
Thread: Internet explorer re-direct using paypal

  1. #41
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi

    Log looks fine.

    Still popups?
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  2. #42
    Member
    Join Date
    May 2008
    Posts
    67

    Yes, it does :(

  3. #43
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi

    Re-run gmer.

    Post gmer log.

  4. #44
    Member
    Join Date
    May 2008
    Posts
    67

    here ya go!

    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-06-02 13:40:32
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.14 ----

    SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateKey [0xF0A8D7A6]
    SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xF0A8A794]
    SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0xF0A8AF1E]
    SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteKey [0xF0A8E1F0]
    SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteValueKey [0xF0A8E42A]
    SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwRenameKey [0xF0A8F12A]
    SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwSetValueKey [0xF0A8E83C]
    SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0xF0A89D0A]
    SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xF0A89384]

    ---- Kernel code sections - GMER 1.0.14 ----

    PAGE CLASSPNP.SYS!ClassInitialize + F4 F75024B2 4 Bytes [ B4, 8F, 6B, 86 ]
    PAGE CLASSPNP.SYS!ClassInitialize + FF F75024BD 4 Bytes [ 3A, 4F, 6B, 86 ]
    PAGE CLASSPNP.SYS!ClassInitialize + 10A F75024C8 4 Bytes [ C6, 8F, 6B, 86 ]
    PAGE CLASSPNP.SYS!ClassInitialize + 111 F75024CF 4 Bytes [ BA, 8F, 6B, 86 ]
    PAGE CLASSPNP.SYS!ClassInitialize + 118 F75024D6 4 Bytes [ C0, 8F, 6B, 86 ]
    PAGE ...
    ? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !
    ? C:\DOCUME~1\Dan\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.14 ----

    .text C:\WINDOWS\system32\RUNDLL32.EXE[112] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 3A, 84 ]
    .text C:\WINDOWS\system32\RUNDLL32.EXE[112] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\WINDOWS\system32\RUNDLL32.EXE[112] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\RUNDLL32.EXE[112] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Documents and Settings\Dan\Desktop\gmer.exe[384] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, B9, 83 ]
    .text C:\Documents and Settings\Dan\Desktop\gmer.exe[384] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\Documents and Settings\Dan\Desktop\gmer.exe[384] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Documents and Settings\Dan\Desktop\gmer.exe[384] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Citrix\GoToMyPC\g2pre.exe[556] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, BD, 83 ]
    .text C:\Program Files\Citrix\GoToMyPC\g2pre.exe[556] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Citrix\GoToMyPC\g2pre.exe[556] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[624] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 6D, 84 ]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[624] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[624] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\csrss.exe[664] KERNEL32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, D8, 84 ]
    .text C:\WINDOWS\system32\csrss.exe[664] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\csrss.exe[664] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\winlogon.exe[688] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, AE, 84 ]
    .text C:\WINDOWS\system32\winlogon.exe[688] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\winlogon.exe[688] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\services.exe[740] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 63, 84 ]
    .text C:\WINDOWS\system32\services.exe[740] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\services.exe[740] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 7C, 84 ]
    .text C:\WINDOWS\system32\lsass.exe[752] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\lsass.exe[752] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 48, 84 ]
    .text C:\WINDOWS\system32\svchost.exe[912] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\svchost.exe[912] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 59, 84 ]
    .text C:\WINDOWS\system32\svchost.exe[972] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\svchost.exe[972] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1016] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ 43, A1, C3, 83 ]
    .text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 6C, 85 ]
    .text C:\WINDOWS\System32\svchost.exe[1068] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\System32\svchost.exe[1068] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Citrix\GoToMyPC\g2tray.exe[1116] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 6B, 86 ]
    .text C:\Program Files\Citrix\GoToMyPC\g2tray.exe[1116] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Citrix\GoToMyPC\g2tray.exe[1116] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 24, 84 ]
    .text C:\WINDOWS\system32\svchost.exe[1132] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\svchost.exe[1132] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 45, 84 ]
    .text C:\WINDOWS\system32\svchost.exe[1252] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\svchost.exe[1252] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text c:\program files\oem\msaspgh\msaspghost.exe[1500] KERNEL32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 50, 87 ]
    .text c:\program files\oem\msaspgh\msaspghost.exe[1500] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text c:\program files\oem\msaspgh\msaspghost.exe[1500] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\ehome\ehtray.exe[1516] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, BD, 83 ]
    .text C:\WINDOWS\ehome\ehtray.exe[1516] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\WINDOWS\ehome\ehtray.exe[1516] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\ehome\ehtray.exe[1516] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1568] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 74, 84 ]
    .text C:\WINDOWS\system32\spoolsv.exe[1568] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1568] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Norton antivirus\vptray.exe[1632] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 0B, 84 ]
    .text C:\Program Files\Norton antivirus\vptray.exe[1632] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\Program Files\Norton antivirus\vptray.exe[1632] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Norton antivirus\vptray.exe[1632] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\eHome\ehmsas.exe[1644] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, BA, 83 ]
    .text C:\WINDOWS\eHome\ehmsas.exe[1644] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\WINDOWS\eHome\ehmsas.exe[1644] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\eHome\ehmsas.exe[1644] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe[1652] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 1B, 84 ]
    .text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe[1652] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe[1652] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe[1652] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Norton antivirus\rtvscan.exe[1688] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 55, 89 ]
    .text C:\Program Files\Norton antivirus\rtvscan.exe[1688] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Norton antivirus\rtvscan.exe[1688] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\Explorer.EXE[1724] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, B3, 84 ]
    .text C:\WINDOWS\Explorer.EXE[1724] ADVAPI32.dll!CryptDestroyKey 77DEA544 7 Bytes JMP 00EA2C2D
    .text C:\WINDOWS\Explorer.EXE[1724] ADVAPI32.dll!CryptDecrypt 77DEA7B1 7 Bytes JMP 00EA2BEA
    .text C:\WINDOWS\Explorer.EXE[1724] ADVAPI32.dll!CryptEncrypt 77DF1558 7 Bytes JMP 00EA2BAE
    .text C:\WINDOWS\Explorer.EXE[1724] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\Explorer.EXE[1724] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\Explorer.EXE[1724] WS2_32.dll!send 71AB428A 5 Bytes JMP 00EA2A1F
    .text C:\WINDOWS\Explorer.EXE[1724] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00EA2B11
    .text C:\WINDOWS\Explorer.EXE[1724] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00EA2A57
    .text C:\WINDOWS\Explorer.EXE[1724] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00EA2A8F
    .text C:\WINDOWS\Explorer.EXE[1724] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00EA2B93
    .text C:\WINDOWS\system32\nvsvc32.exe[1744] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, F3, 83 ]
    .text C:\WINDOWS\system32\nvsvc32.exe[1744] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[1744] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Norton antivirus\defwatch.exe[1808] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 52, 84 ]
    .text C:\Program Files\Norton antivirus\defwatch.exe[1808] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Norton antivirus\defwatch.exe[1808] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\eHome\ehRecvr.exe[1828] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 67, 84 ]
    .text C:\WINDOWS\eHome\ehRecvr.exe[1828] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\eHome\ehRecvr.exe[1828] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\eHome\ehSched.exe[1852] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 19, 84 ]
    .text C:\WINDOWS\eHome\ehSched.exe[1852] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\eHome\ehSched.exe[1852] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Citrix\GoToMyPC\g2svc.exe[1912] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, BE, 83 ]
    .text C:\Program Files\Citrix\GoToMyPC\g2svc.exe[1912] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Citrix\GoToMyPC\g2svc.exe[1912] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Citrix\GoToMyPC\g2comm.exe[2008] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 6A, 85 ]
    .text C:\Program Files\Citrix\GoToMyPC\g2comm.exe[2008] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Citrix\GoToMyPC\g2comm.exe[2008] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Hot Keyboard Pro1\HotKeyb.exe[2080] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 64, 84 ]
    .text C:\Program Files\Hot Keyboard Pro1\HotKeyb.exe[2080] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\Program Files\Hot Keyboard Pro1\HotKeyb.exe[2080] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Hot Keyboard Pro1\HotKeyb.exe[2080] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2092] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 6F, 84 ]
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2092] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2092] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2092] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Spyware Doctor\pctsTray.exe[2400] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 2F, 87 ]
    .text C:\Program Files\Spyware Doctor\pctsTray.exe[2400] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ 57, 9E, C3, 83 ]
    .text C:\Program Files\Spyware Doctor\pctsTray.exe[2400] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Spyware Doctor\pctsTray.exe[2400] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\CoCreate\OSDM_Server_2006\SDserver.exe[2408] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 36, 84 ]
    .text C:\Program Files\CoCreate\OSDM_Server_2006\SDserver.exe[2408] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\CoCreate\OSDM_Server_2006\SDserver.exe[2408] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\svchost.exe[2476] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 53, 84 ]
    .text C:\WINDOWS\system32\svchost.exe[2476] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\svchost.exe[2476] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\wdfmgr.exe[2512] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, E4, 83 ]
    .text C:\WINDOWS\system32\wdfmgr.exe[2512] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\wdfmgr.exe[2512] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Messenger\msmsgs.exe[3096] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 3F, 84 ]
    .text C:\Program Files\Messenger\msmsgs.exe[3096] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\Program Files\Messenger\msmsgs.exe[3096] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Messenger\msmsgs.exe[3096] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\dllhost.exe[3264] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 02, 84 ]
    .text C:\WINDOWS\system32\dllhost.exe[3264] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\WINDOWS\system32\dllhost.exe[3264] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\dllhost.exe[3264] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\wscntfy.exe[3456] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 1A, 84 ]
    .text C:\WINDOWS\system32\wscntfy.exe[3456] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\WINDOWS\system32\wscntfy.exe[3456] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\wscntfy.exe[3456] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\MsgSys.EXE[3544] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, AF, 84 ]
    .text C:\WINDOWS\system32\MsgSys.EXE[3544] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\WINDOWS\system32\MsgSys.EXE[3544] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\MsgSys.EXE[3544] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\System32\alg.exe[3600] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, EB, 83 ]
    .text C:\WINDOWS\System32\alg.exe[3600] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\WINDOWS\System32\alg.exe[3600] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\System32\alg.exe[3600] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\ctfmon.exe[3748] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 2B, 84 ]
    .text C:\WINDOWS\system32\ctfmon.exe[3748] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
    .text C:\WINDOWS\system32\ctfmon.exe[3748] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\ctfmon.exe[3748] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A

    ---- Devices - GMER 1.0.14 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

    Device \Driver\Cdrom \Device\CdRom0 866B8FB4
    Device \Driver\Disk \Device\Harddisk0\DR0 866B8FB4
    Device \Driver\Disk \Device\Harddisk1\DR3 866B8FB4
    Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+7 866B8FB4
    Device \Driver\Disk \Device\Harddisk2\DR4 866B8FB4
    Device \Driver\Disk \Device\Harddisk2\DP(1)0-0+8 866B8FB4
    Device \Driver\Disk \Device\Harddisk3\DR5 866B8FB4
    Device \Driver\Disk \Device\Harddisk3\DP(1)0-0+9 866B8FB4
    Device \Driver\Disk \Device\Harddisk4\DP(1)0-0+a 866B8FB4
    Device \Driver\Disk \Device\Harddisk4\DR6 866B8FB4

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Threads - GMER 1.0.14 ----

    Thread 4:1156 866EBCA0
    Thread 4:1160 866D8DA0
    Thread 4:1164 867937C0
    Thread 4:1168 866C4E20
    Thread 4:2412 866EBCA0
    Thread 4:208 866D8DA0
    Thread 4:492 867937C0
    Thread 4:1396 866C4E20

    ---- Disk sectors - GMER 1.0.14 ----

    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 30: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 31: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;

    ---- EOF - GMER 1.0.14 ----
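    As an added illustration (not code from the thread, and not part of GMER itself), here is a small Python triage script for the GMER log format above: it parses the SSDT, user-code, missing-file and disk-sector lines and flags what the expert picked out of this log, namely the "rootkit-like behavior" sector lines and the JMP hooks that appear in a single process (the WS2_32/ADVAPI32 hooks inside Explorer.EXE), while treating a vendor-named SSDT filter and the hook page shared by every process as expected. The sample lines are a constructed excerpt modelled on the log, not the full log.

```python
import re
from collections import defaultdict

# Constructed excerpt in GMER 1.0.14 log format, modelled on the log above
# (a handful of representative lines, not the full log from the thread).
SAMPLE_LOG = r"""
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateKey [0xF0A8D7A6]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0xF0A89D0A]
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\winlogon.exe[688] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, AE, 84 ]
.text C:\WINDOWS\system32\winlogon.exe[688] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[1724] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[1724] WS2_32.dll!send 71AB428A 5 Bytes JMP 00EA2A1F
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
---- EOF - GMER 1.0.14 ----
"""

SSDT_RE = re.compile(r"^SSDT (\S+) \((.*?)\) (\w+) \[0x[0-9A-F]+\]")
USER_RE = re.compile(r"^\.text (.+?)\[(\d+)\] (\S+?)!(\S+)(?: \+ [0-9A-F]+)? [0-9A-F]+ \d+ Bytes (.*)$")
MISSING_RE = re.compile(r"^\? (\S+) The system cannot find the file specified\.")
SECTOR_RE = re.compile(r"^Disk (\S+) sector (\d+): (.+?);?$")


def parse_gmer(text):
    """Parse the lines of a GMER log into findings keyed by kind."""
    found = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            found["ssdt"].append({"driver": m[1], "vendor": m[2], "func": m[3]})
        elif m := USER_RE.match(line):
            found["user"].append({"proc": m[1], "pid": int(m[2]), "api": f"{m[3]}!{m[4]}", "patch": m[5]})
        elif m := MISSING_RE.match(line):
            found["missing"].append(m[1])
        elif m := SECTOR_RE.match(line):
            found["sector"].append({"device": m[1], "sector": int(m[2]), "note": m[3]})
    return found


def triage(found):
    """Turn parsed findings into (severity, message) pairs for a first-pass review."""
    out = []
    # Disk sector lines: GMER saw a sector whose contents differ depending on how
    # it is read, the signature of an MBR-level rootkit (the thread's case).
    for s in found["sector"]:
        out.append(("HIGH", f"{s['device']} sector {s['sector']}: {s['note']}"))
    # SSDT hooks grouped per driver. A driver with a vendor string (the PCTools
    # filter above) is expected; an unnamed one needs investigation.
    by_drv = defaultdict(list)
    for h in found["ssdt"]:
        by_drv[(h["driver"], h["vendor"])].append(h["func"])
    for (drv, vendor), funcs in by_drv.items():
        out.append(("INFO" if vendor else "MEDIUM",
                    f"SSDT hooks by {drv} ({vendor or 'no vendor'}): {', '.join(funcs)}"))
    # User-mode JMP hooks: a target page shared by many processes is usually one
    # global hook DLL; a page hooked from a single process is the odd one out.
    pids, apis = defaultdict(set), defaultdict(list)
    for h in found["user"]:
        if h["patch"].startswith("JMP "):
            page = int(h["patch"].split()[1], 16) >> 12
            pids[page].add(h["pid"])
            apis[page].append(h["api"])
    for page, ps in pids.items():
        if len(ps) == 1:
            out.append(("MEDIUM", f"JMP into page 0x{page:05X}000 only from pid "
                                  f"{min(ps)}: {', '.join(apis[page])}"))
    for path in found["missing"]:
        out.append(("LOW", f"driver referenced but file is missing: {path}"))
    return out
```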

  5. #45
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi

    Looks like there is still a rootkit.

    Try to re-run mbr.exe -f and post its log, please.

  6. #46
    Member
    Join Date
    May 2008
    Posts
    67

    Hello... this is the latest report.

    Do I need to reboot or clear my cookies/files or anything in IE to see a change?

    Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK

  7. #47
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi

    You can try it but I don't think it will help.

    If you would like to continue with cleaning, I think I will need to ask for help.

  8. #48
    Member
    Join Date
    May 2008
    Posts
    67

    I would greatly love the help... by all means, please talk with your friends!
    I'll check back a bit later.

    Thanks!

  9. #49
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Hi

    OK, I will let you know if someone is able to find a solution.

  10. #50
    Member
    Join Date
    May 2008
    Posts
    67

    I re-booted and all seems fine at this time. It used to come and go before. I re-booted a few times, still working well... It used to seem like it would go away for 4-6 hours and then come back. Almost like it was on a clock... Very weird.

    I'll run another scan...
