Apparent infection or trojan detected

jay_j

New member
SYSTEM INFORMATION:
Dell Precision 340 Workstation
_______________________________________
Windows 2000 Professional
5.00.2195 Service Pack 4
_______________________________________
Mozilla FireFox Version: 3.6
_______________________________________
Internet Explorer Version: 6.0.2800.1106
_______________________________________
ESET NOD32 Antivirus 4.0.467.0
_______________________________________
SUPERAntiSpyware
_______________________________________
Malwarebytes' Anti-Malware
_______________________________________
SpywareBlaster version 4.2
_______________________________________
SpyBot version: 1.6.2.46
__________________________________________________________
Hi:
My system appears to be repeatedly infected by either a trojan or malware, as detected by Spybot and/or SpywareBlaster.
I need easy to follow step by step instructions that a computing novice can safely follow.

-------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:30:44 PM, on 3/5/2010
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Siber Systems\AI RoboForm\PasswordGenerator.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238646850718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238646834468
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 7667 bytes

-------------------------------------------------------------
Problem summary:
a) Within “SpywareBlaster”: Something is REPEATEDLY Disabling Protection for “Mozilla Firefox”. At the time that I made this posting to this forum: “230 items have protection disabled”.

b) Within “Spybot”: Something is REPEATEDLY Disabling Protection for 39,734 things.
[Just one example: “Global [Hosts]” 169 things are Unprotected.]
Please be advised that until recently I've been using both of the aforementioned programs for a while without any apparent issues. It appears that the machine has become recently infected.
Best Regards,
j
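The HijackThis log above lists autorun (O4) entries and browser add-ons in a fixed line format. As an added example, not part of this post or of HijackThis itself, the Python below parses a few of those lines (copied into a constructed sample), splits each O4 entry into registry hive, key, display name, executable and arguments, and flags two things a helper checks for by hand: entries whose executable is given as a bare file name rather than a full path (Windows resolves these through the PATH search order, so which file actually runs is ambiguous), and entries whose executable lies outside Program Files or WINNT. It also collects the lines HijackThis marked "(file missing)", which in this log are stale BitDefender Online Scanner buttons. The trusted-directory list is an assumption for this Windows 2000 layout.

```python
import re

# Constructed sample: lines copied from the HijackThis log in the post above,
# chosen so that each pattern the parser handles appears at least once.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
"""

# O4 lines look like:  O4 - HKLM\..\Run: [Name] command line
# The hive part may itself contain a subkey (HKUS\.DEFAULT), hence the
# non-greedy match up to the literal "\..\".
O4_RE = re.compile(r'^O4 - (HK.+?)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')

# Assumption for this Windows 2000 layout: autoruns are expected under these
# two roots; anything else is worth a second look.
TRUSTED_DIRS = ('c:\\program files\\', 'c:\\winnt\\')


def split_command(cmd):
    """Separate an autorun command line into (executable, arguments).

    Quoted paths are taken verbatim; unquoted ones are cut after the first
    .exe/.dll/.cpl/.scr token, which copes with unquoted paths that contain
    spaces such as 'C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe'.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r'(.*?\.(?:exe|dll|cpl|scr))(?:\s+(.*))?$', cmd, re.I | re.S)
    if m:
        return m.group(1), (m.group(2) or '').strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else '')


def parse_o4(text):
    """Return one dict per O4 (Run / RunOnce) entry in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        exe, args = split_command(cmd)
        entries.append({'hive': hive, 'key': key, 'name': name,
                        'exe': exe, 'args': args})
    return entries


def missing_file_lines(text):
    """Lines HijackThis tagged '(file missing)': references to binaries that
    are no longer on disk (stale entries, or something that was removed)."""
    return [l.strip() for l in text.splitlines()
            if l.strip().endswith('(file missing)')]


def flag_autoruns(entries):
    """Return (name, reason) pairs for O4 entries that merit a closer look."""
    findings = []
    for e in entries:
        exe = e['exe'].lower()
        if '\\' not in exe:
            findings.append((e['name'],
                             'bare file name, resolved through the PATH search order'))
        elif not exe.startswith(TRUSTED_DIRS):
            findings.append((e['name'], 'runs from outside Program Files / WINNT'))
    return findings


if __name__ == '__main__':
    autoruns = parse_o4(SAMPLE_LOG)
    for e in autoruns:
        print(f"{e['hive']}\\{e['key']:<8} {e['name']:<22} {e['exe']}  {e['args']}")
    for name, reason in flag_autoruns(autoruns):
        print('CHECK:', name, '-', reason)
    for line in missing_file_lines(SAMPLE_LOG):
        print('STALE:', line)
```

On this sample the only flagged autorun is the Synchronization Manager entry, because `mobsync.exe` is listed without a path; every other entry runs from Program Files or WINNT. A bare name is not itself evidence of infection, but it is the kind of entry that deserves confirmation of which file on disk actually satisfies it.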
 
hi,

Your log is a few days old. If you still need help, reply to my post and we can get a closer look for malware. I don't use either of those two apps you mentioned so can't speak directly about them.
 
Thank you +

Hi shelf life:
Thank you for replying to my posting.
I greatly appreciate your honesty (in making the following statement) as it's apparently becoming a rare virtue in today's world.
You wrote:
I don't use either of those two apps you mentioned so can't speak directly about them.
Therefore, I must admit to being a bit confused or uncertain if you'll be able to help me.
I honestly don't know how to proceed.
Question: Do you think that I'll have better odds of achieving success in this technical matter......If I wait for a reply from another expert who's familiar with the two programs that I'm using?
Best Regards
J

PS. I sincerely hope that I didn't accidentally offend you with my query.
 
I wouldn't be able to answer any questions about those two apps directly, like if you had specific questions about them that is. I see you have several anti-malware apps. I assume they are updated and come up clean after a scan?
We will get one more download for a check. Link and directions:

Download Gmer to your desktop (a randomly named .exe).

http://gmer.net/download.php

close any running programs.

Double-click the Gmer icon to start Gmer:
if you get a message box that says:

warning!!
Gmer has found system modification or Rootkit Activity.......

It will ask you:
Do you want to fully scan your system?

--->select NO<---

In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.

Now click the Scan button.

Gmer will scan the computer.
If you get a Rootkit warning window during the scan: click OK

When finished click "Save" to save log to your desktop

Copy/Paste the saved Gmer log in your reply.
 
Fatal Errors after running GMER + Log

Hi shelf life:
I already had GMER on my desktop.
I had some difficulty and tried running it 3 or 4 times.
I hope I ran it correctly as I was unable to see your directions after closing the web browser.
First I pushed the pause button on the cable internet modem.
Then, I shut down the programs seen running in the lower bottom right hand corner of the desktop - task bar.
Then I ran GMER.
Following each of the 3-4 runs of GMER, my computer repeatedly experienced:
A Fatal System Error - Approximate message: Windows Logon Failed. Then the computer shut down and restarted.
GMER's approximate message: "Might have been caused by rootkits".

--------------------------------------------------------------------
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-13 00:13:18
Windows 5.0.2195 Service Pack 4
Running: 9bp4udkg.exe; Driver: C:\DOCUME~1\v\LOCALS~1\Temp\pfxiipob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINNT\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateKey [0xBEA02810]
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateValueKey [0xBEA02840]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu)

---- Threads - GMER 1.0.15 ----

Thread System [8:112] 88BA7930

---- Services - GMER 1.0.15 ----

Service C:\WINNT\system32\clipsrv.exe? (*** hidden *** ) [DISABLED] ClipSrv <-- ROOTKIT !!!
Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) Schedule <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
----------------------------------------------------------------------
After all of these Fatal Errors........Do you think it's safe to proceed?
Best Regards,
J




 
Hi,
I wouldn't be too concerned about the rootkit activity with all the problems running Gmer.

Try running it in safe mode. To reach safe mode you would tap the F8 key during a computer restart. Choose the first option on the list, Safe Mode.

While you are in safe mode you can do this first then run gmer. you might want to copy/paste it into notepad and save it so you can read it in safe mode:

-------------------------------------
Using Explorer (right-click on Start > Explore), drill down to these folders and delete what you can inside the folders:

C:\Windows\Temp\

C:\Documents and Settings\-Your Profile-\Local Settings\Temporary Internet Files\ (will dump all your cached internet content including cookies)

C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temporary Internet Files\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temp\

Go to Start > Run and type: cleanmgr. Windows will scan. When done, check these 3 and press *OK* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
-----------------------------------
If you don't see a folder called Local Settings or any of the others, then try this and look for them again:

on the Windows desktop, double-click the My Computer icon
on the Tools menu, click Folder Options.
Under the View tab, uncheck Hide file extensions for known file types.
uncheck Hide protected operating system files. Then, under the "Hidden files" folder, click Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply.
Click OK.

Last, while in safe mode, try running Gmer again and save the log.
Reboot normally and post the Gmer log if it ran ok.
 
Fatal Error messages

Hi shelf life:
You wrote:
I wouldn't be too concerned about the rootkit activity with all the problems running Gmer.
After reading your comment I'm wondering.............Do you think that I should run Microsoft's - System File Checker prior to proceeding?
Regards.
J
 
You can proceed as is with Gmer. You can run SFC if you want also.
Have you ever reinstalled W2K?
We can also get another look with RootRepeal. Link and directions:

Please download: RootRepeal

http://ad13.geekstogo.com/RootRepeal.exe

Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply
 
Hi shelf life:
I ran SFC.

You asked: Have you ever reinstalled W2K?
My Answer: Yes, a long time ago.

You wrote:
Using Explorer (right-click on Start > Explore), drill down to these folders and delete what you can inside the folders:

C:\Windows\Temp\

C:\Documents and Settings\-Your Profile-\Local Settings\Temporary Internet Files\ (will dump all your cached internet content including cookies)

C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temporary Internet Files\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temp\

Go to Start > Run and type: cleanmgr. Windows will scan. When done, check these 3 and press *OK* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
-----------------------------------
Reminder: I'm using Windows 2000 Professional as my operating system.
Sadly, the above steps were not productive.


You wrote:
If you don't see a folder called Local Settings or any of the others, then try this and look for them again:

on the Windows desktop, double-click the My Computer icon
on the Tools menu, click Folder Options.
Under the View tab, uncheck Hide file extensions for known file types.
uncheck Hide protected operating system files. Then, under the "Hidden files" folder, click Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply.
Click OK.
Re: "uncheck Hide protected operating system files." Where is it?
Re: "Hidden files" folder, click Show hidden files and folders."
Please note: Under the Hidden (Folder):
There were only two choices as follows:
a) NOHIDDEN
b) SHOWALL
Please note: In place of the "a)" and "b)" there was a circle next to each choice. There was a dot inside of the circle next to "NOHIDDEN".

______________________________________________________________
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-15 11:48:41
Windows 5.0.2195 Service Pack 4
Running: 9bp4udkg.exe; Driver: C:\DOCUME~1\v\LOCALS~1\Temp\pfxiipob.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu)

---- Services - GMER 1.0.15 ----

Service C:\WINNT\system32\clipsrv.exe? (*** hidden *** ) [DISABLED] ClipSrv <-- ROOTKIT !!!
Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) Schedule <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
_____________________________________________________________
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/03/15 12:17
Program Version: Version 1.3.5.0
Windows Version: Windows 2000 SP4
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINNT\System32\Drivers\dump_atapi.sys
Address: 0xBE938000 Size: 90112 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINNT\System32\Drivers\dump_WMILIB.SYS
Address: 0xF69CC000 Size: 4096 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINNT\system32\drivers\rootrepeal.sys
Address: 0xF65C0000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\v\Application Data\Mozilla\Firefox\Profiles\jzbmtgoq.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

Path: D:\Socialization\MySpace_Stuff\NOTIFI~1.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
ServiceTable Hooked [0x80480a60]!

#: 016 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f58c0

#: 018 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f5ee0

#: 027 Function Name: NtConnectPort
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f43b0

#: 032 Function Name: NtCreateFile
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02870

#: 035 Function Name: NtCreateKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea00b90

#: 040 Function Name: NtCreatePort
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f4060

#: 041 Function Name: NtCreateProcess
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f14c0

#: 043 Function Name: NtCreateSection
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f0fe0

#: 046 Function Name: NtCreateThread
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f2890

#: 052 Function Name: NtDeleteFile
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea032d0

#: 053 Function Name: NtDeleteKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea01140

#: 055 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea01a90

#: 060 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02810

#: 061 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02840

#: 086 Function Name: NtLoadKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea01ee0

#: 100 Function Name: NtOpenFile
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02ee0

#: 103 Function Name: NtOpenKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea01380

#: 106 Function Name: NtOpenProcess
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f22c0

#: 108 Function Name: NtOpenSection
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f1250

#: 111 Function Name: NtOpenThread
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f2d50

#: 119 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f5b70

#: 139 Function Name: NtQueryKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea027b0

#: 155 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea027e0

#: 169 Function Name: NtReplaceKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02280

#: 176 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f4f20

#: 180 Function Name: NtRestoreKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea024e0

#: 181 Function Name: NtResumeThread
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f3a70

#: 182 Function Name: NtSaveKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02790

#: 186 Function Name: NtSetContextThread
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f31c0

#: 194 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea03590

#: 215 Function Name: NtSetValueKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea013a0

#: 217 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f5290

#: 221 Function Name: NtSuspendThread
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f38a0

#: 222 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f3700

#: 224 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f2650

#: 225 Function Name: NtTerminateThread
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f2ff0

#: 240 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f5d20

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x88bf6b20]
Process: System Address: 0x88b9d930 Size: 1744

Shadow SSDT
-------------------
#: 012 Function Name: NtGdiBeginPath
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ef840

#: 297 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ed5c0

#: 300 Function Name: NtUserBlockInput
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9eec80

#: 373 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9edea0

#: 390 Function Name: NtUserGetDC
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ef520

#: 403 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9edd70

#: 405 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9edc40

#: 423 Function Name: NtUserGetWindowDC
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ef6b0

#: 444 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9edfd0

#: 449 Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ef100

#: 459 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ee3a0

#: 460 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ee700

#: 481 Function Name: NtUserSendInput
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9eea50

#: 490 Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9eedf0

#: 510 Function Name: NtUserSetParent
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9eef30

#: 527 Function Name: NtUserSetWindowPos
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ef3f0

#: 529 Function Name: NtUserSetWindowsHookAW
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ecfb0

#: 530 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ecbf0

#: 533 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ed210

#: 536 Function Name: NtUserShowWindow
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ef320

==EOF==
Regards,
j
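The GMER and RootRepeal reports above both list SSDT hooks and name the driver responsible for each. As an added example, not part of this post or of either tool, the Python below parses the two formats (a few lines copied into constructed samples, plus one constructed RootRepeal entry attributed to a placeholder module name), joins them on the hooked function so the two independent tools can corroborate each other, and groups the hooks by hooking driver against an allowlist of expected hookers. The allowlist holds only OADriver.sys, which GMER itself labels "OA Helper Driver/Tall Emu", i.e. the Online Armor HIPS that appears in the HijackThis process list; the allowlist and the placeholder module are assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Constructed samples: a few entries copied from the GMER and RootRepeal
# reports in the post above, plus one RootRepeal entry attributed to a
# placeholder module name so the "unknown hooker" path is exercised.
GMER_SAMPLE = r"""
---- System - GMER 1.0.15 ----

SSDT \??\C:\WINNT\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateKey [0xBEA02810]
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateValueKey [0xBEA02840]
"""

ROOTREPEAL_SAMPLE = r"""
SSDT
-------------------
ServiceTable Hooked [0x80480a60]!

#: 060 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02810

#: 061 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02840

#: 240 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f5d20

#: 224 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINNT\system32\drivers\PLACEHOLDER_unknown.sys" at address 0xbe9f2650
"""

# Assumption: modules whose SSDT hooks are expected on this machine. GMER
# labels OADriver.sys "OA Helper Driver/Tall Emu", the Online Armor HIPS.
KNOWN_HOOKERS = {'oadriver.sys': 'Online Armor (Tall Emu)'}

RR_HOOK_RE = re.compile(
    r'#:\s*(\d+)\s+Function Name:\s*(\w+)\s+'
    r'Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
GMER_SSDT_RE = re.compile(
    r'^SSDT\s+(\S+)\s+\(([^)]*)\)\s+(\w+)\s+\[(0x[0-9A-Fa-f]+)\]$')


def _norm(path):
    """Normalise a driver path so both tools' spellings compare equal."""
    return path.replace('\\??\\', '').lower()


def parse_rootrepeal(text):
    """{function: (module_path, address)} from a RootRepeal SSDT section."""
    return {func: (_norm(mod), int(addr, 16))
            for _idx, func, mod, addr in RR_HOOK_RE.findall(text)}


def parse_gmer(text):
    """Same shape as parse_rootrepeal, from GMER 'SSDT' lines. GMER names the
    hooked functions Zw*; they are renamed Nt* so the two reports can be
    joined on the function name."""
    hooks = {}
    for line in text.splitlines():
        m = GMER_SSDT_RE.match(line.strip())
        if not m:
            continue
        path, _desc, func, addr = m.groups()
        if func.startswith('Zw'):
            func = 'Nt' + func[2:]
        hooks[func] = (_norm(path), int(addr, 16))
    return hooks


def corroborate(rr, gmer):
    """Join the two reports on function name. Two independent tools seeing
    the same module at the same address is stronger evidence than either
    alone; a disagreement is itself worth investigating."""
    both = rr.keys() & gmer.keys()
    return {
        'agree': sorted(f for f in both if rr[f] == gmer[f]),
        'disagree': sorted(f for f in both if rr[f] != gmer[f]),
        'rootrepeal_only': sorted(rr.keys() - gmer.keys()),
        'gmer_only': sorted(gmer.keys() - rr.keys()),
    }


def triage(hooks, known):
    """Group hooks by hooking module; split into (known, unknown) modules."""
    by_module = defaultdict(list)
    for func, (mod, addr) in hooks.items():
        by_module[mod].append((func, addr))
    known_mods = {m: v for m, v in by_module.items()
                  if ntpath.basename(m) in known}
    unknown_mods = {m: v for m, v in by_module.items()
                    if ntpath.basename(m) not in known}
    return known_mods, unknown_mods


if __name__ == '__main__':
    rr = parse_rootrepeal(ROOTREPEAL_SAMPLE)
    gm = parse_gmer(GMER_SAMPLE)
    known_mods, unknown_mods = triage(rr, KNOWN_HOOKERS)
    for mod, hooks in known_mods.items():
        print(f'{mod}: {len(hooks)} hooks, product {KNOWN_HOOKERS[ntpath.basename(mod)]}')
    for mod, hooks in unknown_mods.items():
        print(f'UNKNOWN hooker {mod}: ' + ', '.join(f for f, _ in hooks))
    print('corroboration:', corroborate(rr, gm))
```

A HIPS or firewall such as Online Armor hooks dozens of system calls by design, so a long list of hooks from one known security driver is the expected picture on a machine that runs it. The output worth a helper's attention is the remainder: any hooking module that is not on the allowlist, or a function on which the two tools disagree about the module or address.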
 
PS. I forgot to ask

Hi:
There's a new icon that suddenly appeared on my desktop.
It's name: "settings.dat"
Do you know what this is and can I safely delete it?
Regards,
j
PPS. How do I edit my posting?
 
Ok, thanks for all the info. You can delete the .dat file. Once logged in you would use the edit button to edit your post. I don't know if everyone can do this though. Do you see an edit button? The RootRepeal log looks ok.
I haven't used W2K in a while so maybe the file structure is different than what I posted. I reformat/reinstall my OS at least every year and a half or so. It can do wonders for a machine. If it's been years for yours you might consider it.
Back to the problem: checking for malware.
Do updated SUPERAntiSpyware, ESET and Malwarebytes come up clean after a scan?
when you say;
REPEATEDLY Disabling Protection
do you mean the protection is being disabled or turned off when you expect it to be enabled and on?
 
Hi shelf life:
You wrote:
Once logged in you would use the edit button to edit your post. I don't know if everyone can do this though. Do you see an edit button?
It appears that I don't have an edit button. Can you assist me in changing this?
You wrote:
Do updated SUPERAntiSpyware, ESET and Malwarebytes come up clean after a scan?
I updated and ran all of the aforementioned programs to no avail.
Following are a portion of the results:
In the “Immunize” section of “SpyBot Search and Destroy” the following is seen:
Mozilla Firefox (default) (cookies) Unprotected = 193
Mozilla Firefox (default) (Images) Unprotected = 13,136
Mozilla Firefox (default) (Installations) Unprotected = 13,136
Mozilla Firefox (default) (Popups) Unprotected = 13,136
Global (Hosts) Unprotected = 169
After seeing the above results of the “Immunize” scan…I then typically click on “Immunize” and that temporarily fixes the problems.
However, soon thereafter something happens that causes the above problems to re-appear.

In “SpywareBlaster” Protection Status:
The following message is seen: “Some protection is not enabled. For full protection you should Enable All Protection.”
Under the “Mozilla Firefox” section it typically indicates “178” or “240” items have protection disabled.
I then typically click on “Enable All Protection” and that Temporarily appears to solve the problems.
You (and I) wrote:
when you say;
Quote: REPEATEDLY Disabling Protection
do you mean the protection is being disabled or turned off when you expect it to be enabled and on?
Please note: Despite all of my repeated efforts (as outlined above), these problems soon re-appear.
Regards,
j
 
I am not sure if all members can edit their posts or not. I will find out.
It looks like Spybot and SpywareBlaster either are not enabled or lose their real-time protection for some reason. You are using the latest software versions of each?
 
Hi shelf life:
You wrote:
You are using the latest software versions of each?
Yes.
PS. Something appears to be Repeatedly disabling protection as otherwise afforded by “SpyBot - Search and Destroy” and or “SpywareBlaster” programs.
Regards,
j
 
start SpywareBlaster by clicking the icon on the desktop:
click on Updates on the left, then the 'check for updates' button
any new ones will be downloaded.
click the Protection status link
at the bottom under Quick tasks
click enable all protection.
May have to do this after it updates.
See if that helps Spywareblaster anyway
 
Hi shelf life:
I followed your instructions.
Please note: I regularly do the same thing - Without any progress.
Regards,
j
 
hi:

Some info regarding edits:

Can I edit my own posts?

1. In the Spybot-S&D forum and others, there is a 15 minute time frame to edit one's post. It lessens the chance of an answer referring to things the original poster has deleted.
2. In the Malware Removal Forum, members may not edit their posts. A helper may already be analyzing the information given.

Having a hard time finding any malware. Let's try Dr.Web and see if it can dig up anything:

Download Dr.Web CureIt to the desktop:



* Double-click the drweb-cureit icon to start the program.
* press start
* Allow the program to run the initial express scan
* This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
* Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
* Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
* During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
Note:(If the file cannot be cured, Dr.Web will automatically delete the file)
* Once the scan is complete, on the menu bar, click file and choose report list.
* Save the report to your desktop. The report will be called DrWeb.csv
* Note: this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
* Close Dr.Web Cureit.
* Please post the Dr.Web.txt report in your next reply
 
Hi shelf life:
I downloaded and ran (per your instructions) Dr.Web, version: 6.00.1.03150
You wrote:
* Once the scan is complete, on the menu bar, click file and choose report list.
* Save the report to your desktop. The report will be called DrWeb.csv
* Note:this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
Please note: The “save report list” link was grayed out and not available.
Therefore, I was not able to follow the (see above) portion of your directions.
Regards,
j
PS. I found a message on the bottom left of this web page that reads: "You may not edit your posts"....Can you get this changed?
 
No, I can't change the edit options for the malware removal forum.
Did the Dr.Web scan find/remove anything during the scan? Still searching for a malware cause.
 
Hi shelf life:
If I'm not mistaken, I think it may have either removed or Quarantined some of the Host(s). If I decide to....How can I restore them?
You wrote:
Still searching for a malware cause.
I'm a bit confused........Are you asking me a question or are you making a statement?
Regards,
j
 