GMER 1.0.14.14316 - http://www.gmer.net
Autostart scan 2008-04-26 21:03:11
Windows 5.0.2195 Service Pack 4


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINNT\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
AtiExtEvent@DLLName = Ati2evxx.dll
PCANotify@DLLName = PCANotify.dll
wzcnotif@DLLName = wzcdlg.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aswUpdSv@ = "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
ATI Smart@ = C:\WINNT\system32\ati2sgag.exe
avast! Antivirus@ = "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
Avg7Alrt@ = C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
Avg7UpdSvc@ = C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
BBDemon@ = C:\Program Files\Dassault Systemes\B15\intel_a\code\bin\CATSysDemon.exe -service /*file not found*/
C-DillaSrv@ = C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
F-Prot Antivirus Update Monitor@ = "C:\Program Files\FSI\F-Prot\fpavupdm.exe" /*file not found*/
PPPoEService@ = C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
RemoteRegistry@ = %SystemRoot%\system32\regsvc.exe
StiSvc@ = %systemroot%\system32\stisvc.exe
SvcOnlineArmor@ = "C:\Program Files\Tall Emu\Online Armor\oasrv.exe"
WinMgmt@ = %SystemRoot%\System32\WBEM\WinMgmt.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CmaudioRunDll32 cmicnfg.cpl,CMICtrlWnd = RunDll32 cmicnfg.cpl,CMICtrlWnd
@NeroCheckC:\WINNT\System32\NeroCheck.exe = C:\WINNT\System32\NeroCheck.exe
@IPInSightLAN 01"C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l = "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
@IPInSightMonitor 01"C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe" = "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
@Synchronization Managermobsync.exe /logon = mobsync.exe /logon
@ATIPTAC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
@OnlineArmor GUI"C:\Program Files\Tall Emu\Online Armor\oaui.exe" = "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
@Motive SmartBridgeC:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe = C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@msnmsgr"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
@Yahoo! PagerC:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

HKLM\Software\Classes\.hta@ =

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{4F07DA45-8170-4859-9B5F-037EF2970034} = C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{41E300E0-78B6-11ce-849B-444553540000} /*PlusPack CPL Extension*/plustab.dll = plustab.dll
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/(null) =
@{8BEBB290-52D0-11D0-B7F4-00C04FD706EC} /*Thumbnails*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{EAB841A0-9550-11CF-8C16-00805F1408F3} /*HTML Thumbnail Extractor*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{1AEB1360-5AFC-11D0-B806-00C04FD706EC} /*Office Graphics Filters Thumbnail Extractor*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{9DBD2C50-62AD-11D0-B806-00C04FD706EC} /*Summary Info Thumbnail handler (DOCFILES)*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{500202A0-731E-11D0-B829-00C04FD706EC} /*LNK file thumbnail interface delegator*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{fe1290f0-cfbd-11cf-a330-00aa00c16e65} /*Directory Namespace*/dsfolder.dll = dsfolder.dll
@{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} /*Shell properties for a DS object*/dsfolder.dll = dsfolder.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{5464D816-CF16-4784-B9F3-75C0DB52B499} /*Yahoo! Mail*/C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll = C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll
@{1E2CDF40-419B-11D2-A5A1-002018648BA7} /*AVG Shell Extension*/(null) =
@{6DEA92E9-8682-4b6a-97DE-354772FE5727} /*Autodesk DWF Preview*/C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll = C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll
@{AC1DB655-4F9A-4c39-8AD2-A65324A4C446} /*Autodesk Drawing Preview*/C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll = C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll
@{36A21736-36C2-4C11-8ACB-D4136F2B57BD} /*AutoCAD Digital Signatures Icon Overlay Handler*/C:\WINNT\system32\AcSignIcon.dll = C:\WINNT\system32\AcSignIcon.dll
@{73B24247-042E-4EF5-ADC2-42F62E6FD654} /*ICQ Lite Shell Extension*/C:\Program Files\ICQLite\ICQLiteShell.dll = C:\Program Files\ICQLite\ICQLiteShell.dll
@{1474F601-9B4B-4EB0-81FA-20F753C0E1A4} /*FRISK extension*/(null) =
@{E443A8D5-D905-4401-8789-16AE23A8A96D} /*FRISK extension*/(null) =
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Program Files\Alwil Software\Avast4\ashShell.dll = C:\Program Files\Alwil Software\Avast4\ashShell.dll
@{4F07DA46-8170-4859-9B5F-037EF2970034} /*Online Armor Shell Extension*/C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll = C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Web Folders*/ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
ICQLiteMenu@{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll
OnlineArmorShell@{4F07DA46-8170-4859-9B5F-037EF2970034} = C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
Yahoo! Mail@{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
FRISK@{1474F601-9B4B-4EB0-81FA-20F753C0E1A4} =
ICQLiteMenu@{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
InventorMenu@{6FDE7A70-351B-11d6-988B-0010B57A8BB7} = C:\Program Files\Autodesk\Inventor 9\Bin\DT.dll
OnlineArmorShell@{4F07DA46-8170-4859-9B5F-037EF2970034} = C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}C:\Program Files\Yahoo!\Common\yiesrvc.dll = C:\Program Files\Yahoo!\Common\yiesrvc.dll
@{65D886A2-7CA7-479B-BB95-14D1EFB7946A}C:\Program Files\Yahoo!\Common\YIeTagBm.dll = C:\Program Files\Yahoo!\Common\YIeTagBm.dll
@{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.spop@Location = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Page =
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Page =
@Local PageC:\WINNT\system32\blank.htm = C:\WINNT\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
its@CLSID = C:\WINNT\System32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINNT\System32\itss.dll
vnd.ms.radio@CLSID = C:\WINNT\System32\msdxm.ocx

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002@LibraryPath = %SystemRoot%\System32\rnr20.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000002@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000003@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000004@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000005@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000006@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000007@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000008@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000011@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000012@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000013@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000014@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000015@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000016@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000017@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000018@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000019@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

C:\Documents and Settings\X\Start Menu\Programs\Startup = ERUNT AutoBackup.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Startup = NetAssistant.lnk

---- EOF - GMER 1.0.14 ----

GMER 1.0.14.14316 - http://www.gmer.net
Rootkit scan 2008-04-26 20:59:50
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.14 ----

SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwAllocateVirtualMemory [0xB7A1CC90] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwAssignProcessToJobObject [0xB7A1D0C0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwClose [0xB727A1C2] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwConnectPort [0xB7A1C580] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateDirectoryObject [0xB727A0AE] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateFile [0xB7279184] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB78D1CB8] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwCreatePort [0xB7A1C440] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateProcess [0xB7278A36] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateSection [0xB7279B4C] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwCreateThread [0xB7A1B580] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwDeleteFile [0xB7A1EC30] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwDeleteKey [0xB7A1E050] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB78D212A] <-- ROOTKIT !!!
SSDT IPVNMon.sys (IPVNMon/Visual Networks) ZwDeviceIoControlFile [0xBFEA4B23] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB78D18AA] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwEnumerateKey [0xB7A1E5B0] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwEnumerateValueKey [0xB7A1E5C0] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwLoadDriver [0xB7A1CB00] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwLoadKey [0xB7A1FD50] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwOpenFile [0xB72796AA] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB78D1D2E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB78D17C8] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwOpenSection [0xB7A1AE00] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB78D183C] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwProtectVirtualMemory [0xB7A1CE00] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwQueryKey [0xB7A1E590] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB78D1E42] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwReplaceKey [0xB7A1E210] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwRequestWaitReplyPort [0xB7A1C7D0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB78D1E02] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwResumeThread [0xB7A1C1C0] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwSaveKey [0xB7A1E580] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwSetContextThread [0xB7A1BCC0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwSetInformationFile [0xB7279ED8] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB78D1F84] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwShutdownSystem [0xB7A1CA40] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwSuspendThread [0xB7A1C060] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwSystemDebugControl [0xB7A1BF40] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwTerminateProcess [0xB7A1B430] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwTerminateThread [0xB7A1BB50] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwWriteFile [0xB7279E10] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwWriteVirtualMemory [0xB7A1CF60] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINNT\system32\drivers\OAnet.sys Access is denied.
? C:\WINNT\system32\drivers\OADriver.sys Access is denied.
? C:\WINNT\TEMP\mc21.tmp The system cannot find the file specified. !
? C:\WINNT\system32\drivers\OAmon.sys Access is denied.

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\System32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMRegisterMiniport] [BFEA46E9] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMSetAttributesEx] [BFEA4A5D] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [BFEA4A33] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [BFEA4979] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [BFEA448A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMRegisterMiniport] [BFEA46E9] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMSetAttributesEx] [BFEA4A5D] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMSetAttributesEx] [BFEA4A5D] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMRegisterMiniport] [BFEA46E9] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspti.sys[NDIS.SYS!NdisMRegisterMiniport] [BFEA46E9] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspti.sys[NDIS.SYS!NdisMSetAttributesEx] [BFEA4A5D] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BFEA448A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BFEA4979] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BFEA4A33] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EB563410] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EB563720] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EB563470] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [EB563760] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EB563720] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EB563410] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EB563470] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisCloseAdapter] [EB563410] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisOpenAdapter] [EB563470] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisRegisterProtocol] [EB563720] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisDeregisterProtocol] [EB563760] \??\C:\WINNT\system32\drivers\OAnet.sys

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip OAmon.sys
Device \Driver\Tcpip \Device\Tcp OAmon.sys

AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Udp OAmon.sys
Device \Driver\Tcpip \Device\RawIp OAmon.sys
Device \Driver\Tcpip \Device\IPMULTICAST OAmon.sys

---- Services - GMER 1.0.14 ----

Service (*** hidden *** ) NDMONPROTO <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO

---- Files - GMER 1.0.14 ----

---- EOF - GMER 1.0.14 ----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:59 PM, on 26/04/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Dassault Systemes\B15\intel_a\code\bin\CATSysDemon.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.yahoo.com"); (C:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\e5y90uyt.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\e5y90uyt.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PRDIE - {A8FA9135-E1DD-4AA8-971A-1FE4DCEE6365} - C:\Program Files\Privacy Defender\prd.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194763853046
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\MDT5\AcDcToday.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} - http://www.movie-browser.com/tl4000.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file://C:\Program Files\MDT5\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\MDT5\AcPreview.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Autodesk License Manager (AdLM) - Unknown owner - C:\WINNT\System32\ad_elmd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B15\intel_a\code\bin\CATSysDemon.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Prot Antivirus Update Monitor - Unknown owner - C:\Program Files\FSI\F-Prot\fpavupdm.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O24 - Desktop Component 0: (no name) - C:\DL\Training\Schedule.htm

--
End of file - 11921 bytes

Hi,

Sorry for the delay in getting back to you. This weekend was totally taken up by family activities.

Well, I have some good news, and some bad news. ComboFix did kill the remaining traces, but after the reboot, GMER found the same traces again. Logically, that tells me that something is recreating them, and it isn't the MBR rootkit either because that is still gone. That suggests something else, probably another hidden rootkit, is recreating them, but GMER doesn't see anything even close to that type of thing..

So, I want to try another tool to see what it might find. Go here:

http://www.antirootkit.com/software/IceSword.htm

and download IceSword. This is a zip file, there is no installer. Create a new folder c:\Program Files\IceSword and unzip the download into that folder. Next create a shortcut to IceSword on your desktop. Then run IceSword. I want to know if there are any red entries in two sections. You will see the sections on the left side of the IceSword window. The two I am interested in are Processes and Services. Please post any in either that are in red.

Hey no worries.

Man this thing is uber nasty!

I'll download icesword and post tonight.

I'll be using my laptop to connect and usb to transfer the info back and forth. Now since this thing is still active I guess it won't jump to the laptop? Yes no maybe? I'll worry about fixing my net connection on my main comp later.

Thanks again.

Arc

I don't think it will jump. There isn't any hint at the moment of a USB infection. You can reformat the USB stick after each transfer and that will help limit it. Did we turn off AutoPlay? If so, it really can't jump with that turned off.

Good! I'm just a little paranoid. Yes I turned off auto run like you instructed.

Okay I ran Icesword...or I think I ran it correctly.

I clicked on Process and no red, I clicked Win32 Services and no red.

Then I though I might as well click the rest of them and none of them except SSDT had any red.

It however has 40 or so red entries. Granted some of these seem like duplicates. Most look like driver files or a system file. I'm unsure of how to post it though. I tried hitting the log button but nothing came up. I could do a good screen shot but I don't know if I'm allowed to post files here?

I'm a bit afraid to hit other buttons in this program because I'm not sure what they'll do. The read me file and the help in IceSword are...kinda lacking.

Arc

Those shou,d all be driver and similar files. And, yes, you can post screenshots, so go ahead and let me see what it found. To make sure look at the list to the right hand bottom of each page, and there is a list of what you can and cannot do in a particular forum and topic.

Okay here is it. I think these are all the different types but as I said there are 40 or so entries.

IceSword001.jpg
Description:
Filesize:	151.69 KB
Viewed:	47 Time(s)

Sorry if you're busy, have you had a chance to look at the Ice-Sword jpeg?...any idea what I should do now? Thanks.

Arc

PCBuiser has experienced some hardware problems and is offline for a short time. Please be patient. He will return very soon to continue his assistance.

Don't worry I'm very patient.

Thanks for the update Abu.

Hi,

I apologize for the delay, but I had a major hardware failure. It was one real royal PITA. Bottom line, a USB port on the front panel of my case shorted out, and took the MB with it. When the MB shorted out, it killed one stick of RAM. And, when the system crashed, it killed most of my running software including all my security software, so all that had to be completely cleaned out (including the registry, much of which required manual editing) and freshly reinstalled. Three full days of diagnosis, a new case, RAM and motherboard, two builds, and a ton of software to reinstall.

Bah, I hate computers!

Those entries in IceSword are nothing. OAdriver.sys is OnlineArmor. aswmon.sys is Avast! If all the other entries are the same, then IceSword is giving us a clean bill of health. Please do a quick rerun of IceSword and tell me if NDMONPRONTO appears anywhere in the screens, even if it isn't colored Red. If so, post a screen shot of where it appears.

I need to look back over your logs and see what we may have missed. I'll post back tomorrow. Sorry, but the delay was out of my hands.

I hate computers too! We need magic internet boxes that you can play games on...and maybe do some work.

Sucks about your hardware going kaboom!

Back to icesword for one second. What about the file aswSP.sys ...probably nothing just thought I should mention it as it was in the jpeg I posted.

I ran Ice Sword again and didn't find NDMondopainintheass anywhere on my pc.

FYI, Avast doesn't run on start up anymore. Not sure why? I may reinstall.

Should I start another thread for my internet problems? Granted I'll do that after you say we're done with the rootkit etc. Plus I want to give it one more crack myself.