TR/TDSS.yuk
Sorry for the urgent call, but I need help with a virus I have. My laptop, a Dell Inspiron 1720, is used as my main tool in my company. It has a lot of confidential data and various programs that make it extremely difficult to set up and fine-tune again. If someone could offer his advice I would be grateful. I took some action on my own, but I can get up to a certain point.
All scans are in numerical order as stated:
01) Avira gives me a TR/TDSS.yuk. It says it has successfully deleted them.
02) Malwarebytes found 3 instances and deleted them on reboot.
Rescanned and nothing found.
Funny, because I thought Avira did that previously.
03) Dr.Web live CD came up with a notification regarding a possible instance of a batch virus in C:\System Volume Information.
Deleted it, just in case; rescanned, nothing found.
I rebooted into Windows and scanned with the following:
04) Spybot came up with Win32.TDSS.reg. 10 instances fixed on reboot.
Rebooted into Windows, connected to the Internet, rescanned, found another 2 instances.
05) Malwarebytes: I scanned again, no instances.
06) SUPERAntiSpyware: no detection.
I have some Perflib_Perfdata files in C:\Windows\temp that I cannot delete.
Please find attached logs from HijackThis, McAfee Stinger, McAfee Rootkit Detective, Malwarebytes Anti-Malware, Spybot.
!!!!!!!! As I'm writing this Avira is giving me TR.Trash.Gen at System Volume Information.
Is there any chance this is a virus that spreads towards USB and different partitions?? I have split my 2 internal hard drives into 12 partitions.
Malwarebytes Log
----------------------
Malwarebytes' Anti-Malware 1.38
Database version: 2357
Windows 5.1.2600 Service Pack 3
7/1/2009 3:51:33 PM
mbam-log-2009-07-01 (15-51-33).txt
Scan type: Quick Scan
Objects scanned: 93834
Time elapsed: 2 minute(s), 46 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\SKYNETbfuiteoo.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETpxurqppx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\SKYNETpfypdvbf.sys (Trojan.Agent) -> Quarantined and deleted successfully.
Spybot Log
-------------
Win32.TDSS.reg: [SBI $DA0335ED] System Service (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNETvhpymttk
Win32.TDSS.reg: [SBI $51D00BF4] System Service (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SKYNETvhpymttk
Common Dialogs: History (6 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
Log: Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log
MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1417001333-1214440339-1801674531-1001\Software\Microsoft\Direct3D\MostRecentApplication\Name
MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name
Windows: [SBI $1E4E2003] Drivers installation paths (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources
Windows Explorer: [SBI $2026AFB6] User Assistant history IE (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1417001333-1214440339-1801674531-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Windows Explorer: [SBI $6107D172] User Assistant history files (32 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1417001333-1214440339-1801674531-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Windows Explorer: [SBI $B7EBA926] Last visited history (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1417001333-1214440339-1801674531-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1417001333-1214440339-1801674531-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Cache: [SBI $49804B54] Cache (6) (Cache, nothing done)
History: [SBI $49804B54] History (11) (History, nothing done)
Cookie: [SBI $49804B54] Cookie (15) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-06-28 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-06-02 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-06-02 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-06-23 Includes\HijackersC.sbi (*)
2009-06-23 Includes\Keyloggers.sbi (*)
2009-06-30 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-06-30 Includes\Malware.sbi (*)
2009-06-30 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-06-30 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-06-02 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-06-02 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti (*)
2009-06-17 Includes\Trojans.sbi (*)
2009-06-30 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
Rootkit Detective has been attached as a file.
I do not know, but it contains huge amounts of Acronis Scheduler entries.
HiJackThis Log:
------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:14:57, on 7/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\[ Internet ]\Online Armor\OAcat.exe
C:\Program Files\[ Internet ]\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\[ Protection ]\Avira\AntiVir Desktop\sched.exe
C:\Program Files\[ Protection ]\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\[ Drivers ]\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\[ Drivers ]\BlueSoleil\BsMobileCS.exe
C:\Program Files\[ Internet ]\Java\bin\jqs.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\[ Drivers ]\BlueSoleil\BsHelpCS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\[ Protection ]\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\[ Protection ]\Acronis\True Image 2009\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\[ Internet ]\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\[ Internet ]\Online Armor\OAhlp.exe
C:\Program Files\[ Media ]\ObjectDock\ObjectDock.exe
C:\Documents and Settings\dMitRiY\Local Settings\Apps\F.lux\flux.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\[ Internet ]\Mozilla\Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\[ Protection ]\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\[ Protection ]\HiJackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\[ Protection ]\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\[ Protection ]\Acronis\True Image 2009\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\[ Internet ]\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [Registry] "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "c:\backreg\rstore.ini"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1417001333-1214440339-1801674531-500\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-1417001333-1214440339-1801674531-500\..\RunOnce: [KeyScrambler] C:\Program Files\[ Internet ]\KeyScrambler\getting_started.html (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\[ Media ]\Babylon\Utils\BabylonIEPI.dll/Translate.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1246204283343
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\[ Protection ]\SUPER Antispyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\[ Protection ]\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\[ Protection ]\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BlueSoleilCS - IVT Corporation - C:\Program Files\[ Drivers ]\BlueSoleil\BlueSoleilCS.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BsHelpCS - IVT Corporation - C:\Program Files\[ Drivers ]\BlueSoleil\BsHelpCS.exe
O23 - Service: BsMobileCS - IVT Corporation - C:\Program Files\[ Drivers ]\BlueSoleil\BsMobileCS.exe
O23 - Service: CCYQJ - Unknown owner - C:\DOCUME~1\dMitRiY\LOCALS~1\Temp\CCYQJ.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\[ Media ]\Folder Size\FolderSizeSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\[ Internet ]\Java\bin\jqs.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\[ Internet ]\Online Armor\OAcat.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\[ Protection ]\Sandboxie\SbieSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\[ Internet ]\Online Armor\oasrv.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 8293 bytes
McAfee Stinger log
-----------------------
McAfee® Stinger Version 10.0.1.546 built on Apr 8 2009
Copyright © 2009 McAfee, Inc. All Rights Reserved.
Virus data file v5000 created on Apr 8 2009.
Ready to scan for 633 viruses, trojans and variants.
Scan initiated on Wed Jul 01 23:31:15 2009
Number of clean files: 455830
GMER Log:
------------
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-01 21:55:35
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwAllocateVirtualMemory [0xB831E790]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwAssignProcessToJobObject [0xB831EDB0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwConnectPort [0xB831D2A0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateFile [0xB832B890]
SSDT \??\C:\WINDOWS\system32\Drivers\regguard.sys (Registry Guard - registry keys protection driver for Windows NT/2000/XP/2003/Vista/Greatis Software) ZwCreateKey [0xBAB49800]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreatePort [0xB831CF50]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateProcess [0xB831A220]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateProcessEx [0xB831A5F0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateSection [0xB8319D40]
SSDT BAEBA634 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDebugActiveProcess [0xB831C230]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDeleteFile [0xB832C320]
SSDT \??\C:\WINDOWS\system32\Drivers\regguard.sys (Registry Guard - registry keys protection driver for Windows NT/2000/XP/2003/Vista/Greatis Software) ZwDeleteKey [0xBAB49A00]
SSDT \??\C:\WINDOWS\system32\Drivers\regguard.sys (Registry Guard - registry keys protection driver for Windows NT/2000/XP/2003/Vista/Greatis Software) ZwDeleteValueKey [0xBAB49BE0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDuplicateObject [0xB831CC70]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateKey [0xB832B830]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateValueKey [0xB832B860]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwLoadDriver [0xB831E260]
SSDT BAEBA652 ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenFile [0xB832BF30]
SSDT \??\C:\WINDOWS\system32\Drivers\regguard.sys (Registry Guard - registry keys protection driver for Windows NT/2000/XP/2003/Vista/Greatis Software) ZwOpenKey [0xBAB49900]
SSDT BAEBA620 ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenSection [0xB8319FB0]
SSDT BAEBA625 ZwOpenThread
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwProtectVirtualMemory [0xB831EA40]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueryKey [0xB832B7D0]
SSDT \??\C:\WINDOWS\system32\Drivers\regguard.sys (Registry Guard - registry keys protection driver for Windows NT/2000/XP/2003/Vista/Greatis Software) ZwQueryValueKey [0xBAB49CC0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueueApcThread [0xB831EF30]
SSDT BAEBA65C ZwReplaceKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwRequestWaitReplyPort [0xB831DE10]
SSDT BAEBA657 ZwRestoreKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwResumeThread [0xB831C920]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSaveKey [0xB832B7B0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSecureConnectPort [0xB831D660]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetContextThread [0xB831C050]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetInformationFile [0xB832C5E0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetSystemInformation [0xB831C3B0]
SSDT \??\C:\WINDOWS\system32\Drivers\regguard.sys (Registry Guard - registry keys protection driver for Windows NT/2000/XP/2003/Vista/Greatis Software) ZwSetValueKey [0xBAB49AF0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwShutdownSystem [0xB831E160]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSuspendProcess [0xB831CAD0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSuspendThread [0xB831C750]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSystemDebugControl [0xB831C590]
SSDT BAEBA62F ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwTerminateThread [0xB831BE30]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwUnloadDriver [0xB831E480]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwWriteVirtualMemory [0xB831EBF0]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504518 12 Bytes [50, CF, 31, B8, 20, A2, 31, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2DE8 80504684 4 Bytes JMP E7E4B831
.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504854 12 Bytes [D0, CA, 31, B8, 50, C7, 31, ...]
? C:\DOCUME~1\dMitRiY\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[520] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\Program Files\[ Internet ]\Online Armor\oaui.exe[760] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 014F0001
.text C:\Program Files\[ Internet ]\Online Armor\oaui.exe[760] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\[ Internet ]\Online Armor\oaui.exe[760] USER32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0B001E
.text C:\Program Files\[ Internet ]\Online Armor\oaui.exe[760] USER32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F05001E
.text C:\WINDOWS\system32\csrss.exe[968] KERNEL32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\winlogon.exe[996] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\services.exe[1044] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\lsass.exe[1056] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\ctfmon.exe[1124] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B40001
.text C:\WINDOWS\system32\ctfmon.exe[1124] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[1124] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[1124] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\ctfmon.exe[1124] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\ctfmon.exe[1124] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\ctfmon.exe[1124] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\ctfmon.exe[1124] WS2_32.dll!socket 71AB4211 6 Bytes JMP 5F040F5A
.text C:\Program Files\[ Protection ]\Spybot - Search & Destroy\SpybotSD.exe[1144] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01600001
.text C:\Program Files\[ Protection ]\Spybot - Search & Destroy\SpybotSD.exe[1144] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\[ Protection ]\Spybot - Search & Destroy\SpybotSD.exe[1144] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\[ Protection ]\Spybot - Search & Destroy\SpybotSD.exe[1144] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 5F160F5A
.text C:\Program Files\[ Protection ]\Spybot - Search & Destroy\SpybotSD.exe[1144] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\[ Protection ]\Spybot - Search & Destroy\SpybotSD.exe[1144] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0339A939 C:\Program Files\[ Protection ]\Spybot - Search & Destroy\Plugins\Chai.dll
.text C:\Program Files\[ Protection ]\Spybot - Search & Destroy\SpybotSD.exe[1144] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F130F5A
.text C:\Program Files\[ Protection ]\Spybot - Search & Destroy\SpybotSD.exe[1144] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F100F5A
.text C:\Program Files\[ Protection ]\Spybot - Search & Destroy\SpybotSD.exe[1144] WS2_32.dll!socket 71AB4211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1424] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1464] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\Program Files\[ Internet ]\Online Armor\OAhlp.exe[1516] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01010001
.text C:\Program Files\[ Internet ]\Online Armor\OAhlp.exe[1516] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\[ Internet ]\Online Armor\OAhlp.exe[1516] USER32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0B001E
.text C:\Program Files\[ Internet ]\Online Armor\OAhlp.exe[1516] USER32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F05001E
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\Documents and Settings\dMitRiY\Local Settings\Apps\F.lux\flux.exe[1568] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F40001
.text C:\Documents and Settings\dMitRiY\Local Settings\Apps\F.lux\flux.exe[1568] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\Documents and Settings\dMitRiY\Local Settings\Apps\F.lux\flux.exe[1568] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\Documents and Settings\dMitRiY\Local Settings\Apps\F.lux\flux.exe[1568] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 5F160F5A
.text C:\Documents and Settings\dMitRiY\Local Settings\Apps\F.lux\flux.exe[1568] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Documents and Settings\dMitRiY\Local Settings\Apps\F.lux\flux.exe[1568] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F130F5A
.text C:\Documents and Settings\dMitRiY\Local Settings\Apps\F.lux\flux.exe[1568] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F100F5A
.text C:\Documents and Settings\dMitRiY\Local Settings\Apps\F.lux\flux.exe[1568] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F250F5A
.text C:\Documents and Settings\dMitRiY\Local Settings\Apps\F.lux\flux.exe[1568] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F190F5A
.text C:\Documents and Settings\dMitRiY\Local Settings\Apps\F.lux\flux.exe[1568] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F280F5A
.text C:\Documents and Settings\dMitRiY\Local Settings\Apps\F.lux\flux.exe[1568] WS2_32.dll!socket 71AB4211 6 Bytes JMP 5F040F5A
.text C:\Documents and Settings\dMitRiY\Local Settings\Apps\F.lux\flux.exe[1568] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F1C0F5A
.text C:\Documents and Settings\dMitRiY\Local Settings\Apps\F.lux\flux.exe[1568] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F220F5A
.text C:\Documents and Settings\dMitRiY\Local Settings\Apps\F.lux\flux.exe[1568] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F340F5A
.text C:\Documents and Settings\dMitRiY\Local Settings\Apps\F.lux\flux.exe[1568] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F300F5A
.text C:\Documents and Settings\dMitRiY\Local Settings\Apps\F.lux\flux.exe[1568] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F370F5A
.text C:\Documents and Settings\dMitRiY\Local Settings\Apps\F.lux\flux.exe[1568] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F2B0F5A
.text C:\Program Files\[ Drivers ]\BlueSoleil\BlueSoleilCS.exe[1640] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\[ Internet ]\Online Armor\OAcat.exe[1704] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\Program Files\[ Internet ]\Online Armor\oasrv.exe[1728] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B70001
.text C:\Program Files\[ Internet ]\Online Armor\oasrv.exe[1728] user32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0B001E
.text C:\Program Files\[ Internet ]\Online Armor\oasrv.exe[1728] user32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F05001E
.text C:\Program Files\[ Drivers ]\BlueSoleil\BsMobileCS.exe[1752] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\spoolsv.exe[1964] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\Program Files\[ Protection ]\Avira\AntiVir Desktop\avguard.exe[2012] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\Program Files\[ Internet ]\Java\bin\jqs.exe[2064] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\oodag.exe[2152] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text ...
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[2396] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B80001
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[2396] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[2396] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[2396] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 5F160F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[2396] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[2396] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F130F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[2396] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F100F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[2396] WS2_32.dll!socket 71AB4211 6 Bytes JMP 5F040F5A
.text C:\Program Files\[ Protection ]\[ Strings ]\[ Rootkit ]\Gmer\fqj9qzne.exe[2420] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BE0001
.text C:\Program Files\[ Protection ]\[ Strings ]\[ Rootkit ]\Gmer\fqj9qzne.exe[2420] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\[ Protection ]\[ Strings ]\[ Rootkit ]\Gmer\fqj9qzne.exe[2420] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\[ Protection ]\[ Strings ]\[ Rootkit ]\Gmer\fqj9qzne.exe[2420] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 5F160F5A
.text C:\Program Files\[ Protection ]\[ Strings ]\[ Rootkit ]\Gmer\fqj9qzne.exe[2420] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\[ Protection ]\[ Strings ]\[ Rootkit ]\Gmer\fqj9qzne.exe[2420] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F130F5A
.text C:\Program Files\[ Protection ]\[ Strings ]\[ Rootkit ]\Gmer\fqj9qzne.exe[2420] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F100F5A
.text C:\Program Files\[ Protection ]\[ Strings ]\[ Rootkit ]\Gmer\fqj9qzne.exe[2420] WS2_32.dll!socket 71AB4211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[2616] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\[ Drivers ]\BlueSoleil\BsHelpCS.exe[2960] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\[ Protection ]\Avira\AntiVir Desktop\avgnt.exe[3096] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D00001
.text C:\Program Files\[ Protection ]\Avira\AntiVir Desktop\avgnt.exe[3096] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\[ Protection ]\Avira\AntiVir Desktop\avgnt.exe[3096] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\[ Protection ]\Avira\AntiVir Desktop\avgnt.exe[3096] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 5F160F5A
.text C:\Program Files\[ Protection ]\Avira\AntiVir Desktop\avgnt.exe[3096] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\[ Protection ]\Avira\AntiVir Desktop\avgnt.exe[3096] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F130F5A
.text C:\Program Files\[ Protection ]\Avira\AntiVir Desktop\avgnt.exe[3096] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F100F5A
.text C:\Program Files\[ Protection ]\Avira\AntiVir Desktop\avgnt.exe[3096] WS2_32.dll!socket 71AB4211 6 Bytes JMP 5F040F5A
.text C:\Program Files\[ Media ]\ObjectDock\ObjectDock.exe[3136] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01060001
.text C:\Program Files\[ Media ]\ObjectDock\ObjectDock.exe[3136] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\[ Media ]\ObjectDock\ObjectDock.exe[3136] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\[ Media ]\ObjectDock\ObjectDock.exe[3136] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 5F160F5A
.text C:\Program Files\[ Media ]\ObjectDock\ObjectDock.exe[3136] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\[ Media ]\ObjectDock\ObjectDock.exe[3136] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F130F5A
.text C:\Program Files\[ Media ]\ObjectDock\ObjectDock.exe[3136] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F100F5A
.text C:\Program Files\[ Media ]\ObjectDock\ObjectDock.exe[3136] WS2_32.dll!socket 71AB4211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3152] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\[ Protection ]\Acronis\True Image 2009\TimounterMonitor.exe[3168] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C00001
.text C:\Program Files\[ Protection ]\Acronis\True Image 2009\TimounterMonitor.exe[3168] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\[ Protection ]\Acronis\True Image 2009\TimounterMonitor.exe[3168] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\[ Protection ]\Acronis\True Image 2009\TimounterMonitor.exe[3168] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 5F160F5A
.text C:\Program Files\[ Protection ]\Acronis\True Image 2009\TimounterMonitor.exe[3168] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\[ Protection ]\Acronis\True Image 2009\TimounterMonitor.exe[3168] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F130F5A
.text C:\Program Files\[ Protection ]\Acronis\True Image 2009\TimounterMonitor.exe[3168] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F100F5A
.text C:\Program Files\[ Protection ]\Acronis\True Image 2009\TimounterMonitor.exe[3168] WS2_32.dll!socket 71AB4211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[3448] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01060001
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[3448] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[3448] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[3448] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 5F160F5A
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[3448] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[3448] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F130F5A
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[3448] WS2_32.dll!socket 71AB4211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[3448] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\Explorer.EXE[3476] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DD0001
.text C:\WINDOWS\Explorer.EXE[3476] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[3476] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[3476] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\Explorer.EXE[3476] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\Explorer.EXE[3476] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F1F0F5A
.text C:\WINDOWS\Explorer.EXE[3476] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\Explorer.EXE[3476] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F220F5A
.text C:\WINDOWS\Explorer.EXE[3476] WS2_32.dll!socket 71AB4211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[3476] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\Explorer.EXE[3476] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\Explorer.EXE[3476] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\Explorer.EXE[3476] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F2A0F5A
.text C:\WINDOWS\Explorer.EXE[3476] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\Explorer.EXE[3476] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F250F5A
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BAA8B300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BAA8B360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BAA8B610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [BAA8B650] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BAA8B610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BAA8B360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BAA8B300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [BAA8B300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [BAA8B360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [BAA8B650] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [BAA8B610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [BAA8B610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [BAA8B650] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [BAA8B300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [BAA8B360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume12 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume12 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume13 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume13 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume7 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume7 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume8 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume8 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume9 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume9 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\IPMULTICAST OAmon.sys (TDI Helper Driver/Tall Emu)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume10 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume10 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume11 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume11 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETvhpymttk\main
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETvhpymttk\main@aid 10093
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETvhpymttk\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETvhpymttk\main@cmddelay 7200
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETvhpymttk\main\connections
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETvhpymttk\main\delete
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETvhpymttk\main\injector
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETvhpymttk\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETvhpymttk\main\tasks
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETvhpymttk\main.REN
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETvhpymttk\main.REN.REN
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETvhpymttk\modules
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETvhpymttk\modules@SKYNETrk.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETvhpymttk\modules@SKYNETcmd.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETvhpymttk\modules@SKYNETlog.dat \systemroot\system32\SKYNETonpypqfq.dat
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETvhpymttk\modules@SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETvhpymttk\modules@SKYNET.dat \systemroot\system32\SKYNETwqeaxyra.dat
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETvhpymttk\modules.REN
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETvhpymttk\modules.REN.REN
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvhpymttk\main
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvhpymttk\main@aid 10093
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvhpymttk\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvhpymttk\main@cmddelay 7200
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvhpymttk\main\connections
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvhpymttk\main\delete
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvhpymttk\main\injector
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvhpymttk\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvhpymttk\main\tasks
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvhpymttk\main.REN
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvhpymttk\main.REN.REN
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvhpymttk\modules
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvhpymttk\modules@SKYNETrk.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvhpymttk\modules@SKYNETcmd.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvhpymttk\modules@SKYNETlog.dat \systemroot\system32\SKYNETonpypqfq.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvhpymttk\modules@SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvhpymttk\modules@SKYNET.dat \systemroot\system32\SKYNETwqeaxyra.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvhpymttk\modules.REN
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvhpymttk\modules.REN.REN
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\68AB67CA3301004F7706000000000040\Usage@AcrobatElements 987824731
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
---- EOF - GMER 1.0.15 ----
Again, guys, thank you so much for the help. Really appreciate it!!
PS: I have various AV boot CDs: Dr.Web, Avira, Kaspersky, Gdata, VBA32. Would any of these help in my situation?
Attached File(s): Rootkit_Revealer.txt (226.79K)