CastleCops, Internet Crime Fighters
[DONE] Root kit: SVC: NDMONPRONTO
Arc

Guest
IP: 209.167.*.*

PostPosted: Wed Apr 09, 2008 6:25 pm    Post subject: Root kit: SVC: NDMONPRONTO

Hi:

Well upon booting my computer up last night Avast warned me that I had a possible root kit(can't remember the exact wording).

File: SVC: NDMONPRONTO

It asked if I wanted to delete it. I said yes and then an error occurred in processing the request. I also okayed for Avast to reboot and scan my computer before it was fully started. It found nothing.

Then after boot up it brought up the same warning. I tried a few reboots and even ran spybot. Nothing.

I did a search on yahoo for the above file and found nothing.

Any help would be appreciated immensely. Thank you.

Regards,

Arc

negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5394

PostPosted: Thu Apr 10, 2008 1:42 am    Post subject:

That alert seems to indicate you have a hidden service called ndmonpronto, so let's see if that is true.

These directions are based on your OS being XP or Vista. If that is not the case, then do not use Gmer.

Please download ATF Cleaner by Atribune.

This program is for Vista, XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use the Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt, and uncheck cookies.

If you use the Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt, and uncheck cookies.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Please download Gmer version 1.0.14.14105:

http://www2.gmer.net/beta/gmer.exe

Keep all protection programs OFF, including your Avast antivirus, any antispyware programs with an active guard, and any HIPS programs like Process Guard. Disconnect from the internet while performing these scans. After the scans are done, you can re-enable active protection and connect again.

Double-click gmer.exe to run it

Click ">>>" Tab

Click the Files Tab

Check the "Only Hidden" check box on upper left side of Display to see rootkit hidden files.

Click "+" signs and navigate to C:\Windows\System32\Drivers (assuming your primary OS drive is C:\)
Any Hidden Rootkit drivers will be displayed in the right pane in RED.
Maybe a culprit rootkit driver will be listed there if it indeed exists.

Repeat the above for the following directory, to see if any files there are hidden by a rootkit:
C:\Windows\System32\

Again, they will be listed in red.

Next - do a Gmer Autostart Scan

  • Click the "Autostart" Tab
  • Click the Scan button
  • When the autostart scan is finished, click Copy to save the Autostart log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Save the log and post it in your next reply.

Now, perform a Gmer Rootkit/Malware scan by selecting the "Rootkit/Malware" Tab.
  • On the right-side of the Gmer screen, check all the items to be scanned (it should be this way by default.)
  • Select all drives that are connected to your system to be scanned
  • Click the Scan button
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Save the gmer scan log and post it in your next reply.
  • Close Gmer
  • Open a command prompt (Start | run |type cmd and hit Enter)
    • Type or paste the following to unload the gmer driver:
    • net stop gmer
    • Hit Enter
    • Exit the command prompt.
  • Re-enable all active protection that you had disabled to conduct the scans.


Please report back and provide the Gmer scan reports.


_________________
Negster22 - MS MVP - Consumer Security 2006-2008
Arc

Guest
IP: 209.167.*.*

PostPosted: Thu Apr 10, 2008 1:31 pm    Post subject:

Thanks for the reply Negster.

Okay, I'm on Windows 2000. Apologies, I should have put that in my first post. :(

I have Firefox, Opera and IE. I generally only use Firefox. Not sure if that's important or not?
Anything else you need to know before you type out another in-depth reply? Thanks again. :)

Regards,

Arc

negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5394

PostPosted: Thu Apr 10, 2008 3:38 pm    Post subject:

You're in luck, I just checked and GMER runs on Windows NT/W2K/XP/VISTA, so go for it!


_________________
Negster22 - MS MVP - Consumer Security 2006-2008
Arc

Guest
IP: 209.167.*.*

PostPosted: Thu Apr 10, 2008 3:43 pm    Post subject:

Okay cool! I'll let you know. :)

I'm at work at the moment so I'll have to wait until tonight...maybe Friday.

Little afraid to log on to the net at home with this.

Thanks again Neg.

Regards,

Arc

Arc

Guest
IP: 69.157.*.*

PostPosted: Sat Apr 12, 2008 2:15 am    Post subject:

Rarrrhhh!

Long story short if you ever lose your password for avast I don't think NSA could find it!

Can find my registration key all I want...password no!

Anyways, I need the password to shut off avast to run the test.

There is no easy way I can find to find my password like most times when I lose a password. No not that often.

Going to ask on the avast forums.

Big big apologies for taking so long with this. :(

Regards,

Arc

Arc

Guest
IP: 65.92.*.*

PostPosted: Sat Apr 12, 2008 3:50 am    Post subject:

Okay, that was fun. I think I did everything you asked correctly.

Nothing red in: C:\Windows\System32\Drivers\

Or in C:\Windows\System32\

So that's good.

Next post autoscan.

Arc

Guest
IP: 65.92.*.*

PostPosted: Sat Apr 12, 2008 3:52 am    Post subject: Autoscan

GMER 1.0.14.14316 - http://www.gmer.net
Autostart scan 2008-04-11 23:36:14
Windows 5.0.2195 Service Pack 4


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINNT\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
AtiExtEvent@DLLName = Ati2evxx.dll
PCANotify@DLLName = PCANotify.dll
wzcnotif@DLLName = wzcdlg.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aswUpdSv@ = "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
ATI Smart@ = C:\WINNT\system32\ati2sgag.exe
avast! Antivirus@ = "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
Avg7Alrt@ = C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
Avg7UpdSvc@ = C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
AVGEMS@ = C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
BBDemon@ = C:\Program Files\Dassault Systemes\B15\intel_a\code\bin\CATSysDemon.exe -service /*file not found*/
C-DillaSrv@ = C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
F-Prot Antivirus Update Monitor@ = "C:\Program Files\FSI\F-Prot\fpavupdm.exe"
PersFw@ = C:\Program Files\Tiny Personal Firewall\persfw.exe
PPPoEService@ = C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
RemoteRegistry@ = %SystemRoot%\system32\regsvc.exe
Schedule@ = %SystemRoot%\system32\MSTask.exe
StiSvc@ = %systemroot%\system32\stisvc.exe
WinMgmt@ = %SystemRoot%\System32\WBEM\WinMgmt.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CmaudioRunDll32 cmicnfg.cpl,CMICtrlWnd = RunDll32 cmicnfg.cpl,CMICtrlWnd
@NeroCheckC:\WINNT\System32\NeroCheck.exe = C:\WINNT\System32\NeroCheck.exe
@IPInSightLAN 01"C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l = "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
@IPInSightMonitor 01"C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe" = "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
@Synchronization Managermobsync.exe /logon = mobsync.exe /logon
@ATIPTAC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
@avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@msnmsgr"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
@Yahoo! PagerC:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

HKLM\Software\Classes\.hta@ =

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{41E300E0-78B6-11ce-849B-444553540000} /*PlusPack CPL Extension*/plustab.dll = plustab.dll
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/(null) =
@{8BEBB290-52D0-11D0-B7F4-00C04FD706EC} /*Thumbnails*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{EAB841A0-9550-11CF-8C16-00805F1408F3} /*HTML Thumbnail Extractor*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{1AEB1360-5AFC-11D0-B806-00C04FD706EC} /*Office Graphics Filters Thumbnail Extractor*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{9DBD2C50-62AD-11D0-B806-00C04FD706EC} /*Summary Info Thumbnail handler (DOCFILES)*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{500202A0-731E-11D0-B829-00C04FD706EC} /*LNK file thumbnail interface delegator*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{fe1290f0-cfbd-11cf-a330-00aa00c16e65} /*Directory Namespace*/dsfolder.dll = dsfolder.dll
@{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} /*Shell properties for a DS object*/dsfolder.dll = dsfolder.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{5464D816-CF16-4784-B9F3-75C0DB52B499} /*Yahoo! Mail*/C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll = C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll
@{1E2CDF40-419B-11D2-A5A1-002018648BA7} /*AVG Shell Extension*/(null) =
@{6DEA92E9-8682-4b6a-97DE-354772FE5727} /*Autodesk DWF Preview*/C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll = C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll
@{AC1DB655-4F9A-4c39-8AD2-A65324A4C446} /*Autodesk Drawing Preview*/C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll = C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll
@{36A21736-36C2-4C11-8ACB-D4136F2B57BD} /*AutoCAD Digital Signatures Icon Overlay Handler*/C:\WINNT\system32\AcSignIcon.dll = C:\WINNT\system32\AcSignIcon.dll
@{73B24247-042E-4EF5-ADC2-42F62E6FD654} /*ICQ Lite Shell Extension*/C:\Program Files\ICQLite\ICQLiteShell.dll = C:\Program Files\ICQLite\ICQLiteShell.dll
@{1474F601-9B4B-4EB0-81FA-20F753C0E1A4} /*FRISK extension*/C:\Program Files\FSI\F-Prot\shexthk.dll = C:\Program Files\FSI\F-Prot\shexthk.dll
@{E443A8D5-D905-4401-8789-16AE23A8A96D} /*FRISK extension*/C:\Program Files\FSI\F-Prot\shexthk.dll = C:\Program Files\FSI\F-Prot\shexthk.dll
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Program Files\Alwil Software\Avast4\ashShell.dll = C:\Program Files\Alwil Software\Avast4\ashShell.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Web Folders*/ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
ICQLiteMenu@{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
Yahoo! Mail@{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
FRISK@{1474F601-9B4B-4EB0-81FA-20F753C0E1A4} = C:\Program Files\FSI\F-Prot\shexthk.dll
ICQLiteMenu@{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
InventorMenu@{6FDE7A70-351B-11d6-988B-0010B57A8BB7} = C:\Program Files\Autodesk\Inventor 9\Bin\DT.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
@{141D5717-99E7-3392-2378-84655850DA77}C:\WINNT\system32\sdkdt32.dll /*file not found*/ = C:\WINNT\system32\sdkdt32.dll /*file not found*/
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}C:\Program Files\Yahoo!\Common\yiesrvc.dll = C:\Program Files\Yahoo!\Common\yiesrvc.dll
@{65D886A2-7CA7-479B-BB95-14D1EFB7946A}C:\Program Files\Yahoo!\Common\YIeTagBm.dll = C:\Program Files\Yahoo!\Common\YIeTagBm.dll
@{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.spop@Location = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLabout:blank = about:blank
@Start Page =
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.yahoo.com/ = http://www.yahoo.com/
@Local PageC:\WINNT\system32\blank.htm = C:\WINNT\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
its@CLSID = C:\WINNT\System32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINNT\System32\itss.dll
vnd.ms.radio@CLSID = C:\WINNT\System32\msdxm.ocx

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001@LibraryPath = %SystemRoot%\System32\rnr20.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000002@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000003@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000006@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000007@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000008@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000009@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000010@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000011@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000012@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000013@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000014@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000015@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000016@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000017@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000018@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000019@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000020@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000021@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

---- EOF - GMER 1.0.14 ----

Arc

Guest
IP: 65.92.*.*

PostPosted: Sat Apr 12, 2008 3:58 am    Post subject: Rootkit/Malware Scan

GMER 1.0.14.14316 - http://www.gmer.net
Rootkit scan 2008-04-11 23:32:11
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwClose [0xB72371C2] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateDirectoryObject [0xB72370AE] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateFile [0xB7236184] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB7854CB8] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateProcess [0xB7235A36] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateSection [0xB7236B4C] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB785512A] <-- ROOTKIT !!!
SSDT IPVNMon.sys (IPVNMon/Visual Networks) ZwDeviceIoControlFile [0xBFE41B23] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB78548AA] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwOpenFile [0xB72366AA] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB7854D2E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB78547C8] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB785483C] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB7854E42] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB7854E02] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwSetInformationFile [0xB7236ED8] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB7854F84] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwWriteFile [0xB7236E10] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.14 ----

PAGENDSM NDIS.sys!NdisMIndicateStatus BFE7184A 6 Bytes JMP B7AA0AC0 \SystemRoot\System32\Drivers\fwdrv.sys

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\System32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMRegisterMiniport] [BFE416E9] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMSetAttributesEx] [BFE41A5D] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [BFE41A33] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [BFE41979] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [BFE4148A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMRegisterMiniport] [BFE416E9] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMSetAttributesEx] [BFE41A5D] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMSetAttributesEx] [BFE41A5D] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMRegisterMiniport] [BFE416E9] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspti.sys[NDIS.SYS!NdisMRegisterMiniport] [BFE416E9] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspti.sys[NDIS.SYS!NdisMSetAttributesEx] [BFE41A5D] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BFE4148A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BFE41979] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BFE41A33] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NTOSKRNL.EXE!ZwLoadDriver] [B7AA0928] \SystemRoot\System32\Drivers\fwdrv.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B7AA0820] \SystemRoot\System32\Drivers\fwdrv.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B7AA08CB] \SystemRoot\System32\Drivers\fwdrv.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B7AA083B] \SystemRoot\System32\Drivers\fwdrv.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B7AA08CB] \SystemRoot\System32\Drivers\fwdrv.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B7AA0820] \SystemRoot\System32\Drivers\fwdrv.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B7AA083B] \SystemRoot\System32\Drivers\fwdrv.sys
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[ntoskrnl.exe!ZwLoadDriver] [B7AA0928] \SystemRoot\System32\Drivers\fwdrv.sys
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisCloseAdapter] [B7AA0820] \SystemRoot\System32\Drivers\fwdrv.sys
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisOpenAdapter] [B7AA083B] \SystemRoot\System32\Drivers\fwdrv.sys
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisRegisterProtocol] [B7AA08CB] \SystemRoot\System32\Drivers\fwdrv.sys

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs FSTOPW.SYS (F-StopW Version 3.16B/Frisk Software International - www.f-prot.com)
AttachedDevice \FileSystem\Ntfs \Ntfs avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\fwdrv \Device\FWDRV avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat FSTOPW.SYS (F-StopW Version 3.16B/Frisk Software International - www.f-prot.com)
AttachedDevice \FileSystem\Fastfat \Fat avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

---- Services - GMER 1.0.14 ----

Service (*** hidden *** ) NDMONPROTO <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO


I didn't bother posting the file section as nothing looked pertinent there, just gif and bmp files.

Looks like I got something.

Again sorry for the delay. Thanks again.

Regards,

Arc
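A small triage script for a GMER rootkit-scan log of the kind posted above, added here as an illustration; it is not part of the thread and not GMER's own code. It parses the System (SSDT), Services and Registry sections, groups SSDT hooks by the vendor GMER names in the description, sets aside hooks from drivers outside an allow-list for a human look, and ties each hidden service to the registry keys listed for it. The allow-list, the regular expressions and the shortened sample log are constructed assumptions.

```python
import re
from collections import defaultdict

# Vendors whose kernel drivers are expected to hook the SSDT on this machine
# (assumption for illustration; GMER tags every hook "<-- ROOTKIT !!!", so
# this list is what turns a raw hook listing into something reviewable).
KNOWN_SECURITY_VENDORS = {"ALWIL Software"}

# Constructed sample: a shortened copy of the log lines shown in the thread.
SAMPLE_LOG = r"""
GMER 1.0.14.14316 - http://www.gmer.net
Rootkit scan 2008-04-11 23:32:11
Windows 5.0.2195 Service Pack 4

---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwClose [0xB72371C2] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateFile [0xB7236184] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB7854CB8] <-- ROOTKIT !!!
SSDT IPVNMon.sys (IPVNMon/Visual Networks) ZwDeviceIoControlFile [0xBFE41B23] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB78547C8] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.14 ----

PAGENDSM NDIS.sys!NdisMIndicateStatus BFE7184A 6 Bytes JMP B7AA0AC0 \SystemRoot\System32\Drivers\fwdrv.sys

---- Services - GMER 1.0.14 ----

Service (*** hidden *** ) NDMONPROTO <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO

---- EOF - GMER 1.0.14 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
SSDT_RE = re.compile(r"^SSDT\s+(?P<driver>\S+)\s+\((?P<desc>[^)]*)\)\s+"
                     r"(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]")
HIDDEN_SVC_RE = re.compile(r"^Service\s+\(\*\*\* hidden \*\*\*\s*\)\s+(?P<name>\S+)")
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+)")


def parse_gmer_log(text):
    """Pull SSDT hooks, hidden services and registry keys out of a GMER log."""
    hooks, hidden, reg_keys = [], [], set()
    section = None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section = m.group("name")
        elif section == "System" and (m := SSDT_RE.match(line)):
            desc = m.group("desc")
            # GMER prints "<description>/<vendor>"; the vendor is the last field.
            vendor = desc.rsplit("/", 1)[-1].strip()
            hooks.append({"driver": m.group("driver").rsplit("\\", 1)[-1],
                          "vendor": vendor, "func": m.group("func"),
                          "addr": int(m.group("addr"), 16)})
        elif section == "Services" and (m := HIDDEN_SVC_RE.match(line)):
            hidden.append(m.group("name"))
        elif section == "Registry" and (m := REG_RE.match(line)):
            reg_keys.add(m.group("key"))   # the log lists each key twice
    return {"ssdt": hooks, "hidden_services": hidden, "registry": sorted(reg_keys)}


def triage(text):
    """Group SSDT hooks by vendor and tie hidden services to their registry keys."""
    parsed = parse_gmer_log(text)
    by_vendor = defaultdict(list)
    for h in parsed["ssdt"]:
        by_vendor[h["vendor"]].append(h["func"])
    # Hooks from drivers outside the allow-list need a human look; they are
    # not declared malicious, only unexplained until the owner is identified.
    review = [h for h in parsed["ssdt"] if h["vendor"] not in KNOWN_SECURITY_VENDORS]
    services = {}
    for svc in parsed["hidden_services"]:
        suffix = "\\SERVICES\\" + svc.upper()
        services[svc] = [k for k in parsed["registry"] if k.upper().endswith(suffix)]
    return {"hooks_by_vendor": dict(by_vendor), "review_hooks": review,
            "hidden_services": services}


def format_report(result):
    """Render the triage result as the short summary a helper would post back."""
    lines = []
    for vendor, funcs in sorted(result["hooks_by_vendor"].items()):
        tag = "known" if vendor in KNOWN_SECURITY_VENDORS else "REVIEW"
        lines.append(f"[{tag}] {vendor}: {len(funcs)} SSDT hook(s): {', '.join(funcs)}")
    for svc, keys in result["hidden_services"].items():
        lines.append(f"[HIDDEN SERVICE] {svc} backed by {len(keys)} registry key(s)")
        lines.extend("    " + k for k in keys)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```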

Guest
IP: 209.167.*.*

PostPosted: Mon Apr 14, 2008 5:07 pm    Post subject:

Hio, just checking in to see if anyone figured out how to murder whatever is on my computer. Thanks.

Regards,

Arc

PCBruiser

SRT Team Lead
Forums Admin

Joined: May 11, 2005
Posts: 11723

PostPosted: Mon Apr 14, 2008 6:06 pm    Post subject:

Hi,

Negster22 is out of town this week and unavailable. I will help you until negster22 returns. You certainly do have a rootkit. Please join CastleCops, and subscribe to this topic so you will get an email when I respond to it.

First, however, I have some confusion about exactly what firewall and anti-virus you are using.

For anti-virus, I see Avast! plus traces of AVG and F-Protect. For firewall I see Tiny and also Sunbelt Kerio. Can you elaborate on that?

Next, I need you to give me some additional scans, so please follow the following instructions.

1. Please click Here to download HijackThis to your desktop.

Click the Download button. When the Trend Micro HJT install box appears, double click on the HJTInstall.exe. Click on Install.

It will be installed by default here: C:\Program Files\Trend Micro\HijackThis

A shortcut to the application will also be placed on your Desktop.

The program will open automatically after installation.

You can double-click the icon that was placed on the Desktop to run subsequent HijackThis scans or you can use the icon inside the folder. The folder HijackThis is where you will find the HJT logs that you save. When you use the application to remove anything, you will also find the backup copies made by HJT inside this folder.

Click on "Do a system scan and save logfile". When the log pops up in Notepad, click on the Notepad Format menu and uncheck Word Wrap, then copy and paste that file back here.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Before closing HJT, please click on the AnalyzeThis button. That sends purely statistical data to TrendMicro so they can continue to improve HJT. It does not analyze your log, it simply lists what HJT finds, both legitimate software and malware. Do not take any action or try to fix anything based upon that information. Then, close the web page that appears and then close the program HJT.

Please post a "before" HJT log before proceeding to the next steps.

2. Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:


  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).


3. Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.


Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


4. Please post the following:

a. the "before" HJT log
b. report.txt from SDFix
c. combofix.txt
d. a fresh "after" HJT log

Among other things, I want to see what other malware you may have on your system. Please also check your posts and use multiple ones if necessary to make sure all your logs are complete.


_________________
Don't read? Can't learn!
Arc

Guest
IP: 209.167.*.*






PostPosted: Mon Apr 14, 2008 6:50 pm    Post subject:

PCbruiser:

Thanks for the help! Smile

Quote:
For anti-virus, I see Avast! plus traces of AVG and F-Protect. For firewall I see Tiny and also Sunbelt Kerio. Can you elaborate on that.



Okay, I have Avast & AVG; however, I disabled AVG on start-up, so I only have Avast running. I remember that you can't have two anti-viruses running at once? I do, however, scan my computer with both. I believe I've used F-Prot once to kill something. I have Tiny personal firewall. As for Sunbelt Kerio... I thought they had something to do with Tiny; if not... I don't remember. Sad

Does this help?

As for the rest of the stuff you've written out, it may take me a day or two to get to. I'll try tonight, but if I don't have time it will be Wednesday night. Apologies.

I just signed up for CC forum. Haven't received my password yet though.

Any ideas on what this thing is doing?

Thanks again. Smile

Regards,

Arc

PCBruiser

SRT Team Lead
Forums Admin

Joined: May 11, 2005
Posts: 11723

1st Responder Mentors 1st Responders Forums Admin MIRT Moderators Premium Rootkit Experts Security Experts SRT Team CC Committee

PostPosted: Mon Apr 14, 2008 7:36 pm    Post subject:

Hi,

OK, I got the A/V situation. You are correct, you can only have one A/V with real-time protection, but you can have multiple ones to use for on-demand scanning. Your HJT log will tell me more about what is running real-time and what is not.

I'll clean up the firewall situation once I see the other logs. Then I'll have a much better picture of what is going on in your system. As to what the rootkit is doing, that I don't know yet. I am going to try to capture the file and analyze it. That will help tell us what it is doing, and what kind of rootkit it is.

Now, what you should understand is that what we call a rootkit defines how it is working and not what it is doing. Rarely do we find a rootkit in total isolation; there is usually other malware involved with it. To get rid of it entirely, I need to have a clear picture of exactly what other malware there is on your system.

In other words, I could kill the rootkit with GMER, but I need to see what else is going on, and kill that too, because killing the rootkit, but potentially leaving other malware on your system, is a sure route to reinfection.


_________________
Don't read? Can't learn!
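As an added illustration (not PCBruiser's code and not part of any tool named in this thread), here is the kind of cross-view comparison rootkit detectors use to surface a hidden service: the registry's Services keys are compared against what the Service Control Manager reports, and a name present in only one view is a lead to examine. The sample data is constructed; the live collector and its parsing of `sc query` output are assumptions about Windows and are only used when the script runs there.

```python
"""Cross-view check for a hidden Windows service (added example, not from the thread).

A service normally appears in two views: the Service Control Manager (SCM) and
the registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. A rootkit that
hides its service usually filters one view but not both, so a name present in
one and absent from the other is a lead to confirm with a kernel-level tool.
"""
import re
import subprocess

SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"


def cross_view(registry_names, scm_names):
    """Return (registry_only, scm_only) as sorted lists; names compared case-insensitively."""
    reg = {n.lower(): n for n in registry_names}
    scm = {n.lower(): n for n in scm_names}
    registry_only = sorted(reg[k] for k in reg.keys() - scm.keys())
    scm_only = sorted(scm[k] for k in scm.keys() - reg.keys())
    return registry_only, scm_only


def parse_sc_query(output):
    """Pull SERVICE_NAME values out of `sc query type= all state= all` text (assumed format)."""
    return re.findall(r"^SERVICE_NAME:\s*(.+?)\s*$", output, re.MULTILINE)


def collect_live():
    """Windows only: read both views. Caveat: a kernel-mode rootkit that hooks
    registry and SCM APIs alike can hide from both, so treat this user-mode
    check as triage, not a verdict."""
    import winreg  # available only on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as key:
        subkeys = winreg.QueryInfoKey(key)[0]
        registry_names = [winreg.EnumKey(key, i) for i in range(subkeys)]
    out = subprocess.run(["sc", "query", "type=", "all", "state=", "all"],
                         capture_output=True, text=True, check=True).stdout
    return registry_names, parse_sc_query(out)


# Constructed sample: the registry view carries one key the SCM never reports.
SAMPLE_REGISTRY = ["Dhcp", "aswSP", "Tcpip", "ndmonpronto"]
SAMPLE_SC_OUTPUT = """
SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
        TYPE               : 20  WIN32_SHARE_PROCESS

SERVICE_NAME: aswSP
DISPLAY_NAME: avast! self protection

SERVICE_NAME: tcpip
DISPLAY_NAME: TCP/IP Protocol Driver
"""

if __name__ == "__main__":
    hidden, _ = cross_view(SAMPLE_REGISTRY, parse_sc_query(SAMPLE_SC_OUTPUT))
    print("registry-only (possible hidden) services:", hidden)
```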
PCBruiser

SRT Team Lead
Forums Admin

Joined: May 11, 2005
Posts: 11723

1st Responder Mentors 1st Responders Forums Admin MIRT Moderators Premium Rootkit Experts Security Experts SRT Team CC Committee

PostPosted: Mon Apr 14, 2008 7:53 pm    Post subject:

BTW, the history of Tiny and Kerio. It's confusing.

Tiny sold the rights to the original Tiny Firewall to Kerio in 2002. Kerio was subsequently acquired by Sunbelt.

Tiny then went on to develop a new firewall, based on different technology. Tiny was then sold to Computer Associates in 2005.

So, both Sunbelt and CA have firewalls based on Tiny, only it is a different Tiny technology that each is based on. Got it???


_________________
Don't read? Can't learn!
Arc

Guest
IP: 209.167.*.*






PostPosted: Mon Apr 14, 2008 8:43 pm    Post subject:

PC-B:

Ah, it's a viral festival!

As for Tiny, I think I have one of the earlier versions because I hated the new ones. Probably not the smartest move. And thanks for the info on the whole multi-company swap thing.

Any firewall recommendations?

Odd, I still haven't got my password.

Thanks again.

Regards,

Arc
