Post #1 | New Member | Group: Members | Posts: 9 | Joined: 27-November 09 | Member No.: 408,642
The other day I stupidly clicked on this link which purported to show a video of the LHC startup (how much of a nerd does THAT make me?): Link removed. I was prompted for a Flash update which I stupidly assented to, all the while thinking, "something's not quite right." Soon after I noticed that Google search result links in Firefox were being redirected to various commercial sites. I switched to Chrome, which didn't have a problem at first but soon developed the same problem. If I requested that the link open in a new tab there was initially no redirect, but now it opens multiple empty tabs as well as the link and sometimes crashes Chrome. I was running AVG Internet Security (the pay version) at the time of the initial infection. Adaware, Malwarebytes etc. failed to find anything. I now have Kaspersky Internet Security installed and it has found nothing on the scan. My HijackThis log is below and also attached. Any help will be greatly appreciated.

Nick

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:48:31 PM, on 11/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Elantech\ktp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tsnp2std.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\system32\tsnp2std.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7413 bytes

This post has been edited by garmanma: Nov 27 2009, 06:36 PM
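A small triage script, added here as an example and not part of the original post or of HijackThis itself: it parses HijackThis entry lines of the kind posted above and lists the registrations whose file HijackThis could not find, which is how entries like the nameless R3 URLSearchHook, the linkscanner protocol handler, the avgrsstarter Winlogon notify package and the Symantec service stand out to a reviewer. The sample lines are copied from the log above; the only layout assumed is the `TYPE - body` form HijackThis 2.0.2 uses for its entries.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entry lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\system32\tsnp2std.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Markers HijackThis appends when the referenced file does not exist on disk.
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class HjtEntry:
    kind: str             # section code, e.g. "O2", "R3", "O23"
    label: str            # "BHO", "Service", "HKLM\..\Run", or "Registry" for R0/R1
    name: str             # display name, service name, autorun value name or registry value
    clsid: Optional[str]  # CLSID in braces if the entry carries one
    target: str           # file path, URL or registry data the entry points at
    missing: bool         # True when HijackThis could not find the target file


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis entry line; return None for headers, process lists etc."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    clsid_match = CLSID_RE.search(body)
    clsid = clsid_match.group(0).upper() if clsid_match else None
    missing = any(marker in body for marker in MISSING_MARKERS)
    if ": " not in body and " = " in body:          # R0/R1: registry key,value = data
        name, target = body.split(" = ", 1)
        return HjtEntry(kind, "Registry", name, clsid, target, missing)
    label, _, rest = body.partition(": ")
    if rest.startswith("["):                        # O4: [value name] command line
        name, _, target = rest[1:].partition("] ")
        return HjtEntry(kind, label, name, clsid, target, missing)
    parts = [p.strip() for p in rest.split(" - ")]  # name - (clsid|owner) - target
    return HjtEntry(kind, label, parts[0], clsid, parts[-1], missing)


def parse_hjt(text: str) -> List[HjtEntry]:
    entries = [parse_hjt_line(line) for line in text.splitlines()]
    return [e for e in entries if e is not None]


def dangling_entries(text: str) -> List[HjtEntry]:
    """Entries whose target file is absent. A dangling hook, BHO, protocol handler,
    notify package or service is a leftover registration: harmless by itself, but
    exactly where a reviewer checks what was removed and what is still being loaded."""
    return [e for e in parse_hjt(text) if e.missing]


if __name__ == "__main__":
    for e in dangling_entries(SAMPLE_LOG):
        print(f"{e.kind:<4} {e.label:<16} {e.name:<45} {e.target}")
```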
Post #2 | New Member | Group: Members | Posts: 9 | Joined: 27-November 09 | Member No.: 408,642
Have since been working on this a lot, following various advice. In case something's changed I've attached a new combofix log and SD report. Thanks for any help. The redirects continue to happen on almost all google links.
Nick
Attached File(s): combfix_log.txt (19.66k), SD_Fix_report.txt (5.04k)
Post #3 | Bleepin Pinoy | Group: Malware Response Team | Posts: 2,981 | Joined: 30-June 06 | From: 3 stars and the sun | Member No.: 74,094
Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Information on A/V control HERE
Post #4 | New Member | Group: Members | Posts: 9 | Joined: 27-November 09 | Member No.: 408,642
Dear Sempai,
I apologize for my slow reply. My computer's current symptoms are as follows:

1) Most Google search links in Explorer, Firefox and Chrome get redirected to a variety of commercial sites or cause the browser to crash.
2) If I select "open in new tab" or "open in new window" some links will open normally, others will cause Chrome or Firefox to crash.
3) Chrome and Firefox will sometimes open multiple empty tabs or will attempt to open webpages that don't exist or won't open.
4) Some other functions on the computer seem to hang where they didn't before the infection.

Thanks very much for your help!

Nick

DDS log as follows:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Just Nick at 1:06:36.57 on Thu 12/10/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2038.1276 [GMT -6:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tsnp2std.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Elantech\ktp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\winhlp32.exe
C:\Documents and Settings\Just Nick\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Just Nick\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Just Nick\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [tsnp2std] c:\windows\system32\tsnp2std.exe
mRun: [KTPWare] c:\program files\elantech\ktp.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-11-29 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-11-29 59664]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-11-25 315408]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2009-11-25 18816]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-10-20 340456]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 echo1394;Onyx 400F service;c:\windows\system32\drivers\echo1394.sys [2007-5-16 59264]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-11-29 33552]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys --> c:\windows\system32\drivers\avgfwdx.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys --> c:\windows\system32\drivers\avgfwdx.sys [?]
S3 KORGUMDS;KORG USB-MIDI Driver for Windows;c:\windows\system32\drivers\KORGUMDS.SYS [2005-12-19 21720]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\8c.tmp --> c:\windows\system32\8C.tmp [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]

=============== Created Last 30 ================

2009-12-01 07:50:46 32 ----a-w- c:\windows\system32\msvcsv60.dll
2009-11-30 06:58:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-30 06:58:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-30 06:58:51 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-30 05:51:21 0 d-----w- C:\thcbytes
2009-11-30 03:34:22 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-11-30 03:34:22 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-11-30 03:34:22 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-11-30 03:34:20 0 d-----w- c:\program files\ThreatFire
2009-11-30 03:34:20 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-11-30 02:35:30 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-30 02:11:26 0 d-sha-r- C:\cmdcons
2009-11-30 02:09:35 98816 ----a-w- c:\windows\sed.exe
2009-11-30 01:41:46 0 d-----w- c:\windows\ERUNT
2009-11-29 22:01:55 0 d-----w- C:\SDFix
2009-11-29 03:56:27 125929 ----a-w- c:\documents and settings\just nick\AdobeFnt10.lst
2009-11-26 22:59:05 0 d-----w- c:\program files\Trend Micro
2009-11-26 19:26:04 0 d-----w- c:\program files\Defraggler
2009-11-25 22:42:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-25 20:54:23 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-11-25 20:54:23 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-11-25 20:53:10 0 d-----w- c:\program files\Kaspersky Lab
2009-11-25 20:53:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-11-25 20:36:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-11-25 20:00:50 0 d-----w- C:\AVGTemp
2009-11-25 07:52:41 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2009-11-24 00:00:45 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-24 00:00:38 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-24 00:00:37 0 d-----w- c:\docume~1\justni~1\applic~1\SUPERAntiSpyware.com
2009-11-23 23:31:58 77312 ----a-w- c:\windows\MBR.exe
2009-11-23 23:31:58 260608 ----a-w- c:\windows\PEV.exe
2009-11-23 23:31:58 161792 ----a-w- c:\windows\SWREG.exe
2009-11-23 22:13:39 0 d-----w- C:\stdtsa
2009-11-23 20:58:46 0 d-----w- c:\program files\Sophos
2009-11-22 18:01:29 0 d-----w- c:\program files\Paint.NET
2009-11-22 17:47:55 0 d-----w- c:\windows\system32\XPSViewer
2009-11-22 17:46:31 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-22 17:46:31 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-22 17:46:31 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-22 17:46:31 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-22 17:46:31 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-22 17:46:30 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-22 17:46:30 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-22 17:41:53 0 d-----w- c:\program files\MSXML 6.0
2009-11-22 17:40:06 0 d-----r- C:\AHCache
2009-11-22 17:29:04 0 d-----w- c:\program files\Pixia
2009-11-20 21:39:12 36 ----a-w- c:\windows\system32\??
2009-11-17 19:48:39 0 d-----w- c:\program files\TC Electronic

==================== Find3M ====================

2009-10-21 02:34:56 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-15 03:18:34 36880 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-09-26 16:45:03 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2009-09-26 16:45:00 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2009-09-26 16:44:57 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
2009-09-21 17:04:53 38660 ---ha-w- c:\windows\system32\mlfcache.dat

============= FINISH: 1:09:03.98 ===============
Post #5 | I know the drill! | Group: Malware Response Team | Posts: 14,906 | Joined: 24-July 08 | From: London | Member No.: 224,929
Hi,
Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

Let's see if we can find the culprit by running a couple of rootkit scans.

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Then we need to check for rootkits with RootRepeal
If I have helped you fix your PC then please donate to the anti-malware cause. Thanks
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators). m0le can be found at Bleeping Computer, Geeks To Go, and SpywareHammer.
Post #6 | New Member | Group: Members | Posts: 9 | Joined: 27-November 09 | Member No.: 408,642
Dear M0le,
Thank you in advance for your help. I think it's very cool you and the others on this forum do this kind of work. Since my last post, Kaspersky Internet Security identified and disinfected rootkit.win32.tdss.y. This appears to have stopped the search link redirects. I'm not sure if I'm in the clear yet or not and will follow any of your recommendations. Also, as of tomorrow morning I have to travel away from the problem computer for two weeks. I will be checking email from another computer. I apologize for this and will follow whatever recommendation you make regarding reposting/followup. Below I've pasted the two requested reports.

Running from: C:\Documents and Settings\Just Nick\desktop\win32kdiag.exe
Log file at : C:\Documents and Settings\Just Nick\Desktop\Win32kDiag.txt

Removing all found mount points.
Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/12 16:49
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA806C000
Size: 98304
File Visible: No
Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5E6000
Size: 8192
File Visible: No
Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA73E7000
Size: 49152
File Visible: No
Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\just nick\local settings\temp\etilqs_ceq1w90amstytfzqxfgk
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: c:\documents and settings\just nick\local settings\temp\etilqs_ilcn2q9t4smfb3dlazhq
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: d:\mbam-setup.exe
Status: Size mismatch (API: 4045528, Raw: 1006554516721351384)

Path: D:\Do˂uments
Status: Invisible to the Windows API!

Path: D:\stԿ20sasfx.exe
Status: Invisible to the Windows API!

Path: D:\WiԿ32kDiag.exe
Status: Invisible to the Windows API!

Path: D:\Documents
Status: Visible to the Windows API, but not on disk.

Path: D:\std20sasfx.exe
Status: Visible to the Windows API, but not on disk.

Path: D:\Win32kDiag.exe
Status: Visible to the Windows API, but not on disk.

Path: d:\my pictures\cimg0113.jpg
Status: Size mismatch (API: 150401, Raw: 219831956811172737)

Path: D:\My Pictures\CI̍G0122.JPG
Status: Invisible to the Windows API!

Path: D:\My Pictures\H2O Soul Flyer 10_26_07.jp̯
Status: Invisible to the Windows API!

Path: D:\My Pictures\Picture 005.jpǡ
Status: Invisible to the Windows API!

Path: d:\my pictures\picture 010.jpg
Status: Allocation size mismatch (API: 720896, Raw: 135389463798546432)

Path: D:\My Pictures\stȮ lukes 7th grade.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\ThȮmbs.db
Status: Invisible to the Windows API!

Path: d:\my pictures\with triz.jpg
Status: Size mismatch (API: 4239, Raw: 157063037004550287)

Path: d:\my pictures\cimg0138.jpg
Status: Allocation size mismatch (API: 2916352, Raw: 36591746975301632)

Path: d:\my pictures\cimg0156.jpg
Status: Allocation size mismatch (API: 1900544, Raw: 161285161657106432)

Path: D:\My Pictures\for site 0Ƚ3.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Nik
Status: Invisible to the Windows API!

Path: D:\My Pictures\CIMG0122.JPG
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\for site 003.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\H2O Soul Flyer 10_26_07.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Nick
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Picture 005.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\st. lukes 7th grade.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Thumbs.db
Status: Visible to the Windows API, but not on disk.

Path: \\?\D:\Do˂uments\*
Status: Could not enumerate files with the Windows API (0x00000003)!

Path: D:\Do˂uments\TAJ
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\15 - Multiԟ
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\15 - Multis
Status: Visible to the Windows API, but not on disk.

Path: D:\System Volume Information\_rዮstore{1D1BDE28-ED91-46B0-8CA7-398282769602}
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_restore{1D1BDE28-ED91-46B0-8CA7-398282769602}
Status: Visible to the Windows API, but not on disk.

Path: D:\Loops\Acid60Content\StƏndard Collection
Status: Invisible to the Windows API!

Path: D:\Loops\Acid60Content\Standard Collection
Status: Visible to the Windows API, but not on disk.

Path: D:\Loops\Free_Loops_Special_2009\Prime Voops - Future House Drum Loops
Status: Invisible to the Windows API!

Path: D:\Loops\Free_Loops_Special_2009\Prime Loops - Vee Coombs Tech Funk Vol 2
Status: Invisible to the Windows API!

Path: D:\Loops\Free_Loops_Special_2009\Prime Loops - Future House Drum Loops
Status: Visible to the Windows API, but not on disk.

Path: D:\Loops\Free_Loops_Special_2009\Prime Loops - Lee Coombs Tech Funk Vol 2
Status: Visible to the Windows API, but not on disk.

Path: D:\Loops\Rhythm Station - WAV\Rimgroĺve 090
Status: Invisible to the Windows API!

Path: D:\Loops\Rhythm Station - WAV\Hoľ 113.9
Status: Invisible to the Windows API!

Path: D:\Loops\Rhythm Station - WAV\Hop 113.9
Status: Visible to the Windows API, but not on disk.

Path: D:\Loops\Rhythm Station - WAV\Rimgroove 090
Status: Visible to the Windows API, but not on disk.

Path: D:\Loops\Smokers Delight\A99_Snare_Loops_Only_Rex2
Status: Size mismatch (API: 0, Raw: 105553116266496000)

Path: D:\Loops\Smokers Delight\A85_JaǥzGtr_Chords
Status: Invisible to the Windows API!

Path: D:\Loops\Smokers Delight\A85_JazzGtr_Chords
Status: Visible to the Windows API, but not on disk.

Path: d:\my pictures\ca kids\inventory 024.jpg
Status: Size mismatch (API: 633866, Raw: 55732045389343754)

Path: D:\My Pictures\Cat and Mouse Convention\4118549751_e6765387d4_o.jp
Status: Invisible to the Windows API!

Path: D:\My Pictures\Cat and Mouse Convention\4118549751_e6765387d4_o.jpg
Status: Visible to the Windows API, but not on disk.

Path: d:\my pictures\girl activity\p1010518.jpg
Status: Allocation size mismatch (API: 131072, Raw: 68398419340820480)

Path: d:\my pictures\inventory\cimg0466.jpg
Status: Allocation size mismatch (API: 3047424, Raw: 97390341944934400)

Path: D:\My Pictures\Inventory\in entory 007.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Inventory\Ro®e NT5 030.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Inventory\inventory 007.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Inventory\Rode NT5 030.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Italy\Rome SummeƄ '09
Status: Invisible to the Windows API!

Path: D:\My Pictures\Italy\ThƄmbs.db
Status: Invisible to the Windows API!

Path: D:\My Pictures\Italy\Rome Summer '09
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Italy\Thumbs.db
Status: Visible to the Windows API, but not on disk.

Path: d:\my pictures\jack shiels vietnam pics\image107.jpg
Status: Size mismatch (API: 8234778, Raw: 9570149216397082)

Path: D:\My Pictures\Jack Shiels Vietnam pics\Im"ge116.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image125.j"g
Status: Invisible to the Windows API!

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image41.jp!
Status: Invisible to the Windows API!

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image4!.jpg
Status: Invisible to the Windows API!

Path: d:\my pictures\jack shiels vietnam pics\image251.jpg
Status: Size mismatch (API: 7584773, Raw: 8444249308904453)

Path: d:\my pictures\jack shiels vietnam pics\image234.jpg
Status: Size mismatch (API: 7548285, Raw: 7881299355446653)

Path: d:\my pictures\jack shiels vietnam pics\image156.jpg
Status: Allocation size mismatch (API: 8912896, Raw: 8444249310232576)

Path: D:\My Pictures\Jack Shiels Vietnam pics\Im&ge192.jpg
Status: Invisible to the Windows API!

Path: d:\my pictures\jack shiels vietnam pics\image138.jpg
Status: Allocation size mismatch (API: 9469952, Raw: 8162774334078976)

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image76.jp
Status: Invisible to the Windows API!

Path: d:\my pictures\jack shiels vietnam pics\image217.jpg
Status: Allocation size mismatch (API: 7962624, Raw: 7881299355860992)

Path: D:\My Pictures\Jack Shiels Vietnam pics\Imge225.jpg
Status: Invisible to the Windows API!

Path: d:\my pictures\jack shiels vietnam pics\image2.jpg
Status: Allocation size mismatch (API: 7503872, Raw: 8162774332112896)

Path: d:\my pictures\jack shiels vietnam pics\image183.jpg
Status: Allocation size mismatch (API: 8519680, Raw: 7881299356418048)

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image116.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image125.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image192.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image225.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image41.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image46.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image76.jpg
Status: Visible to the Windows API, but not on disk.

Path: d:\my pictures\judo\img_0963.jpg
Status: Size mismatch (API: 226982, Raw: 110901140824225446)

Path: D:\My Pictures\Judo\To¹kon Classic 2009
Status: Invisible to the Windows API!

Path: D:\My Pictures\Judo\Tohkon Classic 2009
Status: Visible to the Windows API, but not on disk.

Path: d:\my pictures\kat victoria band\kat6.jpg
Status: Size mismatch (API: 175699, Raw: 16325548649393747)

Path: d:\my pictures\kat victoria band\singer 2b.jpg
Status: Allocation size mismatch (API: 196608, Raw: 16325548649414656)

Path: D:\My Pictures\Pictures\Frœm marco 4.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Pictures\From marco 4.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Soul People\WiǍh Estelle and Vaughn
Status: Invisible to the Windows API!

Path: D:\My Pictures\Soul People\with Julie DexǍer
Status: Invisible to the Windows API!

Path: d:\my pictures\soul people\p1010034.jpg
Status: Size mismatch (API: 654995, Raw: 117938015242419859)

Path: D:\My Pictures\Soul People\With Estelle and Vaughn
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Soul People\with Julie Dexter
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\The Chess Club\CIMG0472.JFG
Status: Invisible to the Windows API!

Path: d:\my pictures\the chess club\cimg0486.jpg
Status: Size mismatch (API: 5088419, Raw: 19703248374834339)

Path: d:\my pictures\the chess club\cimg0497.jpg
Status: Allocation size mismatch (API: 4390912, Raw: 18014398513872896)

Path: D:\My Pictures\The Chess Club\Thumbs@db
Status: Invisible to the Windows API!

Path: D:\My Pictures\The Chess Club\CIMG0472.JPG
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\The Chess Club\Thumbs.db
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Triz Sessions\n48348171895_1730654_81727^3.jpg
Status: Invisible to the Windows API!

Path: d:\my pictures\triz sessions\p3180514.jpg
Status: Size mismatch (API: 466357, Raw: 26458647811268021)

Path: D:\My Pictures\Triz Sessions\n48348171895_1730654_8172713.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Live with Obi\Bloom1ß.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Live with Obi\Thßmbs.db
Status: Invisible to the Windows API!

Path: D:\My Pictures\Live with Obi\Bloom10.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Live with Obi\Thumbs.db
Status: Visible to the Windows API, but not on disk.

Path: \\?\D:\My Pictures\Nik\*
Status: Could not enumerate files with the Windows API (0x00000003)!

Path: D:\My Pictures\Nik\128280655-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Nik\128280681-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Nik\128280716-M.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Nik\128280716-O.jp
Status: Invisible to the Windows API!

Path: D:\My Pictures\Nik\128281285-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Nik\128281820-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Nik\128281849-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Nik\128283229-M.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Nik\128283229-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Nik\128284059-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Nik\133322667-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Nik\133323067-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Nik\224299438-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Nik\224299964-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Nik\224301562-O.jpg
Status: Invisible to the Windows API!
Path: D:\My Pictures\Nik\224301848-O.jpg Status: Invisible to the Windows API! Path: D:\My Pictures\Nik\224302154-M.jpg Status: Invisible to the Windows API! Path: D:\My Pictures\Nik\224302380-O.jpg Status: Invisible to the Windows API! Path: D:\My Pictures\Nik\CIMG0465.JPG Status: Invisible to the Windows API! Path: D:\My Pictures\Nik\Jaffe Headshot.jpg Status: Invisible to the Windows API! Path: D:\My Pictures\Nik\nick onstage original comp²essed.jpg Status: Invisible to the Windows API! Path: D:\My Pictures\Nik\Nick with guitar.JPG Status: Invisible to the Windows API! Path: D:\My Pictures\Nik\nickbylaura.jpg Status: Invisible to the Windows API! Path: D:\My Pictures\Nik\nickinasuit.jpg Status: Invisible to the Windows API! Path: D:\My Pictures\Nik\nickindiningroom.jpg Status: Invisible to the Windows API! Path: D:\My Pictures\Nik\nickonstage.jpg Status: Invisible to the Windows API! Path: D:\My Pictures\Nik\Thumbs.db Status: Invisible to the Windows API! Path: D:\My Pictures\Otchek\Range of Woodchuckàjpg Status: Invisible to the Windows API! Path: D:\My Pictures\Otchek\Range of Woodchuck.jpg Status: Visible to the Windows API, but not on disk. Path: d:\my pictures\pa xmas 08\3145529263_91d30f8158_o.jpg Status: Allocation size mismatch (API: 360448, Raw: 35747322042613760) Path: \\?\D:\Do˂uments\TAJ\* Status: Could not enumerate files with the Windows API (0x00000003)! Path: D:\Do˂uments\TAJ\Conferences Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Items letter.doc Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\4(1) Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\4(2) Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\4(3) Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\4(4) Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\5(1) Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\5(2) Status: Invisible to the Windows API! 
Path: D:\Do˂uments\TAJ\5(3) Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\5(4) Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\6(1) Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\6(2) Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\6(3) Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\6(4) Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\7(1) Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\7(2) Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\7(3) Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\7(4) Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\8(1) Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\8(2) Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\8(3) Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\AFTA Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\AFTA Natl. initiative Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Archive Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Articles Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Artist Corps Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\ATA Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Book Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Bulk Ordering info.eml Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Bulk Sales TrackerϚxls Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Clippings Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Columbia Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Pre Hire Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Promotion Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Publishers Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Redesign Status: Invisible to the Windows API! 
Path: D:\Do˂uments\TAJ\Sections Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Strategy Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Submission Tracker.xls Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Supporters of TAJ Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\T&F Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\TAJ Address.doc Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\TAJ letterhead.doc Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\TAJ logo.doc Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\TAJ Masthead Changes Effective issŞe 6(3).docx Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\TAJ Mission Statement.doc Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\TAJ Order link.eml Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\TAJ Proof Checklist.docx Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\TAJ SmŞll Logo.png Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\TAJ Sub Received Log .doc Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\TARP Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Teaching Artist Journal Submission guidelines.doc Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Thumbs.db Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Use of TAJ for PD Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\VLA Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\vol 6 color Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Web Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\workingcorners_coverpage Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Yahoo Group Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\~$ems ļetter.doc Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\~$sterLog.doc Status: Invisible to the Windows API! 
Path: D:\Do˂uments\TAJ\~WRL0001.tmp Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\~WRL0002.tmp Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\~WRL0003.tmp Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\~WRL0004.tmp Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\~WRL0005.tmp Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\~WRL0006.tļp Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\MasterLog.doc Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\New Microsoft éffice Word Document (2).docx Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Office of Academic Research Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Operations Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Penland NC Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Permissions Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Perpich Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Personnel Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Possible bulk sales contacts from NR Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Contract Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Design Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Donors Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\EB correspondence Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\EB Files Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Erlbaum Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Expenses Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Google Group Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\Graham Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\HTAJ 2009 Bind-In Cardńcopy.pdf Status: Invisible to the Windows API! Path: D:\Do˂uments\TAJ\HTAJ--Gratis.xls Status: Invisible to the Windows API! 
Path: D:\Do˂uments\TAJ\Internet.lnk Status: Invisible to the Windows API! Path: \\?\D:\Do˂uments\Teaching\* Status: Could not enumerate files with the Windows API (0x00000003)! Path: D:\Do˂uments\Teaching\Masters Program Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\Alternatives Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\Australia Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\CAPE Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\Chicago Reader Classifieds Jobs Social Services P-T Computer Clubhouse Assistant.htm Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\Chicago Reader Classifieds Jobs Social Services ͈P-T Computer Clubhouse Assistant_files Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\Cornerstone Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\CTC Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\Curriculum Docs Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\Deaf Students Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\Digital Music Article Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\Dolezal Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\Kinzie Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\Ma͈gy Stover Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\Maud Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\MIENC Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\Mississippi Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\NKO Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\notes for an FDP'er on student studios Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\Street Levʃl Docs Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\Tape Op Status: Invisible to the Windows API! 
Path: D:\Do˂uments\Teaching\THE BOOK Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\UNC Conference Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\Urban Gateways Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\Waters Students Status: Invisible to the Windows API! Path: D:\Do˂uments\Teaching\YMCA Status: Invisible to the Windows API! Path: D:\Kontakt 2 Library\01 - VSL Kontakt Orchestra\22 Trombone ensembȶe Status: Invisible to the Windows API! Path: D:\Kontakt 2 Library\01 - VSL Kontakt Orchestra\27ȶPercussion Status: Invisible to the Windows API! Path: D:\Kontakt 2 Library\01 - VSL Kontakt Orchestra\13 Clarinet & BassţClarinet Status: Invisible to the Windows API! Path: D:\Kontakt 2 Library\01 - VSL Kontakt Orchestra\13 Clarinet & Bass Clarinet Status: Visible to the Windows API, but not on disk. Path: D:\Kontakt 2 Library\01 - VSL Kontakt Orchestra\22 Trombone ensemble Status: Visible to the Windows API, but not on disk. Path: D:\Kontakt 2 Library\01 - VSL Kontakt Orchestra\27 Percussion Status: Visible to the Windows API, but not on disk. Path: D:\Kontakt 2 Library\02 - KSP Instruments\06 - Harmonizer Status: Size mismatch (API: 0, Raw: 146366987889541120) Path: D:\Kontakt 2 Library\04 - Electric Pianos\MKÑ2 - Double Detune.nki Status: Invisible to the Windows API! Path: d:\kontakt 2 library\04 - electric pianos\mk 2 - honky tonk.nki Status: Allocation size mismatch (API: 32768, Raw: 58828270132559872) Path: D:\Kontakt 2 Library\04 - Electric Pianos\Stage E-Piano Cloud.nkÑ Status: Invisible to the Windows API! Path: D:\Kontakt 2 Library\04 - Electric Pianos\MK 2 - Double Detune.nki Status: Visible to the Windows API, but not on disk. Path: D:\Kontakt 2 Library\04 - Electric Pianos\Stage E-Piano Cloud.nki Status: Visible to the Windows API, but not on disk. Path: D:\Kontakt 2 Library\05 - Organs and Harpsichord\Drawbar Organ ÑStutter).nki Status: Invisible to the Windows API! 
Path: D:\Kontakt 2 Library\05 - Organs and Harpsichord\House Ęrgan.nki Status: Invisible to the Windows API! Path: D:\Kontakt 2 Library\05 - Organs and Harpsichord\NDB - Fonds+Quint (rls).nkĘ Status: Invisible to the Windows API! Path: D:\Kontakt 2 Library\05 - Organs and Harpsichord\NDB - Ęoix Humaine 8' (rls).nki Status: Invisible to the Windows API! Path: D:\Kontakt 2 Library\05 - Organs and Harpsichord\RoĘk Organ (Amp'ed).nki Status: Invisible to the Windows API! Path: D:\Kontakt 2 Library\05 - Organs and Harpsichord\Drawbar Organ (Stutter).nki Status: Visible to the Windows API, but not on disk. Path: D:\Kontakt 2 Library\05 - Organs and Harpsichord\House Organ.nki Status: Visible to the Windows API, but not on disk. Path: D:\Kontakt 2 Library\05 - Organs and Harpsichord\NDB - Fonds+Quint (rls).nki Status: Visible to the Windows API, but not on disk. Path: D:\Kontakt 2 Library\05 - Organs and Harpsichord\NDB - Voix Humaine 8' (rls).nki Status: Visible to the Windows API, but not on disk. Path: D:\Kontakt 2 Library\05 - Organs and Harpsichord\Rock Organ (Amp'ed).nki Status: Visible to the Windows API, but not on disk. Path: D:\Kontakt 2 Library\06 - Acoustic Drums\VintagĤ Funk Kit+GM Perc.nki Status: Invisible to the Windows API! Path: D:\Kontakt 2 Library\06 - Acoustic Drums\Vintage Funk Kit+GM Perc.nki Status: Visible to the Windows API, but not on disk. Path: D:\Kontakt 2 Library\07 - Electronic Drums\CD Kit 1 (Spacious).nkĝ Status: Invisible to the Windows API! Path: D:\Kontakt 2 Library\07 - Electronic Drums\CD Kit 1 (Spacious).nki Status: Visible to the Windows API, but not on disk. Path: D:\Kontakt 2 Library\08 - Percussion\Orchestral Thuğder.nki Status: Invisible to the Windows API! Path: D:\Kontakt 2 Library\08 - Percussion\Orchestral Thunder.nki Status: Visible to the Windows API, but not on disk. Path: D:\Kontakt 2 Library\09 - Guitars\Steel String.nËi Status: Invisible to the Windows API! 
Path: D:\Kontakt 2 Library\09 - Guitars\Steel String.nki Status: Visible to the Windows API, but not on disk. Path: D:\Kontakt 2 Library\10 - Basses\AcĠustic Bass (Cho).nki Status: Invisible to the Windows API! Path: D:\Kontakt 2 Library\10 - Basses\SemiAcou Bass (EFXĠ.nki Status: Invisible to the Windows API! Path: D:\Kontakt 2 Library\10 - Basses\Acoustic Bass (Cho).nki Status: Visible to the Windows API, but not on disk. Path: D:\Kontakt 2 Library\10 - Basses\SemiAcou Bass (EFX).nki Status: Visible to the Windows API, but not on disk. Path: D:\Kontakt 2 Library\11 - Synthesizers\03 AllȀSynth Leads.nkb Status: Invisible to the Windows API! Path: D:\Kontakt 2 Library\11 - Synthesizers\03 All Synth Leads.nkb Status: Visible to the Windows API, but not on disk. Path: D:\Kontakt 2 Library\12 - Loops\Altereŗ States 2 Status: Invisible to the Windows API! Path: D:\Kontakt 2 Library\12 - Loops\Altered States 2 Status: Visible to the Windows API, but not on disk. Path: D:\Kontakt 2 Library\14 - Banks\11 - AÑl Synth Basses.nkb Status: Invisible to the Windows API! Path: d:\kontakt 2 library\14 - banks\13 - all surround instruments.nkb Status: Allocation size mismatch (API: 32768, Raw: 58828270132559872) Path: D:\Kontakt 2 Library\14 - Banks\11 - All Synth Basses.nkb Status: Visible to the Windows API, but not on disk. Path: \\?\D:\Kontakt 2 Library\15 - Multiԟ\* Status: Could not enumerate files with the Windows API (0x00000003)! Path: D:\Kontakt 2 Library\15 - Multiԟ\00 - Demo Multi Status: Invisible to the Windows API! Path: D:\Kontakt 2 Library\15 - Multiԟ\01 - Orchestra Multis Status: Invisible to the Windows API! Path: D:\Kontakt 2 Library\15 - Multiԟ\02 - Output Configurations Status: Invisible to the Windows API! Path: \\?\D:\System Volume Information\_rዮstore{1D1BDE28-ED91-46B0-8CA7-398282769602}\* Status: Could not enumerate files with the Windows API (0x00000003)! 
Path: D:\System Volume Information\_rዮstore{1D1BDE28-ED91-46B0-8CA7-398282769602}\RP26 Status: Invisible to the Windows API! Path: D:\System Volume Information\_rዮstore{1D1BDE28-ED91-46B0-8CA7-398282769602}\RP27 Status: Invisible to the Windows API! Path: D:\System Volume Information\_rዮstore{1D1BDE28-ED91-46B0-8CA7-398282769602}\RP28 Status: Invisible to tSSDT ------------------- #: 011 Function Name: NtAdjustPrivilegesToken Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa926558c #: 025 Function Name: NtClose Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9265e0c #: 031 Function Name: NtConnectPort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9266922 #: 035 Function Name: NtCreateEvent Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9266e94 #: 037 Function Name: NtCreateFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92660ee #: 041 Function Name: NtCreateKey Status: Hooked by "TfSysMon.sys" at address 0xb9ec4a1c #: 043 Function Name: NtCreateMutant Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9266d6c #: 044 Function Name: NtCreateNamedPipeFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9265192 #: 046 Function Name: NtCreatePort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9266c28 #: 050 Function Name: NtCreateSection Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa926534e #: 051 Function Name: NtCreateSemaphore Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9266fc6 #: 052 Function Name: NtCreateSymbolicLinkObject Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9268c08 #: 053 Function Name: NtCreateThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9265aaa #: 056 Function Name: NtCreateWaitablePort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 
0xa9266cca #: 057 Function Name: NtDebugActiveProcess Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92685fa #: 063 Function Name: NtDeleteKey Status: Hooked by "TfSysMon.sys" at address 0xb9ec4c10 #: 065 Function Name: NtDeleteValueKey Status: Hooked by "TfSysMon.sys" at address 0xb9ec4cb6 #: 066 Function Name: NtDeviceIoControlFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9266576 #: 068 Function Name: NtDuplicateObject Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92695ca #: 071 Function Name: NtEnumerateKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9264eca #: 073 Function Name: NtEnumerateValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9264f74 #: 084 Function Name: NtFsControlFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9266382 #: 097 Function Name: NtLoadDriver Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa926868c #: 098 Function Name: NtLoadKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9264412 #: 099 Function Name: NtLoadKey2 Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9264424 #: 108 Function Name: NtMapViewOfSection Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9268cbc #: 111 Function Name: NtNotifyChangeKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92650c0 #: 114 Function Name: NtOpenEvent Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9266f36 #: 116 Function Name: NtOpenFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9265e8e #: 119 Function Name: NtOpenKey Status: Hooked by "TfSysMon.sys" at address 0xb9ec490c #: 120 Function Name: NtOpenMutant Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9266e04 #: 122 Function Name: NtOpenProcess Status: Hooked by 
"C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9265792 #: 125 Function Name: NtOpenSection Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9268c32 #: 126 Function Name: NtOpenSemaphore Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9267068 #: 128 Function Name: NtOpenThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92656b6 #: 160 Function Name: NtQueryKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa926501e #: 161 Function Name: NtQueryMultipleValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9264c46 #: 167 Function Name: NtQuerySection Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9268fd4 #: 177 Function Name: NtQueryValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9264896 #: 180 Function Name: NtQueueApcThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9268922 #: 192 Function Name: NtRenameKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9264b0e #: 193 Function Name: NtReplaceKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92642b0 #: 194 Function Name: NtReplyPort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92673f2 #: 195 Function Name: NtReplyWaitReceivePort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92672b8 #: 200 Function Name: NtRequestWaitReplyPort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa926839a #: 204 Function Name: NtRestoreKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa926be2c #: 206 Function Name: NtResumeThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92694ac #: 207 Function Name: NtSaveKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9264248 #: 210 Function Name: NtSecureConnectPort Status: Hooked by 
"C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa926665c #: 213 Function Name: NtSetContextThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9265cc8 #: 230 Function Name: NtSetInformationToken Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9267c4a #: 237 Function Name: NtSetSecurityObject Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9268786 #: 240 Function Name: NtSetSystemInformation Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9269114 #: 247 Function Name: NtSetValueKey Status: Hooked by "TfSysMon.sys" at address 0xb9ec4e52 #: 253 Function Name: NtSuspendProcess Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92691f8 #: 254 Function Name: NtSuspendThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9269320 #: 255 Function Name: NtSystemDebugControl Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9268526 #: 257 Function Name: NtTerminateProcess Status: Hooked by "TfSysMon.sys" at address 0xb9ec6b30 #: 258 Function Name: NtTerminateThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9265860 #: 267 Function Name: NtUnmapViewOfSection Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9268e8a #: 277 Function Name: NtWriteVirtualMemory Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92659ea Shadow SSDT ------------------- #: 013 Function Name: NtGdiBitBlt Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276ca6 #: 227 Function Name: NtGdiMaskBlt Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276d70 #: 237 Function Name: NtGdiPlgBlt Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276dda #: 292 Function Name: NtGdiStretchBlt Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276d0a #: 307 Function Name: NtUserAttachThreadInput Status: 
Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92768ba #: 323 Function Name: NtUserCallOneParam Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276c72 #: 378 Function Name: NtUserFindWindowEx Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276aa8 #: 383 Function Name: NtUserGetAsyncKeyState Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276822 #: 414 Function Name: NtUserGetKeyboardState Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276baa #: 416 Function Name: NtUserGetKeyState Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa927686e #: 460 Function Name: NtUserMessageCall Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92769fa #: 475 Function Name: NtUserPostMessage Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276950 #: 476 Function Name: NtUserPostThreadMessage Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92769a4 #: 491 Function Name: NtUserRegisterRawInputDevices Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276b3a #: 502 Function Name: NtUserSendInput Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276a5a #: 549 Function Name: NtUserSetWindowsHookEx Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276772 #: 552 Function Name: NtUserSetWinEventHook Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92767c8 ==EOF== |
Post #7
I know the drill! Group: Malware Response Team Posts: 14,906 Joined: 24-July 08 From: London Member No.: 224,929
The logs look good. TDSS is something which we should double check for.
If you are away for a few weeks then I will note that, I will occasionally bump the topic so I can check that you are still there. Please run MBAM Please download
Then let's use another rootkit search Please download GMER from one of the following locations and save it to your desktop:
Thanks

--------------------
If I have helped you fix your PC then please donate to the anti-malware cause. Thanks
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators) m0le can be found at Bleeping Computer Geeks To Go, and SpywareHammer
Post #8
New Member Group: Members Posts: 9 Joined: 27-November 09 Member No.: 408,642
Dear m0le,
Thanks very much for your reply. I have run Malwarebytes and will run the other scan as soon as I return. Thank you for your help and patience. Regards, Nick
Post #9
I know the drill! Group: Malware Response Team Posts: 14,906 Joined: 24-July 08 From: London Member No.: 224,929
Hi nicnite, just checking that you're still there
Post #10
New Member Group: Members Posts: 9 Joined: 27-November 09 Member No.: 408,642
I'm still here m0le, thanks for checking. Again I apologize for this break in the middle of you helping me--I had to travel to take care of my father who is ill. I hope to be back at my computer at home (the one with the problem) shortly after New Year. If you need me to start again from scratch I understand completely, just let me know.
Thanks! Nick
Post #11
New Member Group: Members Posts: 9 Joined: 27-November 09 Member No.: 408,642
Still here, still away from home.
Thanks! n
Post #12
I know the drill! Group: Malware Response Team Posts: 14,906 Joined: 24-July 08 From: London Member No.: 224,929
Merry Christmas, nicnite
Post #13
I know the drill! Group: Malware Response Team Posts: 14,906 Joined: 24-July 08 From: London Member No.: 224,929
Just checking in.
Happy New Year
Post #14
New Member Group: Members Posts: 9 Joined: 27-November 09 Member No.: 408,642
Thank you m0le, Merry Christmas and Happy New Year to you and yours.
I'm still away from home, and it's looking like another ten days or so--caring for my father who is ill. Just let me know if you want me to start from the back of the queue--it's no problem. Regards, Nick
Post #15
I know the drill! Group: Malware Response Team Posts: 14,906 Joined: 24-July 08 From: London Member No.: 224,929
No problem Nick, I will close it if I haven't heard anything by the 11th of January.