
Thread: Internet explorer re-direct using paypal

  1. #31
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi

    * Download GMER from here:
    Unzip it and start GMER.exe
    Click the rootkit-tab and click scan.

    Once done, click the Copy button.
    This will copy the results to clipboard.
    Paste the results in your next reply.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  2. #32
    Member
    Join Date
    May 2008
    Posts
    67

    Hi!

    Got this warning message while running through winzip during scan:
    GMER has found root system modifications caused by rootkit activity

    -------------------------------------------------------------------


    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-06-01 11:34:09
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.14 ----

    SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateKey [0xF0A8D7A6]
    SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xF0A8A794]
    SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0xF0A8AF1E]
    SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteKey [0xF0A8E1F0]
    SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteValueKey [0xF0A8E42A]
    SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwRenameKey [0xF0A8F12A]
    SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwSetValueKey [0xF0A8E83C]
    SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0xF0A89D0A]
    SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xF0A89384]

    ---- Kernel code sections - GMER 1.0.14 ----

    PAGE CLASSPNP.SYS!ClassInitialize + F4 F75024B2 4 Bytes [ B4, 8F, 6B, 86 ]
    PAGE CLASSPNP.SYS!ClassInitialize + FF F75024BD 4 Bytes [ 3A, 4F, 6B, 86 ]
    PAGE CLASSPNP.SYS!ClassInitialize + 10A F75024C8 4 Bytes [ C6, 8F, 6B, 86 ]
    PAGE CLASSPNP.SYS!ClassInitialize + 111 F75024CF 4 Bytes [ BA, 8F, 6B, 86 ]
    PAGE CLASSPNP.SYS!ClassInitialize + 118 F75024D6 4 Bytes [ C0, 8F, 6B, 86 ]
    PAGE ...
    ? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.14 ----

    .text C:\WINDOWS\system32\RUNDLL32.EXE[112] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 3A, 84 ]
    .text C:\WINDOWS\system32\RUNDLL32.EXE[112] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\WINDOWS\system32\RUNDLL32.EXE[112] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\RUNDLL32.EXE[112] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\PROGRA~1\WinZip\winzip32.exe[364] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 1A, 84 ]
    .text C:\PROGRA~1\WinZip\winzip32.exe[364] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\PROGRA~1\WinZip\winzip32.exe[364] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\PROGRA~1\WinZip\winzip32.exe[364] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Citrix\GoToMyPC\g2pre.exe[556] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, BD, 83 ]
    .text C:\Program Files\Citrix\GoToMyPC\g2pre.exe[556] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Citrix\GoToMyPC\g2pre.exe[556] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[624] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 6D, 84 ]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[624] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[624] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\csrss.exe[664] KERNEL32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, D8, 84 ]
    .text C:\WINDOWS\system32\csrss.exe[664] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\csrss.exe[664] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\winlogon.exe[688] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, AE, 84 ]
    .text C:\WINDOWS\system32\winlogon.exe[688] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\winlogon.exe[688] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\services.exe[740] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 63, 84 ]
    .text C:\WINDOWS\system32\services.exe[740] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\services.exe[740] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 7C, 84 ]
    .text C:\WINDOWS\system32\lsass.exe[752] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\lsass.exe[752] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 48, 84 ]
    .text C:\WINDOWS\system32\svchost.exe[912] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\svchost.exe[912] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 59, 84 ]
    .text C:\WINDOWS\system32\svchost.exe[972] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\svchost.exe[972] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1016] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ 43, A1, C3, 83 ]
    .text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 6C, 85 ]
    .text C:\WINDOWS\System32\svchost.exe[1068] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\System32\svchost.exe[1068] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Citrix\GoToMyPC\g2tray.exe[1116] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 6B, 86 ]
    .text C:\Program Files\Citrix\GoToMyPC\g2tray.exe[1116] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Citrix\GoToMyPC\g2tray.exe[1116] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 24, 84 ]
    .text C:\WINDOWS\system32\svchost.exe[1132] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\svchost.exe[1132] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 45, 84 ]
    .text C:\WINDOWS\system32\svchost.exe[1252] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\svchost.exe[1252] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text c:\program files\oem\msaspgh\msaspghost.exe[1500] KERNEL32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 50, 87 ]
    .text c:\program files\oem\msaspgh\msaspghost.exe[1500] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text c:\program files\oem\msaspgh\msaspghost.exe[1500] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\ehome\ehtray.exe[1516] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, BD, 83 ]
    .text C:\WINDOWS\ehome\ehtray.exe[1516] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\WINDOWS\ehome\ehtray.exe[1516] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\ehome\ehtray.exe[1516] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1568] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 74, 84 ]
    .text C:\WINDOWS\system32\spoolsv.exe[1568] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1568] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Norton antivirus\vptray.exe[1632] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 0B, 84 ]
    .text C:\Program Files\Norton antivirus\vptray.exe[1632] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\Program Files\Norton antivirus\vptray.exe[1632] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Norton antivirus\vptray.exe[1632] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\eHome\ehmsas.exe[1644] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, BA, 83 ]
    .text C:\WINDOWS\eHome\ehmsas.exe[1644] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\WINDOWS\eHome\ehmsas.exe[1644] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\eHome\ehmsas.exe[1644] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe[1652] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 1B, 84 ]
    .text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe[1652] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe[1652] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe[1652] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Norton antivirus\rtvscan.exe[1688] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 55, 89 ]
    .text C:\Program Files\Norton antivirus\rtvscan.exe[1688] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Norton antivirus\rtvscan.exe[1688] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\Explorer.EXE[1724] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, B3, 84 ]
    .text C:\WINDOWS\Explorer.EXE[1724] ADVAPI32.dll!CryptDestroyKey 77DEA544 7 Bytes JMP 00EA2C2D
    .text C:\WINDOWS\Explorer.EXE[1724] ADVAPI32.dll!CryptDecrypt 77DEA7B1 7 Bytes JMP 00EA2BEA
    .text C:\WINDOWS\Explorer.EXE[1724] ADVAPI32.dll!CryptEncrypt 77DF1558 7 Bytes JMP 00EA2BAE
    .text C:\WINDOWS\Explorer.EXE[1724] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\Explorer.EXE[1724] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\Explorer.EXE[1724] WS2_32.dll!send 71AB428A 5 Bytes JMP 00EA2A1F
    .text C:\WINDOWS\Explorer.EXE[1724] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00EA2B11
    .text C:\WINDOWS\Explorer.EXE[1724] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00EA2A57
    .text C:\WINDOWS\Explorer.EXE[1724] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00EA2A8F
    .text C:\WINDOWS\Explorer.EXE[1724] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00EA2B93
    .text C:\WINDOWS\system32\nvsvc32.exe[1744] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, F3, 83 ]
    .text C:\WINDOWS\system32\nvsvc32.exe[1744] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[1744] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Norton antivirus\defwatch.exe[1808] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 52, 84 ]
    .text C:\Program Files\Norton antivirus\defwatch.exe[1808] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Norton antivirus\defwatch.exe[1808] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\eHome\ehRecvr.exe[1828] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 67, 84 ]
    .text C:\WINDOWS\eHome\ehRecvr.exe[1828] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\eHome\ehRecvr.exe[1828] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\eHome\ehSched.exe[1852] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 19, 84 ]
    .text C:\WINDOWS\eHome\ehSched.exe[1852] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\eHome\ehSched.exe[1852] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\DOCUME~1\Dan\LOCALS~1\Temp\gmer.exe[1900] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, B9, 83 ]
    .text C:\DOCUME~1\Dan\LOCALS~1\Temp\gmer.exe[1900] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\DOCUME~1\Dan\LOCALS~1\Temp\gmer.exe[1900] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\DOCUME~1\Dan\LOCALS~1\Temp\gmer.exe[1900] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Citrix\GoToMyPC\g2svc.exe[1912] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, BE, 83 ]
    .text C:\Program Files\Citrix\GoToMyPC\g2svc.exe[1912] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Citrix\GoToMyPC\g2svc.exe[1912] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Citrix\GoToMyPC\g2comm.exe[2008] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 6A, 85 ]
    .text C:\Program Files\Citrix\GoToMyPC\g2comm.exe[2008] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Citrix\GoToMyPC\g2comm.exe[2008] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Hot Keyboard Pro1\HotKeyb.exe[2080] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 64, 84 ]
    .text C:\Program Files\Hot Keyboard Pro1\HotKeyb.exe[2080] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\Program Files\Hot Keyboard Pro1\HotKeyb.exe[2080] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Hot Keyboard Pro1\HotKeyb.exe[2080] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2092] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 6F, 84 ]
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2092] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2092] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2092] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Spyware Doctor\pctsTray.exe[2400] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 2F, 87 ]
    .text C:\Program Files\Spyware Doctor\pctsTray.exe[2400] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ 57, 9E, C3, 83 ]
    .text C:\Program Files\Spyware Doctor\pctsTray.exe[2400] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Spyware Doctor\pctsTray.exe[2400] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\CoCreate\OSDM_Server_2006\SDserver.exe[2408] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 36, 84 ]
    .text C:\Program Files\CoCreate\OSDM_Server_2006\SDserver.exe[2408] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\CoCreate\OSDM_Server_2006\SDserver.exe[2408] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\svchost.exe[2476] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 53, 84 ]
    .text C:\WINDOWS\system32\svchost.exe[2476] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\svchost.exe[2476] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\wdfmgr.exe[2512] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, E4, 83 ]
    .text C:\WINDOWS\system32\wdfmgr.exe[2512] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\wdfmgr.exe[2512] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Messenger\msmsgs.exe[3096] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 3F, 84 ]
    .text C:\Program Files\Messenger\msmsgs.exe[3096] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\Program Files\Messenger\msmsgs.exe[3096] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Messenger\msmsgs.exe[3096] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\dllhost.exe[3264] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 02, 84 ]
    .text C:\WINDOWS\system32\dllhost.exe[3264] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\WINDOWS\system32\dllhost.exe[3264] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\dllhost.exe[3264] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\wscntfy.exe[3456] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 1A, 84 ]
    .text C:\WINDOWS\system32\wscntfy.exe[3456] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\WINDOWS\system32\wscntfy.exe[3456] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\wscntfy.exe[3456] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\MsgSys.EXE[3544] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, AF, 84 ]
    .text C:\WINDOWS\system32\MsgSys.EXE[3544] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\WINDOWS\system32\MsgSys.EXE[3544] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\MsgSys.EXE[3544] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\System32\alg.exe[3600] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, EB, 83 ]
    .text C:\WINDOWS\System32\alg.exe[3600] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\WINDOWS\System32\alg.exe[3600] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\System32\alg.exe[3600] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\ctfmon.exe[3748] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 2B, 84 ]
    .text C:\WINDOWS\system32\ctfmon.exe[3748] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\WINDOWS\system32\ctfmon.exe[3748] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\ctfmon.exe[3748] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A

    ---- Devices - GMER 1.0.14 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

    Device \Driver\Cdrom \Device\CdRom0 866B8FB4
    Device \Driver\Disk \Device\Harddisk0\DR0 866B8FB4
    Device \Driver\Disk \Device\Harddisk1\DR3 866B8FB4
    Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+7 866B8FB4
    Device \Driver\Disk \Device\Harddisk2\DR4 866B8FB4
    Device \Driver\Disk \Device\Harddisk2\DP(1)0-0+8 866B8FB4
    Device \Driver\Disk \Device\Harddisk3\DR5 866B8FB4
    Device \Driver\Disk \Device\Harddisk3\DP(1)0-0+9 866B8FB4
    Device \Driver\Disk \Device\Harddisk4\DP(1)0-0+a 866B8FB4
    Device \Driver\Disk \Device\Harddisk4\DR6 866B8FB4
    Device \Driver\Disk \Device\Harddisk5\DP(1)0-0+c 866B8FB4
    Device \Driver\Disk \Device\Harddisk5\DR11 866B8FB4
    Device \FileSystem\Fastfat \Fat ECCFCC8A
    Device \FileSystem\Fastfat \Fat ECD00958

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Threads - GMER 1.0.14 ----

    Thread 4:1156 866EBCA0
    Thread 4:1160 866D8DA0
    Thread 4:1164 867937C0
    Thread 4:1168 866C4E20
    Thread 4:404 866EBCA0
    Thread 4:416 866D8DA0
    Thread 4:400 867937C0
    Thread 4:468 866C4E20

    ---- Disk sectors - GMER 1.0.14 ----

    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 30: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 31: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; malicious code @ sector 0x1d1c4581 size 0x2c3
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR

    ---- EOF - GMER 1.0.14 ----
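An added triage script for the log above (not code from the thread or from GMER): it parses the `.text` user-mode hook lines and the `Disk sectors` lines, separates hooks that appear in nearly every process (the pattern of one hook DLL loaded system-wide) from hooks unique to a single process, and pulls out the MBR finding; the same "malicious code @ sector ... size ..." pattern also matches the mbr.exe output posted further down. The sample log is a constructed excerpt in the same format and the 80% "system-wide" threshold is an assumed heuristic.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the GMER 1.0.14 log posted above
# (representative lines only; the real log lists every process).
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.14 ----
.text C:\WINDOWS\system32\csrss.exe[664] KERNEL32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, D8, 84 ]
.text C:\WINDOWS\system32\csrss.exe[664] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\csrss.exe[664] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 7C, 84 ]
.text C:\WINDOWS\system32\lsass.exe[752] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\lsass.exe[752] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[1724] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, B3, 84 ]
.text C:\WINDOWS\Explorer.EXE[1724] ADVAPI32.dll!CryptEncrypt 77DF1558 7 Bytes JMP 00EA2BAE
.text C:\WINDOWS\Explorer.EXE[1724] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[1724] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[1724] WS2_32.dll!send 71AB428A 5 Bytes JMP 00EA2A1F
.text C:\WINDOWS\Explorer.EXE[1724] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00EA2A57
---- Disk sectors - GMER 1.0.14 ----
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; malicious code @ sector 0x1d1c4581 size 0x2c3
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"        # process image and PID
    r"(?P<target>\S+!\S+)(?:\s+\+\s+[0-9A-Fa-f]+)?\s+"    # module!export, optional "+ offset"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes\s+(?P<patch>.+)$")  # "JMP dest" or raw bytes
DISK_RE = re.compile(r"^Disk\s+(?P<dev>\S+)\s+sector\s+(?P<sec>\d+):\s*(?P<note>.*)$")
MAL_RE = re.compile(r"malicious code @ sector (0x[0-9A-Fa-f]+) size (0x[0-9A-Fa-f]+)")

def parse_hooks(log):
    """One dict per '.text' user-mode hook line in a GMER log."""
    hooks = []
    for line in log.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        module, func = m.group("target").split("!", 1)
        jmp = re.match(r"JMP\s+([0-9A-Fa-f]+)", m.group("patch"))
        hooks.append({
            "process": f"{m.group('proc')}[{m.group('pid')}]",
            "target": f"{module.lower()}!{func}",   # module name case varies between lines
            "dest": jmp.group(1) if jmp else None,  # None for an inline byte patch
        })
    return hooks

def triage_hooks(hooks, threshold=0.8):
    """System-wide hooks (seen in >= threshold of hooked processes, usually one hook DLL loaded everywhere) vs. the rest."""
    processes = {h["process"] for h in hooks}
    by_target = defaultdict(list)
    for h in hooks:
        by_target[h["target"]].append(h)
    systemwide, outliers = {}, defaultdict(list)
    for target, hs in by_target.items():
        procs = {h["process"] for h in hs}
        if len(procs) >= threshold * len(processes):
            systemwide[target] = {"processes": len(procs),
                                  "destinations": sorted({h["dest"] for h in hs if h["dest"]})}
    for h in hooks:
        if h["target"] not in systemwide:
            outliers[h["process"]].append(h)
    return systemwide, dict(outliers)

def parse_disk_findings(log):
    """Pull the MBR verdict, payload location and MBR-copy sector out of 'Disk' lines."""
    f = {"device": None, "rootkit_detected": False, "malicious_sector": None,
         "malicious_size": None, "mbr_copy_sector": None}
    for line in log.splitlines():
        m = DISK_RE.match(line.strip())
        if not m:
            continue
        f["device"], sector, note = m.group("dev"), int(m.group("sec")), m.group("note")
        f["rootkit_detected"] |= "MBR rootkit code detected" in note
        if "copy of MBR" in note:
            f["mbr_copy_sector"] = sector
        mm = MAL_RE.search(note)
        if mm:
            f["malicious_sector"], f["malicious_size"] = int(mm.group(1), 16), int(mm.group(2), 16)
    return f

def report(log):
    """Short text summary of what to look at first; returned rather than printed."""
    systemwide, outliers = triage_hooks(parse_hooks(log))
    disk = parse_disk_findings(log)
    out = [f"system-wide hook {t} in {v['processes']} processes -> {v['destinations']}"
           for t, v in systemwide.items()]
    out += [f"outlier hook in {p}: {h['target']} -> JMP {h['dest']}"
            for p, hs in outliers.items() for h in hs]
    if disk["rootkit_detected"]:
        out.append(f"{disk['device']}: MBR rootkit, payload at sector {disk['malicious_sector']:#x} "
                   f"size {disk['malicious_size']:#x}, MBR copy in sector {disk['mbr_copy_sector']}")
    return "\n".join(out)
```

Call `report(SAMPLE_LOG)` for the excerpt, or pass the full pasted log text; the hooks shared by every process all jump to the same address, while the Explorer-only hooks on the crypto and socket exports are the ones to review first.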

  3. #33
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi

    You have an MBR rootkit.

    Download and run this and post back its log afterwards.

  4. #34
    Member
    Join Date
    May 2008
    Posts
    67

    hi!

    Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    MBR rootkit code detected !
    malicious code @ sector 0x1d1c4581 size 0x2c3 !
    copy of MBR has been found in sector 62 !
    MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

  5. #35
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi

    Where did you save that mbr.exe?

    Please tell me full filepath.

  6. #36
    Member
    Join Date
    May 2008
    Posts
    67

    Hello...
    MBR is on my desktop...

    C:\Documents and Settings\Dan\Desktop

  7. #37
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi

    Thanks for the info.

    Go to start - run

    Type cmd and click ok

    Type cd\ and press enter

    Type cd C:\Documents and Settings\Dan\Desktop and press enter

    Type mbr.exe -f and press enter

    And post back the log from mbr.exe, please.

  8. #38
    Member
    Join Date
    May 2008
    Posts
    67

    Good morning!!
    Ran mbr.exe -f

    results:

    Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK

  9. #39
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi

    Looks good

    Please post a fresh HijackThis log next.

  10. #40
    Member
    Join Date
    May 2008
    Posts
    67

    Hello!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:01:36 PM, on 6/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton antivirus\defwatch.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Citrix\GoToMyPC\g2svc.exe
    C:\Program Files\Citrix\GoToMyPC\g2comm.exe
    C:\Program Files\Citrix\GoToMyPC\g2pre.exe
    C:\Program Files\Citrix\GoToMyPC\g2tray.exe
    c:\program files\oem\msaspgh\msaspghost.exe
    C:\Program Files\Norton antivirus\rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\CoCreate\OSDM_Server_2006\SDserver.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Norton antivirus\vptray.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Hot Keyboard Pro1\HotKeyb.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dynotunenitrous.com/store...ts/default.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.dynotunenitrous.com"); (C:\Documents and Settings\DAN\Application Data\Mozilla\Profiles\default\hc20xohv.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DAN\Application Data\Mozilla\Profiles\default\hc20xohv.slt\prefs.js)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton antivirus\vptray.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKCU\..\Run: [Hot Keyboard] C:\Program Files\Hot Keyboard Pro1\HotKeyb.exe -minimized
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: Assign &hot key - C:\Program Files\Hot Keyboard Pro1\IEScript.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Handle with &Hot Keyboard - I:\hot keys\Hot Keyboard Pro\IEScript.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.Ricavision.com
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Norton antivirus\defwatch.exe
    O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MEls - Unknown owner - C:\Program Files\CoCreate\MEls\MEls32.exe
    O23 - Service: MSAS Plugin Host Service (MSASPGHost) - OEM - c:\program files\oem\msaspgh\msaspghost.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Norton antivirus\rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: SDserver2006 - CoCreate Software GmbH - C:\Program Files\CoCreate\OSDM_Server_2006\SDserver.exe

    --
    End of file - 6964 bytes
