[Resolved] Need to get rid of Virtumonde and Win32.TDSS.rtk.


139 replies to this topic

#121 Neo

Neo

    Silver Member

  • Guests
  • 374 posts

Posted 22 March 2009 - 11:40 AM

Tom,
ahhhhh, glad I didn't decide to use the clean button, lol. :blush: Ok... I have already made the decision as to what I will be doing (Malware Eradicator) once I start classes here. I know I can't start until my PC's clean, but I have to ask if it is OK with you to briefly explain to me what each of these programs is doing as you give them to me, so that I can better understand them, learning how, why and when to use them, please? This would become a fantastic form of "pre-school" for me that way, and I would feel much more secure in my knowledge as a helper ;)

Here's the gmer log, and when I got into the command prompt and typed in net stop gmer, this is what it said back to me:

C:\Documents and Settings\Compaq_Owner> net stop gmer
System error 1060 has occurred.
The specified service does not exist as an installed service.

(is that normal?)

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-22 12:03:35
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwAllocateVirtualMemory [0xF7201800]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwAssignProcessToJobObject [0xF7201E20]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF71396B8]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwConnectPort [0xF72002F0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateFile [0xF720E7B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF7139574]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreatePort [0xF71FFFA0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateProcess [0xF71FD400]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateProcessEx [0xF71FD7D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateSection [0xF71FCF20]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateThread [0xF71FE7D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDebugActiveProcess [0xF71FF2E0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDeleteFile [0xF720F2C0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDeleteKey [0xF720D080]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF7139A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF713914C]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateKey [0xF720E750]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateValueKey [0xF720E780]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwLoadDriver [0xF72012D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwLoadKey [0xF720DE20]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenFile [0xF720EED0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF713964E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF713908C]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenSection [0xF71FD190]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF71390F0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwProtectVirtualMemory [0xF7201AB0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueryKey [0xF720E6F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF713976E]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueueApcThread [0xF7201FA0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwReplaceKey [0xF720E1C0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwRequestWaitReplyPort [0xF7200E60]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF713972E]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwResumeThread [0xF71FF9B0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSaveKey [0xF720E6D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSecureConnectPort [0xF72006B0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetContextThread [0xF71FF100]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetInformationFile [0xF720F580]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetSystemInformation [0xF71FF460]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF71398AE]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwShutdownSystem [0xF72011D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSuspendProcess [0xF71FFB60]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSuspendThread [0xF71FF7E0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSystemDebugControl [0xF71FF640]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwTerminateProcess [0xF71FE590]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwTerminateThread [0xF71FEF30]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwUnloadDriver [0xF72014F0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwWriteVirtualMemory [0xF7201C60]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504518 12 Bytes [A0, FF, 1F, F7, 00, D4, 1F, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504854 12 Bytes [60, FB, 1F, F7, E0, F7, 1F, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[160] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\Program Files\Tall Emu\Online Armor\oacat.exe[312] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\csrss.exe[344] KERNEL32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\winlogon.exe[368] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\services.exe[412] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 716F003D
.text ...
.text C:\Program Files\Tall Emu\Online Armor\oasrv.exe[960] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B30001
.text C:\Program Files\Tall Emu\Online Armor\oasrv.exe[960] user32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0B001E
.text C:\Program Files\Tall Emu\Online Armor\oasrv.exe[960] user32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F05001E
.text C:\WINDOWS\system32\Ati2evxx.exe[1004] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01520001
.text C:\WINDOWS\system32\Ati2evxx.exe[1004] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1004] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1004] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\Ati2evxx.exe[1004] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1004] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\Explorer.EXE[1060] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 022D0001
.text C:\WINDOWS\Explorer.EXE[1060] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[1060] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[1060] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 716F003D
.text C:\WINDOWS\Explorer.EXE[1060] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[1060] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\spoolsv.exe[1696] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\Program Files\Java\jre6\bin\jqs.exe[2000] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\wscntfy.exe[2220] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B30001
.text C:\WINDOWS\system32\wscntfy.exe[2220] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wscntfy.exe[2220] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscntfy.exe[2220] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\wscntfy.exe[2220] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\wscntfy.exe[2220] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\System32\alg.exe[2468] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2800] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C30001
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2800] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2800] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2800] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2800] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2800] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F100F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[2824] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E80001
.text C:\Program Files\Java\jre6\bin\jusched.exe[2824] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[2824] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[2824] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\Program Files\Java\jre6\bin\jusched.exe[2824] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[2824] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F100F5A
.text C:\Program Files\Tall Emu\Online Armor\oaui.exe[3060] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01540001
.text C:\Program Files\Tall Emu\Online Armor\oaui.exe[3060] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\Program Files\Tall Emu\Online Armor\oaui.exe[3060] USER32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0B001E
.text C:\Program Files\Tall Emu\Online Armor\oaui.exe[3060] USER32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F05001E
.text C:\WINDOWS\system32\ctfmon.exe[3164] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C40001
.text C:\WINDOWS\system32\ctfmon.exe[3164] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[3164] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\ctfmon.exe[3164] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\ctfmon.exe[3164] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[3164] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F100F5A
.text C:\Program Files\Secunia\PSI\psi.exe[3304] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F20001
.text C:\Program Files\Secunia\PSI\psi.exe[3304] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Secunia\PSI\psi.exe[3304] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Secunia\PSI\psi.exe[3304] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\Program Files\Secunia\PSI\psi.exe[3304] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Secunia\PSI\psi.exe[3304] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F100F5A
.text C:\Program Files\Tall Emu\Online Armor\oahlp.exe[3376] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01030001
.text C:\Program Files\Tall Emu\Online Armor\oahlp.exe[3376] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\Program Files\Tall Emu\Online Armor\oahlp.exe[3376] USER32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0B001E
.text C:\Program Files\Tall Emu\Online Armor\oahlp.exe[3376] USER32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F05001E
.text C:\WINDOWS\ALCXMNTR.EXE[3784] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00960001
.text C:\WINDOWS\ALCXMNTR.EXE[3784] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\ALCXMNTR.EXE[3784] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\ALCXMNTR.EXE[3784] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\WINDOWS\ALCXMNTR.EXE[3784] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\ALCXMNTR.EXE[3784] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text c:\windows\system\hpsysdrv.exe[3880] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009E0001
.text c:\windows\system\hpsysdrv.exe[3880] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text c:\windows\system\hpsysdrv.exe[3880] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text c:\windows\system\hpsysdrv.exe[3880] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text c:\windows\system\hpsysdrv.exe[3880] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text c:\windows\system\hpsysdrv.exe[3880] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F100F5A
.text C:\Documents and Settings\Compaq_Owner\Desktop\gmer.exe[4012] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CE0001
.text C:\Documents and Settings\Compaq_Owner\Desktop\gmer.exe[4012] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Documents and Settings\Compaq_Owner\Desktop\gmer.exe[4012] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Documents and Settings\Compaq_Owner\Desktop\gmer.exe[4012] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\Documents and Settings\Compaq_Owner\Desktop\gmer.exe[4012] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Documents and Settings\Compaq_Owner\Desktop\gmer.exe[4012] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F100F5A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [FA12C3B0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [FA12C410] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [FA12C6C0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [FA12C700] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [FA12C6C0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [FA12C410] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [FA12C3B0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [FA12C6C0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [FA12C700] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [FA12C3B0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [FA12C410] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[412] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[412] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\IPMULTICAST OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.15 ----


Newbe17

Best Wishes,
Neo
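Tomk's reply below describes the GMER log as something the helper reads by hand, looking for rootkits. The script that follows is an added example, not part of the thread and not GMER's own tooling, of how a helper might triage the two kernel sections of such a log: it parses the SSDT lines, groups the hooked services by driver, flags any hook that carries no vendor string, and decodes the byte dumps under "Kernel code sections" as little-endian pointers to see whether they are simply the same hook addresses already attributed to a known driver. In the log above they are: A0 FF 1F F7 is 0xF71FFFA0, the ZwCreatePort entry pointing into OADriver.sys, and 60 FB 1F F7 is 0xF71FFB60, the ZwSuspendProcess entry. The sample input embeds a few lines copied from the log plus one constructed line (EXAMPLE_unknown.sys and its address are placeholders, not a real driver); the vendor allowlist is an assumption for this particular machine.

```python
import re
from collections import defaultdict

# Sample input: SSDT and "Kernel code sections" lines copied from the GMER log above,
# plus ONE constructed line (EXAMPLE_unknown.sys / 0xF7A00000 are placeholders).
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreatePort [0xF71FFFA0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateProcess [0xF71FD400]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF71396B8]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSuspendProcess [0xF71FFB60]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSuspendThread [0xF71FF7E0]
SSDT \SystemRoot\System32\Drivers\EXAMPLE_unknown.sys ZwQueryDirectoryFile [0xF7A00000]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504518 12 Bytes [A0, FF, 1F, F7, 00, D4, 1F, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504854 12 Bytes [60, FB, 1F, F7, E0, F7, 1F, ...]
---- EOF - GMER 1.0.15 ----
"""

# Assumption for this log: the two security products the machine is known to run.
KNOWN_VENDORS = {"Tall Emu", "ALWIL Software"}

# "SSDT <module> (<description>/<vendor>) <ZwFunction> [0xADDR]"; the parenthesised
# part is optional because GMER omits it when the module has no version info.
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<info>[^)]*)\))?"
                     r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
# ".text <image!symbol + off> <VA> <n> Bytes [<hex>, <hex>, ...]"
PATCH_RE = re.compile(r"^\.text\s+(?P<where>\S+\s*\+\s*[0-9A-Fa-f]+)\s+(?P<va>[0-9A-Fa-f]{8})"
                      r"\s+(?P<n>\d+)\s+Bytes\s+\[(?P<bytes>[^\]]*)\]$")


def parse_gmer(log_text):
    """Return (hooks, patches) parsed from the System and Kernel code sections."""
    hooks, patches, section = [], [], ""
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("---- "):
            section = line
        elif line and section.startswith("---- System"):
            m = SSDT_RE.match(line)
            if m:
                info = m.group("info") or ""
                hooks.append({
                    "module": m.group("module").rsplit("\\", 1)[-1],
                    "vendor": info.rpartition("/")[2] if "/" in info else None,
                    "func": m.group("func"), "addr": int(m.group("addr"), 16),
                })
        elif line and section.startswith("---- Kernel code sections"):
            m = PATCH_RE.match(line)
            if m:
                patches.append(m.groupdict())
    return hooks, patches


def decode_patch_bytes(byte_field):
    """Little-endian dwords from GMER's byte list; the 1-3 bytes left over before
    GMER's "..." truncation are returned as (value, byte_count) for a partial match."""
    raw = bytes(int(t, 16) for t in (s.strip() for s in byte_field.split(","))
                if re.fullmatch(r"[0-9A-Fa-f]{2}", t))
    cut = len(raw) - len(raw) % 4
    dwords = [int.from_bytes(raw[i:i + 4], "little") for i in range(0, cut, 4)]
    tail = raw[cut:]
    return dwords, ((int.from_bytes(tail, "little"), len(tail)) if tail else None)


def attribute_patches(hooks, patches):
    """Check whether the patched dwords are just the SSDT hook addresses."""
    by_addr = {h["addr"]: h["func"] for h in hooks}
    results = []
    for p in patches:
        dwords, partial = decode_patch_bytes(p["bytes"])
        matches = [by_addr[d] for d in dwords if d in by_addr]
        if partial:
            value, n = partial
            mask = (1 << (8 * n)) - 1          # compare only the bytes GMER printed
            matches += [h["func"] + " (partial)" for h in hooks if h["addr"] & mask == value]
        results.append({"where": p["where"], "va": p["va"], "matches": matches})
    return results


def analyze(log_text):
    hooks, patches = parse_gmer(log_text)
    per_module = defaultdict(list)
    for h in hooks:
        per_module[h["module"]].append(h["func"])
    return {
        "per_module": {k: sorted(v) for k, v in per_module.items()},
        "unattributed": [h["func"] for h in hooks if h["vendor"] not in KNOWN_VENDORS],
        "patches": attribute_patches(hooks, patches),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_GMER_LOG)
    for module, funcs in report["per_module"].items():
        print(f"{module} hooks {len(funcs)} service(s): {', '.join(funcs)}")
    print("hooks with no vendor string:", report["unattributed"] or "none")
    for p in report["patches"]:
        print(f"{p['where']} @ {p['va']} -> {p['matches'] or 'no known hook address'}")
```

Two caveats on the design: the module regex takes the driver path as a single non-space token, which holds for the `\??\C:\WINDOWS\system32\drivers\...` and `\SystemRoot\...` paths in this log but would need widening for a driver installed under a path with spaces; and matching a hook to a vendor on the allowlist only tells you whom GMER attributes it to, so the vendor string is a starting point for review, not the end of it.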



#122 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 22 March 2009 - 12:26 PM

newbe17,

Most of the tools we use have a load of information about them on the internet. However, some of them are considered "advanced tools" and as such are deemed "dangerous" because, due to their power, a computer could be rendered unusable if they are used incorrectly. This is not to say that the other tools can't be used to destroy your computer. Take HijackThis as an example. It is considered a "safer" tool, but rest assured, if used incorrectly, your computer would be unbootable.

As far as the "advanced tools" go, there are some whose authors forbid their discussion on an open forum. They cannot even be discussed with a trainee until he/she achieves senior status at an accredited school. The tool we just used, gmer, is an advanced tool. However, I can tell you it does exactly what it looks like: it provides a log for us to review, looking for rootkits.

Please let me know how it's running now and also give me a new DDS log.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#123 Neo

Neo

    Silver Member

  • Guests
  • 374 posts

Posted 22 March 2009 - 01:17 PM

Tom, do you want me to run the same script you posted earlier into the DDS, or do I even need a script?

Newbe17

Best Wishes,
Neo


#124 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 22 March 2009 - 01:48 PM

newbe17,

There isn't any way to run a script with DDS. It's strictly a log producing tool.

  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, click Open and then click UPLOAD.

Don't forget to update me on any symptoms you're noticing.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#125 Neo

Neo

    Silver Member

  • Guests
  • 374 posts

Posted 22 March 2009 - 02:27 PM

Tom, Sorry, got the dds confused with the old timer,lol, my bad. There shouldn't be any prob with this scrip as I copied the whole text ;) DDS (Ver_09-03-16.01) - NTFSx86 Run by Compaq_Owner at 15:10:00.89 on Sun 03/22/2009 Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.222.13 [GMT -5:00] AV: avast! antivirus 4.8.1335 [VPS 090321-0] *On-access scanning enabled* (Updated) FW: Online Armor Firewall *enabled* ============== Running Processes =============== C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost -k DcomLaunch C:\WINDOWS\system32\svchost -k rpcss C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k NetworkService C:\WINDOWS\system32\svchost.exe -k LocalService C:\Program Files\Tall Emu\Online Armor\oasrv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Tall Emu\Online Armor\oacat.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\WINDOWS\System32\alg.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Tall Emu\Online Armor\oaui.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Tall Emu\Online Armor\oahlp.exe C:\Program Files\Secunia\PSI\psi.exe C:\WINDOWS\ALCXMNTR.EXE c:\windows\system\hpsysdrv.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr C:\WINDOWS\system32\wbem\wmiprvse.exe ============== Pseudo HJT Report =============== uStart Page = hxxp://www.yahoo.com/ uDefault_Search_URL = 
hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe" mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237323000500 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab DPF: 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab TCP: {0064A5F4-20F9-40DD-8516-C7C7B21E6882} = 207.65.4.25 216.153.94.101 Notify: AtiExtEvent - Ati2evxx.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\evspears@hifo.net\ FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=us&.src=ym FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll ============= SERVICES / DRIVERS =============== R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-6-13 114768] R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-3-19 190664] R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-3-19 29384] R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-3-19 28872] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-6-13 20560] R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-12-10 7808] S3 PCD5SRVC;PCD5SRVC - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2005-5-10 20224] =============== Created Last 30 ================ 2009-03-22 10:30 <DIR> --d----- C:\_OTMoveIt 2009-03-21 10:20 <DIR> --d----- c:\program files\Windows Media Connect 2 2009-03-21 10:13 <DIR> --d----- c:\windows\system32\LogFiles 2009-03-20 16:08 <DIR> --d----- c:\docume~1\compaq~1\applic~1\Foxit 2009-03-20 16:08 <DIR> --d----- c:\program files\Foxit Software 2009-03-20 12:45 <DIR> --d----- c:\program files\Secunia 2009-03-19 22:30 <DIR> --d----- c:\docume~1\compaq~1\applic~1\OnlineArmor 2009-03-19 22:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\OnlineArmor 2009-03-19 22:29 29,384 a------- 
c:\windows\system32\drivers\OAmon.sys 2009-03-19 22:29 190,664 a------- c:\windows\system32\drivers\OADriver.sys 2009-03-19 22:29 28,872 a------- c:\windows\system32\drivers\OAnet.sys 2009-03-19 22:29 <DIR> --d----- c:\program files\Tall Emu 2009-03-19 22:29 <DIR> --d----- C:\OnlineArmor 2009-03-19 17:52 <DIR> --d----- c:\windows\system32\CatRoot_bak 2009-03-19 14:42 <DIR> --d----- c:\docume~1\compaq~1\applic~1\FreshDiagnose 2009-03-18 21:52 459,264 -------- c:\windows\system32\dllcache\msfeeds.dll 2009-03-18 21:52 52,224 -------- c:\windows\system32\dllcache\msfeedsbs.dll 2009-03-18 21:52 267,776 -------- c:\windows\system32\dllcache\iertutil.dll 2009-03-18 21:52 383,488 -------- c:\windows\system32\dllcache\ieapfltr.dll 2009-03-18 21:52 63,488 -------- c:\windows\system32\dllcache\icardie.dll 2009-03-18 21:52 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe 2009-03-18 21:52 2,455,488 -------- c:\windows\system32\dllcache\ieapfltr.dat 2009-03-18 21:52 991,232 -------- c:\windows\system32\dllcache\ieframe.dll.mui 2009-03-18 21:52 6,066,688 -------- c:\windows\system32\dllcache\ieframe.dll 2009-03-18 18:09 <DIR> --d----- c:\program files\MSXML 4.0 2009-03-18 16:27 333,952 -------- c:\windows\system32\dllcache\srv.sys 2009-03-18 15:09 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys 2009-03-18 14:33 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll 2009-03-18 14:27 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe 2009-03-18 14:27 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe 2009-03-18 14:27 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe 2009-03-18 14:27 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe 2009-03-18 13:59 203,136 -------- c:\windows\system32\dllcache\rmcast.sys 2009-03-18 13:15 <DIR> --d----- c:\program files\Messenger 2009-03-18 13:15 <DIR> --d----- c:\windows\system32\scripting 2009-03-18 13:15 <DIR> --d----- c:\windows\l2schemas 2009-03-18 13:15 <DIR> --d----- 
c:\windows\system32\en 2009-03-18 13:15 <DIR> --d----- c:\windows\system32\bits 2009-03-18 13:12 <DIR> --d----- c:\windows\ServicePackFiles 2009-03-18 13:02 <DIR> --d----- c:\windows\EHome 2009-03-18 03:13 331,776 -------- c:\windows\system32\dllcache\msadce.dll 2009-03-17 16:01 23,576 a------- c:\windows\system32\wuapi.dll.mui 2009-03-17 15:49 <DIR> --dsh--- c:\documents and settings\compaq_owner\UserData 2009-03-17 13:39 15,504 a------- c:\windows\system32\drivers\mbam.sys 2009-03-17 13:39 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-03-17 13:39 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-03-16 12:42 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll 2009-03-16 12:27 337,408 -------- c:\windows\system32\dllcache\netapi32.dll 2009-03-16 12:17 272,128 -------- c:\windows\system32\dllcache\bthport.sys 2009-03-15 16:10 <DIR> --d----- C:\KAV 2009-03-15 09:41 <DIR> --d----- c:\documents and settings\compaq_owner\DoctorWeb 2009-03-14 23:54 <DIR> --d-h--- c:\windows\$hf_mig$ 2009-03-14 22:32 410,984 a------- c:\windows\system32\deploytk.dll 2009-03-14 16:12 <DIR> --d-h--- c:\windows\PIF 2009-03-13 18:21 <DIR> --d----- c:\program files\Full Tilt Poker.Net 2009-03-12 02:36 <DIR> --d----- C:\Rooter$ 2009-03-09 17:12 <DIR> --d----- c:\program files\Trend Micro 2009-03-05 19:00 <DIR> --d----- c:\windows\Speeditup Free ==================== Find3M ==================== 2009-03-19 18:51 8,704 a--sh--- c:\program files\Thumbs.db 2009-03-18 13:19 81,867 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat 2009-03-18 13:19 45,056 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe 2009-03-18 13:19 163,840 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemcheck.dll 2009-03-18 13:19 61,440 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemutil.dll 2009-03-18 13:19 44,032 
a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe 2009-03-18 13:19 40,960 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\ScDmi.dll 2009-03-18 13:19 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\uploadHSC.dll 2009-03-18 13:19 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\Scom.dll 2009-03-18 13:19 287,310 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\HPBasicDetection.dll 2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys 2009-02-09 06:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys 2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll 2006-09-03 15:37 11,746,992 a------- c:\program files\antivir_workstation_win7u_en_h.exe 2006-08-25 12:23 56,742 a------- c:\program files\vdl.dat 2006-08-25 10:30 452,719 a------- c:\program files\sarman.pdf ============= FINISH: 15:13:27.76 =============== You should be happy with this one ;)
Best Wishes,
Neo


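The listing above is the "new files" and "Find3M" section of a ComboFix log, with one entry per line in the form date, time, size (or `<DIR>`), eight attribute flag characters, path. Reading a few hundred such lines by eye is how helpers like Tomk work, but the format is regular enough to parse. The following is an added example, not part of the original post and not ComboFix's own code: it parses entries of this shape and flags two things a helper in this thread would look at first, hidden/system attributes on anything outside the Windows directory, and kernel drivers created shortly before the log. The meaning of the flag letters (a=archive, d=directory, s=system, h=hidden, r=read-only) is an assumption, as is the seven-day window; the sample lines are copied from the log above and constructed into a single string so the script runs offline.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Set

# Constructed sample: entries copied from the ComboFix log posted above,
# one per line (the forum post ran them together). The header line is
# included to show that non-entry lines are skipped.
SAMPLE_LOG = r"""
2009-03-18 13:15 <DIR> --d----- c:\windows\system32\bits
2009-03-17 15:49 <DIR> --dsh--- c:\documents and settings\compaq_owner\UserData
2009-03-17 13:39 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-17 13:39 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-14 23:54 <DIR> --d-h--- c:\windows\$hf_mig$
==================== Find3M ====================
2009-03-19 18:51 8,704 a--sh--- c:\program files\Thumbs.db
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2006-08-25 12:23 56,742 a------- c:\program files\vdl.dat
"""

# Entry layout as it appears in the log: date, time, size or <DIR>, eight flag
# characters, path. Assumption (the page does not spell it out): a=archive,
# d=directory, s=system, h=hidden, r=read-only, and "-" means the flag is clear.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) ([a-z-]{8}) (.+)$"
)


@dataclass
class Entry:
    timestamp: datetime
    size: Optional[int]   # None for directories
    attrs: Set[str]       # the flag letters that are set
    path: str             # lower-cased so comparisons are case-insensitive

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs


def parse_listing(text: str) -> List[Entry]:
    """Parse the file-listing lines; section headers and chatter are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        d, t, size, flags, path = m.groups()
        entries.append(Entry(
            timestamp=datetime.strptime(f"{d} {t}", "%Y-%m-%d %H:%M"),
            size=None if size == "<DIR>" else int(size.replace(",", "")),
            attrs={c for c in flags if c != "-"},
            path=path.lower(),
        ))
    return entries


def flag_entries(entries: List[Entry], log_date: date,
                 recent_days: int = 7) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for entries worth a second look.

    Two heuristics chosen for this thread's infection (a rootkit plus Vundo):
    hidden/system attributes outside the Windows directory, and kernel drivers
    (.sys files under a drivers directory) created within recent_days of the log.
    Both are assumptions about what a helper would triage first, not rules from
    the original page.
    """
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        if ({"h", "s"} & e.attrs) and not e.path.startswith("c:\\windows\\"):
            reasons.append("hidden/system attribute outside the Windows directory")
        age = (log_date - e.timestamp.date()).days
        if (not e.is_dir and "\\drivers\\" in e.path
                and e.path.endswith(".sys") and 0 <= age <= recent_days):
            reasons.append(f"kernel driver created {age} day(s) before the log")
        if reasons:
            findings[e.path] = reasons
    return findings


def scan(text: str, log_date_iso: str, recent_days: int = 7) -> Dict[str, List[str]]:
    """Parse and flag in one call; log_date_iso is the log's date as YYYY-MM-DD."""
    return flag_entries(parse_listing(text), date.fromisoformat(log_date_iso), recent_days)


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_LOG, "2009-03-19").items():
        print(f"{path}\n    {'; '.join(reasons)}")
```

Run against the sample, the script flags the hidden/system UserData folder under the user profile, the system+hidden Thumbs.db in Program Files, and the two Malwarebytes drivers (mbam.sys and mbamswissarmy.sys). The last two are a reminder that a flag is a prompt to look, not a verdict: those drivers are expected because Malwarebytes was installed on 2009-03-17, which is exactly the kind of context the helper supplies by hand.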
#126 Tomk (Global Moderator), Posted 22 March 2009 - 03:17 PM

newbe17,

Happy as a clam, but:

Please tell me how it's running now.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#127 Neo (Silver Member), Posted 22 March 2009 - 04:23 PM

Tom, Everything seems to be running at a pretty good pace right now... No lag to speak of :) Newbe17 P.S. I'm itching to get started in class :)

#128 Tomk (Global Moderator), Posted 22 March 2009 - 04:33 PM

newbe17, How about startup? Is it normal or is it still like it was before you went to the tech team?
Tomk

#129 Neo (Silver Member), Posted 22 March 2009 - 05:24 PM

Tom, It's still like it was. I spoke to my provider about it and he told me it's not a big concern, as long as Windows boots normally after I choose to start it normally. And it's something I can live with as well. Like I said, I'm itching to get my classes started, lol. But I will go and do whatever you choose. :thumbup: Thanks for your help, Newbe17

#130 Tomk (Global Moderator), Posted 22 March 2009 - 05:51 PM

newbe17,

I suggest that you go back to the windows forum and give them a chance to help you fix that. It's got to be annoying.

Log looks good (again) :D

  • Double click on OTMoveIt3.exe to run it.
  • Click on CleanUp!
  • When done, you will be prompted to restart your computer. Please restart your computer.

Any more questions at this time?
Tomk

#131 Neo (Silver Member), Posted 22 March 2009 - 06:44 PM

Tom, Do I need to start a new topic, or just try to find my old one? And if I get accepted, will I be able to change my nickname? Newbe17

#132 Tomk (Global Moderator), Posted 22 March 2009 - 08:40 PM

newbe17,

I'd try to return to the previous thread. It is here.

There is some way to change your nic. I don't know what it is. You might just note that when you fill out your application.

Good luck. :thumbup:
Tomk

#133 Neo (Silver Member), Posted 23 March 2009 - 01:39 PM

Tom, I have a file that I would like to upload for analysis. Would you please post the link for me so I don't have to go looking for it? The Virtumonde showed up again in a Spybot search. I have Spybot still open with the path to the infected file. It says it has fixed the problem, but I thought uploading a file or two for analysis would be a good precautionary measure. Newbe17

#134 Neo (Silver Member), Posted 23 March 2009 - 01:44 PM

Tom, I forgot to note that I think I know the origin of how it got back on. I use CCleaner regularly and scan for issues daily. When the issues come up, I fix them all every time without further examination. I think this might be the cause of why it has shown back up, although I could be wrong. Newbe17

#135 Tomk (Global Moderator), Posted 23 March 2009 - 02:14 PM

newbe17,

CCleaner should not put any files on your system.

Can you post the warning from Spybot?

Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

Questionable file here <===this file

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If you submit a file, I want you to post the results here.
Tomk