Problems with excessive slowness & crashing / freezing IE.
I am looking at this problem for a friend.
Disabled a few suspect start-up items, e.g. 'fdobiwogi'.
Found that:
MBAM & Windows Defender will not allow updates.
Registry edit tools are disabled.
Avast Antivirus identified & dealt with 1 threat; no improvement.
TFC downloaded & ran OK.
MBAM log:
Malwarebytes' Anti-Malware 1.20
Database version: 930
Windows 6.0.6002 Service Pack 2
17:54:05 27/11/2010
mbam-log-11-27-2010 (17-54-05).txt
Scan type: Quick Scan
Objects scanned: 37317
Time elapsed: 4 minute(s), 23 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe (Security.Hijack) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
GMER log:
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-27 19:28:35
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 Hitachi_HTS543225L9A300 rev.FBEOC40C
Running: gmer.exe; Driver: C:\Users\SARAHB~1\AppData\Local\Temp\uwlyypow.sys
---- System - GMER 1.0.15 ----
SSDT \??\C:\Windows\system32\drivers\mbam.sys ZwCreateSection [0xB0354700]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8ED30BAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8ED309D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8ED30B0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 215 820EB978 4 Bytes [00, 47, 35, B0]
PAGE ntkrnlpa.exe!ZwLoadDriver 821AADF0 7 Bytes JMP 8ED30B10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 8221628F 5 Bytes JMP 8ED2C5D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 8226F063 5 Bytes JMP 8ED2DFFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!NtCreateSection 82270905 7 Bytes JMP 8ED309D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 822D090A 7 Bytes JMP 8ED30BB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl entry point in "" section [0xB033341C]
.clc C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl unknown last code section [0xB0334000, 0x1000, 0xE0000020]
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[304] kernel32.dll!SetUnhandledExceptionFilter 761AA84F 4 Bytes [C2, 04, 00, 00]
.text C:\Windows\system32\svchost.exe[1216] ntdll.dll!NtProtectVirtualMemory 77B34D34 5 Bytes JMP 0079000A
.text C:\Windows\system32\svchost.exe[1216] ntdll.dll!NtWriteVirtualMemory 77B35674 5 Bytes JMP 007A000A
.text C:\Windows\system32\svchost.exe[1216] ntdll.dll!KiUserExceptionDispatcher 77B35DC8 5 Bytes JMP 005A000A
.text C:\Windows\system32\svchost.exe[1216] ole32.dll!CoCreateInstance 77399F3E 5 Bytes JMP 0097000A
.text C:\Windows\system32\svchost.exe[1216] USER32.dll!GetCursorPos 77770B88 5 Bytes JMP 01FD000A
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1688] kernel32.dll!SetUnhandledExceptionFilter 761AA84F 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2508] ntdll.dll!LdrLoadDll 77AF9390 5 Bytes JMP 00FD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Windows\Explorer.EXE[2816] ntdll.dll!NtProtectVirtualMemory 77B34D34 5 Bytes JMP 0230000A
.text C:\Windows\Explorer.EXE[2816] ntdll.dll!NtWriteVirtualMemory 77B35674 5 Bytes JMP 0231000A
.text C:\Windows\Explorer.EXE[2816] ntdll.dll!KiUserExceptionDispatcher 77B35DC8 5 Bytes JMP 01BF000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3792] ntdll.dll!LdrLoadDll 77AF9390 5 Bytes JMP 00FD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4368] ntdll.dll!LdrLoadDll 77AF9390 5 Bytes JMP 00FD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4636] USER32.dll!TrackPopupMenu 777714F3 5 Bytes JMP 66205CF5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4864] ntdll.dll!LdrLoadDll 77AF9390 5 Bytes JMP 00FD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5332] ntdll.dll!LdrLoadDll 77AF9390 5 Bytes JMP 00FD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5412] ntdll.dll!NtProtectVirtualMemory 77B34D34 5 Bytes JMP 0086000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5412] ntdll.dll!NtWriteVirtualMemory 77B35674 5 Bytes JMP 0087000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5412] ntdll.dll!KiUserExceptionDispatcher 77B35DC8 5 Bytes JMP 0085000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[6024] ntdll.dll!LdrLoadDll 77AF9390 5 Bytes JMP 00FD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\system32\services.exe[724] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00010002
IAT C:\Windows\system32\services.exe[724] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00010000
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74AD7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74B2A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74ADBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74ACF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74AD75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74ACE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74B08395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74ADDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74ACFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74ACFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74AC71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74B5CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74AFC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74ACD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74AC6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74AC687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74AD2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [100027E0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001D90] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10002B30] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [100011D0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
Device \FileSystem\fastfat \FatCdrom aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 864FB3B2
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 864FB3B2
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 864FB3B2
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 864FB3B2
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-0 864FB3B2
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
Device \FileSystem\fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \Device\Ide\IdeDeviceP0T0L0-1 -> \??\IDE#DiskHitachi_HTS543225L9A300_________________FBEOC40C#5&128fa69d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 488396912 (+255): rootkit-like behavior;
---- EOF - GMER 1.0.15 ----
DDS stuff to follow