
Thread: Apparent infection or trojan detected

  1. #1
    Junior Member jay_j
    Join Date
    Mar 2010
    Posts
    27

    Default Apparent infection or trojan detected

    SYSTEM INFORMATION:
    Dell Precision 340 Workstation
    _______________________________________
    Windows 2000 Professional
    5.00.2195 Service Pack 4
    _______________________________________
    Mozilla FireFox Version: 3.6
    _______________________________________
    Internet Explorer Version: 6.0.2800.1106
    _______________________________________
    ESET NOD32 Antivirus 4.0.467.0
    _______________________________________
    SUPERAntiSpyware
    _______________________________________
    Malwarebytes' Anti-Malware
    _______________________________________
    SpywareBlaster version 4.2
    _______________________________________
    SpyBot version: 1.6.2.46
    __________________________________________________________
    Hi:
    My system appears to be repeatedly infected by either a trojan or malware, as detected by Spybot and/or SpywareBlaster.
    I need easy to follow step by step instructions that a computing novice can safely follow.

    -------------------------------------------------------------------
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:30:44 PM, on 3/5/2010
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\Tall Emu\Online Armor\oasrv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\Program Files\Tall Emu\Online Armor\oacat.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\Tall Emu\Online Armor\oaui.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Tall Emu\Online Armor\oahlp.exe
    C:\Program Files\Siber Systems\AI RoboForm\PasswordGenerator.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1238646850718
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1238646834468
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
    O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

    --
    End of file - 7667 bytes

    -------------------------------------------------------------
    Problem summary:
    a) Within “SpywareBlaster”: something is REPEATEDLY disabling protection for “Mozilla Firefox”. At the time that I made this posting to this forum: “230 items have protection disabled”.

    b) Within “Spybot”: something is REPEATEDLY disabling protection for 39,734 things.
    [Just one example: “Global [Hosts]”: 169 things are unprotected.]
    Please be advised that, until recently, I had been using both of the aforementioned programs for a while without any apparent issues. It appears that the machine has recently become infected.
    Best Regards,
    j
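The HijackThis log in this post is what a helper reads by eye. As an added example from the editor, not code from the thread, from Trend Micro or from any poster, the Python script below parses lines in that format into records and applies the mechanical checks a reviewer would want: targets HijackThis marks as missing (orphaned entries such as the two bdoscandel.exe buttons above), O4 autostarts whose executable is named without a directory and is therefore resolved through the search path, unquoted paths containing spaces, executables outside the system and Program Files trees, and the host each O16 ActiveX control downloads from. The embedded sample copies lines from the posted log; the final O4 updater.exe line is hypothetical and was added only to exercise the out-of-tree check. TRUSTED_ROOTS assumes the C:\WINNT / C:\Program Files layout this log shows, and location alone is only a ranking aid, not a verdict.

```python
"""Structured triage of a HijackThis log.

Parses R0/R1, O2, O3, O4, O9, O16, O20 and O23 lines into records and applies
checks a reviewer would otherwise do by eye: targets reported missing, O4
executables named without a directory (resolved through the search path),
unquoted paths with spaces, executables outside the system/Program Files
trees, and the download host of each O16 ActiveX control.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the HijackThis log posted in this
# thread.  The final O4 line is hypothetical and was added only to exercise
# the out-of-tree check; it does not appear in the posted log.
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe (file missing)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\v\Application Data\updater.exe
"""

LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# First token ending in an executable extension, so an unquoted path that
# contains spaces is kept whole instead of being cut at the first space.
EXE_TOKEN = re.compile(r"(.+?\.(?:exe|dll|com|scr|bat|cmd|ocx))(?:\s|$)", re.I)
# Assumption: the C:\WINNT / C:\Program Files layout this log shows.  Location
# proves nothing on its own (malware drops into these trees too); it only ranks.
TRUSTED_ROOTS = ("c:\\winnt\\", "c:\\program files\\", "c:\\progra~1\\")
FILE_MISSING = "(file missing)"


def extract_target(kind, body):
    """Return the file, DLL or URL an entry points at."""
    if kind.startswith("R"):                       # R0/R1: "key,value = data"
        return body.split(" = ", 1)[1].strip()
    if kind == "O4":                               # "[name] command line"
        cmd = body.split("] ", 1)[1].strip()
        if cmd.startswith('"'):
            return cmd[1:cmd.index('"', 1)]
        m = EXE_TOKEN.match(cmd)
        return m.group(1) if m else cmd
    # O2/O3/O9/O16/O20/O23: the target is the last " - " separated field
    return body.rsplit(" - ", 1)[1].replace(FILE_MISSING, "").strip()


def check(rec):
    """Mechanical checks on one parsed entry; returns a list of flags."""
    flags = []
    target, low = rec["target"], rec["target"].lower()
    if rec["missing"]:
        flags.append("target reported missing (orphaned entry)")
    if rec["kind"] == "O4":
        if "\\" not in target:
            flags.append("unqualified executable name: resolved through the search path")
        elif " " in target and not rec["quoted"]:
            flags.append("unquoted path with spaces")
    if "\\" in target and not low.startswith(TRUSTED_ROOTS):
        flags.append("executable outside system/Program Files trees")
    if rec["kind"] == "O16":
        flags.append("ActiveX download source host: " + urlsplit(target).netloc)
    return flags


def parse_hjt(text):
    """Parse every R*/O* line into a record with its target and flags."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        kind, body = m["kind"], m["body"]
        rec = {
            "kind": kind,
            "missing": FILE_MISSING in body,
            "quoted": kind == "O4" and body.split("] ", 1)[1].strip().startswith('"'),
        }
        rec["target"] = extract_target(kind, body)
        rec["flags"] = check(rec)
        records.append(rec)
    return records


def findings(text):
    """Only the entries that raised at least one flag."""
    return [(r["kind"], r["target"], r["flags"]) for r in parse_hjt(text) if r["flags"]]


if __name__ == "__main__":
    for kind, target, flags in findings(HJT_LOG):
        print(f"{kind:4} {target}\n     " + "; ".join(flags))
```

Run it directly to print the flagged entries. Every other line in the sample parses to an empty flag list, which is what an unremarkable entry should look like; the two bare-name O4 entries and the unquoted TeaTimer path are the ordinary Windows 2000 state of this log, not evidence of compromise, but they are the points a reviewer checks first because they are where a planted file would be picked up.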

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi,

    Your log is a few days old. If you still need help, reply to my post and we can get a closer look for malware. I don't use either of those two apps you mentioned, so I can't speak directly about them.
    How Can I Reduce My Risk?

  3. #3
    Junior Member jay_j
    Join Date
    Mar 2010
    Posts
    27

    Default Thank you +

    Hi shelf life:
    Thank you for replying to my posting.
    I Grrreatly appreciate Your Honesty (in making the following statement) as it's apparently becoming a rare virtue in today's world.
    You wrote:
    I don't use either of those two apps you mentioned, so I can't speak directly about them.
    Therefore, I must admit to being a bit confused or uncertain whether you'll be able to help me.
    I honestly don't know how to proceed.
    Question: Do you think that I'll have better odds of achieving success in this technical matter if I wait for a reply from another expert who's familiar with the two programs that I'm using?
    Best Regards
    J

    PS. I sincerely hope that I didn't accidentally offend you with my query.

  4. #4
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    I wouldn't be able to answer any questions about those two apps directly, that is, if you had specific questions about them. I see you have several anti-malware apps. I assume they are updated and come up clean after a scan?
    We will get one more download for a check. Link and directions:

    Download Gmer to your desktop (a randomly named .exe):

    http://gmer.net/download.php

    Close any running programs.

    Double-click the Gmer icon to start Gmer.
    If you get a message box that says:

    warning!!
    Gmer has found system modification or Rootkit Activity.......

    It will ask you:
    Do you want to fully scan your system?

    --->select NO<---

    In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.

    Now click the Scan button.

    Gmer will scan the computer.
    If you get a rootkit warning window during the scan, click OK.

    When finished, click "Save" to save the log to your desktop.

    Copy/Paste the saved Gmer log in your reply.
    How Can I Reduce My Risk?

  5. #5
    Junior Member jay_j
    Join Date
    Mar 2010
    Posts
    27

    Default Fatal Errors after running GMER + Log

    Hi shelf life:
    I already had GMER on my desktop.
    I had some difficulty and tried running it 3 or 4 times.
    I hope I ran it correctly as I was unable to see your directions after closing the web browser.
    First I pushed the pause button on the cable internet modem.
    Then, I shut down the programs seen running in the lower bottom right hand corner of the desktop - task bar.
    Then I ran GMER.
    Following each of the 3-4 runs of GMER, my computer repeatedly experienced:
    A Fatal System Error. Approximate message: Windows Logon Failed. Then the computer shut down and restarted.
    GMER's approximate message: "Might have been caused by rootkits".

    --------------------------------------------------------------------
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-03-13 00:13:18
    Windows 5.0.2195 Service Pack 4
    Running: 9bp4udkg.exe; Driver: C:\DOCUME~1\v\LOCALS~1\Temp\pfxiipob.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\WINNT\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateKey [0xBEA02810]
    SSDT \??\C:\WINNT\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateValueKey [0xBEA02840]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
    AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

    Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu)
    Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu)

    AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

    Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu)
    Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu)

    ---- Threads - GMER 1.0.15 ----

    Thread System [8:112] 88BA7930

    ---- Services - GMER 1.0.15 ----

    Service C:\WINNT\system32\clipsrv.exe? (*** hidden *** ) [DISABLED] ClipSrv <-- ROOTKIT !!!
    Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) Schedule <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----
    ----------------------------------------------------------------------
    After all of these Fatal Errors........Do you think it's safe to proceed?
    Best Regards,
    J





  6. #6
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    Hi,
    I wouldn't be too concerned about the rootkit activity, with all the problems running Gmer.

    Try running it in safe mode. To reach safe mode you would tap the F8 key during a computer restart. Choose the first option on the list, Safe Mode.

    While you are in safe mode you can do this first, then run Gmer. You might want to copy/paste it into Notepad and save it so you can read it in safe mode:

    -------------------------------------
    Using Explorer (right-click on Start > Explore), drill down to these folders and delete what you can inside the folders:

    C:\Windows\Temp\

    C:\Documents and Settings\-Your Profile-\Local Settings\Temporary Internet Files\ (will dump all your cached internet content including cookies)

    C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

    C:\Documents and Settings\-Any other users Profile-\Local Settings\Temporary Internet Files\

    C:\Documents and Settings\-Any other users Profile-\Local Settings\Temp\

    Go to Start > Run and type: cleanmgr. Windows will scan. When done, check these 3 and press *OK* to remove:

    Temporary Files
    Temporary Internet Files
    Recycle Bin
    -----------------------------------
    If you don't see a folder called Local Settings or any of the others, then try this and look for them again:

    On the Windows desktop, double-click the My Computer icon.
    On the Tools menu, click Folder Options.
    Under the View tab, uncheck Hide file extensions for known file types.
    Uncheck Hide protected operating system files. Then, under the "Hidden files" folder, click Show hidden files and folders.
    If you see a warning message, click Yes.
    Click Apply.
    Click OK.

    Last, while in safe mode, try running Gmer again and save the log.
    Reboot normally and post the Gmer log if it ran OK.
    How Can I Reduce My Risk?

  7. #7
    Junior Member jay_j
    Join Date
    Mar 2010
    Posts
    27

    Default Fatal Error messages

    Hi shelf life:
    You wrote:
    I wouldn't be too concerned about the rootkit activity, with all the problems running Gmer.
    After reading your comment I'm wondering: do you think that I should run Microsoft's System File Checker prior to proceeding?
    Regards.
    J

  8. #8
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    You can proceed as is with Gmer. You can also run SFC if you want.
    Have you ever reinstalled W2K?
    We can also get another look with RootRepeal. Link and directions:

    Please download: RootRepeal

    http://ad13.geekstogo.com/RootRepeal.exe

    Click the icon on your desktop to start.
    Click on the Report tab at the bottom of the window
    Next, Click on the Scan button
    In the Select Scan Window check everything:

    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services

    Click the OK button
    In the next dialog window select all the drives that are listed
    Click OK to start the scan

    May take some time to complete.
    When done click the Save Report button.
    Save the report to your desktop
    To Exit RootRepeal: click File>Exit
    Post the report in your reply
    How Can I Reduce My Risk?

  9. #9
    Junior Member jay_j
    Join Date
    Mar 2010
    Posts
    27

    Default

    Hi shelf life:
    I ran SFC.

    You asked: Have you ever reinstalled W2K?
    My Answer: Yes, a long time ago.

    You wrote:
    Using Explorer (right-click on Start > Explore), drill down to these folders and delete what you can inside the folders:

    C:\Windows\Temp\

    C:\Documents and Settings\-Your Profile-\Local Settings\Temporary Internet Files\ (will dump all your cached internet content including cookies)

    C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

    C:\Documents and Settings\-Any other users Profile-\Local Settings\Temporary Internet Files\

    C:\Documents and Settings\-Any other users Profile-\Local Settings\Temp\

    Go to Start > Run and type: cleanmgr. Windows will scan. When done, check these 3 and press *OK* to remove:

    Temporary Files
    Temporary Internet Files
    Recycle Bin
    -----------------------------------
    Reminder: I'm using Windows 2000 Professional as my operating system.
    Sadly, the above steps were not productive.


    You wrote:
    If you don't see a folder called Local Settings or any of the others, then try this and look for them again:

    On the Windows desktop, double-click the My Computer icon.
    On the Tools menu, click Folder Options.
    Under the View tab, uncheck Hide file extensions for known file types.
    Uncheck Hide protected operating system files. Then, under the "Hidden files" folder, click Show hidden files and folders.
    If you see a warning message, click Yes.
    Click Apply.
    Click OK.
    Re: "uncheck Hide protected operating system files." Where is it?
    Re: "Hidden files" folder, click Show hidden files and folders."
    Please note: Under the Hidden (Folder):
    There were only two choices as follows:
    a) NOHIDDEN
    b) SHOWALL
    Please note: In place of the "a)" and "b)" there was a circle next to each choice. There was a dot inside of the circle next to "NOHIDDEN".

    ______________________________________________________________
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-03-15 11:48:41
    Windows 5.0.2195 Service Pack 4
    Running: 9bp4udkg.exe; Driver: C:\DOCUME~1\v\LOCALS~1\Temp\pfxiipob.sys


    ---- Devices - GMER 1.0.15 ----

    Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu)
    Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu)

    AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

    Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu)
    Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu)

    ---- Services - GMER 1.0.15 ----

    Service C:\WINNT\system32\clipsrv.exe? (*** hidden *** ) [DISABLED] ClipSrv <-- ROOTKIT !!!
    Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) Schedule <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----
    _____________________________________________________________
    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2010/03/15 12:17
    Program Version: Version 1.3.5.0
    Windows Version: Windows 2000 SP4
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINNT\System32\Drivers\dump_atapi.sys
    Address: 0xBE938000 Size: 90112 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINNT\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF69CC000 Size: 4096 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINNT\system32\drivers\rootrepeal.sys
    Address: 0xF65C0000 Size: 49152 File Visible: No Signed: -
    Status: -

    Hidden/Locked Files
    -------------------
    Path: C:\Documents and Settings\v\Application Data\Mozilla\Firefox\Profiles\jzbmtgoq.default\sessionstore.js
    Status: Could not get file information (Error 0xc0000008)

    Path: D:\Socialization\MySpace_Stuff\NOTIFI~1.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    Status: Visible to the Windows API, but not on disk.

    SSDT
    -------------------
    ServiceTable Hooked [0x80480a60]!

    #: 016 Function Name: NtAllocateVirtualMemory
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f58c0

    #: 018 Function Name: NtAssignProcessToJobObject
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f5ee0

    #: 027 Function Name: NtConnectPort
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f43b0

    #: 032 Function Name: NtCreateFile
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02870

    #: 035 Function Name: NtCreateKey
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea00b90

    #: 040 Function Name: NtCreatePort
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f4060

    #: 041 Function Name: NtCreateProcess
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f14c0

    #: 043 Function Name: NtCreateSection
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f0fe0

    #: 046 Function Name: NtCreateThread
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f2890

    #: 052 Function Name: NtDeleteFile
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea032d0

    #: 053 Function Name: NtDeleteKey
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea01140

    #: 055 Function Name: NtDeleteValueKey
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea01a90

    #: 060 Function Name: NtEnumerateKey
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02810

    #: 061 Function Name: NtEnumerateValueKey
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02840

    #: 086 Function Name: NtLoadKey
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea01ee0

    #: 100 Function Name: NtOpenFile
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02ee0

    #: 103 Function Name: NtOpenKey
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea01380

    #: 106 Function Name: NtOpenProcess
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f22c0

    #: 108 Function Name: NtOpenSection
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f1250

    #: 111 Function Name: NtOpenThread
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f2d50

    #: 119 Function Name: NtProtectVirtualMemory
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f5b70

    #: 139 Function Name: NtQueryKey
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea027b0

    #: 155 Function Name: NtQueryValueKey
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea027e0

    #: 169 Function Name: NtReplaceKey
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02280

    #: 176 Function Name: NtRequestWaitReplyPort
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f4f20

    #: 180 Function Name: NtRestoreKey
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea024e0

    #: 181 Function Name: NtResumeThread
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f3a70

    #: 182 Function Name: NtSaveKey
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02790

    #: 186 Function Name: NtSetContextThread
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f31c0

    #: 194 Function Name: NtSetInformationFile
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea03590

    #: 215 Function Name: NtSetValueKey
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea013a0

    #: 217 Function Name: NtShutdownSystem
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f5290

    #: 221 Function Name: NtSuspendThread
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f38a0

    #: 222 Function Name: NtSystemDebugControl
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f3700

    #: 224 Function Name: NtTerminateProcess
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f2650

    #: 225 Function Name: NtTerminateThread
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f2ff0

    #: 240 Function Name: NtWriteVirtualMemory
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f5d20

    Stealth Objects
    -------------------
    Object: Hidden Code [ETHREAD: 0x88bf6b20]
    Process: System Address: 0x88b9d930 Size: 1744

    Shadow SSDT
    -------------------
    #: 012 Function Name: NtGdiBeginPath
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ef840

    #: 297 Function Name: NtUserAttachThreadInput
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ed5c0

    #: 300 Function Name: NtUserBlockInput
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9eec80

    #: 373 Function Name: NtUserGetAsyncKeyState
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9edea0

    #: 390 Function Name: NtUserGetDC
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ef520

    #: 403 Function Name: NtUserGetKeyboardState
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9edd70

    #: 405 Function Name: NtUserGetKeyState
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9edc40

    #: 423 Function Name: NtUserGetWindowDC
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ef6b0

    #: 444 Function Name: NtUserMessageCall
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9edfd0

    #: 449 Function Name: NtUserMoveWindow
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ef100

    #: 459 Function Name: NtUserPostMessage
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ee3a0

    #: 460 Function Name: NtUserPostThreadMessage
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ee700

    #: 481 Function Name: NtUserSendInput
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9eea50

    #: 490 Function Name: NtUserSetClipboardViewer
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9eedf0

    #: 510 Function Name: NtUserSetParent
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9eef30

    #: 527 Function Name: NtUserSetWindowPos
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ef3f0

    #: 529 Function Name: NtUserSetWindowsHookAW
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ecfb0

    #: 530 Function Name: NtUserSetWindowsHookEx
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ecbf0

    #: 533 Function Name: NtUserSetWinEventHook
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ed210

    #: 536 Function Name: NtUserShowWindow
    Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ef320

    ==EOF==
    Regards,
    j
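Both logs in this post, like the GMER log in post #5, attribute every SSDT and Shadow SSDT hook to OADriver.sys, the Online Armor driver the HijackThis log shows installed, and GMER again flags ClipSrv (ClipBook) and Schedule (Task Scheduler), both stock Windows 2000 services, as hidden. The Python script below is an added example from the editor, not code from the thread, from GMER or from RootRepeal. It parses the hook entries of both formats, groups hooks by the driver that installed them, lists the (syscall, address) pairs both tools report identically, which is the cross-tool corroboration a reviewer wants before trusting either tool's view of the kernel, and downgrades a GMER hidden-service finding to inconclusive when the same GMER log shows the registry-enumeration syscalls (ZwEnumerateKey/ZwEnumerateValueKey) hooked. That last rule rests on an assumption, the editor's understanding of GMER, that its hidden-service verdict comes from comparing its own registry reads against what the API enumerates, so a driver hooking enumeration sits in exactly that path; the second GMER log above shows the same two services flagged with no SSDT section at all, so the rule only withholds a verdict, it does not clear them. The embedded logs are trimmed copies of the posted ones.

```python
"""Cross-check GMER and RootRepeal output.

Parses SSDT/Shadow SSDT hooks from both tools and GMER's "hidden service"
entries, groups hooks by driver, lists the (syscall, address) pairs both tools
agree on, and marks a GMER hidden-service finding inconclusive when the same
log shows the registry-enumeration syscalls hooked (assumption: GMER derives
"hidden" from API-enumerated vs. directly read registry data).
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER and RootRepeal logs posted
# in this thread, trimmed to a few entries each.
GMER_LOG = r"""
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateKey [0xBEA02810]
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateValueKey [0xBEA02840]
Service C:\WINNT\system32\clipsrv.exe? (*** hidden *** ) [DISABLED] ClipSrv <-- ROOTKIT !!!
Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) Schedule <-- ROOTKIT !!!
"""

ROOTREPEAL_LOG = r"""
SSDT
-------------------
ServiceTable Hooked [0x80480a60]!
#: 060 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02810
#: 061 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02840
Shadow SSDT
-------------------
#: 373 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9edea0
"""

GMER_SSDT = re.compile(
    r"^SSDT\s+(?P<path>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
GMER_SERVICE = re.compile(
    r"^Service\s+(?P<path>.+?)\??\s+\(\*\*\* hidden \*\*\* \)\s+"
    r"(?:\[(?P<state>[A-Z]+)\]\s+)?(?P<name>\S+)\s+<-- ROOTKIT")
RR_FUNC = re.compile(r"^#:\s*\d+\s+Function Name:\s+(?P<func>\w+)")
RR_HOOK = re.compile(r'^Status:\s+Hooked by "(?P<path>[^"]+)" at address 0x(?P<addr>[0-9A-Fa-f]+)')
REGISTRY_ENUM = {"NtEnumerateKey", "NtEnumerateValueKey"}


def canonical(func):
    """GMER prints Zw* names and RootRepeal Nt*; both denote the same syscall."""
    return "Nt" + func[2:] if func.startswith(("Zw", "Nt")) else func


def parse_gmer(text):
    """Return (hooks, hidden_services) from a GMER log."""
    hooks, hidden = [], []
    for line in (l.strip() for l in text.splitlines()):
        m = GMER_SSDT.match(line)
        if m:
            hooks.append({"table": "SSDT", "func": canonical(m["func"]),
                          "driver": m["path"].rsplit("\\", 1)[-1].lower(),
                          "addr": int(m["addr"], 16)})
            continue
        m = GMER_SERVICE.match(line)
        if m:   # the "?" GMER appends to the path is stripped, not interpreted
            hidden.append({"name": m["name"], "path": m["path"], "state": m["state"]})
    return hooks, hidden


def parse_rootrepeal(text):
    """Return hooks from the SSDT and Shadow SSDT sections of a RootRepeal report."""
    lines = [l.strip() for l in text.splitlines()]
    hooks, table, func = [], None, None
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("----"):   # section header
            table = line if line in ("SSDT", "Shadow SSDT") else None
            func = None
            continue
        m = RR_FUNC.match(line)
        if m and table:
            func = canonical(m["func"])
            continue
        m = RR_HOOK.match(line)
        if m and table and func:
            hooks.append({"table": table, "func": func,
                          "driver": m["path"].rsplit("\\", 1)[-1].lower(),
                          "addr": int(m["addr"], 16)})
            func = None
    return hooks


def hooks_by_driver(hooks):
    out = defaultdict(set)
    for h in hooks:
        out[h["driver"]].add((h["table"], h["func"]))
    return {d: sorted(funcs) for d, funcs in out.items()}


def corroborated(gmer_hooks, rr_hooks):
    """(syscall, address) pairs that both tools reported identically."""
    seen = lambda hooks: {(h["func"], h["addr"]) for h in hooks}
    return sorted(seen(gmer_hooks) & seen(rr_hooks))


def assess_hidden_services(gmer_hooks, hidden):
    """Withhold a verdict when registry enumeration is hooked in the same log."""
    enum_hookers = sorted({h["driver"] for h in gmer_hooks if h["func"] in REGISTRY_ENUM})
    verdict = ("inconclusive: registry enumeration hooked by " + ", ".join(enum_hookers)
               if enum_hookers else "hidden service: investigate")
    return [dict(svc, verdict=verdict) for svc in hidden]


def triage(gmer_text, rr_text):
    gmer_hooks, hidden = parse_gmer(gmer_text)
    rr_hooks = parse_rootrepeal(rr_text)
    return {"drivers": hooks_by_driver(gmer_hooks + rr_hooks),
            "corroborated": corroborated(gmer_hooks, rr_hooks),
            "hidden_services": assess_hidden_services(gmer_hooks, hidden)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(GMER_LOG, ROOTREPEAL_LOG), indent=2))
```

On the full logs in this post the driver table collapses to a single entry, oadriver.sys, and the corroborated list contains the two enumeration hooks at the addresses both tools printed (0xBEA02810 and 0xBEA02840), which is what agreement between independent tools looks like. A driver absent from the box's known security products, or a hook address only one tool reports, is the case that would deserve the rootkit label.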

  10. #10
    Junior Member jay_j
    Join Date
    Mar 2010
    Posts
    27

    Default PS. I forgot to ask

    Hi:
    There's a new icon that suddenly appeared on my desktop.
    It's name: "settings.dat"
    Do you know what this is and can I safely delete it?
    Regards,
    j
    PPS. How do I edit my posting?
