All my searches are being redirected to some sites. It's really annoying!
Here is my HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:50:39, on 6/29/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ESET Smart Security\egui.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Firefox 3 [Custom]\firefox.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\PROGRA~1\WINZIP~1\winzip32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\DllHost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\Internet Explorer\IEPro\iepro.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\Internet Explorer\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\Internet Explorer\IEPro\iepro.dll
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\Internet Explorer\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\Internet Explorer\IEPro\iepro.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\PerfectDisk 10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\PerfectDisk 10\PDEngine.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ccfaa5a9\STacSV.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
--
End of file - 5468 bytes
-
I don't see any obvious malicious processes in that log.
Download Avenger:
http://swandog46.geekstogo.com/avenger2/doc.html
Download Combofix:
http://www.combofix.org/
Run Avenger first as an admin. Run it without a script. The computer will reboot. Let us know what it finds.
Then run Combofix as an admin. Post the log that it generates.
-
ComboFix and Avenger's log said they couldn't find it. I decided to format my HDD since I had a back-up anyway.
-
If you haven't formatted yet, you could try and install GMER. Run a scan and see if anything shows up. It detects and removes all kinds of nasty rootkits.
-
Can you help me with GMER... I made a scan... but where do I see if it cleaned something?
========scan window=======
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-07 13:30:31
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
INT 0x62 ? 84F8ABF8
INT 0x82 ? 84F8ABF8
INT 0x83 ? 84F8ABF8
INT 0x84 ? 84132BF8
INT 0x94 ? 84132BF8
INT 0xA4 ? 84132BF8
INT 0xB4 ? 84132BF8
Code 8462F010 ZwEnumerateKey
Code 846165E0 ZwFlushInstructionCache
Code 84668EAE IofCallDriver
Code 846650B6 IofCompleteRequest
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 84668EB3
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP 846650BB
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABEC4 5 Bytes JMP 846165E4
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB70 5 Bytes JMP 8462F014
? spze.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F6F4B8AC 5 Bytes JMP 841321D8
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[320] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0062000A
.text C:\WINDOWS\system32\services.exe[680] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 006B000A
.text C:\Program Files\RocketDock\RocketDock.exe[1200] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04A0000A
.text C:\WINDOWS\system32\ctfmon.exe[1556] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0493000A
.text ...
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1712] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1768] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 009C000A
.text C:\WINDOWS\system32\sistray.exe[1876] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 009F000A
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 006B000A
.text C:\WINDOWS\system32\wdfmgr.exe[1956] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0060000A
.text C:\Program Files\Thunderbird-Tray\TBTray.exe[2056] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0098000A
.text ...
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73BE042] spze.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F73BE13E] spze.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73BE0C0] spze.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73BE800] spze.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73BE6D6] spze.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F73CDE9C] spze.sys
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 842B61F8
AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
Device \FileSystem\Fastfat \FatCdrom 84F881F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{CC744E12-4E0F-4ECD-9F36-DF88178812C1} 842241F8
Device \Driver\usbohci \Device\USBPDO-0 841311F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 84F8B1F8
Device \Driver\dmio \Device\DmControl\DmConfig 84F8B1F8
Device \Driver\dmio \Device\DmControl\DmPnP 84F8B1F8
Device \Driver\dmio \Device\DmControl\DmInfo 84F8B1F8
Device \Driver\usbohci \Device\USBPDO-1 841311F8
Device \Driver\usbohci \Device\USBPDO-2 841311F8
Device \Driver\usbehci \Device\USBPDO-3 8410F1F8
Device \Driver\PCI_PNP8022 \Device\00000055 spze.sys
Device \Driver\PCI_PNP8022 \Device\00000055 spze.sys
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
Device \Driver\Ftdisk \Device\HarddiskVolume1 84F8C1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 84F8C1F8
Device \Driver\sptd \Device\247929272 spze.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 842241F8
Device \Driver\NetBT \Device\NetbiosSmb 842241F8
Device \Driver\usbohci \Device\USBFDO-0 841311F8
Device \Driver\usbohci \Device\USBFDO-1 841311F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 842801F8
Device \Driver\usbohci \Device\USBFDO-2 841311F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 842801F8
Device \Driver\usbehci \Device\USBFDO-3 8410F1F8
Device \Driver\Ftdisk \Device\FtControl 84F8C1F8
Device \Driver\aa4edw57 \Device\Scsi\aa4edw571Port4Path0Target0Lun0 841001F8
Device \Driver\aa4edw57 \Device\Scsi\aa4edw571 841001F8
Device \FileSystem\Fastfat \Fat 84F881F8
AttachedDevice \FileSystem\Fastfat \Fat sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
Device \FileSystem\Cdfs \Cdfs 84395500
---- Threads - GMER 1.0.15 ----
Thread System [4:388] 83FD8790
---- Registry - GMER 1.0.15 ----
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{87DBA6DE-E4F2-7A02-9C26-44237CE7525F}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{87DBA6DE-E4F2-7A02-9C26-44237CE7525F}@iamlkmageeaoepefne 0x6A 0x61 0x62 0x66 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{87DBA6DE-E4F2-7A02-9C26-44237CE7525F}@haglamhnmbepjiea 0x69 0x61 0x62 0x66 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{87DBA6DE-E4F2-7A02-9C26-44237CE7525F}@iaimklhjooenibchlp 0x64 0x61 0x62 0x66 ...
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\hjgruiiqjtpuxs.sys
File C:\WINDOWS\system32\hjgruibmckpkbs.dll
File C:\WINDOWS\system32\hjgruiiwuymfvp.dat
File C:\WINDOWS\system32\hjgruiawvvwnob.dll
File C:\WINDOWS\system32\hjgruiuxcvmdxm.dat
File C:\WINDOWS\Temp\hjgruivbvpxpufdb.tmp
File C:\WINDOWS\Temp\hjgruilecxtccxns.tmp
File C:\WINDOWS\Temp\hjgruiwuccsxaety.tmp
File C:\WINDOWS\Temp\hjgruicbpxtfdivp.tmp
File C:\WINDOWS\Temp\hjgruispfmcchwbu.tmp
File C:\WINDOWS\Temp\hjgruieeibxjqytd.tmp
---- EOF - GMER 1.0.15 ----
===============================
-
You've been rooted, those files are malicious. You can delete them with Avenger.
http://swandog46.geekstogo.com/avenger2/cmd2.html
-
Hi, I'm experiencing the same problem...
I used GMER and here is the result.
Can you tell me which script I should put in Avenger?
I hope someone can resolve this...
My CD drive is broken so I cannot reformat my PC...
Please help me..
GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-26 22:39:22
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT 86607A60 ZwOpenProcess
SSDT 86607E80 ZwOpenThread
SSDT 86608460 ZwSuspendProcess
SSDT 86608280 ZwSuspendThread
SSDT 86607C90 ZwTerminateProcess
SSDT 866080B0 ZwTerminateThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA80FF498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA80FF4AC]
Code 89CDE1C0 ZwEnumerateKey
Code 89CA5C90 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA80FF470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA80FF484]
Code 898F51BE ZwSaveKey
Code 898D6BA6 ZwSaveKeyEx
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA80FF4D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA80FF4C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA80FF45C]
Code 898E316E IofCallDriver
Code 8995AB2E IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 898E3173
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8995AB33
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B683E 5 Bytes JMP 89CA5C94
PAGE ntkrnlpa.exe!NtOpenProcess 805CB438 5 Bytes JMP A80FF474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB6C4 5 Bytes JMP A80FF488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE82 5 Bytes JMP A80FF4C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1172 7 Bytes JMP A80FF4B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D1228 5 Bytes JMP A80FF49C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1732 5 Bytes JMP A80FF4DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29DA 5 Bytes JMP A80FF460 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80624020 5 Bytes JMP 89CDE1C4
PAGE ntkrnlpa.exe!ZwSaveKey 80625294 5 Bytes JMP 898F51C2
PAGE ntkrnlpa.exe!ZwSaveKeyEx 8062537A 5 Bytes JMP 898D6BAA
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1388] kernel32.dll!SetUnhandledExceptionFilter 7C844935 4 Bytes [C2, 04, 00, 00]
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
---- Threads - GMER 1.0.15 ----
Thread System [4:680] 86606790
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\geyekriybwmtbs.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1500] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekriybwmtbs.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1976] 0x10000000
---- Files - GMER 1.0.15 ----
File C:\Program Files\Alwil Software\Avast4\DATA\moved\geyekriybwmtbs.dll.2.vir 18432 bytes
File C:\Program Files\Alwil Software\Avast4\DATA\moved\geyekriybwmtbs.dll.vir 18432 bytes
File C:\WINDOWS\system32\geyekriybwmtbs.dll 20992 bytes executable
File C:\WINDOWS\system32\geyekrnqtliaqo.dat 212380 bytes
File C:\WINDOWS\system32\geyekrtxeyxevp.dat 91 bytes
File C:\WINDOWS\system32\geyekryuruwvpj.dll 43520 bytes
---- EOF - GMER 1.0.15 ----
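An added triage example, not part of any post in this thread: it reads GMER output like the two logs above, separates inline kernel hooks whose JMP target GMER attributes to a named driver (here McAfee's mfehidk.sys) from those with no owner listed, and groups flagged files that share a name prefix. The function names, the "no owner means unattributed" rule and the 6-character prefix (taken from the `hjgrui…` and `geyekr…` names in the logs) are assumptions made for the example, not GMER features.

```python
import re
from collections import defaultdict

# Excerpt of the second GMER log in this thread (lines copied unchanged).
SAMPLE = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 898E3173
PAGE ntkrnlpa.exe!NtOpenProcess 805CB438 5 Bytes JMP A80FF474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80624020 5 Bytes JMP 89CDE1C4
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\geyekriybwmtbs.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1500] 0x10000000
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\geyekriybwmtbs.dll 20992 bytes executable
File C:\WINDOWS\system32\geyekrnqtliaqo.dat 212380 bytes
File C:\WINDOWS\system32\geyekryuruwvpj.dll 43520 bytes
---- EOF - GMER 1.0.15 ----
"""

SECTION = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# <section> <module>!<function> <address> <n> Bytes JMP <target> [owning module]
HOOK = re.compile(r"^\S+\s+\S+?!(\w+)\s+[0-9A-F]{8}\s+\d+ Bytes\s+JMP\s+([0-9A-F]{8})\s*(.*)$")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(log, prefix_len=6):
    """Split inline hooks by whether GMER names an owning module, and group
    flagged files by a shared name prefix (heuristics, see the lead-in)."""
    section, owned, unowned, hidden = None, [], [], []
    by_prefix = defaultdict(list)
    for line in map(str.strip, log.splitlines()):
        m = SECTION.match(line)
        if m:
            section = m.group(1)
        elif section == "Kernel code sections" and (m := HOOK.match(line)):
            func, target, owner = m.groups()
            (owned if owner else unowned).append((func, target, owner))
        elif section == "Processes" and "*** hidden ***" in line:
            hidden.append(line.split()[1])
        elif section == "Files" and line.startswith("File "):
            path = re.sub(r"\s+\d+ bytes.*$", "", line[5:])  # drop optional size
            by_prefix[basename(path)[:prefix_len]].append(path)
    clusters = {p: f for p, f in by_prefix.items() if len(f) >= 2}
    return {
        "unowned_hooks": unowned,
        "owned_hooks": owned,
        "file_clusters": clusters,
        "hidden_in_cluster": [h for h in hidden if basename(h)[:prefix_len] in clusters],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

An attributed hook is not automatically benign and an unattributed one is not proof of infection; the output is a shortlist for manual review.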
HELP: remove Win32/Rootkit.Agent.ODG trojan
Discussion in 'Security and Anti-Virus Software' started by Patrck_744, Jun 29, 2009.