\edatasecurity\x64\eDStbmngr.exe

Error: (01/05/2012 01:01:29 PM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"c:\program files\Acer\empowering technology\edatasecurity\x64\eDSLoader.exe


=========================== Installed Programs ============================

32 Bit HP CIO Components Installer (Version: 1.0.0)
32 Bit HP CIO Components Installer (Version: 1.1.0)
4500_Help (Version: 1.00.0000)
Acer Arcade Live Main Page (Version: 1.1.1819 SP1901)
Acer Assist
Acer DV Magician (Version: 1.5.1730)
Acer DVDivine (Version: 3.2.1730)
Acer eDataSecurity Management (Version: 3.0.3065)
Acer Empowering Technology (Version: 3.0.3016)
Acer HomeMedia (Version: 1.5.0530 SP3001)
Acer HomeMedia Connect (Version: 1.4.5330 SP3001)
Acer HomeMedia Trial Creator (Version: 1.5.0530 SP3001)
Acer Registration
Acer ScreenSaver (Version: 4.01.0718)
Acer SlideShow DVD (Version: 1.5.1730)
Acer VideoMagician (Version: 1.4.2203)
Adobe AIR (Version: 3.1.0.4880)
Adobe Flash Player 11 ActiveX (Version: 11.1.102.55)
Adobe Flash Player 11 Plugin (Version: 11.1.102.55)
Adobe Reader X (10.1.1) (Version: 10.1.1)
Agere Systems PCI-SV92EX Soft Modem
Akamai NetSession Interface Service
Alice Greenfingers
Alien Shooter
AnswerWorks Runtime
Apple Application Support (Version: 1.5.2)
Apple Mobile Device Support (Version: 3.4.1.2)
Apple Software Update (Version: 2.1.3.127)
ArcSoft MediaImpression (Version: 1.2.33.353)
ArcSoft PhotoImpression 5
ArcSoft VideoImpression 2
AV Input Selection (Version: 1.02.0047)
AVG 2012 (Version: 12.0.1901)
AVG 2012 (Version: 12.0.2109)
AVG 2012 (Version: 2012.0.1901)
AviSynth 2.5
Bonjour (Version: 3.0.0.2)
Bookworm Adventures
BPD_HPSU (Version: 1.00.0000)
bpd_scan (Version: 3.00.0000)
BPDSoftware (Version: 50.0.165.000)
BPDSoftware_Ini (Version: 1.00.0000)
BufferChm (Version: 100.0.170.000)
C:\Program Files\Acer GameZone\GameConsole (Version: 2.0.1.4)
Chicken Invaders 2
Compatibility Pack for the 2007 Office system (Version: 12.0.6514.5001)
Corel Applications
CustomerResearchQFolder (Version: 1.00.0000)
D3DX10 (Version: 15.4.2368.0902)
Destination Component (Version: 100.0.0.0)
DeviceDiscovery (Version: 100.0.190.000)
DeviceManagementQFolder (Version: 1.00.0000)
DocMgr (Version: 100.0.201.000)
DocProc (Version: 10.0.0.0)
DocProcQFolder (Version: 1.00.0000)
Dream Day First Home
DriveImage XML (Private Edition) (Version: 2.30)
eSupportQFolder (Version: 1.00.0000)
Fax (Version: 100.0.187.000)
Free Studio version 5.1.4
Galapago
Go-Go Gourmet
GPBaseService (Version: 100.0.187.000)
H&R Block Deluxe + Efile + State 2009 (Version: 09.04.6901)
H&R Block Oregon 2009 (Version: 1.09.4001)
H&R Block Oregon 2010 (Version: 1.10.2801)
H&R Block Premium + Efile + State 2010 (Version: 10.06.6402)
Haali Media Splitter
Heroes of Hellas
HP Customer Participation Program 10.0 (Version: 10.0)
HP Document Manager 1.0 (Version: 1.0)
HP Imaging Device Functions 10.0 (Version: 10.0)
HP Officejet J4500 Series (Version: 1.0)
HP Photosmart Essential 2.5 (Version: 1.02.0000)
HP Photosmart Essential 2.5 (Version: 2.5)
HP Smart Web Printing (Version: 3.5)
HP Solution Center 10.0 (Version: 10.0)
HP Update (Version: 4.000.007.003)
HPProductAssistant (Version: 100.0.170.000)
IncrediMail (Version: 6.2.9.5079)
IncrediMail 2.0 (Version: 6.2.9.5079)
IncrediMail MediaBar 2 Toolbar (Version: 6.3.30.0)
Internet TV for Windows Media Center (Version: 4.2.2.0)
iTunes (Version: 10.4.1.10)
J4500 (Version: 50.0.165.000)
Java Auto Updater (Version: 2.0.2.1)
Java™ 6 Update 20 (Version: 6.0.200)
Junk Mail filter update (Version: 15.4.3502.0922)
LSI PCI-SV92EX Soft Modem (Version: 2.2.100)
Magic Farm
Magic Match Adventures
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
MarketResearch (Version: 100.0.170.000)
Mesh Runtime (Version: 15.4.5722.2)
Messenger Companion (Version: 15.4.3502.0922)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office FrontPage 2003 (Version: 11.0.8173.0)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Picture It! Photo 2002 (Version: 6.0.0.0000)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft_VC80_ATL_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_CRT_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFC_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFCLOC_x86 (Version: 8.0.50727.4053)
Microsoft_VC90_ATL_x86 (Version: 1.00.0000)
Microsoft_VC90_CRT_x86 (Version: 1.00.0000)
Microsoft_VC90_MFC_x86 (Version: 1.00.0000)
Microsoft_VC90_MFCLOC_x86 (Version: 1.00.0000)
Middle School Advantage 2000
Mozilla Firefox 8.0.1 (x86 en-US) (Version: 8.0.1)
MSVCRT (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Mystery Solitaire - Secret Island
Netflix in Windows Media Center (Version: 3.3.101.0)
NTI Backup Now 5 (Version: 5.1.2.616)
NTI Backup Now Standard (Version: 5.1.2.616)
NTI Media Maker 8 (Version: 8.0.2.6509)
NVIDIA Drivers (Version: 1.10.62.40)
NVIDIA ForceWare Network Access Manager (Version: 1.00.6776)
OCR Software by I.R.I.S. 10.0 (Version: 10.0)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
Origin (Version: 8.2.1.458)
Pdf995 (installed by H&R Block)
PdfEdit995 (installed by H&R Block)
Photo Notifier and Animation Creator (Version: 1.0.0.1009)
PhotoMail Maker (Version: 6.0.0.1007)
PlayReady PC runtime (Version: 1)
ProductContext (Version: 50.0.165.000)
PSSWCORE (Version: 2.02.0000)
PVSonyDll (Version: 1.00.0001)
QuickTime (Version: 7.70.80.34)
RAW Image Viewer
ReaConverter 6.0 Pro
Realtek High Definition Audio Driver (Version: 6.0.1.5888)
SAMSUNG USB Driver for Mobile Phones (Version: 1.3.550.0)
Scan (Version: 10.1.0.0)
SmartWebPrintingOC (Version: 100.0.189.000)
SolutionCenter (Version: 100.0.175.000)
SPCA1528 PC Driver (Version: 2.2.2.0)
Status (Version: 100.0.175.000)
swMSM (Version: 12.0.0.1)
Toolbox (Version: 100.0.170.000)
TrayApp (Version: 100.0.170.000)
Upgrade Kit (Version: 1.00.3002)
VBA (2720) (Version: 6.01.00.1234)
Verizon Wireless Software Upgrade Assistant - SAMSUNG (TL-PC) (Version: 1.11.0602)
Verizon Wireless Software Upgrade Assistant - Samsung (Version: 1.11.0808)
VideoToolkit01 (Version: 100.0.128.000)
WebReg (Version: 100.0.170.000)
Windows 7 Upgrade Advisor (Version: 2.0.5000.0)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3508.1109)
Windows Live Family Safety (Version: 15.4.3502.0922)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Mesh (Version: 15.4.3502.0922)
Windows Live Mesh ActiveX Control for Remote Connections (Version: 15.4.5722.2)
Windows Live Messenger (Version: 15.4.3502.0922)
Windows Live Messenger Companion Core (Version: 15.4.3502.0922)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live Remote Client (Version: 15.4.5722.2)
Windows Live Remote Client Resources (Version: 15.4.5722.2)
Windows Live Remote Service (Version: 15.4.5722.2)
Windows Live Remote Service Resources (Version: 15.4.5722.2)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live Sync (Version: 14.0.8089.726)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)

========================= Memory info: ===================================

Percentage of memory in use: 62%
Total physical RAM: 2814.55 MB
Available physical RAM: 1044.48 MB
Total Pagefile: 5629.1 MB
Available Pagefile: 3832.95 MB
Total Virtual: 2047.88 MB
Available Virtual: 1933.1 MB

========================= Partitions: =====================================

1 Drive c: (ACER) (Fixed) (Total:141.04 GB) (Free:95 GB) NTFS
2 Drive d: (DATA) (Fixed) (Total:141.04 GB) (Free:140.69 GB) NTFS

========================= Users: ========================================

User accounts for \\HOME

Administrator CC Guest
Mcx1-HOME


**** End of log ****

#6 Smells like money

Smells like money
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:Oregon

Posted 06 January 2012 - 10:42 PM

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.06.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
CC :: HOME [administrator]

1/6/2012 4:09:22 PM
mbam-log-2012-01-06 (16-09-22).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 272330
Time elapsed: 11 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Edited by Smells like money, 06 January 2012 - 10:44 PM.


#7 Smells like money

Smells like money
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:Oregon

Posted 06 January 2012 - 10:43 PM

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-06 18:42:53
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\00000065 Hitachi_ rev.ST2O
Running: 2xl4t4mg.exe; Driver: C:\Users\CC\AppData\Local\Temp\ugtdipow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA1D51F3C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA1D51FE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA1D52080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA1D5211C]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 83494349 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 834CDD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 139F 834D5054 4 Bytes [3C, 1F, D5, A1] {CMP AL, 0x1f; AAD 0xa1}
.text ntkrnlpa.exe!KeRemoveQueueEx + 166F 834D5324 8 Bytes [E4, 1F, D5, A1, 80, 20, D5, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 16E3 834D5398 4 Bytes [1C, 21, D5, A1] {SBB AL, 0x21; AAD 0xa1}
.text afd.sys!qh_hgd_YTT__DIMKKlwwnbhzbTIHZ__QggccbsO 9113E000 55 Bytes [90, 90, 90, 90, 90, FF, 15, ...]
.text afd.sys!qh_hgd_YTT__DIMKKlwwnbhzbTIHZ__QggccbsO + 38 9113E038 89 Bytes [6A, 00, 6A, 0A, 52, 50, E8, ...]
.text afd.sys!qh_hgd_YTT__DIMKKlwwnbhzbTIHZ__QggccbsO + 92 9113E092 78 Bytes [89, 75, F0, C7, 45, F4, F4, ...]
.text afd.sys!qh_hgd_YTT__DIMKKlwwnbhzbTIHZ__QggccbsO + E1 9113E0E1 181 Bytes [74, 10, 8D, B8, 6C, FF, FF, ...]
.text afd.sys!qh_hgd_YTT__DIMKKlwwnbhzbTIHZ__QggccbsO + 197 9113E197 57 Bytes [77, 08, 74, 18, 8D, 4D, E0, ...]
.text afd.sys!mbccs__e + 13 9113E1D1 146 Bytes CALL 91140861 \SystemRoot\system32\drivers\afd.sys (Ancillary Function Driver for WinSock/Microsoft Corporation)
.text afd.sys!mbccs__e + A6 9113E264 182 Bytes [70, E2, 14, 91, FF, 75, F4, ...]
.text afd.sys!mbccs__e + 15D 9113E31B 235 Bytes [10, 2B, E0, 53, 56, 57, A1, ...]
.text afd.sys!ZBYNM_OZM_X__L_y_wglyih_ztkd__q_KQg_ + 3F 9113E407 434 Bytes [2C, C3, 14, 91, 84, C0, 75, ...]
.text afd.sys!xaxcxxlcnia + 7 9113E5BA 41 Bytes [FF, 76, 20, FF, 46, 10, FF, ...]
.text afd.sys!xaxcxxlcnia + 31 9113E5E4 289 Bytes [41, 08, 72, 0B, FF, 75, 0C, ...]
.text afd.sys!xaxcxxlcnia + 153 9113E706 132 Bytes [5B, C3, 8B, 4C, 24, 04, F7, ...]
.text afd.sys!HEJ_YBVR_SYae_i__dcenvz__QTIXrkQ____TJUq_z_imf_bt + C 9113E78B 3 Bytes CALL 9114650B \SystemRoot\system32\drivers\afd.sys (Ancillary Function Driver for WinSock/Microsoft Corporation)
.text afd.sys!HEJ_YBVR_SYae_i__dcenvz__QTIXrkQ____TJUq_z_imf_bt + 10 9113E78F 184 Bytes [C0, 33, DB, 33, C9, 33, D2, ...]
.text afd.sys!HEJ_YBVR_SYae_i__dcenvz__QTIXrkQ____TJUq_z_imf_bt + C9 9113E848 191 Bytes [83, F8, 12, 73, 0F, 8B, 04, ...]
.text afd.sys!HEJ_YBVR_SYae_i__dcenvz__QTIXrkQ____TJUq_z_imf_bt + 189 9113E908 112 Bytes [00, 90, 90, 90, 90, 90, 8B, ...]
.text afd.sys!HEJ_YBVR_SYae_i__dcenvz__QTIXrkQ____TJUq_z_imf_bt + 1FA 9113E979 99 Bytes [14, 91, FF, 76, 18, E8, 75, ...]
.text afd.sys!ajvmwqa_PMTBGP_UjuHJbsmyxXFQbv_tNERMBX_xg + 5D 9113E9DD 97 Bytes [83, 3D, 9C, E3, 14, 91, 00, ...]
.text afd.sys!ajvmwqa_PMTBGP_UjuHJbsmyxXFQbv_tNERMBX_xg + BF 9113EA3F 235 Bytes CALL 91146A5B \SystemRoot\system32\drivers\afd.sys (Ancillary Function Driver for WinSock/Microsoft Corporation)
.text afd.sys!ajvmwqa_PMTBGP_UjuHJbsmyxXFQbv_tNERMBX_xg + 1AB 9113EB2B 311 Bytes [33, C5, 89, 45, FC, 83, 3D, ...]
.text afd.sys!Iwab_d_i__ksf__EP_Mjnbav_ltzxkruXOXutfS_Q_MHf + F8 9113EC63 110 Bytes [33, C5, 89, 45, FC, 8B, 4D, ...]
.text afd.sys!Iwab_d_i__ksf__EP_Mjnbav_ltzxkruXOXutfS_Q_MHf + 167 9113ECD2 95 Bytes [8D, 85, 60, FF, FF, FF, 89, ...]
.text afd.sys!Iwab_d_i__ksf__EP_Mjnbav_ltzxkruXOXutfS_Q_MHf + 1C7 9113ED32 481 Bytes [FF, FF, FF, 89, 95, 08, FF, ...]
.text afd.sys!Q_Q_YY_WJEO_UWbexo_uWXCLOIMGS + 1C8 9113EF14 58 Bytes [91, 8B, 4D, FC, 5F, 5E, 33, ...]
.text afd.sys!Q_Q_YY_WJEO_UWbexo_uWXCLOIMGS + 203 9113EF4F 16 Bytes [E8, FF, 15, 28, C3, 14, 91, ...]
.text afd.sys!Q_Q_YY_WJEO_UWbexo_uWXCLOIMGS + 214 9113EF60 37 Bytes [02, 00, 00, 75, 52, F6, 46, ...]
.text afd.sys!Q_Q_YY_WJEO_UWbexo_uWXCLOIMGS + 23A 9113EF86 1 Byte [10]
.text afd.sys!Q_Q_YY_WJEO_UWbexo_uWXCLOIMGS + 23A 9113EF86 86 Bytes [10, 00, 00, 8D, 4D, E8, FF, ...]
.text ...
.text afd.sys!yqzhMVK_ZG_M_N_qq_rfxDVWCwjF + 47 9113F278 115 Bytes [8D, 4D, E8, FF, 15, 24, C3, ...]
.text afd.sys!yqzhMVK_ZG_M_N_qq_rfxDVWCwjF + BB 9113F2EC 248 Bytes [73, 18, 03, C8, 51, FF, 15, ...]
.text afd.sys!yqzhMVK_ZG_M_N_qq_rfxDVWCwjF + 1B4 9113F3E5 28 Bytes [1C, FF, 73, 0C, FF, 73, 10, ...]
.text afd.sys!EjqnrFijtRQ_SEsv_fqIcaxfBKJG_i_d_abao_idi_gclze_xk + F 9113F402 88 Bytes [12, E0, 14, 91, 8B, 4D, FC, ...]
.text afd.sys!EjqnrFijtRQ_SEsv_fqIcaxfBKJG_i_d_abao_idi_gclze_xk + 68 9113F45B 84 Bytes [EB, 0B, 83, E8, 24, 33, C9, ...]
.text afd.sys!EjqnrFijtRQ_SEsv_fqIcaxfBKJG_i_d_abao_idi_gclze_xk + BD 9113F4B0 157 Bytes [48, 1C, 89, 78, 20, C6, 40, ...]
.text afd.sys!EjqnrFijtRQ_SEsv_fqIcaxfBKJG_i_d_abao_idi_gclze_xk + 15B 9113F54E 11 Bytes [56, 8B, 75, 28, 57, 33, D2, ...]
.text afd.sys!EjqnrFijtRQ_SEsv_fqIcaxfBKJG_i_d_abao_idi_gclze_xk + 167 9113F55A 94 Bytes [E0, AB, AB, AB, 33, C0, 89, ...]
.text afd.sys!GHYM_Hfi_jPX__DFj + 5 9113F5B9 53 Bytes [50, 68, F8, CF, 14, 91, FF, ...]
.text afd.sys!GHYM_Hfi_jPX__DFj + 3B 9113F5EF 154 Bytes [FF, 35, 04, E4, 14, 91, FF, ...]
.text afd.sys!GHYM_Hfi_jPX__DFj + D6 9113F68A 197 Bytes [85, DB, 74, 0C, B8, D1, AF, ...]
.text afd.sys!GHYM_Hfi_jPX__DFj + 19C 9113F750 156 Bytes [00, 8B, 4D, FC, 33, CD, E8, ...]
.text afd.sys!FBNXwlila_e__moBg_f_ze_rhb___idyje__ + 23 9113F7ED 9 Bytes [8D, 45, EC, 50, 68, F8, CF, ...] {LEA EAX, [EBP-0x14]; PUSH EAX; PUSH 0x9114cff8}
.text afd.sys!FBNXwlila_e__moBg_f_ze_rhb___idyje__ + 2D 9113F7F7 339 Bytes [35, 04, E4, 14, 91, FF, 35, ...]
.text afd.sys!FBNXwlila_e__moBg_f_ze_rhb___idyje__ + 181 9113F94B 350 Bytes [91, 00, 75, 09, A1, 08, E4, ...]
.text afd.sys!pjr__FF_ + 126 9113FAAA 21 Bytes [33, C9, 39, 0D, 9C, E3, 14, ...]
.text afd.sys!pjr__FF_ + 13C 9113FAC0 142 Bytes [E8, 09, 24, 01, 88, 45, C0, ...]
.text afd.sys!pjr__FF_ + 1CB 9113FB4F 83 Bytes [66, 39, 03, 0F, 95, C1, 41, ...]
.text afd.sys!pjr__FF_ + 21F 9113FBA3 13 Bytes [3D, 9C, E3, 14, 91, 00, 75, ...] {CMP EAX, 0x9114e39c; ADD [EBP+0x9], DH; MOV EAX, [0x9114e408]}
.text afd.sys!pjr__FF_ + 22D 9113FBB1 50 Bytes [C0, 74, 30, 83, 7D, 08, 01, ...]
.text ...
.text afd.sys!NXVCDf_f + D 9114116F 59 Bytes [9C, E3, 14, 91, 75, 09, A1, ...]
.text afd.sys!NXVCDf_f + 49 911411AB 54 Bytes [8D, 45, EC, 50, 68, F8, CF, ...]
.text afd.sys!NXVCDf_f + 80 911411E2 2 Bytes [14, 91] {ADC AL, 0x91}
.text afd.sys!NXVCDf_f + 83 911411E5 15 Bytes [35, 04, E4, 14, 91, FF, 35, ...]
.text afd.sys!NXVCDf_f + 93 911411F5 16 Bytes [33, C9, 39, 0D, 9C, E3, 14, ...] {XOR ECX, ECX; CMP [0x9114e39c], ECX; JZ 0x6b; PUSH ESI; MOV ESI, 0x9114c448}
.text ...
.text afd.sys!zp_DNV_SAR__FZR + 23 9114136C 35 Bytes [C2, EB, 02, 33, C0, 51, FF, ...]
.text afd.sys!zp_DNV_SAR__FZR + 47 91141390 159 Bytes [02, 88, 45, F0, 8D, 45, EC, ...]
.text afd.sys!zp_DNV_SAR__FZR + E7 91141430 140 Bytes [89, 85, 00, FF, FF, FF, 8D, ...]
.text afd.sys!zp_DNV_SAR__FZR + 174 911414BD 498 Bytes [0F, B7, 03, EB, 0C, 3B, DE, ...]
.text afd.sys!zp_DNV_SAR__FZR + 367 911416B0 179 Bytes [D2, 89, 55, DC, 8D, 7D, E0, ...]
.text ...
? C:\Windows\system32\drivers\afd.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1200] ntdll.dll!NtProtectVirtualMemory 77815F18 5 Bytes JMP 0093000A
.text C:\Windows\system32\svchost.exe[1200] ntdll.dll!NtWriteVirtualMemory 77816A98 5 Bytes JMP 0094000A
.text C:\Windows\system32\svchost.exe[1200] ntdll.dll!KiUserExceptionDispatcher 77817008 5 Bytes JMP 0092000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4564] ntdll.dll!LdrLoadDll 778322B8 5 Bytes JMP 627E3690 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\Explorer.EXE [KERNEL32.dll!GetProcAddress] [7502FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73C02437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73BE5600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73BE56BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73C024B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73BF8514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73BF4CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73BF506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73BF5144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73BF6671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73BF826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73BF87BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73BF901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73BFE1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73BF4BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7502FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7502FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7502FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001D90] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [100027E0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7502FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [100011D0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free] [662D11EB] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [7502FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [7502FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1916] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [7502FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) 9111E000-9113D000 (126976 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{05461635-39B0-CDCC-CB02-9CA890929444}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{05461635-39B0-CDCC-CB02-9CA890929444}@hannmjciegifjhab 0x6A 0x61 0x65 0x6A ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{05461635-39B0-CDCC-CB02-9CA890929444}@ialnjpcgjofehkflfg 0x6A 0x61 0x65 0x6A ...

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB48032$\1674958965 0 bytes
File C:\Windows\$NtUninstallKB48032$\1674958965\@ 2048 bytes
File C:\Windows\$NtUninstallKB48032$\1674958965\bckfg.tmp 870 bytes
File C:\Windows\$NtUninstallKB48032$\1674958965\cfg.ini 558 bytes
File C:\Windows\$NtUninstallKB48032$\1674958965\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB48032$\1674958965\keywords 282 bytes
File C:\Windows\$NtUninstallKB48032$\1674958965\kwrd.dll 223744 bytes
File C:\Windows\$NtUninstallKB48032$\1674958965\L 0 bytes
File C:\Windows\$NtUninstallKB48032$\1674958965\L\ozesnhow 338944 bytes
File C:\Windows\$NtUninstallKB48032$\1674958965\lsflt7.ver 5176 bytes
File C:\Windows\$NtUninstallKB48032$\1674958965\U 0 bytes
File C:\Windows\$NtUninstallKB48032$\1674958965\U\00000001.@ 2048 bytes
File C:\Windows\$NtUninstallKB48032$\1674958965\U\00000002.@ 224768 bytes
File C:\Windows\$NtUninstallKB48032$\1674958965\U\00000004.@ 1024 bytes
File C:\Windows\$NtUninstallKB48032$\1674958965\U\80000000.@ 11264 bytes
File C:\Windows\$NtUninstallKB48032$\1674958965\U\80000004.@ 12800 bytes
File C:\Windows\$NtUninstallKB48032$\1674958965\U\80000032.@ 77312 bytes
File C:\Windows\$NtUninstallKB48032$\2851047187 0 bytes

---- EOF - GMER 1.0.15 ----
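
The GMER output above mixes hooks that are expected on this machine (AVG's SSDT entries, Firefox's own LdrLoadDll hook in xul.dll, the apphelp.dll app-compat IAT shims in Explorer) with kernel-level indicators: a driver flagged "suspicious PE modification", afd.sys code sections carrying symbol names that do not look like Microsoft's, a hidden kernel module, a Shell Extensions\Approved value with a random-looking name, and .@ blobs under a $NtUninstall...$ folder. The script below is an added example, not part of this thread and not a GMER feature, that sorts such a log by severity so the benign noise does not bury the escalation-worthy lines. The vendor trust list, the PascalCase symbol heuristic, the payload-folder heuristic and the sample excerpt are assumptions constructed for the example.

```python
"""Triage a GMER rootkit-scan log: separate expected hooks from indicators that need escalation."""
import re
from collections import defaultdict

# Constructed sample: excerpts in the same format as the GMER log posted above.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA1D51F3C]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeRemoveQueueEx + 139F 834D5054 4 Bytes [3C, 1F, D5, A1]
.text afd.sys!qh_hgd_YTT__DIMKKlwwnbhzbTIHZ__QggccbsO 9113E000 55 Bytes [90, 90, 90, 90, 90, FF, 15, ...]
.text afd.sys!mbccs__e + 13 9113E1D1 146 Bytes CALL 91140861 \SystemRoot\system32\drivers\afd.sys (Ancillary Function Driver for WinSock/Microsoft Corporation)
? C:\Windows\system32\drivers\afd.sys suspicious PE modification
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[1200] ntdll.dll!NtProtectVirtualMemory 77815F18 5 Bytes JMP 0093000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4564] ntdll.dll!LdrLoadDll 778322B8 5 Bytes JMP 627E3690 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
---- Modules - GMER 1.0.15 ----
Module (noname) (*** hidden *** ) 9111E000-9113D000 (126976 bytes)
---- Registry - GMER 1.0.15 ----
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{05461635-39B0-CDCC-CB02-9CA890929444}@hannmjciegifjhab 0x6A 0x61 0x65 0x6A ...
---- Files - GMER 1.0.15 ----
File C:\Windows\$NtUninstallKB48032$\1674958965\U\80000032.@ 77312 bytes
---- EOF - GMER 1.0.15 ----
"""

# Assumed trust list for this example; extend it with whatever security software the host actually runs.
KNOWN_VENDORS = ("Microsoft Corporation", "AVG Technologies", "Mozilla Foundation")

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
KTEXT_RE = re.compile(r"^\.text ([\w.]+)!(\S+)")          # kernel patch line: module!symbol
UHOOK_RE = re.compile(r"^\.text .+?\[\d+\] \S+!\S+ [0-9A-F]+ \d+ Bytes (?:JMP|CALL) [0-9A-F]+(.*)$")
MS_SYMBOL_RE = re.compile(r"^[A-Z][A-Za-z0-9]*$")         # heuristic: Microsoft kernel symbols are PascalCase
REG_RE = re.compile(r"Shell Extensions\\Approved\\\{[0-9A-F-]+\}@[a-z]{10,}", re.I)
UNINST_RE = re.compile(r"^File (C:\\Windows\\\$NtUninstall[^\\]*\$\\.*?) \d+ bytes$", re.I)


def classify(section, line):
    """Return (severity, reason) for one GMER line, or None if there is nothing to report."""
    if "suspicious PE modification" in line:
        return "critical", "on-disk driver image no longer matches a clean PE (patched system driver)"
    if "*** hidden ***" in line:
        return "critical", "kernel module hidden from the loaded-module list"
    if section == "Kernel code sections":
        m = KTEXT_RE.match(line)
        if m and not MS_SYMBOL_RE.match(m.group(2)):
            return "suspicious", f"{m.group(1)} code carries non-Microsoft-style symbol {m.group(2)!r}"
        return "info", "kernel patch in a Microsoft-named symbol; attribute to installed AV/HIPS before escalating"
    if section == "User code sections":
        m = UHOOK_RE.match(line)
        if m and not any(v in m.group(1) for v in KNOWN_VENDORS):
            return "suspicious", "inline hook jumps to memory GMER could not attribute to any module"
    if section == "Registry" and REG_RE.search(line):
        return "suspicious", "Shell Extensions\\Approved value named with random letters instead of a CLSID"
    if section == "Files":
        m = UNINST_RE.match(line)
        if m and (m.group(1).endswith(".@") or "\\U\\" in m.group(1) or "\\L\\" in m.group(1)):
            return "suspicious", "payload-style files (.@ blobs, U\\ and L\\ stores) inside a $NtUninstall...$ folder"
    if any(v in line for v in KNOWN_VENDORS):
        return "expected", "hook attributed to a known vendor module"
    return None


def triage(log_text):
    """Group every reportable line under its severity, tracking the current GMER section."""
    findings = defaultdict(list)
    section = None
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        result = classify(section, line)
        if result:
            findings[result[0]].append((result[1], line))
    return dict(findings)


def verdict(findings):
    """Escalation decision: any critical finding means offline/boot-time cleanup, not another in-OS scan."""
    if findings.get("critical"):
        return "escalate"
    if findings.get("suspicious"):
        return "investigate"
    return "clean"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for sev in ("critical", "suspicious", "info", "expected"):
        for reason, line in found.get(sev, []):
            print(f"[{sev:10}] {reason}\n             {line[:90]}")
    print("verdict:", verdict(found))
```

Run it on a full GMER log by replacing SAMPLE_LOG with the file contents. The point of the ordering is that the AVG SSDT hooks and the Firefox and apphelp hooks land in "expected" or "info", while the patched afd.sys, the hidden module and the $NtUninstall...$ payload store drive the verdict to "escalate", which is the conclusion the advisor reaches below.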

#8 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,707 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 07 January 2012 - 12:03 AM

You have more serious issues there.
Advanced help will be needed.

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

