Hey free help of course I'm going to be patient. I learned a ton myself. Any idea on what the file was doing?

Yeah I agree make sure the root kit is terminated first before the network issue.

Going to be a busy week...and weekend this week for me. Maybe tonight. Possibly Monday or Tuesday I can post a GMER log. Autoscan or Malware? Or both?

Arc

Both, please. I'm really looking to see if GMER still sees the hidden items, and if so, we will try to delete them using GMER. I'm puzzled why IceSword didn't see them.

GMER 1.0.14.14316 - http://www.gmer.net
Rootkit scan 2008-05-06 01:05:43
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.14 ----

SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwAllocateVirtualMemory [0xB7A1CC90] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwAssignProcessToJobObject [0xB7A1D0C0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwClose [0xB727A1C2] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwConnectPort [0xB7A1C580] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateDirectoryObject [0xB727A0AE] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateFile [0xB7279184] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB78D1CB8] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwCreatePort [0xB7A1C440] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateProcess [0xB7278A36] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateSection [0xB7279B4C] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwCreateThread [0xB7A1B580] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwDeleteFile [0xB7A1EC30] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwDeleteKey [0xB7A1E050] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB78D212A] <-- ROOTKIT !!!
SSDT IPVNMon.sys (IPVNMon/Visual Networks) ZwDeviceIoControlFile [0xBFEA4B23] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB78D18AA] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwEnumerateKey [0xB7A1E5B0] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwEnumerateValueKey [0xB7A1E5C0] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwLoadDriver [0xB7A1CB00] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwLoadKey [0xB7A1FD50] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwOpenFile [0xB72796AA] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB78D1D2E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB78D17C8] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwOpenSection [0xB7A1AE00] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB78D183C] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwProtectVirtualMemory [0xB7A1CE00] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwQueryKey [0xB7A1E590] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB78D1E42] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwReplaceKey [0xB7A1E210] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwRequestWaitReplyPort [0xB7A1C7D0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB78D1E02] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwResumeThread [0xB7A1C1C0] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwSaveKey [0xB7A1E580] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwSetContextThread [0xB7A1BCC0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwSetInformationFile [0xB7279ED8] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB78D1F84] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwShutdownSystem [0xB7A1CA40] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwSuspendThread [0xB7A1C060] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwSystemDebugControl [0xB7A1BF40] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwTerminateProcess [0xB7A1B430] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwTerminateThread [0xB7A1BB50] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwWriteFile [0xB7279E10] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwWriteVirtualMemory [0xB7A1CF60] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINNT\system32\drivers\OAnet.sys Access is denied.
? C:\WINNT\system32\drivers\OADriver.sys Access is denied.
? C:\WINNT\TEMP\mc21.tmp The system cannot find the file specified. !
? C:\WINNT\system32\drivers\OAmon.sys Access is denied.

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\System32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMRegisterMiniport] [BFEA46E9] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMSetAttributesEx] [BFEA4A5D] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [BFEA4A33] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [BFEA4979] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [BFEA448A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMRegisterMiniport] [BFEA46E9] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMSetAttributesEx] [BFEA4A5D] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMSetAttributesEx] [BFEA4A5D] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMRegisterMiniport] [BFEA46E9] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspti.sys[NDIS.SYS!NdisMRegisterMiniport] [BFEA46E9] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspti.sys[NDIS.SYS!NdisMSetAttributesEx] [BFEA4A5D] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BFEA448A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BFEA4979] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BFEA4A33] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EB563410] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EB563720] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EB563470] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [EB563760] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EB563720] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EB563410] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EB563470] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisCloseAdapter] [EB563410] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisOpenAdapter] [EB563470] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisRegisterProtocol] [EB563720] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisDeregisterProtocol] [EB563760] \??\C:\WINNT\system32\drivers\OAnet.sys

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip OAmon.sys
Device \Driver\Tcpip \Device\Tcp OAmon.sys

AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Udp OAmon.sys
Device \Driver\Tcpip \Device\RawIp OAmon.sys
Device \Driver\Tcpip \Device\IPMULTICAST OAmon.sys

---- Services - GMER 1.0.14 ----

Service (*** hidden *** ) NDMONPROTO <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO

---- Files - GMER 1.0.14 ----

---- EOF - GMER 1.0.14 ----

GMER 1.0.14.14316 - http://www.gmer.net
Autostart scan 2008-05-06 01:09:02
Windows 5.0.2195 Service Pack 4


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINNT\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
AtiExtEvent@DLLName = Ati2evxx.dll
PCANotify@DLLName = PCANotify.dll
wzcnotif@DLLName = wzcdlg.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aswUpdSv@ = "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
ATI Smart@ = C:\WINNT\system32\ati2sgag.exe
avast! Antivirus@ = "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
Avg7Alrt@ = C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
Avg7UpdSvc@ = C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C-DillaSrv@ = C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
F-Prot Antivirus Update Monitor@ = "C:\Program Files\FSI\F-Prot\fpavupdm.exe" /*file not found*/
PPPoEService@ = C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
RemoteRegistry@ = %SystemRoot%\system32\regsvc.exe
StiSvc@ = %systemroot%\system32\stisvc.exe
SvcOnlineArmor@ = "C:\Program Files\Tall Emu\Online Armor\oasrv.exe"
WinMgmt@ = %SystemRoot%\System32\WBEM\WinMgmt.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CmaudioRunDll32 cmicnfg.cpl,CMICtrlWnd = RunDll32 cmicnfg.cpl,CMICtrlWnd
@NeroCheckC:\WINNT\System32\NeroCheck.exe = C:\WINNT\System32\NeroCheck.exe
@IPInSightLAN 01"C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l = "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
@IPInSightMonitor 01"C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe" = "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
@Synchronization Managermobsync.exe /logon = mobsync.exe /logon
@ATIPTAC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
@OnlineArmor GUI"C:\Program Files\Tall Emu\Online Armor\oaui.exe" = "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
@Motive SmartBridgeC:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe = C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
@MSConfigC:\DL\MSCONFIG.EXE /auto = C:\DL\MSCONFIG.EXE /auto

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@msnmsgr"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
@Yahoo! PagerC:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

HKLM\Software\Classes\.hta@ =

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{4F07DA45-8170-4859-9B5F-037EF2970034} = C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{41E300E0-78B6-11ce-849B-444553540000} /*PlusPack CPL Extension*/plustab.dll = plustab.dll
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/(null) =
@{8BEBB290-52D0-11D0-B7F4-00C04FD706EC} /*Thumbnails*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{EAB841A0-9550-11CF-8C16-00805F1408F3} /*HTML Thumbnail Extractor*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{1AEB1360-5AFC-11D0-B806-00C04FD706EC} /*Office Graphics Filters Thumbnail Extractor*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{9DBD2C50-62AD-11D0-B806-00C04FD706EC} /*Summary Info Thumbnail handler (DOCFILES)*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{500202A0-731E-11D0-B829-00C04FD706EC} /*LNK file thumbnail interface delegator*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{fe1290f0-cfbd-11cf-a330-00aa00c16e65} /*Directory Namespace*/dsfolder.dll = dsfolder.dll
@{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} /*Shell properties for a DS object*/dsfolder.dll = dsfolder.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{5464D816-CF16-4784-B9F3-75C0DB52B499} /*Yahoo! Mail*/C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll = C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll
@{1E2CDF40-419B-11D2-A5A1-002018648BA7} /*AVG Shell Extension*/(null) =
@{6DEA92E9-8682-4b6a-97DE-354772FE5727} /*Autodesk DWF Preview*/C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll = C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll
@{AC1DB655-4F9A-4c39-8AD2-A65324A4C446} /*Autodesk Drawing Preview*/C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll = C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll
@{36A21736-36C2-4C11-8ACB-D4136F2B57BD} /*AutoCAD Digital Signatures Icon Overlay Handler*/C:\WINNT\system32\AcSignIcon.dll = C:\WINNT\system32\AcSignIcon.dll
@{73B24247-042E-4EF5-ADC2-42F62E6FD654} /*ICQ Lite Shell Extension*/C:\Program Files\ICQLite\ICQLiteShell.dll = C:\Program Files\ICQLite\ICQLiteShell.dll
@{1474F601-9B4B-4EB0-81FA-20F753C0E1A4} /*FRISK extension*/(null) =
@{E443A8D5-D905-4401-8789-16AE23A8A96D} /*FRISK extension*/(null) =
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Program Files\Alwil Software\Avast4\ashShell.dll = C:\Program Files\Alwil Software\Avast4\ashShell.dll
@{4F07DA46-8170-4859-9B5F-037EF2970034} /*Online Armor Shell Extension*/C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll = C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Web Folders*/ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
ICQLiteMenu@{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll
OnlineArmorShell@{4F07DA46-8170-4859-9B5F-037EF2970034} = C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
Yahoo! Mail@{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
FRISK@{1474F601-9B4B-4EB0-81FA-20F753C0E1A4} =
ICQLiteMenu@{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
InventorMenu@{6FDE7A70-351B-11d6-988B-0010B57A8BB7} = C:\Program Files\Autodesk\Inventor 9\Bin\DT.dll
OnlineArmorShell@{4F07DA46-8170-4859-9B5F-037EF2970034} = C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}C:\Program Files\Yahoo!\Common\yiesrvc.dll = C:\Program Files\Yahoo!\Common\yiesrvc.dll
@{65D886A2-7CA7-479B-BB95-14D1EFB7946A}C:\Program Files\Yahoo!\Common\YIeTagBm.dll = C:\Program Files\Yahoo!\Common\YIeTagBm.dll
@{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.spop@Location = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Page =
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Page =
@Local PageC:\WINNT\system32\blank.htm = C:\WINNT\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
its@CLSID = C:\WINNT\System32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINNT\System32\itss.dll
vnd.ms.radio@CLSID = C:\WINNT\System32\msdxm.ocx

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002@LibraryPath = %SystemRoot%\System32\rnr20.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000002@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000003@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000004@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000005@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000006@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000007@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000008@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000011@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000012@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000013@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000014@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000015@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000016@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000017@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000018@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000019@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

C:\Documents and Settings\X\Start Menu\Programs\Startup = ERUNT AutoBackup.lnk

---- EOF - GMER 1.0.14 ----

Grrrhhhhh double post!

Hi,

Well, GMER still sees the service and the registry items. Let's kill them manually. Double-Click on GMER.exe
Click the Rootkit tab and click the Scan button.
When the scan has completed, please follow the following steps.
We need to delete the following Service
NDMONPROTO
Right-Click on the service, Click on and Ok any prompts.

If any of these four items appear in the scan:

Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO

Delete them as well.

Reboot your computer

Run GMER again and post the same two scan reports. Let's see whether that takes care of them.

Well that was interesting.

I tried to delete the service and gmer couldn't do it. A few errors came up and another option to delete it came up same thing.

I tried again. No luck.

I tired to delete the registry keys and nothing!

So I tried to disable the NDPRONTO service and it crashed gmer.

Hummmmm .... I need to kick this around with my colleagues, and perhaps ask GMER to check into this topic. Most strange. One thought, try this again in Safe Mode first. I don't think that will make any difference, but it is worth trying.

Might have to wait on this until next week as I'll be going away for a bit. Sorry.

I'll let you know early next week. Thanks.

Arc

Hi there. I'm not sure if this is the right place to post this, but I'm having the same problem with NDMONPROTO, which I found recently when I switched from AVG (didn't like v8) to Avast. As you might imagine, I'm interested in the fix for this problem, which Google only found here.

@LeSteve: You will need to post your own topic in this forum. We do not deal with multiple members/issues in a single topic.

Okay I'm back!

Lesteve sorry about your luck this thing is murder!

In fact save yourself some time and reformat you computer right now.

Which brings me to my next thing...

PC I was trying to fix my internet again and a few other things and having my patience reach the breaking point I formatted my computer and reinstalled windows. Take that rootkit! Argh!

Apologies. Don't worry at least I learned a lot and I'm going to reinstall some of the afore mentioned tools and other things you had me do. So at least it's not a total loss.

I may still have some internet questions but I guess I can start a new thread for that correct?

Again thanks for all your help.

Regards,

Arc

Hi,

Sigh! Well we tried, anyway. I can understand your thinking, and I have just about run out of ideas anyway, so perhaps this is for the best.

I am locking this topic and marking it [Done].